A new study conducted by Kaspersky Lab has revealed that cybercriminals are targeting financial advisors, stealing their credentials to access email accounts in order to gain control of the advisor’s business. The research reveals that around 41% of all attempted attacks on finance professionals were successful due to poor security practices, with more than half (51%) occurring at work.
Business email compromise (BEC) is a type of fraud in which an attacker takes over, or convincingly imitates, the email account of an employee or customer and uses it to have money sent to the attacker. The BEC process typically begins with the attacker sending an email to the targeted company’s employees, often posing as a business partner, supplier, or client.
As most people are aware, email fraud is on the increase. What’s startling is how prevalent phishing email scams are among financial advisers. These sorts of phishing attacks are known as business email compromise scams (BEC scams).
According to a 2018 SEC analysis, business email compromise attacks cost publicly listed corporations over $5 billion in financial damages between 2013 and 2017. While BEC scams impact a wide range of businesses, financial advisers are particularly vulnerable since they have money. It’s your money.
In this post, we’ll:
- Explain what a BEC scam is.
- Discuss the many sorts of BEC scams.
- Cover two real-life customer case studies where BEC schemes were attempted.
- Describe how you and your financial adviser may avoid falling victim to a BEC scam.
Let’s start with an explanation of what a BEC scam is.
What exactly is a BEC scam?
According to the FBI, a BEC scam is an email message posing as a genuine request from a recognized source.
This might take the form of:
- A company’s vendor provides an updated postal address for invoice payments.
- A title firm sends a message to a homebuyer with advice on how to wire the down payment for closing.
- An email from their bank’s finance department, requesting private information to be verified.
- In the case of financial advisers, posing as a customer and sending an email asking that money be sent to a bank account.
Let’s take a look at some of the tactics that crooks utilize to carry out BEC scams.
How Do Criminals Conceal BEC Scams?
Scammers use a variety of methods to carry out BEC frauds. Here are four of the most popular methods used by fraudsters to carry out BEC attacks.
Phishing campaigns are emails sent from an attacker’s account that attempt to deceive recipients into providing sensitive information to the attacker. This information might be only one piece of what the scammer needs to execute the scam.
Phishing emails may be crafted to collect any sort of data, including:
- Information about money
- Personally identifiable information (PII), meaning information about an individual that is not considered public. Social Security numbers and driver’s license numbers are two examples.
- Account numbers and other payment details
For a long time, the FBI has been warning Americans about phishing. The FBI’s Internet Crime Complaint Center issued a public service notice in 2018 detailing how hackers utilize social engineering tactics to collect payroll information from workers. Here’s how it works:
- Phishing email is sent to a targeted employee’s email account.
- The criminal gets access to the corporate account of an employee.
- Employee salary is diverted to phony bank accounts by a criminal.
- Employee’s account is locked, and the employee no longer has access.
Another scenario is when a USAA member receives an email from USAA requesting that they update certain information on file. However, it is possible that it is not from USAA at all, because the attacker may have spoofed it.
Spoofed emails are created when BEC attackers alter a real email address or website address slightly.
For instance, your buddy John Smith sends you an email from his [email protected] account. John, on the other hand, does not have a Gmail account. He uses Hotmail to communicate.
The attacker created the Gmail account as a phony email account, and any reply to this email goes straight to the attacker’s inbox.
Spoofing can also mean redirecting you to a slightly different version of a website you often visit. That website looks nearly identical to the regular website, so it passes undetected.
For instance, the insurance site of USAA (hyperlinks deleted) is:
https://www.usaa.com/inet/wc/auto-insurance?wa ref=pub global products ins auto
This doesn’t seem to be all that different from
https://www.usaaa.com/inet/wc/auto-insurance?wa ref=pub global products ins auto
The additional ‘a’ in the second link would only be seen by a keen eye. This link would take the victim to a website controlled by the cyber criminal.
The harmful URLs are often hidden behind link text or buttons in the message body, which makes determining whether a link is genuine challenging.
Spearphishing is similar to spoofing, except that the communication appears to be from a trustworthy sender and requests sensitive information from the recipient.
Spear-phishing, unlike phishing, is a focused assault rather than a numbers game.
This assault might be directed towards workers of a firm. However, rather than obtaining personal information, the goal might be to get corporate data.
Criminals are increasingly using spearphishing to enter businesses.
Scammers already know a lot about most individuals thanks to social media and publicly accessible information.
That spear-phishing email with the subject line “We’re verifying our records, please verify your account” is merely an effort to get that final bit of information that isn’t publicly accessible.
This might include account numbers, PINS, passwords, user names, or other information, just as in typical phishing attempts.
Whaling (whale phishing) is a kind of spearphishing that is very focused.
Whaling targets top officials, such as the CEO of a corporation, who may have the most access inside the organization.
Malware, or malicious software, is often used to obtain access to enterprise networks and documents. This is generally done through a malicious attachment.
