A lesson from an adviser cybervictim

My recent column regarding what financial advisers should and shouldn’t do to protect clients from cybercrime prompted strong re- sponses from readers.

One came from an adviser who requested anonymity because he is in the middle of a legal action with his errors-and-omissions carrier. Still, he chose to share his story in hopes that other advisers might avoid the mess in which he found himself.

Here is what happened. Someone pretending to be a client sent an e-mail requesting a money transfer, which was put through by a staff member in the adviser’s office because the e-mail looked valid.

Once the adviser determined that the e-mail was fraudulent, he reimbursed the client out of his own pocket — to the tune of almost $200,000 — within 48 hours. He then turned to his E&O carrier, which denied the claim.

Now that the adviser has hired an attorney, it appears that the carrier may cover a portion of the loss, part of which was recovered.

Based on his experience, our adviser has a couple of suggestions for others.

First, criminals lurking in cyberspace are intercepting your clients’ e-mails and getting better at impersonating them. They send out counterfeit e-mails that appear legitimate.

Second, while advisers are doing everything possible to improve customer support and make clients happy, procedures shouldn’t be so streamlined that a fund transfer can be accomplished merely by relying on a client signature on file.

“Our office policy is now simple: All requests for wires, copies of tax returns and all address changes require a voice response in addition to signatures,” he said.

He emphasized that the low-tech response of a simple phone call can solve many problems.

“It’s easy. You get an e-mail from a client requesting money, you just ask them to call and verify,” he said. “We know the voice and have caller ID, so it gives us reasonable assurance,” he said.

“We live in a world where people don’t talk on the phone anymore, and we assume that e-mails are genuine. They may not be.”

FRAUD SOLUTION

As our adviser’s story shows, addressing e-mail fraud can be accomplished, in part, by changes in office practice. But technology also can be a solution.

In that area, I want to mention an important initiative called Domain-Based Message Authentication, Reporting and Conformance. The unincorporated working group (at DMARC.org) has issued a draft specification that resolves several long-standing problems with e-mail.

Specifically, these relate to authentication protocols, which allow e-mail servers to identify legitimate e-mail from the other kind.

Although DMARC was officially launched at the end of last month, its developers have been at work over the past 18 months building and testing the specification.

WELL-KNOWN BACKERS

Backers represent 15 companies and organizations, among them some of the largest e-mail service providers, including AOL, Gmail, Hotmail and Yahoo Mail, as well as major financial institutions and financial services providers, including Bank of America Corp., Fidelity Investments, PayPal and Bits, which is the tech policy division of The Financial Services Roundtable, a trade group of the nation’s largest financial companies.

Several big social-media companies also support the effort, including Facebook Inc. and LinkedIn Corp.

Paul Midgen, a DMARC working group member and a senior program manager with Windows Live Hotmail at Microsoft Corp., ex-plained what advisers can expect.

“What you won’t see is a setting in your [Microsoft] Outlook [program] that says something like, “Enable DMARC.’ What’s going on is happening on the level of a message transfer agent, like your company’s Exchange server, for example,” he said.

This behind-the-scenes activity is why it is important for big e-mail providers to be involved, along with e-mail infrastructure and intermediary companies that many advisers probably have never heard of, such as group members Cloudmark Inc. and eCert Inc., Mr. Midgen said.

Alex Popowycz, vice president of information security at Fidelity, and another DMARC member, reiterated why invisibility is actually a good thing in terms of the end-user.

“Since this is operating at an infrastructure level, there is little the end-user has to know,” he said.

Fidelity is keeping a close eye on how e-mail providers are using and deploying DMARC, and anticipates that his own firm is considering an initial rollout of the technology this year, Mr. Popowycz said.

For a reality check and to add some unbiased perspective, I contacted someone not working with the DMARC initiative, Andrew Honig, co-author of the recently published “Practical Malware Analysis,” (No Starch Press, 2012), a book for security and IT professionals. He is an information assurance expert for the Defense Department who teaches courses on software analysis, reverse engineering and Windows system programming.

“Adoption of these technologies will be slow, but it’s certainly progress in the right direction,” Mr. Honig wrote in an e-mail.

He said that problems with e-mail remain even after DMARC does its work.

Specifically, Mr. Honig noted that while a user receiving an e-mail adhering to DMARC can be much more certain that the e-mail is valid, the user still won’t know the originator’s intent.

For example, he or she won’t know whether the sender is trying to break into the user’s computer or whether a valid e-mail is coming from a hacked account or computer.

So what can advisers do? Although nothing is perfect, DMARC is a giant step in the right direction.

For that reason, make sure that your major tech partners and providers, including custodians, broker-dealers and insurance carriers, are aware of DMARC and support it.

[email protected]

Related Topics: Technology Update