Mind those emails: Don't fall victim to a cyberattack

Breached emails a major entry point into advisers' practices for hackers

Mar 2, 2016 @ 1:25 pm

By Alessandra Malito


For financial advisory firms, one of the biggest cybersecurity threats they face is hacked emails of clients and top managers, used to trick advisers and their staffers into transferring money or privileged data.

As a result, advisers must be quick to identify the authenticity of any email and decide whether they trust it, experts say.

It's an everyday occurrence in the industry: a hacker uses personal information found in a breached email account to pretend to be that client and request money or information. Some firms are quick to nip it in the bud, but many others have fallen victim. This scam is known as "spear-phishing."

"There is a lot of valuable information in those systems and phishing is a tried and true way for people to get into those systems and either export the data or to modify internal data," said Aaron Tantleff, partner and intellectual property lawyer at Foley and Lardner.

There are a few phishing methods — cyber criminals can pretend to be a client, but they can also pretend to be within the firm. Most recently, Snapchat was the victim of the latter, when someone pretended to be the chief executive and emailed an employee to send over all payroll data, TechCrunch reported.

Financial services is an attractive industry for hackers, and awareness of cybersecurity is growing. According to a Websense Security Labs report, cyber criminals targeted financial service firms 300% more than other businesses between January and May 2015.

In 2014, there was an 8% increase in spear-phishing targeted attacks, according to a 2015 Symantec study. There was an overall decline of this type of scam by 12%, but the study stated that there were no signs that the intensity of these targeted attacks was falling, suggesting spear-phishing emails have become more creatively crafted to bypass security.

A Wells Fargo adviser, for example, received emailed requests for wire transfers in 2008 that totaled $67,532 from an email not associated with a client, but never sought verbal confirmation in either case, Finra reported.

It's not always easy to determine the origins of an email. A 2015 McAfee study asked 19,000 participants from 144 countries to identify which of 10 emails were phishing scams. Only 3% got all the answers right and 80% answered at least one question wrong, opening them up to a potential breach.

The report suggested users never click on links or attachments, be suspicious of messages asking for personal information, check that the sender's email and information match, look for poor grammar and be cautious of urgent calls to action. Mr. Tantleff said advisers and firm employees should be trained to identify questionable emails.

"Your employees are the first line of defense and last line, so being more cautious as to what they open up and click on and what they respond to is critical," he said. "Employees should be empowered to question this type of interaction."

One way to identify a malicious email is by the tone of the message, assuming an adviser knows his or her client well enough. Another clue is a request that seems out of the blue or out of the ordinary. Small details of an email can also unmask a threat, such as an email address or signature line that is off.

Advisers in particular should call to confirm any transaction requests in an email. Jerry D. Murphy, a financial adviser at JDM Financial and Investments in Bowie, Md., said this was a lesson reaffirmed when a client's email was hacked and used to contact him two years ago. The hacker must have looked through past communication with the adviser, because the email he received included information he and the client had discussed. When he called the client to confirm the exchange, she said it wasn't her.

There's a balance he and other advisers must manage though, as clients may prefer to communicate online.

"More so than ever, I am leery of email communications," he said. "My clients do prefer to contact via email so I have to acquiesce to the client's needs, but if something is out of the ordinary I call to verify what I am seeing is accurate."

Jonathan Kelley, vice president of Hinds Financial Group in Lakewood, Colo., said his firm had almost been a cyber victim due to phishing emails twice.

"Ever since the first client attempt, we take it very seriously," Mr. Kelley said. "We can do all of the things we're supposed to do and we can continue to try to educate clients on the dangers, but we can't monitor 400 client email servers, and clients are the ones who are most likely to get hacked."

Mr. Kelley said he and his firm look for identifiers as to whether an email is authentic and from the client. He said his firm will also tell a client it will call him or her back on a different number to ensure it is the appropriate person. In two months, the firm is having a cybersecurity expert speak at a client event to go over the importance of security procedures.

"We feel our job kind of extends to keeping them knowledgeable," Mr. Kelley said.

