Technology Update

A lesson from an adviser cybervictim

In your efforts to please clients, don't overlook important checks and balances

Feb 19, 2012 @ 12:01 am

My recent column regarding what financial advisers should and shouldn't do to protect clients from cybercrime prompted strong responses from readers.

One came from an adviser who requested anonymity because he is in the middle of a legal action with his errors-and-omissions carrier. Still, he chose to share his story in hopes that other advisers might avoid the mess in which he found himself.

Here is what happened. Someone pretending to be a client sent an e-mail requesting a money transfer, which was put through by a staff member in the adviser's office because the e-mail looked valid.

Once the adviser determined that the e-mail was fraudulent, he reimbursed the client out of his own pocket — to the tune of almost $200,000 — within 48 hours. He then turned to his E&O carrier, which denied the claim.

Now that the adviser has hired an attorney, it appears that the carrier may cover a portion of the loss, part of which was recovered.

Based on his experience, our adviser has a couple of suggestions for others.

First, criminals lurking in cyberspace are intercepting your clients' e-mails and getting better at impersonating them. They send out counterfeit e-mails that appear legitimate.

Second, while advisers are doing everything possible to improve customer support and make clients happy, procedures shouldn't be so streamlined that a fund transfer can be accomplished merely by relying on a client signature on file.

“Our office policy is now simple: All requests for wires, copies of tax returns and all address changes require a voice response in addition to signatures,” he said.

He emphasized that the low-tech response of a simple phone call can solve many problems.

“It's easy. You get an e-mail from a client requesting money, you just ask them to call and verify,” he said. “We know the voice and have caller ID, so it gives us reasonable assurance.”

“We live in a world where people don't talk on the phone anymore, and we assume that e-mails are genuine. They may not be.”

FRAUD SOLUTION

As our adviser's story shows, addressing e-mail fraud can be accomplished, in part, by changes in office practice. But technology also can be a solution.

In that area, I want to mention an important initiative called Domain-Based Message Authentication, Reporting and Conformance. The unincorporated working group (at DMARC.org) has issued a draft specification that resolves several long-standing problems with e-mail.

Specifically, these relate to authentication protocols, which allow e-mail servers to identify legitimate e-mail from the other kind.

Although DMARC was officially launched at the end of last month, its developers have been at work over the past 18 months building and testing the specification.

WELL-KNOWN BACKERS

Backers represent 15 companies and organizations, among them some of the largest e-mail service providers, including AOL, Gmail, Hotmail and Yahoo Mail, as well as major financial institutions and financial services providers, including Bank of America Corp., Fidelity Investments, PayPal and Bits, which is the tech policy division of The Financial Services Roundtable, a trade group of the nation's largest financial companies.

Several big social-media companies also support the effort, including Facebook Inc. and LinkedIn Corp.

Paul Midgen, a DMARC working group member and a senior program manager with Windows Live Hotmail at Microsoft Corp., explained what advisers can expect.

“What you won't see is a setting in your [Microsoft] Outlook [program] that says something like, 'Enable DMARC.' What's going on is happening on the level of a message transfer agent, like your company's Exchange server, for example,” he said.

This behind-the-scenes activity is why it is important for big e-mail providers to be involved, along with e-mail infrastructure and intermediary companies that many advisers probably have never heard of, such as group members Cloudmark Inc. and eCert Inc., Mr. Midgen said.

Alex Popowycz, vice president of information security at Fidelity, and another DMARC member, reiterated why invisibility is actually a good thing in terms of the end-user.

“Since this is operating at an infrastructure level, there is little the end-user has to know,” he said.

Fidelity is keeping a close eye on how e-mail providers are using and deploying DMARC, and his own firm is considering an initial rollout of the technology this year, Mr. Popowycz said.

For a reality check and to add some unbiased perspective, I contacted someone not working with the DMARC initiative, Andrew Honig, co-author of the recently published “Practical Malware Analysis,” (No Starch Press, 2012), a book for security and IT professionals. He is an information assurance expert for the Defense Department who teaches courses on software analysis, reverse engineering and Windows system programming.

“Adoption of these technologies will be slow, but it's certainly progress in the right direction,” Mr. Honig wrote in an e-mail.

He said that problems with e-mail remain even after DMARC does its work.

Specifically, Mr. Honig noted that while a user receiving an e-mail adhering to DMARC can be much more certain that the e-mail is valid, the user still won't know the originator's intent.

For example, he or she won't know whether the sender is trying to break into the user's computer or whether a valid e-mail is coming from a hacked account or computer.
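To make concrete what a receiving mail server actually does with DMARC, and why Mr. Honig's caveat holds, here is a small added illustration written for this column; it is not code from the DMARC working group or from DMARC.org. It follows the published draft's logic: the receiver looks up the sender domain's `_dmarc` TXT record, checks whether SPF or DKIM passed for a domain that "aligns" with the visible From: address, and otherwise applies the domain owner's policy (`p=none`, `quarantine` or `reject`). The DNS records, domain names and authentication results below are all constructed, and organizational domains are approximated by the last two labels (real receivers use the Public Suffix List). Note that the final case shows the limit Mr. Honig describes: mail sent from a genuinely compromised account passes every check.

```python
"""Minimal DMARC policy evaluation, modelled on the draft specification.

Constructed, self-contained example: DNS lookups are replaced by an inline
dictionary of made-up TXT records, and the organizational domain is
approximated by the last two labels (a simplification).
"""
from dataclasses import dataclass

# Constructed TXT records standing in for DNS lookups of _dmarc.<domain>.
FAKE_DNS = {
    "_dmarc.example-advisor.test": "v=DMARC1; p=reject; adkim=r; aspf=r; rua=mailto:dmarc@example-advisor.test",
    "_dmarc.strictbank.test": "v=DMARC1; p=quarantine; sp=reject; adkim=s; aspf=s",
}


def parse_dmarc_record(txt):
    """Split 'tag=value; tag=value' into a dict and apply the defaults."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record")
    tags.setdefault("adkim", "r")  # relaxed DKIM alignment by default
    tags.setdefault("aspf", "r")   # relaxed SPF alignment by default
    return tags


def organizational_domain(domain):
    # Simplification: last two labels. Real receivers consult the Public Suffix List.
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(from_domain, auth_domain, mode):
    """Identifier alignment: strict ('s') needs an exact match, relaxed ('r')
    only needs the same organizational domain."""
    if not auth_domain:
        return False
    a, b = from_domain.lower(), auth_domain.lower()
    if mode == "s":
        return a == b
    return organizational_domain(a) == organizational_domain(b)


@dataclass
class AuthResults:
    spf_result: str    # "pass", "fail" or "none"
    spf_domain: str    # domain SPF actually checked (MAIL FROM / HELO)
    dkim_result: str   # "pass", "fail" or "none"
    dkim_domain: str   # d= tag of the verified DKIM signature


def evaluate_dmarc(from_domain, results, dns=FAKE_DNS):
    """Return (outcome, disposition), e.g. ("pass", "none") or ("fail", "reject")."""
    from_domain = from_domain.lower()
    txt = dns.get(f"_dmarc.{from_domain}")
    used_fallback = False
    if txt is None:
        # Subdomain without its own record: fall back to the organizational domain.
        txt = dns.get(f"_dmarc.{organizational_domain(from_domain)}")
        used_fallback = True
        if txt is None:
            return ("none", "none")  # no policy published; nothing to enforce
    policy = parse_dmarc_record(txt)
    spf_ok = results.spf_result == "pass" and aligned(from_domain, results.spf_domain, policy["aspf"])
    dkim_ok = results.dkim_result == "pass" and aligned(from_domain, results.dkim_domain, policy["adkim"])
    if spf_ok or dkim_ok:
        return ("pass", "none")
    # The 'sp' tag, if present, governs subdomains that had no record of their own.
    disposition = policy.get("sp", policy["p"]) if used_fallback else policy["p"]
    return ("fail", disposition)


if __name__ == "__main__":
    legit = AuthResults("pass", "mail.example-advisor.test", "none", "")
    spoof = AuthResults("pass", "attacker.test", "none", "")
    print(evaluate_dmarc("example-advisor.test", legit))   # ('pass', 'none')
    print(evaluate_dmarc("example-advisor.test", spoof))   # ('fail', 'reject')
```

The spoofed message in the adviser's story would land in the second case: SPF may well pass for whatever domain the criminal actually sent from, but that domain does not align with the client's domain in the From: header, so the client's domain policy applies. A message sent from the client's real, compromised mailbox lands in the first case and is delivered; DMARC says nothing about the sender's intent, which is exactly why the adviser's phone-call verification still matters.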

So what can advisers do? Although nothing is perfect, DMARC is a giant step in the right direction.

For that reason, make sure that your major tech partners and providers, including custodians, broker-dealers and insurance carriers, are aware of DMARC and support it.

djanowski@investmentnews.com
