Wealth Think

Protect yourself from a cyberattack — before it happens

The biggest threat to your firm’s security may be lurking in your inbox.

Email is the primary channel for RIA communication with clients, vendors and other third parties, and within the firm itself. As a result, a large share of data and security breaches begin with email, usually through some combination of user error and gaps in cybersecurity protection. The risks are great enough that the SEC has adopted privacy rules governing the use, storage, transmission and handling of clients' personal information.

Client email accounts are prime targets for identity thieves, who send bogus emails either from hacked accounts or from spoofed addresses that closely resemble them. Such emails have successfully induced unsuspecting RIAs to transfer money out of investment accounts.

What's a spoofed email address? One that looks similar enough to a legitimate address that the unsuspecting recipient does not notice the small differences. The top-level domain may be changed from .com to .net, for example, or the address may differ by a single character. Also be cautious of letters that look alike: an uppercase "I" is easily passed off as a lowercase "l", for example.

Correct:

wstillman@rightsize-solutions.com

Spoofed:
wstillman@rightsize-solutions.net (.net instead of .com)
wstilman@rightsize-solutions.com (missing 'l')
wstillman@rightsizesolutions.com (missing hyphen)

A genuine typo in an address is caught when the email bounces back. A spoofed address, however, is tied to an actual, if fraudulent, email account set up by a thief, and it closely resembles one the recipient would recognize. When the recipient replies, they correspond directly with the thief without realizing it.

Consider the following real-life example: using a spoofed email address, a thief contacts a financial advisor posing as an existing client and requests an account balance update. The advisor emails the balance in reply, and the thief follows up with a wire transfer request. The request includes a plausible excuse for why the client cannot be reached by telephone to verify their identity, typically an illness or death in the family. The advisor accepts the rationale and wires the funds out of the client's account and into the thief's.

This fraud is the work of a sophisticated criminal or criminal network that broke into the client's personal email account at some point in the past. They spent time monitoring email usage and communication patterns, learning with whom this individual corresponds and where potential assets are held. They can also imitate the individual's writing style well enough to pass as them.

Without a policy preventing unauthorized access to a firm’s private network, RIAs are as vulnerable as their clients.

When a firm lacks adequate user-authentication protocols and network security, a thief can gain access to an advisor's email account. With the account compromised, the thief can send emails that genuinely originate from the advisor's account. They also have access to everything in it, not just the messages themselves: the thief can read client correspondence and nonpublic information, and communicate directly with clients from the advisor's legitimate address.

To avoid detection, the thief adds auto-forwarding rules to the advisor's email account so that replies bypass the advisor's inbox and are passed to the thief. Such rules are often paired with an action that deletes or moves the original message, so the advisor never sees the diverted traffic.

How do thieves get this kind of access? Often through phishing emails: unsolicited messages or fake websites that prompt victims to hand over valuable personal and financial information. Once someone follows the link and enters their credentials on the fake login page, or opens a malicious attachment, the email account is compromised. Here is what can happen next: phishing emails are sent automatically to all of the advisor's contacts; auto-forward rules are added to the account; and blind copies of emails, which may include personal information, are sent to an external email address.

Suppose a client makes a legitimate, verified request to transfer money to a different account but then cancels it. The RIA's system was compromised some time ago, and a thief has been monitoring transactions and correspondence. Posing as the client, the thief makes a request similar to the cancelled one, except that the transfer goes to a third party. Because the client's distribution instructions are already on file, the advisor neglects to verify the second request and makes the transfer.

How can advisors improve security to prevent these hacks?

A cybersecurity policy may not keep spoofed email addresses out of an advisor's inbox, but strong protocols, conditional access rules and technology can alert advisors to potential fraud and thwart attempts to access accounts and information.

At a minimum, RIA staff must be trained to scrutinize the sender address and the message headers of every client email. Further, firms should mandate verbal confirmation of asset transfer requests, no exceptions, using a telephone number already on file rather than one supplied in the email, before taking any action. The confirmation process should also include a review of forms, signatures and voided checks before executing transfers.

Additionally, client email addresses should be kept in the firm's database so that an inbound message from a known address automatically resolves to the client's name when the advisor opens or replies to it. If the address does not resolve to a client record, a red flag should go up and the email should be investigated further.
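The address-book check above and the look-alike tricks listed earlier (swapped top-level domain, dropped character, missing hyphen, uppercase "I" for lowercase "l") can be combined into one screening step. The following is an added example, not code from the article or from any vendor: an inbound sender is matched against the firm's client address book and anything that nearly matches, but does not exactly match, a client address is flagged as a look-alike rather than silently resolved to the client. The address book and the inbound addresses are constructed for the demo; the one client address is the example the article itself uses, the rest are hypothetical.

```python
"""Screen an inbound sender address against the firm's client address book and
flag near-misses (swapped top-level domain, dropped character, missing hyphen,
confusable letters) instead of silently treating them as the client.

Added example, not code from the article. The address book and the inbound
addresses are constructed for the demo: the one client address is the example
the article itself uses, the rest are hypothetical."""
from __future__ import annotations

# Characters a thief substitutes because they look like the letter they imitate.
CONFUSABLES = str.maketrans({"I": "l", "1": "l", "|": "l", "0": "o", "5": "s", "3": "e"})

# Constructed address book: lower-cased client address -> client record name.
CLIENT_ADDRESS_BOOK = {
    "wstillman@rightsize-solutions.com": "W. Stillman",
    "jdoe@example.com": "J. Doe",  # hypothetical second client
}

def canonical(address: str) -> tuple[str, str]:
    """Fold an address into a (local, domain) key on which look-alikes collide
    with the genuine address: confusables mapped back, case ignored, dots in the
    local part and hyphens in the domain dropped, 'rn' collapsed to 'm'."""
    folded = address.strip().translate(CONFUSABLES).lower().replace("rn", "m")
    local, _, domain = folded.partition("@")
    return local.replace(".", ""), domain.replace("-", "")

def split_domain(domain: str) -> tuple[str, str]:
    """'rightsize-solutions.com' -> ('rightsize-solutions', 'com'); no dot -> (domain, '')."""
    reg, dot, tld = domain.rpartition(".")
    return (reg, tld) if dot else (domain, "")

def levenshtein(a: str, b: str) -> int:
    """Edit distance; one dropped or swapped character is distance 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_sender(sender: str, address_book: dict[str, str]) -> tuple[str, str | None, str]:
    """Return (verdict, matched client address, reason).

    'known'     exact match: the address resolves to a client record
    'lookalike' a near-miss of a client address: do NOT treat it as the client,
                verify out of band before acting on anything it asks for
    'unknown'   resembles no client address"""
    sender_norm = sender.strip().lower()
    if sender_norm in address_book:
        return "known", sender_norm, "exact match in address book"
    s_local, s_domain = canonical(sender)
    s_reg, s_tld = split_domain(s_domain)
    best = None
    for client in address_book:
        c_local, c_domain = canonical(client)
        c_reg, c_tld = split_domain(c_domain)
        if (s_local, s_domain) == (c_local, c_domain):
            return "lookalike", client, "differs only in case, dots, hyphens or confusable characters"
        if s_local == c_local and s_reg == c_reg and s_tld != c_tld:
            return "lookalike", client, f"same name, different top-level domain (.{s_tld} vs .{c_tld})"
        dist = levenshtein(sender_norm, client)
        if dist <= 2 and (best is None or dist < best[0]):
            best = (dist, client)
    if best:
        return "lookalike", best[1], f"{best[0]} character edit(s) away from a client address"
    return "unknown", None, "resembles no client address"

if __name__ == "__main__":
    # Constructed inbound senders: the genuine address, the three spoofs from the
    # article, a capital-I-for-l swap, and an unrelated stranger.
    for addr in ["wstillman@rightsize-solutions.com", "wstillman@rightsize-solutions.net",
                 "wstilman@rightsize-solutions.com", "wstillman@rightsizesolutions.com",
                 "wstiIlman@rightsize-solutions.com", "someone@unrelated.org"]:
        print(f"{addr:40} -> {classify_sender(addr, CLIENT_ADDRESS_BOOK)}")
```

A "lookalike" verdict is the red flag the article asks for: the message should not resolve to the client's name, and any request in it goes through the out-of-band confirmation step. The edit-distance threshold of 2 and the confusable table are starting points; a firm with many clients on the same public mail provider will want to tune both.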

RIAs can also mandate encryption on emails containing personally identifiable or sensitive information. In addition, some firms choose to use secure portals or shared folders instead of sending personal information over email.

Conditional access rules help verify the user and prevent unauthorized access to the firm's private network. To gain access, users must log in with strong passwords from registered devices, those the network recognizes. With multifactor authentication, a user who wants to log in from an unregistered or unrecognized device, such as a personal phone or home computer, must prove their identity in at least two ways, for example a password plus a one-time code or hardware token.

Firms should have protocols for monitoring email accounts to ensure that nothing is forwarded automatically, including periodic review of inbox rules and mailbox-level forwarding settings. RIAs should also prohibit personnel from accessing personal email accounts over the firm's private network.
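The auto-forwarding rules described above (replies diverted to the thief, blind copies sent to an external address) are what that monitoring has to catch. The following is an added example, not code from the article or from Microsoft: a small audit that walks one mailbox's inbox rules and reports any rule that forwards or redirects mail outside the firm, rating it higher when the rule also deletes, moves or marks the message read so the owner never sees it. FIRM_DOMAINS and SAMPLE_RULES are constructed test data; the rules are shaped like Microsoft Graph's messageRule resource (displayName, isEnabled, conditions, and actions with forwardTo, forwardAsAttachmentTo and redirectTo recipient lists plus delete, moveToFolder and markAsRead flags) so that rules fetched per mailbox from /users/{id}/mailFolders/inbox/messageRules could be passed to audit_rules() as-is.

```python
"""Audit a mailbox's inbox rules for the tricks the article describes: rules that
forward, redirect or attach-and-forward mail to an address outside the firm,
especially when paired with delete/move/mark-as-read actions that hide the
diverted traffic from the mailbox owner.

Added example, not code from the article or from Microsoft. FIRM_DOMAINS and
SAMPLE_RULES are constructed; the rules follow the shape of Microsoft Graph's
messageRule resource so real rules can be fed to audit_rules() unchanged."""
from __future__ import annotations

FIRM_DOMAINS = {"rightsize-solutions.com"}  # constructed; anything else counts as external

FORWARD_ACTIONS = ("forwardTo", "forwardAsAttachmentTo", "redirectTo")
HIDING_ACTIONS = ("delete", "permanentDelete", "moveToFolder", "markAsRead")

def recipient(address: str) -> dict:
    """Build a Graph-style recipient object."""
    return {"emailAddress": {"address": address}}

SAMPLE_RULES = [  # constructed test data for one advisor mailbox
    {"displayName": "Ops copy", "isEnabled": True,
     "conditions": {"subjectContains": ["ops"]},
     "actions": {"forwardTo": [recipient("ops@rightsize-solutions.com")]}},   # internal: benign
    {"displayName": ".", "isEnabled": True,                                     # attacker rule
     "conditions": {"subjectContains": ["wire", "transfer", "balance"]},
     "actions": {"forwardTo": [recipient("w.stillman.backup@gmail.com")],
                 "delete": True, "markAsRead": True}},
    {"displayName": "Newsletters", "isEnabled": True,
     "conditions": {"senderContains": ["newsletter"]},
     "actions": {"moveToFolder": "Archive"}},                                  # no forwarding: benign
    {"displayName": "Old vendor copy", "isEnabled": False,
     "conditions": {},
     "actions": {"redirectTo": [recipient("billing@vendor-example.net")]}},    # disabled but external
]

def external_targets(actions: dict) -> list[tuple[str, str]]:
    """(action, address) pairs for every forward/redirect target outside FIRM_DOMAINS."""
    found = []
    for action in FORWARD_ACTIONS:
        for rcpt in actions.get(action) or []:
            addr = (rcpt.get("emailAddress") or {}).get("address", "").lower()
            domain = addr.rpartition("@")[2]
            if domain and domain not in FIRM_DOMAINS:
                found.append((action, addr))
    return found

def audit_rules(mailbox: str, rules: list[dict]) -> list[dict]:
    """One finding per rule that sends mail outside the firm.
    high    enabled and also deletes/moves/marks read (hides the diversion)
    medium  enabled external forward only
    low     disabled, but still worth asking who created it"""
    findings = []
    for rule in rules:
        actions = rule.get("actions") or {}
        targets = external_targets(actions)
        if not targets:
            continue
        hiding = [a for a in HIDING_ACTIONS if actions.get(a)]
        enabled = rule.get("isEnabled", True)
        severity = "low" if not enabled else ("high" if hiding else "medium")
        findings.append({"mailbox": mailbox, "rule": rule.get("displayName", ""),
                         "enabled": enabled, "targets": targets,
                         "hiding_actions": hiding, "severity": severity})
    return findings

if __name__ == "__main__":
    for f in audit_rules("advisor@rightsize-solutions.com", SAMPLE_RULES):
        print(f"[{f['severity']:6}] rule {f['rule']!r} -> {f['targets']} hiding={f['hiding_actions']}")
```

Run across every mailbox on a schedule and alert on any "high" finding the same day. Two practitioner notes: a rule named with a single dot or other near-empty name, as in the constructed attacker rule, is a common sign of a rule created by an intruder rather than the owner; and forwarding can also be set at the mailbox level outside of inbox rules, so that setting needs its own check alongside this one.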

The consequences of email misuse and fraud can be devastating. A multifaceted approach to email security helps prevent fraud even when a recognized user's credentials have been compromised through an email hack. And although the sophistication of cybercriminal networks is rising, tighter protocols raise the bar for thieves trying to get through.
