Technology Update

A lesson from an adviser cybervictim

In your efforts to please clients, don't overlook important checks and balances

Feb 19, 2012 @ 12:01 am

My recent column regarding what financial advisers should and shouldn't do to protect clients from cybercrime prompted strong responses from readers.

One came from an adviser who requested anonymity because he is in the middle of a legal action with his errors-and-omissions carrier. Still, he chose to share his story in hopes that other advisers might avoid the mess in which he found himself.

Here is what happened. Someone pretending to be a client sent an e-mail requesting a money transfer, which was put through by a staff member in the adviser's office because the e-mail looked valid.

Once the adviser determined that the e-mail was fraudulent, he reimbursed the client out of his own pocket — to the tune of almost $200,000 — within 48 hours. He then turned to his E&O carrier, which denied the claim.

Now that the adviser has hired an attorney, it appears that the carrier may cover a portion of the loss, part of which was recovered.

Based on his experience, our adviser has a couple of suggestions for others.

First, criminals lurking in cyberspace are intercepting your clients' e-mails and getting better at impersonating them. They send out counterfeit e-mails that appear legitimate.

Second, while advisers are doing everything possible to improve customer support and make clients happy, procedures shouldn't be so streamlined that a fund transfer can be accomplished merely by relying on a client signature on file.

“Our office policy is now simple: All requests for wires, copies of tax returns and all address changes require a voice response in addition to signatures,” he said.

He emphasized that the low-tech response of a simple phone call can solve many problems.

“It's easy. You get an e-mail from a client requesting money, you just ask them to call and verify,” he said. “We know the voice and have caller ID, so it gives us reasonable assurance.”

“We live in a world where people don't talk on the phone anymore, and we assume that e-mails are genuine. They may not be.”


As our adviser's story shows, addressing e-mail fraud can be accomplished, in part, by changes in office practice. But technology also can be a solution.

In that area, I want to mention an important initiative called Domain-Based Message Authentication, Reporting and Conformance (DMARC). The unincorporated working group (at has issued a draft specification that resolves several long-standing problems with e-mail.

Specifically, these relate to authentication protocols that let receiving e-mail servers distinguish legitimate e-mail from forged e-mail.

Although DMARC was officially launched at the end of last month, its developers have been at work over the past 18 months building and testing the specification.


Backers represent 15 companies and organizations, among them some of the largest e-mail service providers, including AOL, Gmail, Hotmail and Yahoo Mail, as well as major financial institutions and financial services providers, including Bank of America Corp., Fidelity Investments, PayPal and Bits, which is the tech policy division of The Financial Services Roundtable, a trade group of the nation's largest financial companies.

Several big social-media companies also support the effort, including Facebook Inc. and LinkedIn Corp.

Paul Midgen, a DMARC working group member and a senior program manager with Windows Live Hotmail at Microsoft Corp., explained what advisers can expect.

“What you won't see is a setting in your [Microsoft] Outlook [program] that says something like, 'Enable DMARC.' What's going on is happening on the level of a message transfer agent, like your company's Exchange server, for example,” he said.

This behind-the-scenes activity is why it is important for big e-mail providers to be involved, along with e-mail infrastructure and intermediary companies that many advisers probably have never heard of, such as group members Cloudmark Inc. and eCert Inc., Mr. Midgen said.
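To make the "message transfer agent level" concrete, here is an added illustration (not code from the DMARC working group or any provider) of the policy decision a receiving mail server makes: it reads the sending domain's published DMARC record, checks whether an SPF or DKIM pass is aligned with the visible From: domain, and otherwise applies the domain owner's policy. The record text, domain names and message fields are constructed sample values, and SPF/DKIM verification is assumed to have already happened upstream.

```python
# Added illustration of the policy step an MTA performs under DMARC, not code
# from the DMARC working group. Records and domains below are constructed sample
# values; SPF/DKIM verification is assumed done, only its results are passed in.

def parse_dmarc_record(txt):
    """Parse a DMARC TXT record such as 'v=DMARC1; p=reject; aspf=s'."""
    tags = {}
    for part in txt.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a usable DMARC record")
    tags.setdefault("adkim", "r")  # DKIM alignment: r = relaxed, s = strict
    tags.setdefault("aspf", "r")   # SPF alignment:  r = relaxed, s = strict
    return tags

def org_domain(domain):
    # Simplification: last two labels; real code uses the public suffix list.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(from_domain, auth_domain, mode):
    """Strict alignment needs an exact match; relaxed needs the same org domain."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)

def dmarc_disposition(record, from_domain, spf_domain=None, dkim_domain=None):
    """Return (result, reason); result is 'pass' or the published p= policy.
    spf_domain: envelope-sender domain that passed SPF (None if SPF failed).
    dkim_domain: d= of a DKIM signature that verified (None if there is none)."""
    tags = parse_dmarc_record(record)
    spf_ok = spf_domain is not None and aligned(from_domain, spf_domain, tags["aspf"])
    dkim_ok = dkim_domain is not None and aligned(from_domain, dkim_domain, tags["adkim"])
    if spf_ok:
        return "pass", "SPF passed and aligned with From: domain"
    if dkim_ok:
        return "pass", "DKIM passed and aligned with From: domain"
    return tags["p"], "no aligned authentication; applying published policy"

if __name__ == "__main__":
    # Constructed case: a forged message claims From: client@example-bank.test
    # but was relayed by an unrelated server, so only that server passes SPF.
    record = "v=DMARC1; p=reject; aspf=s; adkim=s"
    print(dmarc_disposition(record, "example-bank.test", spf_domain="mail.bulk-sender.test"))
    # With a p=none record the same message is only reported, never rejected.
    print(dmarc_disposition("v=DMARC1; p=none", "example-bank.test", spf_domain="mail.bulk-sender.test"))
```

The difference between the two calls is the point for advisers: a provider that publishes only p=none gets reports about forgeries, while p=quarantine or p=reject lets receiving servers act on them.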

Alex Popowycz, vice president of information security at Fidelity, and another DMARC member, reiterated why invisibility is actually a good thing in terms of the end-user.

“Since this is operating at an infrastructure level, there is little the end-user has to know,” he said.

Fidelity is keeping a close eye on how e-mail providers are using and deploying DMARC, and the firm is considering an initial rollout of the technology this year, Mr. Popowycz said.

For a reality check and to add some unbiased perspective, I contacted someone not working with the DMARC initiative, Andrew Honig, co-author of the recently published “Practical Malware Analysis” (No Starch Press, 2012), a book for security and IT professionals. He is an information assurance expert for the Defense Department who teaches courses on software analysis, reverse engineering and Windows system programming.

“Adoption of these technologies will be slow, but it's certainly progress in the right direction,” Mr. Honig wrote in an e-mail.

He said that problems with e-mail remain even after DMARC does its work.

Specifically, Mr. Honig noted that while a user receiving an e-mail adhering to DMARC can be much more certain that the e-mail is valid, the user still won't know the originator's intent.

For example, he or she won't know whether the sender is trying to break into the user's computer or whether a valid e-mail is coming from a hacked account or computer.

So what can advisers do? Although nothing is perfect, DMARC is a giant step in the right direction.

For that reason, make sure that your major tech partners and providers, including custodians, broker-dealers and insurance carriers, are aware of DMARC and support it.

