2020 Compliance For RIAs

Cathy Vasilev
07/28/20 4 PM EST
CFP Live CPA IWI
Program Id: 660004611

For state and federally registered investment advisers (RIAs), the 2020 compliance landscape comes down to:

Reg BI
Cybersecurity
Fee calculations

Cash Management
Outside Brokerage Accounts
Personal Trading
Complaints

The main learning objective of this class is to give CCOs and owners of RIAs what they need to know to fulfill their regulatory responsibilities in the current environment.

Cathy Vasilev is a founder of Red Oak Compliance Solutions, which advises 400 RIAs on regulatory compliance. With over 25 years of FINRA and SEC compliance experience at broker/dealers, serving registered reps as well as CCOs and CEOs at RIAs, Cathy co-founded Red Oak to serve RIAs in 2010. She previously served as the Assistant Vice President of Supervisory Systems and Controls at NFP Securities, an independent B/D and RIA, and also was an Associate Manager for Prudential, where she supervised 75 representatives, performing all compliance functions for the branch. Cathy began her career as a stockbroker for Salomon Smith Barney. Cathy earned a Masters of Business Management degree. She is a member of the Association of Compliance Professionals, the National Society of Compliance Professionals, and Compliance and AML Professionals; and maintains FINRA Series 7, 24, 26, 63 as well as Life and Health licenses.

This webinar is eligible for one hour of CE credit towards the CIMA® and CPWA® certifications, CFP® CE, PACE credit toward the CLU® and ChFC® designations and live CPA CPE credit.

2020 Compliance For RIAs

Cathy Vasilev, a cofounder of Red Oak Compliance Solutions, a regulatory consultant to 400 RIAs, leads A4A's webinar series for RIAs, providing continuing education credit to CFPs 24/7; CPAs receive credit at the live CPE classes. Below is a transcript and the slides from the first class in A4A's RIA Compliance Webinar Series, which describes the latest regulatory compliance trends affecting RIAs. It's a free sample of the thought leadership for advisors on A4A.

For $120 annually financial professionals receive unlimited access to CE classes about compliance 24/7 plus a comprehensive curriculum for running a professional practice featuring the latest news for advisors about low-expense investing, tax and financial planning, current financial economic conditions and behavioral finance from thought leaders.   

Tuesday, July 28, 2020, at 4 P.M. Eastern Advisors4Advisors Webinar Series

2020 Compliance For RIAs

Cathy Vasilev

Red Oak Compliance Solutions

Andrew Gluck, Moderator

Andrew Gluck: Hey. Hello. Good afternoon, everybody. Welcome, welcome, welcome. Today is Tuesday, July 28th, 2020, and we’re going to talk about compliance today. So, thank you for joining us. Cathy Vasilev is one of the founders of Red Oak Compliance, and she’s here and we’ll get started in just one minute.

WEBINARS

Gideon Rothschild

Covid Crisis Estate Planning

Thursday, July 30

Prasad Ramani

Behavioral Finance Webinar Series For Financial Advisors

Tuesday, August 4 At 12pm EST

Robert Keebler

August Tax Planning Webinar

Thursday, August 6

Fritz Meyer

Economic Update

Tuesday, August 11

Fritz Meyer

Quarterly Economic Review For Private Wealth Advisors,

July 2020

Replay


Andrew Gluck: Just want to go over what we have coming up. On Thursday—that’s this Thursday, July 30th—Gideon Rothschild is going to be here discussing estate planning during this period of the epidemic. Gideon is the past chairman of the American Bar Association Real Property, Trust and Estate Section. That’s a mouthful. And that’s a large section, an influential section, of the ABA. He’s one of the nation’s foremost experts on asset protection. And when I started Advisor Products 24 years ago, I didn’t really know Gideon. Somebody had told me that he was this really brilliant guy. On a whim, I called him. And he took pity on me when I was starting my company, and he would spend two hours a quarter teaching me about estate planning. Point is, this guy is not just a genius. He’s a really nice person. And I think you’ll enjoy the session.


Also, coming up on Tuesday, August 4th, we’ll have Prasad Ramani. And he’s going to be talking about behavioral finance for financial advisors. That session is going to be at noon on August 4th, keep in mind. Prasad is a chartered financial analyst. He’s also a chartered alternative investment analyst. That one’s out there, that designation for alternatives. And he also holds an FRM, a financial risk manager designation. And Prasad is also—he’s no slouch—he’s a peer reviewer for The Journal of Behavioral Finance, and he’s a regular speaker at the London Business School, where he teaches behavioral finance and decision science. Prasad is also cofounder of Syntoniq, a behavioral finance application that’s used by large institutions.

Prasad Ramani is going to be teaching a core class in behavioral finance for advisors on Tuesday, August 4th, at noon Eastern. And that’s going to be the main class that you need to put to use academic concepts in a practice with your clients. And also, we got Bob Keebler coming up on August 6th, then, and Fritz Meyer on August 11th, so there’s a lot going on for you here on A4A.

Andrew Gluck: Also, please notice that the registration pages now have lots of new content. For instance, Prasad Ramani gave me a list of some very excellent resources for advisors to prepare for his webinar and get a backgrounder on behavioral finance. Those links are on the resource table on that registration page for that webinar.


CPA CPE Credit


CFP® CE Credit


Advisors4Advisors is registered with the National Association of State Boards of Accountancy (NASBA) as a sponsor of continuing professional education on the National Registry of CPE Sponsors. State boards of accountancy have final authority on the acceptance of individual courses for CPE credit. Complaints regarding registered sponsors may be submitted to the National Registry of CPE Sponsors through its website: www.learningmarket.org.


Session eligible for CFP CE credit.

Must attend at least 50 minutes

Live sessions

       Enter CFP® ID in post-webinar survey

       CE credit automatically reported by A4A

Replays

       Post-webinar quiz required.

       Send CFP Board the A4A approval letter from your A4A Account’s CE Credit tab.


PACE Recertification – CLU® & ChFC®


CIMA® and CPWA® Certifications


This event is approved for PACE credit toward CLU® and ChFC® designations.

       Must attend at least 50 minutes

       Live sessions

       Email A4A for your certificate of completion.

       Replays

       Post-webinar quiz required.

       Use the CFP approval letter from your A4A Account’s CE Credit tab for PACE recertification.


Session pending one hour of CE credit towards the CIMA® and CPWA® certifications.

Must attend at least 50 minutes

Live sessions

          Enter CIMA®/CPWA® ID in post-webinar survey

          CE credit automatically reported by A4A

Replays

          Post-webinar quiz required.

          Send IMCA the A4A program approval letter from your A4A Account’s CE Credit tab.


Other Certifications

Submit the "Thank You For Attending" email to obtain credit

Andrew Gluck: The class today is eligible for CE credit, and that’s great because CFPs normally … This is, I think, the first time that we’re getting you CE credit for a compliance webinar. So, that’s a new thing. Congratulations to all of you, and to the CFP Board for having the good sense to do that. That is something that I’ve, for years, said should be done, because what they’ve done is made technology something that you can get credit for. That’s a really good thing. So, teaching you about compliance, not just about financial planning, is something that we can now let you get credit for.


Cathy Vasilev

Founding Member,

Chief Operating Officer,

Senior Vice President

Red Oak Compliance Solutions

512-796-3299

www.redoak.com

Founding Member, Chief Operating Officer and Senior Vice President of Red Oak Compliance Solutions, which advises 400 RIAs on regulatory compliance

More than 25 years of compliance and supervisory expertise in independent broker-dealers, wire-house broker/dealers, and RIAs

Served as the Assistant Vice President of Supervisory Systems and Controls at NFP Securities, an independent broker/dealer, and RIA

Former Associate Manager for Prudential where she supervised 75 representatives, performing all compliance functions for the branch

Began her career as a stockbroker for Salomon Smith Barney and later moved to compliance and operations

Holds a Masters of Business Management degree

Member of the Association of Compliance Professionals; a member of the National Society of Compliance Professionals; a member of Compliance and AML Professionals; and has FINRA Series 7, 24, 26, 63 and Life and Health licenses

Andrew Gluck: Now, let me tell you about Cathy Vasilev. Cathy and I have been talking now for several months, and she’s really impressed me as being earnest, sincere and knowledgeable. And so, we’ve got this partnership. She supervises, compliance-wise, 400 RIAs, and she has spent 25 years in compliance. A4A members will come to know Red Oak and get easy access to compliance services for RIAs on A4A through Red Oak's compliance platform. The Red Oak team is also reviewing content for clients of Advisor Products, which makes a platform with FINRA reviewed client education content.


Compliance for RIAs in 2020

Cathy Vasilev

Red Oak Compliance Solutions

Andrew Gluck: She worked at large broker-dealers, independent broker-dealers, so she really knows the rules. She’s got experience. I did something on Reg BI a few weeks ago with her. She’s immersed in it. She’s doing it all day. Cathy’s in Austin, and like I said, she’s been a delight.

Back to Slide 1: A4A Webinar Series – Tuesday, July 28, 2020

Andrew Gluck: We forged a partnership that’s going to give A4A members a discount on compliance services. Let me know if you’re interested in that. You get that as a membership benefit with A4A. So, you get this content, but she can also work with you, and we’re enabling that. Trying to make A4A as practical as possible for you, just like we’re doing with the behavioral finance app.

Without further ado, let me get out of the way. Cathy, thank you so much for doing this, and for working with me over the last few months to get this off the ground. Thank you so much. Welcome.

Cathy Vasilev: Well, thank you, Andy. That was a wonderful introduction. And thank you, everyone, for attending today. We are going to talk about my favorite topic, which is compliance. And I know that compliance is not something that’s a taste for everybody’s palate, but it is something that I’m very passionate about and I love a great deal.

AGENDA

Reg BI / Form CRS

Cybersecurity

Fee Calculations

Cash Management

Outside Brokerage Accounts

Personal Trading

Complaints


Cathy Vasilev: So, we’re going to talk a little bit about Reg BI and the new Form CRS, touch on cybersecurity, your fee calculations, your cash management, what you need to do for outside brokerage accounts and personal trading, and what happens if, God forbid, you get a complaint.

Compliance Mission

Compliance is a Culture, Not a Policy

Compliance tone set at the top and expected of everyone.

Compliance is everyone’s business.


Cathy Vasilev: There’s a mission statement in compliance. Compliance is a culture. It’s not just a policy, like everybody thinks. It’s not a policy and procedure manual. It’s not a compliance manual. The tone for compliance is set at the top of an organization, and it filters down and it’s expected of everyone. So, the key takeaway that I want everyone to get from this presentation is compliance is not just the job of the chief compliance officer. Compliance is everyone’s business. It’s everyone’s job. Everyone has to participate in order for it to be successful.

Reg BI / Form CRS

Reg BI is the new SEC Rule for broker dealers

Form CRS is a new SEC rule for advisers

These new rules do not impose any new requirements on investment advisers, but reaffirm that investment advisers owe a fiduciary duty to their clients under the Advisers Act. Investment advisers have fiduciary duties of care and loyalty, must serve the best interest of their clients and must not subordinate their clients’ interest to their own.

The adviser must also eliminate or make full and fair disclosure of all conflicts of interest which might cause the adviser to give advice that is not disinterested.


Cathy Vasilev: So, with that out of the way, let’s talk a little bit about Reg BI and Form CRS. I’m sure most of you have heard that Reg BI is the new SEC rule for broker-dealers. And the Form CRS is the new SEC rule for advisors. Broker-dealers get to abide by both Reg BI and Form CRS. Advisors are lucky. They only have to do Form CRS. These new rules do not impose any new requirements on investment advisors, but the SEC did reaffirm that investment advisors still owe a fiduciary duty to their clients under the Advisers Act. That has not changed. You must serve in the best interest of your clients, and not subordinate your clients’ interest to your own. You also have to make sure that you make full and fair disclosure of all conflicts of interest that you give. So, investment advisors just have to live with Form CRS.

Form CRS Continued

Adviser must deliver an initial Form CRS to each new or prospective customer who is a retail investor before or at the time of entering into an investment advisory contract.

Adviser must deliver an updated Form CRS to an existing client before or at the time of:

Opening a new account that is different from retail investor’s existing account(s); or

Recommending that the retail investor roll over assets from a retirement account into a new or existing account or investment; or

Recommending or providing a new advisory service or investment that does not necessarily involve the opening of a new account and would not be in an existing account;

Dual registrants are required to deliver a Form CRS at the earlier of the requirements for investment advisers or broker-dealers.


Cathy Vasilev: Form CRS has lots of information in it, and you have to deliver a Form CRS to each new or prospective retail investor before or at the time that you enter into an investment advisory contract with them. You also have to make sure that you deliver an updated Form CRS to an existing client before or at the time of opening a new account that’s different than what the current existing client’s accounts are.

Recommending that a retail investor roll over assets from a retirement account into a new or an existing investment account. That also includes rolling over assets from, say, an existing broker-dealer account into an investment advisory account. It also includes rolling over assets from one type of an investment advisory account into a different type of investment advisory account. And that’s all under recommending or providing a new advisory service or investment that doesn’t necessarily involve opening a new account. It wouldn’t be an update to an existing account. This is more along the lines of, perhaps, selling someone an alternative investment, giving them advice on maybe a 529 plan, anything that involves you doing something outside the firm.

If anyone on this call is a dual registrant, you’re required to deliver a Form CRS at either the earlier of the requirements of the investment advisor or the broker-dealer. And I can tell you, the earlier requirement is the broker-dealer requirement for sure, because the broker-dealer requirement is you must provide the form before or at the time that you provide a recommendation.

Advisor Duty of Care

The Adviser duty of care comprises three components:

§  The duty to provide advice in the best interest of clients;

§  The duty to seek best execution of client transactions; and

§  The duty to provide advice and monitoring over the course of the advisory relationship.

The duty applies to all investment advice, including advice about retirement plan rollovers, advice regarding investment strategy, advice to engage a subadvisor and advice about account type (commission-based or fee-based).

Cathy Vasilev: The advisor has a duty of care. That duty of care comprises three components. You have to make sure that you provide advice that’s in the best interest of your clients. And understand that broker-dealers now will be able to say that their registered reps are also providing advice that’s in the best interest of their clients, so it’s going to be important that you educate your clients on what the difference actually is between a broker-dealer account and how they get paid, and an investment advisory account and how you’re paid.

You have a duty to seek best execution for your clients’ transactions. Remember, best execution is not necessarily the lowest price. It’s whatever you deem, after doing your research, is appropriate given the level of customer service, the level of products and services that are offered through the custodian that you determine to use.

And you have a duty to provide advice and monitoring over the course of the advisory relationship. Again, this is a key difference between investment advisors and broker-dealers. Broker-dealers tend to not monitor over the course of a relationship. They are much more transactional based. Whereas, as an advisory service, you’re going to provide ongoing monitoring of the clients’ accounts, quite often having discretion over them and trading them as you see fit. This duty applies to all investment advice, including advice about retirement plan rollovers, advice regarding investment strategy, advice on whether to engage a subadvisor or a third-party money manager, and about what type of account they should eventually open, whether it’s commission-based or fee-based.

Disclosures

Investment advisers must eliminate or expose through full and fair disclosure all conflicts which might cause them to render advice that is not disinterested.

Disclosures must be sufficiently specific so that clients can understand material facts or conflicts of interest and make informed decisions regarding consent.

Investment advisers are not required to make affirmative determinations that clients understood the disclosure and that the client’s consent to the conflict was informed. Nor must disclosures be in writing.

SEC has cautioned that some conflicts may be incapable of full and fair disclosure and consent. In those cases, conflict elimination or mitigation is required.


Cathy Vasilev: Investment advisors are also required to disclose all pertinent information to a client that they need in order to make an informed decision about whether to use you as an advisor or whether to actually pick the model portfolio or the strategy that you’re recommending. So, investment advisors have to eliminate or expose their disclosures and all of their conflicts of interest so that you can render advice as impartial as possible. Disclosures have to be sufficiently specific so that clients can understand what the material facts are, what the conflicts of interest are, so, again, they can make informed decisions. And, investment advisors, you’re not required to get in writing that clients understand all of these disclosures and what they mean. You are just required to make sure that you notify clients of this.

And again, all of this is information that, if you are an SEC-registered investment advisor, you are going to enclose in your Form CRS. If you are a state-registered investment advisor, you are currently not required to do the Form CRS. However, once they do make changes to the CRD system, where all these updates are made for the state regulators, they do anticipate many of the state regulators coming on board with this, because most of the state regulators have adopted by law anything that the SEC does. The SEC wants to make sure that you understand that some conflicts of interest just can’t be mitigated, and so those you need to eliminate.

Similar Requirements

While placing both BD and RIA firms under similar requirements, there will still be two separate sets of regulations that govern dealings with members of the public. In addition, firms that are dually registered will need to disclose the “hat” they are wearing in the offering of any given product or service, and will be required to follow whichever set of regulations that would be applicable.


Cathy Vasilev: While the requirements now for broker-dealers and RIAs are very similar, there’s still two very separate and distinct sets of regulations that are governing how you deal with the public. And firms that are dually registered, they’re going to need even more so than before to disclose what hat they’re wearing when they’re offering any type of a product or service, so that clients can have full disclosure over whether you’re acting as an investment advisor or as a broker-dealer. I can tell you, if you don’t do that, that there will be enforcement actions and there will be complaints filed by clients where there will be litigation, because people are going to say that they were confused.

Cybersecurity

Communication tools present challenges when used for business purposes

Keep passwords and accounts secure and do not share them with anyone.

Authorized users are responsible for the security of their passwords and accounts.

Need to properly safeguard non-public client information and other business information (“confidential information”)

Confidential information may be at risk for a security breach if:

§   Device is lost or stolen

§   Messages are not encrypted

§   Computers are not password-protected to prevent unauthorized access

Other devices must be encrypted and password-protected according to Firm standards


Cathy Vasilev: Let’s talk a little bit about cybersecurity. Currently, in the COVID pandemic, cybersecurity is a very big deal. I’m sure many of you saw that Garmin got hacked just in the last week. They were down for days. They’re still not completely up yet. And it’s a cybersecurity breach for them. So, cybersecurity is a big deal, no matter how small and no matter how large. Because the reality is, if I’m a hacker and I want to get to, say, one of the big custodians, Schwab or TD, I’m going to pick a small advisor and I’m going to try to hack into them so that then I can try to get into a backdoor to Schwab or TD. So, don’t make the mistake of thinking you’re too small a fish for a hacker to actually deal with. This is not true at all.

So, communication tools, they always present challenges when you use them for business purposes. So, your cell phone, your iPad, all of your different tablets, all of those present very specific challenges when you’re dealing with cybersecurity when you’re using them for business purposes. You want to make sure that you keep passwords and accounts secure and you do not share them with anyone. Authorized users are responsible for the security of their passwords and accounts, so you don’t share it with friends, you don’t share it with your significant others, you don’t share it with anyone.

And you need to make sure that you have all the safeguards in place so that any nonpublic client information or other business information does not get out. The most embarrassing thing for an advisor to go through is finding out that they have been hacked and their clients’ information has been compromised. And now you have to explain that to your clients. Very painful process. This confidential information can be at risk of a security breach if your device is lost or stolen. So, if something is lost or stolen, you want to make sure that you have some way that you can send a code or a signal or a something, so that it wipes your confidential information off. You need to make sure that any of your tablets and phones and things have passwords on them, so at least there’s a layer of protection that someone who’s stolen it has to get through.

If your messages aren’t encrypted, again, encryption is a wonderful thing. And anytime that you do not have anything that’s password protected, so, again, tablets, cell phones, computers, all need to be password protected. If at all possible, if you can use different systems, like Office 365 and those types of things, that have dual-factor authentication, those are much harder to get into. Even if they’re stolen, they’re much harder to get into. So, again, just make sure you’ve got nice, strong passwords, and that you use them every time you can on everything. And if you have numerous passwords for numerous different places, it’s a good idea to have a password manager so that you don’t have to remember all of them, because if you’ve got nice, strong passwords, they are long.

More Cyber

All computers, laptops and workstations should be secured with a password protected screen saver with the automatic activation feature set at 15 minutes or less, or by logging-off when the host will be unattended.

To help maintain the security and confidentiality of clients' information in the electronic age:

§   Hide Wi-Fi networks

§   Securely send information via email (i.e. password protecting documents, encryption, etc.)

§   Using password managers or programs to store confidential passwords

§   Electronic tracking programs for lost mobile computing equipment


Cathy Vasilev: You should make sure that you set your screen savers so that they go blank after, at most, 15 minutes. I personally prefer five minutes, but no more than 15 minutes. Or make sure you and everyone in your office logs off before you leave something unattended, because you don’t want to leave the screen up where the cleaning people could see it. Or if you have a client that comes into the office, assuming the pandemic someday ends, that they can’t see that, as well.

You want to hide your Wi-Fi networks. When you send out emails, you want to make sure that you, at a minimum, password protect documents that have confidential information in them. Encryption is better, but for smaller offices that don’t have encryption, just password protect the documents. And you should always send the password to the document in a different email, not in the same email where you’re sending the document. Again, use password managers or programs to help you store your confidential passwords.

And there are tracking programs that can help you try to find information about any of your lost cell phones. So, if you lose your cell phone, there are electronic tracking programs to help you find it, especially on iPhones. Those are very good at it. And a lot of times, if the phone has not been turned off, they can actually wipe it for you if you get to them fast enough.

Risks

Top Threats Include:

§   Hackers Penetrating Firm Systems

§   Insiders Compromising Firm or Client Data

§   Operational Risks

Two Kinds of Firms:

§   Those that have been Hacked and Know It

§   Those who have been Hacked and Don’t Know It

Most Common Way to Hack Your System:

§   Spear Phishing

§   User Clicks Email and then Attachment

§   Malware Now Enabled

Cathy Vasilev: So, risks for cyber. Your top threats are hackers penetrating your system, insiders who work for you compromising the firm or the client data, and then there are operational risks. There are basically two kinds of firms that are in this universe, those who have been hacked and know it, and those who have been hacked and don’t know it yet. I know of a firm that was hacked and they did not find out about it for seven weeks. In seven weeks there was an unbelievable amount of damage done to them, and it cost them millions of dollars to fix it.

The most common way that hackers use to hack your system is spear phishing. That’s where you get an email and they want you to either click somewhere in the email or click on an attachment. Once you do that, the malware is now enabled and they are in your system ready to do business.

Weakest Link

YOU

Clicking on Emails and Attachments

Sending Unprotected Data to Clients

Client Data in Wrong Hands is:

Used to Perpetrate Fraud

Sold to Perpetrate Fraud

Wire Fraud

Request to transfer funds will come from customer’s actual email address or one nearly identical. Request will be to wire funds to a third party.

Requestor may state that they can’t answer phone due to meetings. Reason for wire will often be an emergency.

Cathy Vasilev: So, the weakest links when it comes to cyber. The number one weakest link for cybersecurity is you. It is us human beings, because we are the ones who are going to click the link in the email that looks very, very realistic. Or we click on the attachment to open it, to try to determine whether it’s something that we want, that’s really something for us to do or not. We are also the ones who send clients’ data to them unprotected, and we can’t do that. That’s very dangerous because when client data falls into the wrong hands it’s going to be used to perpetrate fraud. It’s going to be sold to perpetrate fraud. They’re going to try to get wires that are fraudulent.

I can’t tell you how many advisors I know who have actually sent out wires because customers have requested transfers and have requested wire transfers. And it comes from the client’s actual email address or one that’s so close to it that it’s hard not to mistake it for real, and they request that the wire go to a third party. And usually, these emails will state that there’s some type of an emergency, that they can’t answer their phone right now. Oftentimes, they say they’re at a funeral. There’s a reason why they can’t talk to you. But do not ever initiate any wire transfers without actually physically talking to a client, because while it is inconvenient to call your client in advance and make them verify that they sent an email, it is much harder to tell a client that you have wired their money to somebody else and it’s now gone.

Phishing

Social engineering or “phishing” attacks are one of the most common cybersecurity threats

Phishing attacks may take a variety of forms, but all of them try to convince the recipient to provide information or take an action.

Some phishing emails are researched and carefully customized to reach one or more selected individuals (e.g., an individual who is likely to have administrator privileges, or senior personnel).

Cathy Vasilev: Phishing is another form of—they call it social engineering—the most common cybersecurity threats. It can take a lot of forms, but most of them are trying to convince the recipient to either provide information or take an action. Some phishing emails are very researched and carefully customized to go to one or more people so that they really look like they’re legitimate. I get about 20 of these a week. Some of them come from Microsoft or QuickBooks, saying that I owe somebody money or I need to do something to my account.

One that’s going around quite virally right now is one where they pretend to be one of the owners of the company, and they’re asking you to help them out because they want to do something nice for everybody because of the pandemic and everything that’s going on, so could they please go out and buy x dollar amount of gift cards secretly, so that he can surprise the staff with them. It’s not real [laughs]. It’s never real. I’ve had emails from potential clients saying that they need me to pay some amount of money, and they’re not real clients. And somehow, they’re really, really good at figuring out when people are out of the office, and that’s generally the person’s email that it comes from. And it’s not their real email. It just looks like it is.

Phishing Continued

In a phishing event, the attackers try to disguise themselves as a trustworthy entity or individual via email, instant message, phone call or other communication, where they request PII (such as Social Security numbers, usernames or passwords), direct the recipient to click on a malicious link or open an infected attachment or application, or attempt to initiate a fraudulent wire transfer. Such “phishes” can appear to come from a variety of sources.

Cathy Vasilev: The attackers try to disguise themselves as someone who’s trustworthy. Again, they’ll try to pick an owner of the company usually. They may have more information than you expect they do, and you can’t figure out why. And they always want you to click on something, to open something. Some of these are in the form of trying to get money out of you, and sometimes all they want is access to your email. And so, they will go into your email, they’ll take control of it, and they will start sending out emails to everyone in your contact list, trying to get them to click on it as well.

Things to Look At

Some things to look at in emails:

Discrepancy between the name and email address or “reply to” address of the sender

New individual with whom you do not regularly correspond, such as IT manager, senior manager or CEO of the organization

Generic Salutations

Unexpected timing, type or style of communication from a known sender, such as a friend, co-worker or boss

Cathy Vasilev: Some things to look at in emails when you get them. Generally, there’s a discrepancy between the name and the email address. Again, it can be something as simple as a period between the first and last name that you don’t expect, but they always name that email address name as the person they’re impersonating. Sometimes it’s some new person that you don’t regularly correspond with. They usually have very generic salutations. There’s an unexpected timing or a type or a style of communication, so while it looks like it came from that individual, quite often the style of their writing, the words that they use, they’re not familiar. So, if you’re in a hurry and don’t really pay attention to it, it would be easy to miss it.

More

Problems with grammar or spelling, including subtle character substitutions, such as 0 (zero) in place of O (the letter O), or 1 (the digit one) in place of l (lower-case letter L)

Request for highly sensitive information, such as customer account lists, Social Security numbers, credit card numbers, user names or passwords

Sense of urgency with a request to access links or attachments, provide personal information or initiate a transaction

Cathy Vasilev: Sometimes there are problems with grammar or spelling. Sometimes they’ll use a zero in place of an “O.” I have seen some where in the date they will not use the Americanized version of dates. They will use the European version of dates. So, even though they’re trying to look like they’re coming from the U.S., you can tell it’s really international because of their date. There’s always a request for highly sensitive information, and there’s always a sense of urgency that’s attached to these.

More

Content that is designed to induce an emotional reaction in the recipient, such as political messages, personal attacks or untrue accusations

Discrepancy between the written address of a link and its true destination (determined by hovering over the link)

Suspicious URL patterns where the name of the intended web site appears anywhere other than at the very beginning of the URL

Upon visiting the site, a message that indicates a problem with the “certificate”.

Cathy Vasilev: The content is always designed to try to induce some type of an emotional reaction. There’s usually a discrepancy between the written address of the link and its true destination. You usually can only tell this by hovering over the link. So, the link may say, “Microsoft Office,” but if you hover over it, it is some conglomerate of a very long email string that has nothing to do with Microsoft Office. There can be suspicious URL patterns where the name of the intended website appears anywhere other than at the very beginning of the URL. And if you try looking at the site that’s listed in the URL, there’s usually a message that indicates that there’s a problem with the certificate. That means stay away.
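The indicators on the last three slides can be checked mechanically before anyone clicks. The following is an added example, not part of the presentation or Red Oak's material: Python heuristics for a Reply-To that does not match From, the 0-for-O and 1-for-l substitutions, link text that differs from the real destination, and a trusted site name that appears somewhere other than as the actual host. The sample message, the domain example.com and all function names are constructed for illustration.

```python
import re
from email.utils import parseaddr
from urllib.parse import urlparse

_HOMOGLYPHS = str.maketrans({"0": "o", "1": "l"})  # the 0-for-O and 1-for-l swaps on the slide
_ANCHOR = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)

def _domain(addr_hdr):
    """Lower-cased domain of a header such as 'Jane Doe <jane@example.com>'."""
    return parseaddr(addr_hdr or "")[1].rpartition("@")[2].lower()

def _host(url):
    """Hostname of a URL or bare domain, lower-cased (scheme added if missing)."""
    return (urlparse(url if "://" in url else "http://" + url).hostname or "").lower()

def reply_to_mismatch(from_hdr, reply_to_hdr):
    """Reply-To names a different domain than From, so replies go elsewhere."""
    reply = _domain(reply_to_hdr)
    return bool(reply) and reply != _domain(from_hdr)

def lookalike_domain(domain, trusted):
    """Domain matches the trusted one only after undoing digit-for-letter swaps."""
    domain, trusted = domain.lower(), trusted.lower()
    return domain != trusted and domain.translate(_HOMOGLYPHS) == trusted

def brand_misplaced(url, brand):
    """Brand appears in the URL but is not the registrable domain; 'example.com.evil.example'
    starts with the brand yet is not example.com, so the test is on the host's suffix."""
    host, brand = _host(url), brand.lower()
    return not (host == brand or host.endswith("." + brand)) and brand in url.lower()

def link_text_mismatch(html):
    """(shown text, href) pairs whose visible address is not the real destination."""
    hits = []
    for href, text in _ANCHOR.findall(html):
        shown = re.sub(r"<[^>]+>", "", text).strip()
        if re.fullmatch(r"(https?://)?[\w.-]+\.\w+(/\S*)?", shown) and _host(shown) != _host(href):
            hits.append((shown, href))
    return hits

def phish_indicators(msg, trusted):
    """Names of the slide indicators that fire for a message given as a dict."""
    links = _ANCHOR.findall(msg["html"])
    checks = [("Reply-To domain differs from From", reply_to_mismatch(msg["from"], msg.get("reply-to"))),
              ("sender domain is a 0/O or 1/l look-alike", lookalike_domain(_domain(msg["from"]), trusted)),
              ("link text is not the real destination", bool(link_text_mismatch(msg["html"]))),
              (f"{trusted} appears inside another host", any(brand_misplaced(h, trusted) for h, _ in links))]
    return [name for name, fired in checks if fired]

# Constructed sample message (not a real email); every check above fires on it.
SAMPLE = {"from": "Jane Doe <jane.doe@examp1e.com>",
          "reply-to": "jane.doe@mail-relay.example.net",
          "html": '<p>Urgent: <a href="http://example.com.login.example.net/">example.com</a></p>'}
```

These heuristics flag candidates for the phone call the presenter recommends; they do not replace it, and a clean result is not proof that a message is genuine.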

Process

Perpetrator obtains access to information through malware or a phishing scheme

LOAs are used against the client

Mules often completely unaware of scheme

Advisors want to be perceived as easy to work with

Single, most effective step is phone call!

When fraud attempt is discovered, action should be taken internally first
