Holiday Cheer or Cyber Fear?
by Casey Cotton - Chief Technology Officer, Arete Wealth
November 21, 2023
The holidays are just around the corner, and unfortunately, that means an increase in fraud, malware and viruses that demand extra vigilance. We need to make sure we remain cognizant of our basic fiduciary responsibility to our clients by helping them make informed decisions so as to protect their personal and financial information. So in order to keep such bad tidings at bay, let’s take a quick tour of the problems lurking out there.
Malware is software used to disrupt computer operations, gather sensitive information, or gain access to private computer systems. It can appear in the form of code, scripts, active content, and other forms.
Phishing is the act of attempting to acquire information such as usernames, passwords, credit card details and sometimes even money by masquerading as a trustworthy entity in an electronic communication. Communications purporting to be from popular social websites, auction sites, banks, online payment processors or IT administrators are commonly used to lure the unsuspecting public. Phishing emails may contain links to websites that are infected with malware. Phishing is typically carried out by email spoofing or instant messaging, and it often directs users to enter details at a fake website whose look and feel are almost identical to the legitimate one. Phishing is an example of the social engineering techniques used to deceive users and exploit the poor usability of current web security technologies.
Use of AI (Artificial Intelligence) to commit fraud. Here are a few ways bad actors are using AI to commit fraud.
- Combining real and fake data to create fake identities, including forged passports and ID documents.
- Conducting phishing scams at scale.
- Voice cloning, combined with a victim’s public and black-market information, to redirect bank funds and take over other accounts.
- Creating deepfake videos for scams.
These types of third-party fraud are increasingly directed at the financial services industry. To prevent it from making your holiday season (and thereafter) less than joyful, you need to be able to identify it and set a plan of correction so that the jingle doesn’t stop the bells from ringing in the good times.
How does a Phisher/Hacker look to compromise a client?
Phishers usually begin by creating a “mule” account, scamming a user into sharing their bank account information for transfers. It can be hard to believe that anyone falls for these “I have a gift for you” approaches, but they do.
How does a Phisher/Hacker look to compromise an advisor?
Common methods of compromise include password cracking, malware keyloggers and phishing links (an email appearing to be from a senior member of your organization; a friend or family member in trouble, please send money; your PayPal password has expired; a DocuSign envelope to sign; a Microsoft password reset; an email inbox alert; etc.). The compromise usually also grants access to the user’s mailbox, and the following then happens. The Phisher scans the mailbox to determine its worth, then locates all emails related to the financial advisor and the clients. The Phisher emails the advisor to check the status and balances of accounts. To keep control of those conversations, the Phisher creates mailbox rules that send all new messages from the advisor to the trash or archive folder, or to a new address altogether. For example, sometimes a rule together with an address that simply adds a number after the real email address is used, making it easy to redirect who receives a message: the client or the Phisher. The Phisher then gathers the necessary financial review information and emails the advisor to wire an amount that would not typically raise any red flags to the Phisher’s mule account. The Phisher can then move the money received onto a prepaid card, which can easily be exchanged, traded or even taken out of the country without a trace. Remember that prepaid cards are not, and need not be, declared.
The net result is that an advisor thought he had received an email from the client, and as such acted upon it in what seemed a responsible manner. But then all or a portion of a client’s account is liquidated.
Luckily for the client and the advisor, a good broker-dealer has a careful process in place to verify all third-party money transfers with the client. After talking to the client, it can be determined whether the request is fraudulent. Alerts can then be placed on all accounts held at the broker-dealer, and the client can be advised to file a police report and put a fraud alert on accounts held away. We’re now in a digital age, but it is still important to have personal human contact with clients to ensure privacy and protection. The greater ease of doing business digitally comes with a real threat of potential fraud.
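The two mailbox tricks described above (rules that quietly divert or hide the advisor’s messages, and a lookalike address made by appending a number to the real one) are both things a firm can check for during the "monitor and review" part of its routine. The script below is an added illustration written for this article, not code from Arete Wealth or any product; the rule format, the firm’s domain, the client list and the sample sender addresses are all constructed for the example.

```python
"""Flag suspicious mailbox rules and lookalike sender addresses.

Added example for this article; sample rules, domains and addresses are
constructed. The InboxRule shape is an assumption, a simplified stand-in for
whatever a mail platform's rule export actually looks like.
"""
from __future__ import annotations

from dataclasses import dataclass, field

# Folders a legitimate user rarely auto-routes correspondence into; attackers
# use them to hide replies from the advisor while they talk in the user's name.
HIDING_FOLDERS = {"deleted items", "trash", "archive", "rss feeds", "junk email"}

# Rule names attackers commonly use so the rule draws no attention.
SUSPICIOUS_NAMES = {"", ".", ",", "..", "..."}


@dataclass
class InboxRule:
    name: str
    from_contains: list[str] = field(default_factory=list)  # sender/keyword match
    move_to: str | None = None                               # destination folder
    forward_to: list[str] = field(default_factory=list)     # forwarding targets


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower()


def rule_findings(rule: InboxRule, org_domain: str) -> list[str]:
    """Return plain-language reasons a rule looks like post-compromise persistence."""
    reasons = []
    if rule.move_to and rule.move_to.lower() in HIDING_FOLDERS:
        what = ", ".join(rule.from_contains) or "all mail"
        reasons.append(f"moves '{what}' to '{rule.move_to}' (hides messages from the user)")
    for fwd in rule.forward_to:
        if domain_of(fwd) != org_domain.lower():
            reasons.append(f"forwards mail to external address {fwd}")
    if rule.name.strip() in SUSPICIOUS_NAMES:
        reasons.append("near-empty rule name (common in attacker-created rules)")
    return reasons


def lookalike_of(sender: str, trusted: set[str]) -> str | None:
    """Return the trusted address a sender imitates, or None.

    Catches a trusted local part with digits appended (jane.doe1@...) and the
    same local part at a different domain. Same-domain matches are preferred.
    """
    s = sender.lower()
    trusted_lc = {t.lower() for t in trusted}
    if s in trusted_lc:
        return None
    local, _, domain = s.partition("@")
    stripped = local.rstrip("0123456789")
    # Every way of removing 0..k trailing digits, so "bob21" also tries "bob2".
    variants = {local[:n] for n in range(len(stripped), len(local) + 1)}
    for want_domain in (domain, None):
        for t in sorted(trusted_lc):
            t_local, _, t_domain = t.partition("@")
            if t_local in variants and (want_domain is None or t_domain == want_domain):
                return t
    return None


def audit(rules: list[InboxRule], senders: list[str],
          org_domain: str, trusted: set[str]) -> dict:
    """Run both checks and return only what needs a human's attention."""
    flagged_rules = {r.name: f for r in rules if (f := rule_findings(r, org_domain))}
    lookalikes = {s: t for s in senders if (t := lookalike_of(s, trusted))}
    return {"rules": flagged_rules, "lookalikes": lookalikes}


# --- constructed sample data -------------------------------------------------
ORG_DOMAIN = "advisor-firm.example"
TRUSTED_CLIENTS = {"jane.doe@clientmail.example", "bob2@clientmail.example"}
SAMPLE_RULES = [
    InboxRule("Newsletter cleanup", ["newsletter@vendor.example"], move_to="Newsletters"),
    InboxRule(".", ["advisor-firm.example"], move_to="RSS Feeds"),
    InboxRule("Backup", [], forward_to=["jane.doe1@freemail.example"]),
]
SAMPLE_SENDERS = [
    "jane.doe@clientmail.example",   # the real client
    "jane.doe1@freemail.example",    # lookalike: digit appended, other domain
    "bob21@clientmail.example",      # lookalike of an address that already ends in a digit
    "support@vendor.example",        # unrelated, should not be flagged
]

if __name__ == "__main__":
    report = audit(SAMPLE_RULES, SAMPLE_SENDERS, ORG_DOMAIN, TRUSTED_CLIENTS)
    for name, reasons in report["rules"].items():
        print(f"rule {name!r}: " + "; ".join(reasons))
    for sender, real in report["lookalikes"].items():
        print(f"sender {sender} looks like {real}")
```

Run against an export of each user’s mailbox rules and the sender addresses of recent wire-related threads, this gives a reviewer a short list to confirm by phone with the client, which is the verification step the article recommends; the lookalike check deliberately errs on the side of flagging, since a false positive costs one phone call and a miss costs the client’s account.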
Ask yourself the following questions.
- What precautions should I take to protect my clients?
- Do I meet in public locations to go over accounts with my clients?
- How do I ensure that nobody is looking over my shoulder or listening in?
- Do I take advantage of free public wireless connections?
- Does my device have client data stored on it?
- Am I even aware of this?
- If I do have client information stored, is my device’s hard drive encrypted?
- When I receive an email do I question the validity?
‘Tis the season to be jolly, but folly is afoot, too. Let’s make sure you do not put your clients or your business in harm’s way.
I have listed a few best practices below to help alleviate the stresses that Fraud, Phishing, Malware, and Hacking efforts may bring to your practice.
- Education and Awareness:
  - Regularly educate clients and staff about the latest phishing and hacking techniques.
  - Encourage clients to verify the authenticity of unexpected requests for sensitive information.
- Secure Communication:
  - Use encrypted communication channels for sensitive information.
  - Implement two-factor authentication wherever possible to add an extra layer of security.
- Email Security:
  - Advise clients and staff to verify the sender’s email address carefully, especially for unexpected or suspicious emails.
  - Utilize email filtering systems to detect and block phishing attempts.
- Client Verification:
  - Establish a robust process for verifying client identity, especially for financial transactions or requests for sensitive information.
- Secure Devices:
  - Ensure that all devices used for client interactions, including laptops and smartphones, have updated security software.
  - Implement device encryption and strong, unique passwords.
- Public Wi-Fi Precautions:
  - Discourage the use of public Wi-Fi for accessing sensitive client information.
  - If necessary, use a Virtual Private Network (VPN) to secure connections on public networks.
- Regular Audits:
  - Conduct regular audits of security protocols and update them to adapt to evolving threats.
  - Monitor and review access logs to detect any unusual activity.
- Have an Incident Response Plan:
  - Develop and implement an incident response plan to address any security breaches promptly.
  - Train staff on how to recognize and report security incidents.
- Client Communication:
  - Keep clients informed about security measures in place and any changes to protocols.
  - Encourage open communication about any security concerns they may have.
- Regulatory Compliance:
  - Stay abreast of and comply with industry-specific regulations and guidelines regarding data security.
- Client Meetings:
  - Consider using secure virtual meeting platforms for discussions involving sensitive information.
  - When meeting in person, be cautious about discussing sensitive information in public places.
- Continuous Learning:
  - Stay informed about the latest cybersecurity trends and best practices to adapt and strengthen your security measures continuously.
Remember, cybersecurity is an ongoing process, and staying informed and proactive is essential to safeguarding both client and business interests.