Jim O’Hara, CISM, CISSP, CEH, Information Security Officer
March 10, 1876. Alexander Graham Bell’s Boston laboratory.
“Mr. Watson, come here – I want to see you. I think someone just looted my brokerage account.”
Okay. Those may not have been the exact words spoken over the first useful telephonic device. But similar words are spoken on any given day in the modern world.
In the early 2000s, hackers and fraudsters preyed upon a burgeoning digital world. As financial institutions rushed to establish an online presence, cyber security controls were often overlooked, inadequate, and sometimes nonexistent. Regulatory bodies were slow to adjust to the new playing field as well, and firms could quite literally put their clients at risk without violating written regulations.
After a few hard lessons, smart financials became extremely focused on security, and the regulators followed suit, updating compliance requirements to counter the threats inherent in the brave new digital world. The SEC was no longer telling firms to “exercise responsibility in protecting client data.” They were now saying “deploy and maintain a stateful inspection firewall.” Seeking compliance, firms tossed out the security appliance purchased at the local office superstore and installed second-generation firewalls and network intrusion prevention systems. They hired information security professionals who established security departments and put in place comprehensive technical controls and written policies. Game on.
Hackers and fraudsters soon discovered that their old tools and methods were no longer effective. It had suddenly become much more difficult to compromise the now security-savvy financial firms. What to do?
If you can’t pick the lock, steal the key. Criminal focus shifted from defeating the security systems protecting valuable data to compromising the individuals who had direct access to it. Credential theft became the hack-du-jour, and remains so to this day, in the fraudsters’ all-time favorite flavor: email phishing.
The most effective use of phishing as a fraud tool follows this simple 3-step process:
- Phish the investor. Typically this takes the form of an email masquerading as the victim’s email provider. The investor is asked to follow a link and validate their credentials. The linked site is usually very convincing, complete with the email provider’s current branding. The victim dutifully enters their username and password and is told “Thank you. Your account is secure.”
- Using the stolen credentials, the fraudster logs into the investor’s email account and reviews its contents. They watch and wait. They learn who is managing the investor’s money, how they communicate, and in some cases, they may even see prior communications related to a distribution.
- When the timing is right, usually around the holidays or a weekend, the fraudster jumps into an existing email message thread. They talk about how long it’s been since they’ve spoken, ask how Jenny is doing at Cornell, and then... instruct the financial advisor to perform a distribution to a newly established bank account. Usually it’s for a down payment on that dream vacation home; sometimes it’s to buy their spouse the classic convertible they’ve always wanted. A theme common to all the messages is that time is of the essence. The advisor needs to move the money quickly or the opportunity for the house or car will be missed.
Alexander Graham Bell’s invention then comes into play in one of two ways. Either the advisor calls their client and learns of the attempted fraud, or the client calls the advisor a week or two later and asks why their account is short. It’s the advisor who determines which call takes place.
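As an added example (not from the article or from Brinker Capital), the following Python screening rule expresses the control the paragraph above implies: a distribution request that arrives only by email and names a bank account the client has never used, or presses for speed, is held until the advisor reaches the client by phone at the number already on file. The request fields, client profile and sample messages are constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import date

# Phrases the article associates with the fraudster's "time is of the essence" theme.
URGENCY_TERMS = ("time is of the essence", "asap", "today", "before the weekend", "quickly")

@dataclass
class DistributionRequest:
    client_id: str
    channel: str          # "email", "phone" or "in_person"
    amount: float
    dest_account: str     # bank account the funds are to be sent to
    message: str
    received: date

@dataclass
class ClientProfile:
    client_id: str
    phone_on_file: str    # verified at onboarding; never taken from the incoming email
    known_accounts: set = field(default_factory=set)

def risk_flags(req: DistributionRequest, profile: ClientProfile) -> list:
    """Collect the indicators the article describes for a hijacked-thread request."""
    flags = []
    if req.channel == "email":
        flags.append("email-only request")
    if req.dest_account not in profile.known_accounts:
        flags.append("new destination account")
    if any(term in req.message.lower() for term in URGENCY_TERMS):
        flags.append("urgency language")
    if req.received.weekday() >= 5:            # Saturday or Sunday
        flags.append("weekend timing")
    return flags

def decide(req: DistributionRequest, profile: ClientProfile) -> tuple:
    """Hold an email-originated request to a new account, or one pushing for speed,
    until the advisor has spoken to the client on the number on file."""
    flags = risk_flags(req, profile)
    if "email-only request" in flags and (
        "new destination account" in flags or "urgency language" in flags
    ):
        return ("hold_for_callback", profile.phone_on_file, flags)
    return ("process", None, flags)

# Constructed sample: the vacation-home request from the article's third step.
CLIENT = ClientProfile("C-1001", "+1-555-0100", {"ACCT-KNOWN-1"})
HIJACKED = DistributionRequest("C-1001", "email", 150000.0, "ACCT-NEW-9",
    "Need this moved quickly for the down payment, time is of the essence!",
    date(2023, 12, 23))
```

Running `decide(HIJACKED, CLIENT)` returns a hold and the phone number to call; the same amount requested by phone to a known account is processed normally.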
The views expressed are those of Brinker Capital and are not intended as investment advice or recommendation. For informational purposes only. Brinker Capital, Inc., a registered investment advisor.