Annie McQuilken, a fee-only planner and principal at Forever Financial Advisors in Fairport, N.Y., knew that a client was looking for a house to buy. Still, she was a little surprised when she received a message, sent from the clients email account, asking her to wire money directly to the seller for a closing scheduled for the next day.
Even though I knew this client was house hunting and it wasnt unusual to communicate with her via email, I was surprised that she would get to the closing without talking to me, McQuilken says. Part of me was annoyed that she hadnt given me more notice.
- Read more: Cybersecurity Best Practices: 6 Tips
As it turns out, the sender wasnt McQuilkens client the email had come from a thief who was trying to steal the clients money. The scammer had hacked into the clients email account, assumed her identity and was asking McQuilken to send client funds into a third-party account.
McQuilken had seen scammer emails before, but those were obviously fraudulent, featuring broken English and details that she knew could not have come from clients. This one was more skillful. At first I was fooled into thinking it was my client because the language was proper American English, not like many foreign fraud schemes, McQuilken says. There was nothing about the way that this was written that was a red flag.
Whats more, she says, the hacker knew many of the clients personal details. The scammer had clearly read enough of her emails to know what was going on in the clients life.
As she scrambled to get the money ready for the closing, however, the situation began to seem strange to McQuilken. Things were just moving too fast, she recalls. She called the client. In fact, she had just made an offer on a house, so when I first called and said, 'Im calling about sending you money for your closing, she said 'Great!? As the conversation went on, however, it came out that the real closing wasnt for several weeks and that the client hadnt sent the email McQuilken received.
That phone call saved McQuilken and her client from falling victim to identity theft. Although the FBI website says its not possible to know precisely how many attempted and successful identity thefts happen, the problem does appear to be growing with thieves becoming more sophisticated.
Experts say its crucial for advisors to understand that the rules of the game have changed: Planners and their clients are both targets, and new federal rules (and custodians policies) make advisors primarily responsible for fraud prevention. It has become vital for planning firms to create effective fraud-prevention policies and put them into effect.
I think that fraud and identity theft are on the rise and should be an increasing concern for investment advisors, says Justin Kam, director of investment advisor services at National Compliance Services in Delray Beach, Fla. Fraudsters are using techniques that, while not necessarily innovative, are being used more frequently as a means to try to impersonate clients and steal client money.
Fraud was on the uptick in the middle and end of 2011, and it has grown from there. Its happening everywhere and to everyone, agrees Nina Weiss, a vice president in the compliance department at Pershing Advisor Solutions in Jersey City, N.J.
In a May survey of Financial Planning readers, almost a quarter of respondents said they had received what appeared to be a fraudulent request for funds in the last 12 months; nearly 8% said they had multiple attempts. (Just under 2% were, perhaps worryingly, not sure.)
Weiss says fraud attempts tend to follow a similar pattern. What were seeing as an industry is investors emails being attacked and taken over, she says. A fraudster will get into an investors email and scrub it to see if theyre communicating with a financial professional, a broker or an advisor. Then they look for attachments with account numbers and signatures.
The would-be thief then sends an advisor an email, either from the victims email account or from an account with a very similar address, Weiss says. Often the email is a new response to a past email from the advisor. The thief asks the advisor to transfer money into a third-party account or perhaps into a new account registered under the clients name.
The request is typically presented as urgent, and there may be an excuse about why the client cant talk about it in person. The writer might say, 'Dont try to call me. Ill be at my aunts funeral, and my daughter in England or Arizona really needs this money for college tuition. Thats one of the biggest red flags, Weiss says.
Or the thief might deliberately call someone at the planning firm who doesnt know the client. Weiss says: They say, 'I couldnt reach my advisor, and I dont have time to try again. Please tell him that I OKd this transfer.
Meanwhile, either the fraudster or a mule for the fraudster will walk into a bank in another city and open a new bank account, says Kevin Taylor, Pershings chief compliance officer. When the clients stolen money arrives at the bank, the thief removes all but a tiny sum typically on a Thursday or Friday. You cant recall money over the weekend, Taylor says. This gives them a two-day head start.
Planners all over the country report a variety of these scam attempts.
