LOGIN
Subscribe

Tips for avoiding cyberattacks

Consultant Bill Winterberg and RIA April Rudin offer advice on how to protect your firm from hack attacks and cyberfrauds.

Bill Winterberg, the founder of FPPad and consultant to registered investment advisers and technology vendors, lately has noticed an uptick in a few key patterns that hackers are using to fool RIAs.
“When something is attractive and it works, then they all gravitate toward it and exploit is as much as possible until it stops working,” he said.
“Right now, it’s still working. The RIA community is still fragmented enough … that there are still firms that fall victim to these attacks,” Mr. Winterberg said.
In an interview, he provided the inside scoop on a few of the most common cybersecurity threats that are taking place in the financial advice industry.
(Don’t miss this report on how advisers face new competition from online platforms.)
The fake caller. A hacker will break into a client’s e-mail account and send an e-mail to their financial adviser, asking for a withdrawal or wire transfer. Often, the hacker will have looked through the client’s past e-mails to frame the communication in a way that seems more legitimate, Mr. Winterberg said. For example, if they see receipts from airlines or hotels, they may refer to a recent trip that the client has taken and claim their passport was stolen, so they need emergency cash for a return ticket home.
Typically, the hacker will ask for a relatively small amount of money, less than $10,000. That is just enough to “fly under the radar,” Mr. Winterberg said. If the scheme works, the hacker may ask for more. “Hackers know they don’t have to steal from clients directly,” Mr. Winterberg said. “They can exploit the trust with the adviser and get the adviser to move the money, and then the client is completely clueless.”
How to prevent this: If an adviser receives an e-mail asking for a withdrawal or wire transfer, they should validate that request with the client. One way to do that is by asking the client to do a quick video chat. “Not only are you speaking with your client, but you’re actually seeing your client’s face,” Mr. Winterberg said. Another way to authenticate the request is by using a previously established code word or password that the client and adviser have agreed upon. This should be something more difficult to crack than a mother’s maiden name or the last four digits of a Social Security number, which could be found in an e-mail account, Mr. Winterberg said. He recommends using a phrase that can be prompted with a question such as, “Who was your favorite teacher in elementary school?” Or, “What was the color, make and model of your first car?”
The phishing attempt. Phishing attempts continue to be a common threat for advisers. For example, a hacker will send an adviser an e-card with a message like, “Happy birthday from your client!” When the adviser clicks on it, a message will pop up saying that the adviser needs an updated version of JavaScript to view the message. It’s really a hack attack. “Hackers are trying to install sniffing software within the RIA firms so they can start getting passwords to custodian logins, log in as an adviser and start sending out withdrawals,” Mr. Winterberg said.
How to prevent this: Resist the temptation to click on links in e-mails. Many times, the URLs that hackers send will be very close to legitimate ones, with a few characters off, Mr. Winterberg said. Advisers should be vigilant not to install third-party software or respond to prompts about things such as Java Script updates. Instead, they should have their information technology professional provide these services or download updates directly through the Windows or Apple application store, based on what operating system they use.
The “reserve social engineering” threat. A hacker will call an adviser, pretending to be from Microsoft Corp. or another technology company. They will give a line such as, “Your computer has been sending us error files because you’ve got bad software. Go open this file and follow my steps.” As the call progresses, the hacker will convince the adviser to download bad files, disguising it as software that will solve the error problem. “They’re persuading advisers to quote-unquote ‘fix’ their computer, but it’s actually opening up malicious software,” Mr. Winterberg said. “If you’re not a computer user, you can be fooled,” he said. “That’s what the attackers are counting on.”
How to prevent this: Advisers who download updates regularly through the app store don’t need to be concerned about these cold calls, Mr. Winterberg said. Advisers can say that their computers are up to date and politely hang up. It is key to resist the sense of urgency that the hackers are trying to instill in the adviser while on the phone. “They’re hoping to make you panic, and when you panic, you’re not thinking clearly,” Mr. Winterberg said. “An adviser needs to have a defense mechanism.”
Cyber security isn’t an issue that most RIAs like to address, said April Rudin, the chief executive and founder of wealth marketing firm The Rudin Group.
After attending a recent conference on the topic, she said that she was “frightened” by the threat of security breaches and she considers herself more tech-savvy than most RIAs.
But there are plenty of small things that advisers can do to protect themselves against threats in cyberspace.
“It’s beholden upon RIAs to really boost their knowledge of the Internet, how it works, what information is on the Internet, what’s public information,” Ms. Rudin said. “Cyber security is not an isolated issue.”
Here is some basic advice that Ms. Rudin gives to guard against scams online:
• No matter how difficult it is, have different passwords for everything.
• Don’t trust attachments in e-mails that use targeted keywords, such as “2013 tax return.” Phishers will try to use buzzwords such as these to lure advisers into clicking on a malicious document.
• Advisers who send out mass e-mails to their clients should make sure to BCC everyone, instead of CC-ing them. Otherwise, they will have the e-mail address of all the other clients. For firms that specialize in high-net-worth clients, that could include celebrities or others in positions of power.
• Once a month, advisers should Google their own names and that of their firm. It is important to know what information is out there, so that advisers can control their images and reputations.
• Overall, advisers should know how the Internet works and be knowledgeable about e-mail and social media. It is harder to spot a scam for those who aren’t familiar with the real thing.

Learn more about reprints and licensing for this article.

Recent Articles by Author

Tips for avoiding cyberattacks

Tips for avoiding cyberattacks

Consultant Bill Winterberg and RIA April Rudin offer advice on how to protect your firm from hack attacks and cyberfrauds.

Bitcoin is soaring, but financial advisers are steering clear for now

Bitcoin is soaring, but financial advisers are steering clear for now

Despite the Bitcoin hype, many advisers are steering clear of the online currency, which is unregulated by central banks and traded freely on the Internet.

Fixed-annuity sales driven by frustration with low interest rates, thirst for income

Fixed-annuity sales driven by frustration with low interest rates, thirst for income

Fixed-annuity sales in the third quarter reached their highest level since 2009, topping $22 billion. That number represents a 31% rise from the previous quarter and more than a 35% increase from the same period last year.

What do advisers look for in alternative investments?

What do advisers look for in alternative investments?

As more retail alternative investments hit the market, financial advisers are doing more due diligence and seeking out firms that provide the most transparency and have solid performance.

60/40 is fine for many advisers

60/40 is fine for many advisers

Investors have poured $156.6 billion into alternative investments, including nontraditional bonds, since 2010, according to data from Morningstar Inc. Nearly half of that amount — $74.6 billion — has come in 2013, giving the alternative market total net assets of $227.3 billion. Still, some believe that overdiversifying is unlikely to add value for clients and maintain that sticking to stocks and bonds is enough.

Latest news

Blackstone makes more real estate moves

Blackstone makes more real estate moves

Set solid expectations and boundaries with new clients

Leading through innovation – with Tom Ruggie of Destiny Wealth Partners

Raymond James notches wins in the Sun Belt with advisor additions

Huntington names new head of wealth business

MyVest announces tax-aware portfolio transition upgrades

Will the surge in Treasury yields slay the bulls (again)?

X

Subscribe and Save 60%

Premium Access
Print + Digital

Learn more
Subscribe to Print

Subscribe

Get unlimited access to InvestmentNews

Subscribe for just
$19.99 per month.

Subscribe