Remember the good old days when fishing was simply a fun pastime?
Things are way more complicated now. We have phishing, spear phishing, and whaling—all very bad news for our clients—and for us as financial professionals. In fact, when we fail to recognize these forms of fraud and our clients’ accounts are compromised as a result, clients lose assets and we’re vulnerable to regulatory fines and worse.
How it works
First, to clarify terms. You’re probably familiar with phishing that targets groups of people with emails attempting to get personal information—account numbers, passwords, Social Security numbers and the like. But phishing’s evil twin—spear phishing—takes this a step further. With spear-phishing scams, the fraudsters have already done their homework: Fraudulent emails are individually targeted, with enough personal information to make them appear real and legitimate. So real, in fact, that the recipient often takes the action requested, which usually involves withdrawing or transferring funds. The fallout from spear phishing, obviously, is disastrous.
(Whaling, by the way, is phishing that targets large, high-profile individuals, as in the C-suite.)
Spear phishing incidents in financial sectors are on the rise because they’re so effective. As a financial professional, you may receive fraudulent email requests that, on the surface, appear to come from a client. In some cases, a fake email is sent from an email account of an advisor’s long-time client—someone the advisor knows well and feels comfortable enough with (maybe too comfortable) to execute an emailed withdrawal request.
Because these emails include legitimate information (albeit obtained fraudulently), they’re extremely difficult to identify as fraudulent. Accounts are compromised, assets are stolen. Due to the rise in spear phishing, there’s also been an increase in regulatory fines levied against financial professionals due to fraudulent, third-party withdrawals from their clients’ accounts. Specific cases vary, but the stakes are high across the board. In two recent examples, a former Morgan Stanley professional and a Wells Fargo Advisors representative were personally fined and suspended for falsely claiming verbal confirmations of wire transfer requests they received in fraudulent “client” emails.
With spear phishing, emails may be sent from the client’s actual email account that has been compromised (hacked) by a fraudster or from a different email account that only looks like the customer’s actual account. For example, if the client’s real email address is “JohnDoe@yahoo.com,” its fraudulent counterpart may be JohnD0e@yahoo.com. In both cases, the fraudster has included enough information about the client or about the financial professional that the emails appear to be legitimately sent from the client.
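The lookalike-address trick described above (“JohnDoe” versus “JohnD0e”) is something an office can screen for automatically before a request ever reaches a human. The following is an added example, not code from the article or its author: it compares an incoming sender address against a small address book of known clients and flags near-misses such as digit-for-letter swaps, Cyrillic homoglyphs, and inserted characters. The client address book, the confusable-character table, and the 0.9 similarity threshold are all assumptions chosen for illustration.

```python
import unicodedata
from difflib import SequenceMatcher

# Constructed sample address book (hypothetical; not from the article).
KNOWN_CLIENTS = {
    "johndoe@yahoo.com": "John Doe",
    "jane.smith@example.com": "Jane Smith",
}

# Characters commonly swapped in for visually similar ones. ASCII digits
# that resemble letters, plus a few Cyrillic letters that render like Latin.
CONFUSABLES = str.maketrans({
    "0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "8": "b", "9": "g",
    "\u0430": "a",  # Cyrillic a
    "\u0435": "e",  # Cyrillic ie
    "\u043e": "o",  # Cyrillic o
    "\u0440": "p",  # Cyrillic er
    "\u0441": "c",  # Cyrillic es
})

# Similarity above which two different addresses are treated as lookalikes.
LOOKALIKE_THRESHOLD = 0.9  # assumption


def normalize(addr: str) -> str:
    """Lowercase, trim, and strip accents so comparisons are case- and accent-insensitive."""
    addr = unicodedata.normalize("NFKC", addr).strip().lower()
    decomposed = unicodedata.normalize("NFKD", addr)
    return "".join(c for c in decomposed if not unicodedata.combining(c))


def skeleton(addr: str) -> str:
    """Map confusable characters onto the plain letters they imitate."""
    return normalize(addr).translate(CONFUSABLES)


def classify_sender(sender: str):
    """Return ("known", name), ("lookalike", name) or ("unknown", None).

    A sender is "known" only on an exact (normalized) match. It is a
    "lookalike" if it collapses to the same skeleton as a known client
    (e.g. JohnD0e vs JohnDoe) or is nearly identical by edit similarity
    (e.g. an inserted dot). Anything else is "unknown".
    """
    s = normalize(sender)
    if s in KNOWN_CLIENTS:
        return ("known", KNOWN_CLIENTS[s])

    sk = skeleton(s)
    best_ratio, best_name = 0.0, None
    for known, name in KNOWN_CLIENTS.items():
        if skeleton(known) == sk:
            return ("lookalike", name)
        ratio = SequenceMatcher(None, s, known).ratio()
        if ratio > best_ratio:
            best_ratio, best_name = ratio, name

    if best_ratio >= LOOKALIKE_THRESHOLD:
        return ("lookalike", best_name)
    return ("unknown", None)


if __name__ == "__main__":
    # Constructed sample senders for demonstration.
    for candidate in [
        "JohnDoe@yahoo.com",
        "JohnD0e@yahoo.com",
        "j\u043ehndoe@yahoo.com",   # Cyrillic o in place of Latin o
        "john.doe@yahoo.com",
        "johndoe@gmail.com",
    ]:
        verdict, who = classify_sender(candidate)
        print(f"{candidate:28} -> {verdict:9} {who or ''}")
```

A “lookalike” verdict is a reason to stop and call the client at a number already on file; a “known” verdict is not proof the account is uncompromised, since the article’s first scenario is mail sent from the client’s real, hacked mailbox. The check screens addresses, nothing more, so it supplements the verbal-confirmation step rather than replacing it.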
The addition of a clever new tactic
While phishing and spear phishing are not new, we are now seeing a new tactic. The fraudster, after sending a spear-phishing email to a financial professional, pretends to be the client and follows up with a phone call, thereby giving credibility to the email already sent. Be honest: Do you know your clients so well that you can recognize all their voices?
Admittedly, this is a clever tactic that can dupe the best of us, especially the unsuspecting. Consider a recent case: The fraudster successfully targeted a client who was very well known to a financial advisor’s office. When the office staff and advisor questioned the sound of the caller’s voice, the fraudster explained it away with a simple “illness from a cold.” Think about the many other voice-distorting factors we encounter every day—cell phones, poor signals, crowded buildings, general ambient noise—that essentially work in the fraudsters’ favor.
Today’s technology also allows fraudsters to “spoof” phone numbers and email addresses. This means that the phone number calling you appears as an entirely different number on your caller ID. For example, if my phone number is 205-555-1234, I can use a free, call-spoofing app online to make my phone number appear as a completely different number on your caller ID, including a different area code.
What to look for and what you can do
These scams are so realistic and effective that taking time to look below the surface is a critical first step with any and all emails! Approach all communications with a critical eye: Does something about an email, a follow-up call or anything else related to a transaction request seem even a little bit “off?” Or do you suspect (now having read these warnings) that an email could be from someone other than your actual client? If your instincts are telling you that something’s not quite right, contact the client to confirm that he or she sent the email.
Protecting client assets—and yourself
Here’s a good reminder for us all: Never act solely on instructions emailed from a client for disbursements, bank account changes or address changes without the client’s verbal confirmation. Be sure to call the client at a number you know is valid or speak with them in person.
There are a handful of best practices that will help safeguard clients’ assets from email phishing/spear-phishing schemes, not to mention protecting the integrity of your own processes and helping to avoid potential regulatory issues and penalties.
Follow your gut—and follow through
- Thoroughly read and examine every email you receive. Take time to take a second or third look.
- If you question even small details about the look or tone of an email, contact your client to verify the email’s authenticity.
Let’s deliver on our promises. Together.
Ryan Schwoebel, Manager, Special Investigative Unit and Anti-Money Laundering
For Financial Professional Use Only. Not for Use With Consumers.