Keeping Swindlers Out of Your Bank and Brokerage Accounts
Originally published in The New York Times on February 7, 2014
By: Paul Sullivan
Data breaches at Target and Neiman Marcus were certainly scary. Personal information from tens of millions of people fell into the hands of cybercriminals.
But an equally threatening and perhaps more personal attack is a hacker getting into your email and then using it to take money from your bank and brokerage accounts.
It is a problem that is increasing at all wealth levels, from individuals with small investment accounts to family offices that serve the wealthiest clients. Naureen Hassan, senior vice president of client experience at Charles Schwab, which is the largest custodian of independent advisers in the country, said the firm had seen a fivefold increase in email-related fraud over the last two years.
“The biggest type of fraud we see is the fraudster takes over the person’s email, and emails the adviser asking for urgent money,” Ms. Hassan said. “The other problem is related to clients storing signed pieces of paper in their email, which allows fraudsters to forge their signature.”
One of the better-known cases involved a client of GW & Wade, a Focus Financial Partners firm in Wellesley, Mass., that manages about $4 billion. The firm, which settled in October with the Securities and Exchange Commission, sent $290,000 of a client’s money in three separate wires to a foreign bank, in response to a hacker sending emails from the client’s account requesting the transfers.
The S.E.C. accused GW & Wade of not having adequate safeguards to prevent the thefts and fined it $250,000 for executing the transfers. In its censure of the firm, the agency required it to take remedial steps to increase data security.
“When alerted to the situation, we took immediate action and ensured our client was never at financial risk,” Neil Goldberg, a principal of the firm, said in a statement. “Since then, we have put into place both new systems and procedures to prevent any similar occurrence.”
While GW & Wade ended up being penalized financially and took a reputational hit, its mistake served as a warning to other independent advisers eager to respond to client requests.
A client of a Boston adviser said that he and his wife were traveling in Asia in the fall when their account was hacked and emails were sent to everyone at the adviser’s firm who had ever emailed him, asking for a wire transfer.
He said the adviser tried to contact him, unsuccessfully, and then reached out to his son to let him know what was happening.
“They read my emails, and they mimicked my tone for requests for money,” said the man, a retired financial services executive who requested anonymity. “The whole system appeared to be more sophisticated than these notes from Nigeria.”
The Nigerian prince email swindle, in which a supposed royal offers riches in exchange for a bank account number, is to today’s phishing scams what a Brother word processor from the 1980s is to a MacBook.
A security executive at a trust company told of a hacker who got creative in trying to fool the firm. The executive, who requested anonymity, said the firm received an email from a client’s account asking that $137,000 be wired to Italy to buy some art. He said this client was part of a large family that traveled frequently, so the request was not odd on its face. But he said the family had put a procedure in place in which no wires went out without a call being made to the person requesting the money.
The executive said clients can be frustrated by this level of bureaucracy, until someone they know gets hacked. “Once it’s happened to one of their family members,” he said, “it’s amazing how they’re much more accommodating.”
This is where the solution to a sophisticated swindle can sometimes be the simple action most people would take if a stranger knocked on their door at night: They would not answer it.
“I called my wealth manager and said, ‘If I emailed you to wire $25,000 to a third party or someone with the same last name as me, what do you do?’ ” said Ken Springer, a former F.B.I. agent who is now president of Corporate Resolutions, an investigations firm. “He said they would want to get a verbal confirmation, and they’ll document what phone number I used. Most reputable firms require that.”
It wouldn’t hurt to ask the same question of your wealth manager. Where some advisers slip up, though, is in thinking they have received several levels of verification when they have not.
“An email with an attached, signed letter is not enough because it’s all the same communication,” said Jeffrey R. Bedser, founder and chief executive of iThreat Cyber Group. “That’s not two forms, that’s one communication. There should always be a secondary verification.”
Beyond employing offline common sense, individuals need to be vigilant about how they use technology, and about the systems their advisers have in place to prevent accounts from being hacked or, if they are hacked, to keep the money from being transferred.
A common area where security breaches occur is an unsecured public wireless network, say in a coffee shop or park. People who commit fraud set up fake hot spots that still give you access to the Internet but route everything you do through the swindler’s computer, where it can be captured.
Another mistake is using your email address as your login for any banking or investment account. “You’re giving hackers half the battle,” said Bill Wyman, chief executive of Summitas, a firm that builds encrypted communications portals for financial services companies.
Yet while technology can secure data both on computers and in transit, Mr. Wyman said, it is limited by what clients will tolerate. “It’s balancing ease of use with security,” he said. “Some clients will say ‘I don’t care,’ and have liberal agreements. Some are very strict and have no leeway.”
Ms. Hassan said that Schwab was completely revamping how its advisers wired money for clients. The system currently asks them if they talked to their clients before allowing a wire transfer to go through.
The new policy will require clients to confirm any wire transfers from their accounts. If Schwab does not recognize a client’s computer or if it has an unusual Internet Protocol address, she said, the new system calls the client with a code to complete the transaction.
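As an added illustration that is not part of the article or any firm’s actual system, the approval rules described above (an emailed signed letter counts as the same communication as the email, a call back to the number of record, and a code delivered by phone when the client’s device or Internet address is unfamiliar) expressed as a small Python policy; the client records, channel names and sample requests are constructed assumptions.

```python
from dataclasses import dataclass, field


@dataclass
class WireRequest:
    client_id: str
    amount: float
    destination: str
    channels: set = field(default_factory=set)  # e.g. {"email", "email_attachment"}
    device_known: bool = False  # firm recognises the client's computer
    ip_usual: bool = False      # source IP address is typical for this client


# Constructed client file (assumption). The phone number of record is the only
# number the firm ever calls back on; a number supplied in the request is ignored.
CLIENTS = {
    "c-1001": {"phone_of_record": "+1-555-0100",
               "known_destinations": {"ACME-BANK-1234"}},
}


def independent_channels(channels):
    """Collapse an emailed attachment into the email itself: it is one communication."""
    merged = set(channels)
    if "email_attachment" in merged:
        merged.discard("email_attachment")
        merged.add("email")
    return merged


def decide(req, callback_confirmed=False, code_sent=None, code_entered=None):
    """Return (action, reason). 'callback' means: phone the number of record."""
    client = CLIENTS[req.client_id]
    phone = client["phone_of_record"]
    # A single communication, however many attachments, never releases funds.
    if len(independent_channels(req.channels)) < 2 and not callback_confirmed:
        return "callback", "single communication; confirm at " + phone
    # Money going somewhere new gets the same out-of-band confirmation.
    if req.destination not in client["known_destinations"] and not callback_confirmed:
        return "callback", "new destination; confirm at " + phone
    # Unfamiliar device or address: a code is delivered by phone and must match.
    if not (req.device_known and req.ip_usual):
        if code_sent is None or code_entered != code_sent:
            return "callback", "unrecognised device or IP; deliver a code at " + phone
    return "approve", "verified"
```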
“We thought there would be a barrier to this, but advisers are looking for help,” Ms. Hassan said.
While the hacking of Target and Neiman Marcus data has drawn a lot of attention to the issue, advisers say a money management firm without enough checks and balances is a more common risk for wealthy people.
Todd Kesterson, director of family office services at the accounting firm Rothstein Kass and former chief financial officer for a family office, pointed to the case of Paul Fireman, the founder of Reebok, whose money manager stole $25 million from him — even though he had paid the manager a high-six-figure salary, plus bonuses, for over 20 years.
“If it’s a couple of employees who are doing all the movement of family money,” Mr. Kesterson said, “you need to have reviews done to tighten up internal controls.”
He said that at his firm, no fewer than four people have to see every invoice before it is paid. And if a request comes in to transfer money to a new vendor or account, the scrutiny is even greater.
The risk of an inside job is not confined to the wealthiest. Mr. Springer of Corporate Resolutions said he was recently called by a small broker-dealer that suspected one of its employees had been moving money out of an account. He had — by wiring $25,000 10 times in three months to a friend with the same last name as a client. While the employee was caught and fired, Mr. Springer said the firm chose to remain silent for fear of damaging its reputation.
That desire for anonymity may be understandable, but it is keeping people from knowing more about how these networks are working.
For individuals, the best hope is due diligence before fraud can occur. “At the end of the day, it’s about being proactive,” Mr. Bedser of iThreat Cyber Group said. “Choose banking and financial partners that have a more secure process that you’re comfortable with. Do more monitoring yourself.”