Take steps to protect your accounts from e-mail hackers

Originally published in The Boston Globe on February 16, 2014
By: Paul Sullivan
Data breaches at Target and Neiman Marcus were certainly scary. Personal information from tens of millions of people fell into the hands of cybercriminals.
But an equally threatening and perhaps more personal attack is a hacker getting into your e-mail and then using it to take money from your bank and brokerage accounts.

It is a problem that is increasing at all wealth levels. Naureen Hassan, senior vice president of client experience at Charles Schwab, said the firm had seen a fivefold increase in e-mail-related fraud over the past two years.
“The biggest type of fraud we see is [when] the fraudster takes over the person’s e-mail, and e-mails the adviser asking for urgent money,” Hassan said. “The other problem is related to clients storing signed pieces of paper in their e-mail, which allows fraudsters to forge their signature.”
One of the better-known cases involved a client of GW & Wade, a Focus Financial Partners firm in Wellesley, Mass. The firm, which settled in October with the Securities and Exchange Commission, sent $290,000 of a client’s money in three separate wires to a foreign bank, in response to a hacker sending e-mails from the client’s account requesting the transfers.
The SEC accused GW & Wade of not having adequate safeguards to prevent the thefts and fined it $250,000 for executing the transfers. In its censure of the firm, the agency required it to take remedial steps to increase data security.
“When alerted to the situation, we took immediate action and ensured our client was never at financial risk,” said Neil Goldberg, a principal of the firm. “Since then, we have put into place both new systems and procedures to prevent any similar occurrence.”
While GW & Wade ended up being penalized financially and took a reputation hit, its mistake served as a warning to other independent advisers eager to respond to client requests.
A security executive at a trust company told of a hacker who got creative. The executive, who requested anonymity, said the firm had received an e-mail from a client’s account asking that $137,000 be wired to Italy to buy some art. He said this client was part of a large family that traveled frequently, so the request was not odd on its face. But he said the family had a procedure in place in which no wires went out without a call being made to the person requesting the money.
The executive said clients could be frustrated by this level of bureaucracy, until someone they know gets hacked.
This is where the solution to a sophisticated swindle can sometimes be the simple action most people would take if a stranger knocked on their door at night: They wouldn’t answer.
“I called my wealth manager and said, ‘If I e-mailed you to wire $25,000 to a third party or someone with the same last name as me, what do you do?’ ” said Ken Springer, a former FBI agent who is now president of Corporate Resolutions, an investigations firm. “He said they would want to get a verbal confirmation, and they’ll document what phone number I used. Most reputable firms require that.”
A common area where security breaches occur is an unsecured public wireless network, say in a coffee shop. People who commit fraud set up fake hotspots that give you access to the Internet but capture, on their own computer, everything you do while connected.
Another mistake is using your e-mail address as your login for banking or investment accounts. “You’re giving hackers half the battle,” said Bill Wyman, chief executive of Summitas, a firm that builds encrypted communications portals for financial services companies.
Hassan said Schwab was completely revamping how its advisers wired money for clients. The new policy will require clients to confirm any wire transfers from their accounts.