It's the kind of case that cybersecurity experts have been warning advisors about

for years – and that they only expect to see more of.

A Cetera Financial advisor lost his 17-year career after falling for an email from a hacker who impersonated a client and persuaded him to illegally transfer $160,000 to a bank unconnected with the client or his wife.

David Paul Santos agreed to a lifetime bar from the industry in a FINRA case after falsifying the signatures of a client on 10 documents transferring money out of the client's individual account and a joint one that he held with his wife. The imposter had hacked into the client's email account.

"It's a huge cautionary tale," says Steve Ryder of True North Networks, a consulting firm that advises more than 50 large planning firms nationwide on cybersecurity issues.

If Santos had simply picked up a phone and spoken to his client, he might have uncovered the scam, Ryder and securities lawyer Robert Rex, of Boca Raton, Fla., both said. And more rigorous advisor training also might have prevented the deception, Ryder noted.

Santos could not be reached for comment and his lawyer, Brian Mumford of Saratoga Springs, N.Y., declined to comment. Neither the FINRA filings, nor Cetera, reveal whether or not Santos tried to call his client.


At an SEC cybersecurity roundtable in March, IT expert John Reed Stark warned attendees about such a threat to their practices: "One data breach can bring down an [investment advisor], I think, very quickly because of … the kind of relationships they have with their clients." At the time, Stark was a managing director of Stroz Friedberg, an IT security company that works with firms to prevent and respond to breaches. He now runs an eponymous consulting firm in Bethesda, Md.

Though the danger persists, it's rare to see details of such a case become public.

"Up to 90% of cybersecurity incidents aren't even reported," Ryder says. "It's embarrassing, right? Often times people don't want to talk too much about it."

Speakers at the SEC gathering stressed the importance of sharing information about attacks and emerging threats with regulators and others in the industry.


However, the Santos case offers scant detail as to how the hacker succeeded in duping the advisor. The filings say only that the imposter convinced Santos to falsify client signatures authorizing trades over the course of nine email requests between February 14, 2014 and April 8, 2014.

"Once the imposter was discovered by the third-party bank, the firm recovered some of the funds from the third-party bank and reimbursed [the client and his wife] for their entire loss," according to the March judgment by FINRA arbitrators. FINRA officials did not immediately respond to a request for further details about the case.

Cetera also declined to elaborate on details beyond the following statement:

"We expect our advisors to adhere to the highest possible standards of conduct in the industry," the firm's spokesman Joe Kuo said. "The advisor in question was terminated by our firm last year, and our firm reimbursed customers for their entire loss. Beyond that, and as a matter of policy, we do not publicly discuss regulatory or legal matters related to individuals who no longer work with our firm."

The case illustrates the importance of educating advisors about common tactics, such as "phishing" attacks of this sort, Ryder says. In phishing attacks, perpetrators use electronic communication to trick recipients into handing over valuable information or money.


Advisors "should have required training in both phone phishing attempts and email phishing attempts" like this one, Ryder says. "That's such a huge part of cybersecurity. It's not just spending thousands and thousands of dollars on technology and firewalls."

Santos, who did not have discretion to execute trades in his clients accounts, made a total of 12 unauthorized trades of stocks and municipal bonds to fund the wire transfers, FINRA says. He also made $259.69 in commissions for the trades.

Neither Cetera nor FINRA disclosed whether or not the perpetrator or perpetrators were caught or if they successfully made off with the stolen funds.

"So much of [phishing] is computer generated and it's a numbers game," Ryder says. "They could send millions of emails out and all they need is 1/1,000th of those to respond."

Kenneth Corbin contributed reporting to this story.

Read more:

Register or login for access to this item and much more

All Financial Planning content is archived after seven days.

Community members receive:
  • All recent and archived articles
  • Conference offers and updates
  • A full menu of enewsletter options
  • Web seminars, white papers, ebooks

Don't have an account? Register for Free Unlimited Access