BOCA RATON, Fla. – After the widely publicized Equifax hack, clients are asking prickly questions about data security, and advisors are taking those concerns to their regional broker-dealers.
As attacks have become increasingly prevalent at wealth management firms, clients are taking notice, said Raymond James’ Chief Information Security Officer Andy Zolper in an interview at Raymond James' Wealth Manager Conference earlier this month. The Equifax hack has only heightened their concern.
“Over the last couple of years, the attackers have gotten more patient and more sophisticated,” Zolper said.
THE EQUIFAX QUESTION
Zolper suggests practical advice and a lot of reassurance when talking to clients about Equifax. Remind clients to check with the credit bureau to determine whether they were affected and to ask about credit monitoring options, he said.
Clients should also consider placing a freeze on any lines of credit that could have been impacted. All three major credit bureaus will have to be contacted, he said.
Equifax's data breach may be the most serious, given that it covered 143 million consumers and involved reams of confidential information, but it wasn't the largest.
Lastly, help clients flag any unusual items on their credit reports, and inform financial institutions right away.
FIRST LINE OF DEFENSE
Email filtering is the first step toward preventing fraud and other phishing attempts, Zolper said, especially for RIAs that choose to host their own email servers separate from Raymond James’ platform.
While advisors are becoming savvier about such attacks, Raymond James still receives thousands of malicious emails. The firm scans all emails on its platform and discards 2.5 million per day. While not all of those are attacks, almost eight in 10 messages received are rejected, according to Raymond James.
Once they gain access, hackers now comb through months and months of correspondence to learn about the advisor-client relationship, he said.
“Hackers’ greatest skills are as social engineers,” Zolper said, adding that they will read all the old emails in an account to build context into their scheme. “They’ll say, ‘It was great playing golf with you three weeks ago,’ and the advisor really did play golf with the client, and the bad guys know that.”
Be aware of one major red flag. Scammers are aware that advisors must verify wire-request emails with a quick call to clients, and will have an excuse ready explaining why they're not available to speak over the phone.
WHAT TO WATCH OUT FOR
Beyond email hacking, ransomware is now the number 1 attack on firms, Zolper said. Once it has infiltrated a system, ransomware encrypts the data, which can then only be accessed with a password. The hackers require the victim to pay with a form of cryptocurrency to release the data.
“For millennia, criminals have used extortion schemes,” Zolper said, adding that clients should regularly back up all critical documentation.
Another essential is two-factor authentication — a password that requires an additional form of verification when clients sign in to an account for the first time — especially to protect against email attacks, Zolper said.