Heading off hack attacks

Financial advisers are on the front lines protecting their clients from cybercrime.

Just take the story of one firm and one adviser, Mark Reed.

The managing director of Bush O’Donnell Investment Advisors Inc. last week witnessed an online attack.

“On Monday morning, we got the e-mail. It was very specific,” Mr. Reed said.

“It was to the adviser in our firm who the client interfaces with. It was short on personal informalities like asking how the Cardinals are doing,” Mr. Reed said.

“It simply stated, “Could you please wire $51,000 to this bank in Hong Kong?’ and it was signed with the client’s name. The note said the purpose was to purchase a condominium, with “condominium’ spelled incorrectly,” Mr. Reed said.

SOMETHING WASN’T RIGHT

“We knew right away there was something phony about [the request], except that it had very specific information, such as the client’s account number. Someone had very clearly hacked into the client’s e-mail,” Mr. Reed said.

“We called the client. He confirmed he was not sending a wire request and was not buying a condo,” Mr. Reed said.

“We then called the custodian and, with permission of the client, contacted [the Securities and Exchange Commission] in Chicago,” he said.

“I feel sorry for our client. He’s got a real problem,” Mr. Reed said.

The scam artist was anxious about getting the client’s money, Mr. Reed said.

“Later in the day, the hacker pinged us twice to see when the wire transfer would take place,” he said.

This pattern of breaking into a client’s e-mail account, posing as the client to the adviser in an e-mail and trying to convince the adviser to wire money from the client’s account to a bank or other destination isn’t rare. In fact, such attempts by fraudsters posing as advisers have become all too common.

“During 2012, there was a big increase in the prevalence of attempts to defraud [broker-dealers] through the use of Internet-based tactics,” said Albert Caiazzo, managing director and chief quality and risk officer at First Clearing LLC. “There were very well-publicized incidents of clients’ being the victim of e-mail takeovers.”

Securities regulators are certainly taking notice of cybercrime and the threat to customer accounts.

The Financial Industry Regulatory Authority Inc. highlighted online security in its annual “business conduct and sales practice priorities” note to broker-dealers in January.

‘INDUSTRY IS VULNERABLE’

“The frequency and intensity of threats, such as denial-of-service attacks and the number of data security breaches, raises concerns that the securities industry is vulnerable to disruption and unauthorized access to customer account information,” Finra wrote.

The most common type of cybercrime that First Clearing has seen is wire fraud, Mr. Caiazzo said.

“In the most common situation, hackers impersonate clients through an infiltration of clients’ e-mail accounts,” Mr. Caiazzo said. “They then originate an e-mail to the FA and issue an authorization to wire funds out of the account.”

Advisers “need to be vigilant about protecting the assets they are stewards of,” Mr. Caiazzo said.

“What the industry has been seeing are e-mails with enough information to look like they were from the client,” he said. “A lot of these schemes are technology-based but rely on human failings to be successful.”

Mr. Reed had been concerned about such scams for the past year.

“We had anecdotally heard of these sorts of scams maybe about a year to 18 months ago from other colleagues in the business,” said Mr. Reed, whose firm is a registered investment adviser with $201 million in client assets.

“At that time, we beefed up our policies and procedures. One was that any wire transfer would require verbal confirmation from the client, and another was that any third-party requests for a wire transfer would require a customer signature,” Mr. Reed said.

“This year and last year, we sent a letter to clients advising them of our policy to expect a call if we ever got e-mail instructions from them. We also listed what to avoid in the e-mail world to keep them safe, such as clicking through any suspicious e-mail that says “click here,’” Mr. Reed said.

“Also, no custodian or broker is going to request valuable financial or private information from a client via e-mail, such as your or your kids’ Social Security numbers,” he said.

Mr. Reed stressed the importance of “the policy for a verbal confirmation of any e-mail wire transfer request from a client.”

PERSONAL DETAIL

Custodians typically don’t require such a confirmation if the transfer is to an account in the same name, but the level of personal detail that some hackers are able to steal from a client and then present to an advisers proves that rule wrong, he said.

Another adviser recently told Mr. Reed that one hacker sent an e-mail to his firm requesting a wire transfer and said that he couldn’t call the adviser, because he was attending the funeral of an uncle.

“In fact, the uncle had died,” Mr. Reed said. “Hackers can assemble a real profile of the victim.”

Although many hackers will fail or be rebuffed in such attempts, they still have their hands on sensitive client information, Mr. Reed said.

The lesson for advisers is “to make the phone call for all transfer requests and make clients aware that the reason to make the call is to protect them,” Mr. Reed said. “They won’t be bothered by that if it’s for their own well-being.”