John M. West III, an advisor, chief operating officer and chief compliance officer at Spraker Wealth Management in Maitland, Fla., heard from a client who said he needed to know the balance in his accounts in preparation for wiring money overseas. The thief sent two other emails, saying, 'Dont call me, Im in a meeting, email will be sufficient,? West says. A third email gave permission and nudged us to send the wire. The English was a little garbled by then, but on the first attempt, it looked pretty good.
West called his client, who had not sent the email, and told him of the fraud attempt. He was very appreciative, and he changed all the passwords on his accounts, West says.
David D. Wilder, chief investment officer at Financial Management Group in Cincinnati, already knew that a client was traveling outside the country when he got an email asking him to wire some of the clients money to a third party.
I replied with a request for some additional information to confirm that it was really our client, since we are aware that these types of requests are often fraudulent, Wilder says. The sender replied that she was too busy for this and wanted me to tell her simply how to get the money moved. We exchanged a couple of additional emails, where she first became angry and then supplied information that she had somehow obtained about a family member, in hopes that this might be the information I was looking for. It wasnt.
At RTD Financial Advisors in Philadelphia, Richard Durso, the director of financial planning, got three emails from a supposed client: one saying hello, a second asking for an account balance, and a third asking him to wire money.
The first email didnt sound like her, and it didnt have her typical send-off, which is 'Cheers,? Durso says. This said 'Thanks, or 'Best. The grammar wasnt right and there were some spelling errors, Durso adds, noting that this client speaks and writes in perfect English.
There were other red flags. The second request was very out of the ordinary, Durso says, and the third was a dead giveaway. She said that she needed to know the amounts of all the cash in all the accounts, because she just lost her nephew. I know she doesnt have a nephew.
Dena Minning, president of Personal Asset Management in Treasure Island, Fla., remembers an emailed money request that had the clients exact signature and written mannerisms. A single detail tipped her off: He asked me to wire '30,000 USD, and my clients dont really think in terms of 'USD. They would use a dollar sign.
FORMALIZE A PLAN
Creating an anti-fraud program is a smart step. It also may be the law, depending on how youre registered. Last year, the SEC implemented regulation S-ID, known as the red flags rule, which requires that federally registered investment advisors adopt and implement an identity theft protection program. State registered advisors are not included under the rule, but its still a good idea as a best practice, says National Compliance Services Kam.
Custodians, too, are increasingly implementing fraud-protection rules and procedures such as not transferring money without a notarized letter or a personal conversation between planner and client. And if you mistakenly send money to a thief, your custodian will consider you responsible for reimbursing the client.
If an advisor sends out money without taking steps that a reasonably prudent person would take, they could be held liable in a lawsuit, Kam says.
Dont assume that youre protected by your custodian, your broker-dealer or even your insurance policy. If the custodian has made a mistake, the company will typically make the end-client whole. If the planner makes the mistake, however, he or she is responsible for fixing it and errors and omissions insurance may or may not cover the expense.
When we take instructions from an intermediary that appear to be in good order, and the underlying transaction turns out to be fraudulent, then we would look to the advisor to make that customer whole, says William R. French, vice president in the risk management group at Fidelity Investments. We dont typically get involved in making the customer whole.
Even if [an advisor] follows all the best protocols, he or she can still be a victim, French adds. E&O insurance may or may not be helpful. Assessing what your coverage is and where it would apply is a good conversation to have with your insurance company.
An effective fraud-protection plan can also protect your most important asset: your client relationships. No advisor wants to admit that a scammer has made off with client assets even if the firm later recovers or replaces those assets.
And, in general, clients appreciate knowing that their planners have thought about ways to protect them. We have not encountered a client yet who is angry about the inconvenience of the extra few steps when moving money around, says Roger Pine, a partner at Briaud Financial Advisors in College Station, Texas. They understand that these sorts of security measures are the new reality.
Sometimes an advisors actions can protect assets elsewhere. We were the first ones to catch a fraud attempt that also went to the clients bank, Pine says. Within 20 minutes of this email going out, we were able to contact her. That showed that we knew her really well and were looking out for her, and thats a big win for us.
What makes a good fraud-prevention program? First, individual accountability. A senior person at the firm should be responsible for cyber security, says Pershings Taylor for defining, analyzing, controlling and improving procedures. This should be part of the governance model. Cybersecurity is that important.
