For financial advisory firms, one of the biggest cybersecurity threats is hacked email accounts of clients and top managers, used to trick advisers and their staff into transferring money or privileged data.
As a result, advisers must be quick to identify the authenticity of any email and decide whether they trust it, experts say.
It is an everyday occurrence in the industry: a hacker uses personal information found in a breached email account to pose as that client and request money or information. Some firms are quick to nip it in the bud, but many others have fallen victim. This scam is known as "spear-phishing."
"There is a lot of valuable information in those systems and phishing is a tried and true way for people to get into those systems and either export the data or to modify internal data," said Aaron Tantleff, partner and intellectual property lawyer at Foley and Lardner.
There are a few phishing methods — cyber criminals can pretend to be a client, but they can also pretend to be within the firm. Most recently, Snapchat was the victim of the latter, when someone pretended to be the chief executive and emailed an employee to send over all payroll data, TechCrunch reported.
Financial services is an attractive industry for hackers, and cybersecurity is growing in awareness. According to a Websense Security Labs report, cyber criminals targeted financial service firms 300% more than other businesses between January and May 2015.
In 2014, targeted spear-phishing attacks rose 8%, according to a 2015 Symantec study. Although the overall volume of this type of scam declined 12%, the study found no signs that the intensity of targeted attacks was falling, suggesting that spear-phishing emails have become more carefully crafted to bypass security.
A Wells Fargo adviser, for example, received emailed requests for wire transfers in 2008 that totaled $67,532 from an email not associated with a client, but never sought verbal confirmation in either case, Finra reported.
It's not always easy to determine the origins of an email. A 2015 McAfee study asked 19,000 participants from 144 countries to identify which of 10 emails were a phishing scam. Only 3% got all the answers right and 80% answered at least one question wrong, opening them up for a potential breach.
The report suggested users never click on links or attachments, be suspicious of messages asking for personal information, check that the sender's email and information match, look for poor grammar and be cautious of urgent calls to action. Mr. Tantleff said advisers and firm employees should be trained to identify questionable emails.
"Your employees are the first line of defense and last line, so being more cautious as to what they open up and click on and what they respond to is critical," he said. "Employees should be empowered to question this type of interaction."
One way to identify a malicious email is by the tone of the message, assuming an adviser knows his or her client well enough. Another clue is a request that comes out of the blue or is out of the ordinary. Small details can also unmask a threat, such as an email address or signature line that is slightly off.
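The checks above (sender address and information matching, a request that is out of the ordinary, an urgent ask for money) can be turned into a simple triage step that tells staff when to pick up the phone. The following is an added example, not code from the article or from any firm quoted in it; the client roster, the sample message and the keyword lists are constructed for illustration.

```python
import email
from email import policy
from email.utils import parseaddr

# Constructed client roster: lower-cased display name -> address on file (not real data).
CLIENT_ROSTER = {
    "jane doe": "jane.doe@example.com",
}

# Constructed message mimicking the pattern in the article: a known client's
# name and a plausible request, but the sender details are slightly off.
SAMPLE_MESSAGE = """\
From: Jane Doe <jane.doe@examp1e.com>
Reply-To: jane.doe.urgent@mail-example.net
To: adviser@firm.example
Subject: Need a wire sent today

Hi, please wire $25,000 to the account below before 3pm, I am travelling and can't call.
"""

MONEY_WORDS = ("wire", "transfer", "payroll", "account number")
URGENCY_WORDS = ("today", "urgent", "asap", "before", "immediately", "can't call")

def review_message(raw: str, roster=CLIENT_ROSTER) -> dict:
    """Return a dict of red flags for one message; each value is True when the check trips."""
    msg = email.message_from_string(raw, policy=policy.default)
    name, addr = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", "") or "")
    on_file = roster.get(name.strip().lower())
    body = msg.get_body(preferencelist=("plain",))
    text = (msg.get("Subject", "") + " " + (body.get_content() if body else "")).lower()
    flags = {
        # The display name is a known client, but the address is not the one on file.
        "address_not_on_file": on_file is not None and addr.lower() != on_file,
        # Replies would be routed to a third address the sender has never used.
        "reply_to_mismatch": bool(reply_to) and reply_to.lower() != addr.lower(),
        "asks_for_money": any(w in text for w in MONEY_WORDS),
        "urgent_tone": any(w in text for w in URGENCY_WORDS),
    }
    # A money request combined with any sender anomaly or pressure: hold the
    # request and call the client back on the number already on file.
    flags["call_to_verify"] = flags["asks_for_money"] and (
        flags["address_not_on_file"] or flags["reply_to_mismatch"] or flags["urgent_tone"]
    )
    return flags

if __name__ == "__main__":
    for check, tripped in review_message(SAMPLE_MESSAGE).items():
        print(f"{check}: {tripped}")
```

The callback number must come from the firm's records, not from the message, since a forged email can just as easily carry a forged phone number.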
Advisers in particular should call to confirm any transaction requests in an email. Jerry D. Murphy, a financial adviser at JDM Financial and Investments in Bowie, Md., said this was a lesson reaffirmed when a client's email was hacked and used to contact him two years ago. The hacker must have looked through past communication with the adviser, because the email he received included information he and the client had discussed. When he called the client to confirm the exchange, she said it wasn't her.
There's a balance he and other advisers must manage though, as clients may prefer to communicate online.
"More so than ever, I am leery of email communications," he said. "My clients do prefer to contact via email so I have to acquiesce to the client's needs, but if something is out of the ordinary I call to verify what I am seeing is accurate."
Jonathan Kelley, vice president of Hinds Financial Group in Lakewood, Colo., said his firm had twice come close to falling victim to phishing emails.
"Ever since the first client attempt, we take it very seriously," Mr. Kelley said. "We can do all of the things we're supposed to do and we can continue to try to educate clients on the dangers, but we can't monitor 400 client email servers, and clients are the ones who are most likely to get hacked."
Mr. Kelley said he and his firm look for identifiers as to whether an email is authentic and from the client. He said his firm will also tell a client it will call him or her back on a different number to ensure it is the appropriate person. In two months, the firm is having a cybersecurity expert speak at a client event to go over the importance of security procedures.
"We feel our job kind of extends to keeping them knowledgeable," Mr. Kelley said.