It was a Monday afternoon. As the advisor sat across from me and told his story, I began to cringe.
The previous Friday, he’d received the call every RIA fears: a client had spotted a big withdrawal in her online account — one she hadn’t authorized. When the advisor was finally able to reach the clearing agent on Monday morning, he discovered that the client’s account had been plundered — to the tune of six figures!
“The scammer was really, really good, Kimberly,” the advisor told me. “Everything about the transfer request looked perfectly innocent, including the ‘cute’ way [she] always signs off on her emails. They impersonated her perfectly.”
The advisor later found that the online perpetrator had hacked his client’s computer and had been virtually stalking her for weeks, learning her patterns and style of communication and, most critically, eavesdropping on her interactions with her financial planner.
As a result, it was a simple matter for the hacker to spoof the victim’s email and provide a fake authorization to move $100,000 from her account to a “new” bank account she had supposedly set up. Naturally, the funds vanished from the account almost as soon as they posted.
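A concrete illustration of the first checks a practitioner runs on an emailed instruction like this one, added here as an example rather than code from the original article or from the advisor's firm: it reads the receiving mail server's Authentication-Results header (the SPF, DKIM and DMARC verdicts), looks for a Reply-To that quietly redirects the conversation to a different domain, and flags any request to send money to a new or changed account. The messages, addresses and domains are constructed for the example, and the phrase list is a hypothetical starting point. The second sample makes the important caveat visible: when the attacker sends from the client's own mailbox (possible once, as here, the client's computer has been compromised), every header check passes and only the wording rule fires, which is why a change of payment destination must be confirmed out of band and never by replying to the email.

```python
"""Triage checks for an emailed transfer instruction (added example; the
messages, addresses, domains and phrase list below are constructed)."""
import re
from email import message_from_string
from email.message import Message
from email.utils import parseaddr

# Hypothetical starting list: wording that should force a callback to a
# phone number already on file before any money moves.
NEW_DESTINATION_PATTERNS = [
    r"\bnew (bank )?account\b",
    r"\bupdated? (banking|wire|account) (details|instructions)\b",
    r"\bchanged? (the )?(bank|account)\b",
]


def auth_results(msg: Message) -> dict:
    """Extract spf=/dkim=/dmarc= verdicts from the Authentication-Results
    headers (RFC 8601) that the receiving mail server adds."""
    results = {}
    for header in msg.get_all("Authentication-Results", []):
        for method, verdict in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", header, re.I):
            results[method.lower()] = verdict.lower()
    return results


def plain_text(msg: Message) -> str:
    """Return the first text/plain body, decoded; '' if there is none."""
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True) or b""
            return payload.decode(part.get_content_charset() or "utf-8", "replace")
    return ""


def domain_of(addr: str) -> str:
    """Lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def triage_instruction_email(raw: str) -> list:
    """Return a list of red-flag findings for one raw RFC 5322 message.
    An empty list means no header or wording flags, which is not proof
    the request is genuine (see the compromised-mailbox sample)."""
    msg = message_from_string(raw)
    findings = []
    from_domain = domain_of(parseaddr(msg.get("From", ""))[1])

    # 1. Authenticity: a From: address forged by an outside sender will
    #    normally fail SPF/DKIM alignment and therefore DMARC.
    auth = auth_results(msg)
    if not auth:
        findings.append("no Authentication-Results header: sender authenticity unknown")
    for method in ("spf", "dkim", "dmarc"):
        if auth and auth.get(method, "none") != "pass":
            findings.append(f"{method} did not pass ({auth.get(method, 'none')})")

    # 2. A Reply-To on another domain diverts the advisor's reply to the attacker.
    reply_domain = domain_of(parseaddr(msg.get("Reply-To", ""))[1])
    if reply_domain and reply_domain != from_domain:
        findings.append(f"Reply-To domain {reply_domain} differs from From domain {from_domain}")

    # 3. Any change of where the money goes needs out-of-band confirmation.
    text = plain_text(msg)
    if any(re.search(p, text, re.I) for p in NEW_DESTINATION_PATTERNS):
        findings.append("requests payment to a new/changed account: confirm by callback to number on file")
    return findings


# Constructed sample: an outside sender forging the client's address.
SPOOFED = """From: Jane Client <jane@example.com>
Reply-To: Jane Client <jane@examp1e-mail.com>
To: advisor@example-ria.com
Subject: Transfer
Authentication-Results: mx.example-ria.com; spf=fail smtp.mailfrom=examp1e-mail.com; dkim=none; dmarc=fail header.from=example.com
Content-Type: text/plain; charset=utf-8

Hi! Please sell $100,000 and wire it to my new bank account, details attached. xoxo
"""

# Constructed sample: the same request sent from the client's own compromised mailbox.
COMPROMISED = """From: Jane Client <jane@example.com>
To: advisor@example-ria.com
Subject: Transfer
Authentication-Results: mx.example-ria.com; spf=pass smtp.mailfrom=example.com; dkim=pass header.d=example.com; dmarc=pass header.from=example.com
Content-Type: text/plain; charset=utf-8

Hi! Please sell $100,000 and wire it to my new bank account, details attached. xoxo
"""

# Constructed sample: a routine message from that mailbox, which raises no flags.
ROUTINE = COMPROMISED.replace("Please sell $100,000 and wire it to my new bank account, details attached.",
                              "Could you send me the quarterly statement?")

if __name__ == "__main__":
    for name, raw in (("spoofed", SPOOFED), ("compromised", COMPROMISED), ("routine", ROUTINE)):
        print(name, triage_instruction_email(raw))
```

Run as a script it prints the findings for all three constructed messages. The spoofed message trips every check; the compromised-mailbox message trips only the wording check, which is the whole argument for a callback policy.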
The deductible
On that dreadful Monday, I counseled my colleague and friend on several crucial decisions that had to be made in very short order, sometimes without the luxury of having all the necessary information.
The first thing to discover was whether or not his E&O policy would cover the client’s loss. Many advisors may not realize that the types of activity covered by the errors and omissions section of their liability insurance can vary widely from insurer to insurer, and that an advisor’s deductible may vary depending on the type of coverage offered by a given policy.
In this case, my friend’s deductible for coverage of losses due to wire fraud was $25,000 — a pretty big hit but still better than coming up with $100,000 from his own pocket. After some fraught calls with the insurer, we determined the advisor was covered for everything above his deductible. That was the first hint of a silver lining in the very dark, expensive cloud that was still hanging over his head, even factoring in that it was likely his policy premiums would be hiked due to the claim.
By the way, we learned from our conversations with the insurer that many liability insurers are now requiring much higher deductibles for losses due to wire fraud, and most are denying coverage for losses due to social engineering.
Sobering as that fact may be, it makes sense in light of the staggering increase in online fraud of all types that has accompanied the coronavirus pandemic. Security vendor F5 reports that phishing attacks and other online scams
We also learned that the majority of insurers are starting to require advisors to use two-factor (“dual”) authentication of client identities for online orders, for example responding to a text message or email in addition to entering the correct username and password. One caveat is worth keeping in mind: in a case like this one, where the attacker was already reading the client’s email, a confirmation code sent to that same mailbox adds very little. A factor delivered over a separate channel, such as a call to a phone number already on file or a code from an authenticator app, is a far stronger check.
Making the client whole
After hanging up with the insurer, we next called the transfer agent to find out if they would be able to make the client whole. That seemed most unlikely, since they were acting on orders from my colleague, who had believed, when he gave the sell order, that he was carrying out a legitimate request from his client. In most cases, as long as the transfer agent has performed correctly according to the instructions received from the advisor, they will deny any liability for losses due to a fraudulent transaction. We determined pretty quickly that this was a blind alley.
Then we contacted the correspondent bank to find out how long a fraud investigation would take, since a finding in the client’s favor could relieve the advisor of the financial liability to his client and make an insurance claim unnecessary.
Most of our clients know that if a fraudulent transaction is made or attempted using their credit or debit card, they can avoid liability as long as they notify the bank or card issuer in a timely fashion. But in a wire transfer of this size, the correspondent bank and the bank that had opened the account the hacker used to receive the funds would likely need a considerable amount of time to conduct a thorough investigation. In other words, it could be weeks before the advisor would know whether he could expect his client to be made whole by the bank.
If that were to happen, it would be a huge burden lifted. Not only would he not be required to file on his E&O policy, but the client’s money would be replaced by someone else’s resources instead of his.
However, we determined that he could not afford to wait; he needed to make his client whole as soon as possible. While it is not clear that there is an established best practice for advisors in such cases, my colleague felt strongly that the client-first standard of care implied by his fiduciary role meant he could not wait on the outcome of an investigation that could take weeks or even months. He would need to place the client’s needs ahead of his own and assume the risk of the bank’s investigation outcome himself.
Having decided to file on his E&O policy and pay the $25,000 deductible himself, the advisor next worried that the market would move against him in the meantime. As a fiduciary, he would need to use the proceeds of his policy and his own $25,000 to restore the client’s holdings to their state before the unauthorized sale of assets and transfer of funds. But the markets never sit still, do they?
So, rather than waiting for the claim check from the E&O insurer to arrive, he went ahead and placed the necessary orders to replace the securities that had been wrongfully sold from the client’s account, funding it out-of-pocket. “The client has to come first,” he said. “The insurance will pay whenever it pays, but I can’t risk the market movement in the meantime.”
Early in our conversation, the advisor said he knew he would need to file a complaint with the FBI as soon as possible. The FBI is the federal agency that investigates computer-related fraud, and it’s important to file promptly using the agency’s
For one thing, most E&O policies require it. Next, it gives the authorities the information they need to identify and prosecute those responsible for online crimes. Further, the FBI can often aid efforts to recover lost funds. Also, a properly filed complaint substantiates the events and timeline of the loss, which can aid future investigations. Finally, when clients and other stakeholders know you are cooperating with the FBI and other authorities, it reassures them that you have taken the event seriously.
Sophisticated scammers
When discussing his case with the FBI agent assigned to investigate, the advisor learned some important things, which he related to me as we continued our conversations a few days later.
First, the hacker made a very calculated decision about the size of the theft. According to the FBI, amounts of $100,000 or less — though highly significant to us and our clients — do not typically attract the same type of focused attention from the authorities as those reaching closer to the $500,000 mark or more. So while the incident would be investigated and all possible actions would be taken to find the perpetrator and hold them accountable, this case was not likely to end up as a headline on the nightly news.
Second, since crimes of this type are on the rise, greater volumes of online activity equate directly to
A resolution
In the roughly two months since my advisor colleague received the fateful call from his client, several things have happened. First, the correspondent bank’s investigation did in fact result in the recovery of all but about $11,000 of the client’s stolen funds. From the information provided to my friend, this involved not only the original correspondent bank and the bank that had opened the spurious account into which the funds were deposited, but several other banks as well, because the perpetrator made multiple onward transfers in an attempt to cover their tracks (which is why it is not unusual for such investigations to take three months or more).
So, for my colleague, recovering the majority of the funds after “only” two months was actually a small victory. He was unable to learn whether the recovery of the funds meant that the scammer was caught or brought to justice, as the FBI does not share that information.
After discussing the matter with his representative, my colleague decided to send back the claim check from the E&O insurer. Though he reports that he is reasonably certain his premiums will still increase, he is hopeful that reimbursing the company could mitigate the size of the hike. There is no guarantee that this will happen, but he believes it is the right course of action.
The call that matters
As my friend and I have continued to discuss the whole affair, several things have become clear to us both.
Most importantly, it was absolutely crucial that his first course of action was to make his client whole as quickly as possible. This should always be our stance: take care of the client before everything else. Yes, it is true that we were reasonably sure the E&O policy was going to pay for most of the loss, and yes, we knew it was possible that the bank investigation might recover some of the money, as well. But in those early moments, with so much in doubt, my colleague made the call that mattered most when he decided to put his client’s needs ahead of everything else.
This situation also brought home the importance of maintaining clear and regular communication with your liability insurance representative. Having to file an E&O claim is the last thing any of us want to do, but when you’re in the crucible, you want to know exactly where you stand with your insurer.
But perhaps the most important takeaway from this unfortunate situation is the ongoing need for heightened vigilance on behalf of our clients. If the bad guys are getting better at what they do, we have to get better, also. For example, my colleague will no longer accept buy, sell or fund transfer instructions from a client except by phone (with verification of identity; the safe form is a callback to a number already on file, never a number supplied in the email itself), in person, or via a videoconferencing application where the client is audible and on-screen.
This may seem obvious in hindsight, but in a time when we are all spending more and more of our time in the virtual world, it’s important to remember that we need to remain anchored in reality, especially where the safety of our clients’ accounts is concerned.
(I appreciate the candor of my advisor colleague in allowing me to share this story. By mutual agreement, we have altered certain details in order to protect confidentiality, but the lessons and implications should be clear to us all.)