There is no one-size-fits-all approach to executing disbursements, Weiss adds. Planners need to decide what instructions theyll accept, and through what delivery method. Using secure electronic drop boxes? If you rely on those services, you need to pick just one or two and perform due diligence, Weiss says. Will you require notarized paperwork? A personal conversation between client and planner? A secret access code? Some combination of the above?
Next, youll need to discuss your security policies with your clients. You want to have that conversation as part of the onboarding process, Taylor says. Talk about what instructions, if any, youll take by email, as well as considerations about their lifestyle and their expectations for how theyll access their money.
One client might be easily reached at home or work. Another might spend a lot of time aboard a yacht in the Mediterranean, far from Internet access. Procedures should fit each clients needs.
In every scam attempt we were told about for this article, the deal breaker was a telephone conversation between the clients and a planner who knew them well. Theres a clear takeaway for advisors: No matter what other security policies a company has, it should not ignore the safety offered by a simple telephone call.
The best control is a verbal confirmation from a customer you know, says Fidelitys French. Thats the closest thing we have to a silver bullet. Call the client. Dont rely on an email, a voicemail, a text or a fax.
When you call, use a telephone number that you already have on file for that person, not a new number sent to you via email. Dont accept an incoming client call as evidence of client instructions.
Truly sophisticated thieves can fake caller ID numbers, so that it looks as if youre getting a call from the client, says Kevin P. Sweeney, Boston-based chief compliance officer and wealth manager at Modera Wealth Management. You might also get a muffled call or one with background noise, so its difficult to make out the voice.
A person who knows the client well should make the call. There are certain things we know about our clients: their voices, histories, attitudes, relationships and memories, Durso says. There is no substitute for knowing the client, and we get to know them very well as we go through our financial life-planning process.
Dont make the conversation a short one, even if a client claims to be pressed for time. You want to make sure that the person youre talking to is really your client; that means talking for long enough that an impostor would find it hard to sustain the ruse.
Some planners also use a security question, which a client must answer correctly over the telephone before the planner disburses money.
The best security questions arent a Social Security number or account number, Weiss says. Ask: Where do you make your mortgage payment? Whats the name of your pet? Whats your brothers name?
You dont want to make it easy, she adds. That defeats the purpose.
Ingrid Case, a Financial Planning contributing writer in Minneapolis, is a former editor at Bloomberg News and author of Your Own Two Feet (and How to Stand on Them): Surviving and Thriving After Graduation.
- SEC Warning: Small Firms Won't Get a 'Pass' on Cybersecurity
- Advisors Beware: Single Data Breach 'Can Bring Down' a Practice
- Protecting Digital Assets: Advisors on 'Front Line'
- Hackers Claim Data Theft on 800 Million Cards But Is It True?
This story originally ran on July 1, 2014.
A recent report from National Compliance Services included this email, sent last Thanksgiving from a client impostor to an advisor.
Some of the telltale signs of fraud were evident: the urgent time frame, the awkward grammar, the unannounced trip.
One essential ingredient was particularly subtle, requiring sharp eyes to detect: The originating email address was false but close to the clients actual address, substituting an l where there should normally have been an i.
Sent: Thursday, November 28, 2013 11:53 AM
To: [Advisors Name]
It takes me great pain to write this but I need your help. Few days back we made an unannounced vacation trip to (Manila, Philippines) Everything was going fine until last night when we got mugged on our way back to the hotel, all cash and credit card were stolen off us but luckily for us we still have our passports with us. Ive been to the Embassy and the Police here but theyre not helping issues at all they asked us to wait for 3-weeks but we cant wait till then and our flight leaves in 18 hours from now but were having problems settling the hotel bills and the idiot manager wont let us leave until we settle the hotel bills, we are freaked out at the moment ... It has really been embarrassing for me ... $2000 will cover all my expenses but I will appreciate whatsoever you can afford to wire right now, I promise to refund it to you as soon as I arrive home. You can wire it to my name from a western union outlet around. Here are the details you need to get it to me; [Clients Name].Location - Evangelista Street 1640 Rudex Building, Makati, 1234, Philippines. Get back to me with the western union confirmation details.