Inside A Vicious Phishing Scam Targeting RIAs: Read The Emails That Nearly Defrauded A Successful Financial Planning Firm Of $35,000

Saturday, March 29, 2014 14:06

Tags: advisor technology | AdvisorVault | client communications | client emails | cyber criminal | cybercriminals | data security breach | email scam | phishing scams | practice management | privacy; security | risk management

Here’s a cautionary tale of an advisor who nearly fell victim to a $35,000 phishing scam that is targeting investment advisors.
 

The RIA, co-owned by an advisor I’ve known for many years, has changed its procedures since the incident occurred 11 months ago, and he did eventually realize that he was dealing with a scammer before sending any money to the account as requested. But he says his firm has been targeted twice and that the scams are getting more sophisticated.


To help other advisors avoid falling victim to phishing scams, the advisor provided A4A with a copy of the email thread (below) from last April between the cybercrooks and his firm, giving A4A readers an inside look at a phishing scam targeting investment advisors.


Perhaps because I write about tech news and have previously written for advisors about phishing scams, the advisor appears to me to have been a little naïve. The initial email contained some telltale signs of a phishing scam — specifically, an abundance of spelling, punctuation and grammatical errors. In fairness to the advisor, however, we are looking at these events with 20-20 hindsight.

Just yesterday, I received an email from a business contact who might turn out to be a huge breakthrough for my company or could turn out to be a fraudster. I've asked for a telephone call to verify. (Telephone verification is always a good safeguard.) The point is, it's hard to tell sometimes whether someone is scamming you, even for a sophisticated techie like me.

When an advisor reads an email from a client on a busy day, it’s understandable that he would ask an assistant to help the “client” get $35,000 wired.

However, the advisor in this instance would later learn that a hacker was spoofing his client’s name and email address in the emails he was reading. He says he dismissed the spelling errors in the initial email he received, thinking the client was in a rush. The scam began with this initial email:
 
-----------------------------------
From: Keith
Sent: Monday, April 15, 2013 12:16 PM
To: Frank
Subject: Good Morning
 
Hello,
 
    A friend of mine needs to borrow 35,000 do i have enough cash to be able to lend that to her. she will be repaying it back in about 4 months. ive lent her money before and got every penny back.......so i would like to do this if possible. if it is possible, can you also arrange for the wire transfer once ive gotten all of the necessary information.
 
Thanks,
--------------------------------------
 
Asked in an email if he had any advice to offer practitioners about setting up a procedure to defend against phishing scams, the now security-conscious advisor responded: “Upload all sensitive client data and information to the web vault and confirm all requests for money via a phone call to the client. No call? No confirmation of ID? No $$$!”
 
After reading the email thread below, please post a comment letting me know whether you would have, or could have, fallen for this scam. If you could have fallen for it, then you’re not reading A4A regularly, and that’s a mistake.
--------------------Begin email thread (names changed or redacted) -----------------------
 
From: Mindy
Sent: Tuesday, April 16, 2013 7:34 AM
To: Frank
Subject: FW: Loan
 
FYI . . . funny-strange…
 
From: Keith
Sent: Monday, April 15, 2013 5:21 PM
To: Mindy
Subject: Re: Loan
 
Mindy,
 
    Thanks the wire is not needed again, As Susie has taken care of it....
 
Thanks once again.
Keith.
-----Original Message-----
From: Mindy
To: Keith
Sent: Mon, Apr 15, 2013 10:35 pm
Subject: RE: Loan
Dear Keith:
 
Attached is the completed form.   Please sign and have Susie sign in Section 4 of the form.  Scan it and email it back to me. 
 
If you send this back signed today, I will take care of it in the morning.  Have a great evening.
 
Sincerely,
Mindy
 
 
From: Keith
Sent: Monday, April 15, 2013 4:18 PM
To: Mindy
Subject: Re: Loan
 
Mindy,
 
      I am not at the office, but you can fill in the form scan and email it to me then I will sign it off and then scan and have it sent back to you. Here is the wire instruction below:
 
Bank Name: NAME REDACTED
Bank Address: REDACTED
Bank Phone #: REDACTED 3
Account #: REDACTED
Routing #: REDACTED
Account Owner: REDACTED
Holder Address: REDACTED
Wire Amount: $35,000.00
 
Kindly fill the form and send it to me then I can sign and email it back to you.
 
Thanks,
Keith.
 
-----Original Message-----
From: Mindy
To: Keith
Sent: Mon, Apr 15, 2013 10:12 pm
Subject: RE: Loan
Dear Keith:
 
Sure, I can complete the form with the wire transfer instructions you collect from your friend.  I will then email it to you but we don’t have a fax machine.  Actually, are you in your office now?  How late will you be there?  I have an appointment in your complex this evening, I could stop by your office tonight for your signature and then I will complete the form with your friends wire instructions tomorrow for you.  Let me know.
 
Mindy
 
 
From: Keith
Sent: Monday, April 15, 2013 4:04 PM
To: Mindy Smith
Subject: Re: Loan
 
Mindy,
 
      Can I send you the information then you can help fill the information then you can send me the form or fax it then I can sign and fax back as I dont want to have any errors on the wire form.
 
Thanks,
Keith.
-----Original Message-----
From: Mindy
To: Keith
Sent: Mon, Apr 15, 2013 10:01 pm
Subject: FW: Loan
Dear Keith.:
 
Attached you will find a Schwab Wire Transfer Authorization form.  Please print this form and complete all of Section 3 and sign Section 4.  I would need to have the completed, signed form either emailed back to me or dropped off at our office by 12:00 tomorrow afternoon in order for the funds to be transferred by the close of business tomorrow.  Please note the cost is $25.
 
Please let me know if you have any questions.  Have a great day.
 
Sincerely,
Mindy
 
 
From: Frank
Sent: Monday, April 15, 2013 1:57 PM
To: Keith
Cc: Mindy
Subject: RE: Loan
Importance: High
 
OK….I will see to it that Mindy will get back to you right after lunch.
 
Frank
 
From: Keith
Sent: Monday, April 15, 2013 1:49 PM
To: Frank
Subject: Re: Loan
 
Frank,
 
    She needs it for business purpose and she just sent me an email asking the status of the loan and I said I will get back to her today so I will be glad if this can be done for her today, Kindly get back.
 
Thanks,
Keith.
-----Original Message-----
From: Frank
To: Keith
Sent: Mon, Apr 15, 2013 7:44 pm
Subject: RE: Loan
Keith,
 
I’m sorry…is this something that is of an emergency nature, that needs to be attended to immediately?
 
I didn’t understand that you were waiting for Mindy to contact you immediately with those requirements.
 
What is the deadline for this action so we can figure out how to work this into our schedule for today?
 
Frank
 
From: Keith
Sent: Monday, April 15, 2013 1:31 PM
To: Frank
Subject: Re: Loan
 
Am still waiting for you to send me the requirement
 
thanks
-----Original Message-----
From: Frank
To: Keith
Sent: Mon, Apr 15, 2013 6:54 pm
Subject: RE: Loan
Keith,
 
Will do.
 
Frank
 
From: Keith
Sent: Monday, April 15, 2013 12:54 PM
To: Frank
Subject: Re: Loan
 
I will prefer a wire transfer, Kindly ask Mindy to send me the wire information.
 
Thanks,
Keith
-----Original Message-----
From: Frank
To: Keith
Cc: Mindy
Sent: Mon, Apr 15, 2013 6:50 pm
Subject: RE: Loan
Keith,
 
Good day to you as well!
 
There is enough cash in your joint account to make that loan.
 
We can arrange for the wire transfer, but there is a fee for that service. Wouldn’t it be easier just to give her one of your Schwab checks?
 
If you confirm you must wire transfer her that money, I will have Mindy of my office send you a separate e-mail to let you know what all the information you will need to gather in order to complete that transaction.
 
Sincerely,
 
Frank
-----------------------------------
From: Keith
Sent: Monday, April 15, 2013 12:16 PM
To: Frank
Subject: Good Morning
 
Hello,
 
    A friend of mine needs to borrow 35,000 do i have enough cash to be able to lend  that to her.  she will be repaying it back in about 4 months. ive lent her money before and got every  penny back.......so i would like to do this if possible.  if it  is possible, can you also arrange for the wire transfer once ive  gotten all of the necessary information. 
 
Thanks, 
 

 

Comments (5)

FamaFiduciary
Andy, good article. You asked for comments. Well, knowing what we know now about scams and the like, I cannot begin to fathom how anyone would ever agree to wire transfer money to a client without actually speaking IN PERSON with that client. I am in a super-small firm, so perhaps I myself am being naive in thinking that everyone should speak directly with their client in this instance, but really, how much trouble is it to get the client on the phone, and listen to their voice directly? The next question is how well do you know your client (as an advisor)? If you really don't know the client very well, this kind of thing is bound to happen. Certainly it makes sense to require a phone call to the client to confirm verbally. That is the very least that anyone should do. In my 14 years of advisory practice, I cannot think of one instance where I had to wire money for ANY client for ANY reason. But if I did, I would only do it after speaking personally with the client. I like the rehabilitated advisor's final response: "no phone call, no ID, no $$$". That says it all. Basic common sense.
FamaFiduciary , March 31, 2014
hfinancial
I got 2 attempts like this 6 months ago. Neither was successful but both were eye opening experiences. I require a phone call as well to release client funds fortunately.

I wish we could catch these people and inflict harsh jail sentences as a potential deterrent.
hfinancial , May 29, 2014
mitchellkeil
At the bottom of all emails from my office is a disclosure statement that no email request for trades or other transactions will be honored. Period. I speak directly to a client if this happens and then request an email confirming our conversation and the request as a backup for the request and instructions. I then confirm all information with the client by phone.
mitchellkeil , May 29, 2014
jmoore
Good reminder. I believe these criminals are getting more sophisticated and there can be no substitute for telephone confirmation. Because we have several new folks in our office who may not recognize a client's voice, we are instituting a policy where we have to call the client back on their phone number. We are also considering the idea of a "secret question" validation process where only the client and our firm would know the answer.

One other thing to consider: double check your E&O, as there is likely an exclusion for phishing scams.
jmoore , May 29, 2014
Chris Winn
All great points.

There is no denying that the fraudsters are getting more sophisticated. I believe it is also fair to say that they have more information to work with. As your clients manage more of their personal life online and via email, it creates a simple trail for the fraudster to follow. We recently worked with an advisor who was unfortunately entangled in such a fraud. The fraudster took his/her time to read other emails and "chatted up" the advisor's team by saying, "I know [Advisory Person] has been trying to get me in the office to review my accounts. I have been swamped. Just got back from a business trip and heading back out of town later this week." (obtained from prior correspondence with the firm and travel confirmations). By going to another person at the firm, it caught them off guard. Calling would have been a good control, but the expectation was already set that they would not be able to get the client live. It followed a pattern that the advisor expected from this client...on the move and seeking help.

To combat these attempts, a call might not even be enough. How many clients use this same email to manage their phone account? One commenter always talks with the client. That works OK if you are a single-person firm or only have specific people handling a particular client. As many practices evolve into businesses, separation of roles and responsibilities comes into play to manage the growth. This is a good thing, but these types of risks must be factored in. A service associate may be able to talk to the client, but can they actually verify the client?

I am certainly not suggesting that you abandon your processes of call verification. I only want to point out that for some firms, just stating you call to verify may not be enough and may instill a false sense of security.

What should advisors do then? They need a multi-step approach.
1. Train clients. Like it or not, your role is to coach the client through protection of their information. Suggest clients use different accounts for financial matters than for their general internet use and personal use.

2. Disclosures on emails, websites and phone prompts are helpful, but you need to consistently follow your policies.

3. Develop a clear policy and protocols for your firm. Who must approve money movements? Is there a dollar amount that a person has authority to approve without additional review/approval?

4. Implement security questions. Implement secure questions that only the client could answer. Your favorite pet, mother's maiden name, street you grew up on ARE NOT secure questions. How many clients have emailed a picture of Fido?

5. Consider a time-lag as part of your policy. Inform clients at the start of the relationship that you require an X-day hold on any wire requests (perhaps excluding standing instructions to known accounts like brokerage to known bank account). Use the time for additional verification.

6. Direct them to the paperwork instead of providing it. Instead of pre-filling a wire form, instruct them to go to the custodian website and log in with their account to get the forms. Their inability to log in can be a safeguard.

7. Establish a client profile. Clients that do not ever expect to need money wired could be coded in your CRM for "No Wires". Of course things can change for a client, but at least it prompts the need for additional review.

8. Train your team. We have unfortunately assisted advisors with great policies on this topic where the fraud still happened because the team was not properly trained.

This will only get worse out there. Be prepared.


Chris Winn , May 30, 2014
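The controls the advisor sums up above (“No call? No confirmation of ID? No $$$!”) and the multi-step policy in Chris Winn's comment, written out as a single approval check that a firm's operations staff could run before releasing a wire. This is an added illustration, not code from the article or from any firm; the approval threshold, hold length, phone number and account identifiers are constructed assumptions.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import List, Optional, Set, Tuple

APPROVAL_THRESHOLD = 10_000.00  # assumed: larger wires need a second approver
HOLD_DAYS = 2                   # assumed: X-day hold on wires to new destinations

@dataclass
class ClientProfile:
    name: str
    phone_on_file: str                    # from onboarding records, never from the e-mail
    no_wires: bool = False                # the CRM "No Wires" code
    standing_instructions: Set[str] = field(default_factory=set)  # pre-verified accounts

@dataclass
class WireRequest:
    client: str
    amount: float
    destination: str                      # account identifier supplied in the request
    received: date
    callback_number: Optional[str] = None # number staff actually dialled
    callback_verified: bool = False       # client confirmed the request by voice
    second_approver: Optional[str] = None

def evaluate_wire(req: WireRequest, profile: ClientProfile, today: date) -> Tuple[bool, List[str]]:
    """Apply every control and report each one that fails; approve only if none do."""
    reasons = []
    if profile.no_wires:
        reasons.append("profile coded No Wires: manual review required")
    if not req.callback_verified:
        reasons.append("no voice confirmation from the client")
    elif req.callback_number != profile.phone_on_file:
        reasons.append("callback did not go to the number on file")
    if req.destination not in profile.standing_instructions:
        if (today - req.received).days < HOLD_DAYS:
            reasons.append(f"new destination: {HOLD_DAYS}-day hold not elapsed")
    if req.amount > APPROVAL_THRESHOLD and req.second_approver is None:
        reasons.append("amount exceeds single-approver authority")
    return (not reasons, reasons)

# Constructed sample: the April 15 request from the article, evaluated the same day.
KEITH = ClientProfile("Keith", phone_on_file="555-0100", standing_instructions={"KEITH-BANK-1"})
SCAM_REQUEST = WireRequest("Keith", 35_000.00, "UNKNOWN-ACCT", date(2013, 4, 15))

if __name__ == "__main__":
    ok, why = evaluate_wire(SCAM_REQUEST, KEITH, date(2013, 4, 15))
    print("approved" if ok else "blocked:", why)
```

Run as written, the scam request is blocked on three separate controls, so a firm that skips the callback still has the hold and the dual-approval rule standing between the scammer and the money.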
