Bill Winterberg, the founder of FPPad and consultant to registered investment advisers and technology vendors, lately has noticed an uptick in a few key patterns that hackers are using to fool RIAs.
“When something is attractive and it works, then they all gravitate toward it and exploit it as much as possible until it stops working,” he said.
“Right now, it's still working. The RIA community is still fragmented enough … that there are still firms that fall victim to these attacks,” Mr. Winterberg said.
In an interview, he provided the inside scoop on a few of the most common cybersecurity threats that are taking place in the financial advice industry.
The fake client. A hacker will break into a client's e-mail account and, posing as the client, send an e-mail to the client's financial adviser asking for a withdrawal or wire transfer. Often, the hacker will have looked through the client's past e-mails to frame the message in a way that seems more legitimate, Mr. Winterberg said. For example, if they see receipts from airlines or hotels, they may refer to a recent trip the client has taken and claim the client's passport was stolen, so they need emergency cash for a return ticket home.
Typically, the hacker will ask for a relatively small amount of money, less than $10,000. That is just enough to “fly under the radar,” Mr. Winterberg said. If the scheme works, the hacker may ask for more. “Hackers know they don't have to steal from clients directly,” Mr. Winterberg said. “They can exploit the trust with the adviser and get the adviser to move the money, and then the client is completely clueless.”
How to prevent this: If an adviser receives an e-mail asking for a withdrawal or wire transfer, they should validate that request with the client through a channel other than e-mail, since the attacker controls the mailbox and will answer any reply sent to it. One way to do that is by asking the client to do a quick video chat. “Not only are you speaking with your client, but you're actually seeing your client's face,” Mr. Winterberg said. Another way to authenticate the request is by using a previously established code word or password that the client and adviser have agreed upon. This should be something more difficult to crack than a mother's maiden name or the last four digits of a Social Security number, which could be found in an e-mail account, Mr. Winterberg said. He recommends using a phrase that can be prompted with a question such as, “Who was your favorite teacher in elementary school?” Or, “What was the color, make and model of your first car?”
How to prevent this: Resist the temptation to click on links in e-mails. Many times, the URLs that hackers send will be very close to legitimate ones, differing by only a few characters, Mr. Winterberg said. Advisers should be vigilant not to install third-party software or respond to prompts about things such as JavaScript updates. Instead, they should have their information technology professional provide these services or download updates directly through the Windows or Apple application store, depending on which operating system they use.
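A mechanical check for the near-miss URLs Mr. Winterberg describes, as an added example that is not from the article or from FPPad: it pulls the host out of each link, compares its registrable domain against an allowlist of domains the firm actually uses, normalizes common look-alike spellings (rn for m, vv for w, 0 for o, 1 for l) and flags any host that is within two edits of a trusted name or that embeds a trusted brand as a label. The allowlist and the sample links are constructed for illustration; a real deployment would load the firm's own custodian, vendor and e-mail domains. It goes a little beyond the article's "a few characters off" by also catching a trusted brand buried inside an unrelated domain.

```python
"""Flag e-mail links whose host is a near miss of a domain the firm really uses.

Added example, not from the article. TRUSTED_DOMAINS and SAMPLE_LINKS are
constructed for illustration (assumption), not taken from any real firm.
"""
import re
from urllib.parse import urlparse

# Constructed allowlist of registrable domains the adviser legitimately uses.
TRUSTED_DOMAINS = {"schwab.com", "fidelity.com", "microsoft.com", "fppad.com"}

# Substitutions attackers rely on because they look alike in a proportional font.
_MULTI_CHAR = (("rn", "m"), ("vv", "w"))
_SINGLE_CHAR = str.maketrans("01|", "oll")


def normalize(name: str) -> str:
    """Collapse look-alike spellings so 'rnicr0soft' compares equal to 'microsoft'."""
    name = name.lower()
    for fake, real in _MULTI_CHAR:
        name = name.replace(fake, real)
    return name.translate(_SINGLE_CHAR)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance computed with two rows, O(len(a) * len(b))."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def registrable_domain(host: str) -> str:
    """Last two labels of the host. Simplification: ignores suffixes such as co.uk."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def classify_url(url: str, trusted=TRUSTED_DOMAINS, max_distance: int = 2):
    """Return (verdict, detail) where verdict is 'trusted', 'lookalike' or 'unknown'."""
    if "://" not in url:
        url = "http://" + url            # bare hosts pasted from an e-mail
    host = (urlparse(url).hostname or "").lower()
    if not host:
        return ("unknown", "no host in URL")
    domain = registrable_domain(host)
    if domain in trusted:
        return ("trusted", domain)
    # A trusted brand used as a label of some other domain, e.g.
    # schwab.com.secure-login.net or fidelity-secure.com, is a classic lure.
    labels = re.split(r"[.-]", host)
    for t in sorted(trusted):
        brand = t.split(".")[0]
        if brand in labels:
            return ("lookalike", f"trusted brand '{brand}' used inside {host}")
    # Otherwise look for a typo-squat: a few characters off a trusted name
    # once look-alike glyphs have been normalized on both sides.
    best = min(sorted(trusted),
               key=lambda t: edit_distance(normalize(domain), normalize(t)))
    d = edit_distance(normalize(domain), normalize(best))
    if d <= max_distance:
        return ("lookalike", f"{domain} is within {d} edit(s) of {best} after normalization")
    return ("unknown", domain)


# Constructed sample links for the demo below.
SAMPLE_LINKS = [
    "https://client.schwab.com/login",
    "http://schwab.com.secure-login.net/verify",
    "https://www.schvvab.com/",
    "https://micr0soft.com/update",
    "https://fidelity-secure.com/reset",
    "https://example.com/report",
]

if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        verdict, detail = classify_url(link)
        print(f"{verdict:9} {link}  ({detail})")
```

"Unknown" is not "safe": it only means the host is neither on the allowlist nor a close copy of one, so an adviser should still reach the site by typing the address or using a saved bookmark rather than the link.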
The “reverse social engineering” threat. A hacker will call an adviser, pretending to be from Microsoft Corp. or another technology company. They will give a line such as, “Your computer has been sending us error files because you've got bad software. Go open this file and follow my steps.” As the call progresses, the hacker will convince the adviser to download malicious files, disguised as software that will solve the error problem. “They're persuading advisers to quote-unquote 'fix' their computer, but it's actually opening up malicious software,” Mr. Winterberg said. “If you're not a computer user, you can be fooled,” he said. “That's what the attackers are counting on.”
How to prevent this: Advisers who download updates regularly through the app store don't need to be concerned about these cold calls, Mr. Winterberg said. Advisers can say that their computers are up to date and politely hang up. It is key to resist the sense of urgency that the hackers are trying to instill in the adviser while on the phone. “They're hoping to make you panic, and when you panic, you're not thinking clearly,” Mr. Winterberg said. “An adviser needs to have a defense mechanism.”
Cyber security isn't an issue that most RIAs like to address, said April Rudin, the chief executive and founder of wealth marketing firm The Rudin Group.
After attending a recent conference on the topic, she said that she was “frightened” by the threat of security breaches and she considers herself more tech-savvy than most RIAs.
But there are plenty of small things that advisers can do to protect themselves against threats in cyberspace.
“It's beholden upon RIAs to really boost their knowledge of the Internet, how it works, what information is on the Internet, what's public information,” Ms. Rudin said. “Cyber security is not an isolated issue.”
Here is some basic advice that Ms. Rudin gives to guard against scams online:
• No matter how difficult it is, have different passwords for everything.
• Don't trust attachments in e-mails that use targeted keywords, such as “2013 tax return.” Phishers will try to use buzzwords such as these to lure advisers into clicking on a malicious document.
• Advisers who send out mass e-mails to their clients should make sure to BCC everyone, instead of CC-ing them. Otherwise, every recipient will see the e-mail addresses of all the other clients. For firms that specialize in high-net-worth clients, that list could include celebrities or others in positions of power.
• Once a month, advisers should Google their own names and that of their firm. It is important to know what information is out there, so that advisers can control their images and reputations.
• Overall, advisers should know how the Internet works and be knowledgeable about e-mail and social media. It is harder to spot a scam for those who aren't familiar with the real thing.