The data gathered this way is often used to time requests or communications so that accounts staff do not question payment requests. Malware may also be deployed inside a company to gain access to an individual employee’s email account or customer data, which can then be used in future attacks.
BEC Scams Against Financial Advisors
The most concerning trend is fraudsters targeting financial advisers with business email compromise schemes. Without the customer having done anything wrong, a successful BEC attack against an unknowing adviser may wipe out their clients’ funds!
Here are three reasons why financial advisers are being targeted by BEC scams.
There is already a foundation of trust.
It takes a lot of confidence for investors to trust an adviser with their money. We spend a lot of time talking about financial planning’s technical parts, such as investing, Roth conversions, and tax planning.
However, trust is a two-way street. As a result, a financial adviser may be inclined to believe an email from a customer concerning wire transfer payments, even when they should be cautious. This is partly because most financial advisers are quite busy.
Owning and operating a small company.
Many financial advisers run their own businesses.
Small business entrepreneurs understand how much time it takes to manage a successful company. You’re probably in charge of compliance if you’re the CEO and the head janitor.
The majority of financial advisers keep up with their compliance processes. Otherwise, the Securities and Exchange Commission (SEC) or their state’s regulatory agency would shut them down.
Cybersecurity is also becoming a higher priority for auditors. However, not all financial advisers get the message.
Finally, fraudsters are targeting the accounts your adviser manages for another reason.
That’s where all the cash is hidden!
The Investment Advisory Association claimed that SEC-registered investment advisers handled approximately $110 trillion in 2020. This compares to $43 trillion in 2010.
As a result, thieves have a strong incentive to target the accounts that your adviser manages for you.
We had numerous attempted BEC frauds while I was a financial adviser. Fortunately, we were not duped, and our customers’ funds were not lost.
Let’s go through them so you can keep an eye on what these folks are up to.
Case Study #1 of the BEC Scam
A customer sent us an email requesting that a big amount of money be moved from her investment account to a “relative.” It provided instructions on how to transmit the wire.
Our customer’s request for wire transfers was unusual since we had bank account transfer information for this client on file. We were also cautious since we are familiar with our client’s personality. This email seemed to be unusual.
We phoned to confirm that this was really what she intended as part of our standard verification processes. “No,” the client said. “This email was not sent by me. Thank you for informing me; I’ll investigate.”
When she investigated more, she discovered that someone had obtained access to her email and had been monitoring her emails for some time. The offender prepared an email that appeared identical to previous requests, assuming that we would just comply.
The spam email was then removed from the ‘Sent Emails’ folder in the hopes that our customer would not notice it.
This customer would have lost a lot of money if our personnel hadn’t been on the lookout or if our business hadn’t put systems in place to validate email inquiries.
Case Study #2 of the BEC Scam
This time, the fraudster tried something a bit more subtle, more sophisticated, and sneakier.
Another consumer requested $5,000 be sent to his bank account by email. This customer requests $5,000 or $10,000 every now and again, so it didn’t seem unusual at first.
He got an email from his wife requesting him to transfer $5,000 to another account at the same time. We phoned, checked, and processed the request as per our standard protocols since the customer truly needed the money.
His wife’s email, on the other hand, had been hacked without his knowledge. The fraudster was seeing his typical procedure play out as she was copied on the email conversation concerning the initial money transfer.
When the fraudster saw that the initial transfer had been completed, he or she sent the second email. Our customer was worried that we had been copied on that email (we hadn’t) and told to make a transfer to an unknown bank account.
He was certain that we would call to check the second request since we had phoned to verify the first.
Our firm’s protocols and our client’s knowledge in this situation prevented the email breach from becoming more severe.
Your adviser should constantly be suspicious of scams.
What Can YOU Do to Avoid BEC Scams?
There will always be individuals seeking to defraud you. Perhaps you maintain a modest web presence. Even so, a highly motivated individual is likely to find enough publicly accessible material to work with.
BEC scams, on the other hand, only succeed if the fraudster can get that essential piece of information that is not accessible online. For instance, a password here, a PIN number there, and security questions (such as what color was your first car?).
Thankfully, there are steps you may do to safeguard yourself. Although several of these security techniques are well-known, they are worth mentioning:
Always update your antivirus and anti-malware software.
The simplest approach to accomplish this is to download and install updates on a regular basis. Although updating software is annoying, it is the most effective approach to keep your antivirus software up to date.
Management of passwords
It’s not enough to just keep your password to yourself. Hackers are getting smart nowadays. Here are some tips on proper password management.
Use long passwords.
Everyone understands that a mix of letters, numbers, and special characters should be used. Passwords of 8 to 10 characters were widespread a few years ago. Security experts now often recommend passwords of 16, 20, or even 25 characters, mixing letters, numbers, and symbols.
For each website, use a separate password.
What if one of your accounts is hacked? Your hacker is likely to try your login details elsewhere.
You’re doomed if you use the same combination everywhere.
To keep passwords safe, use a password manager.
If you have a manager who remembers everything for you, it’s simpler to stay on top of password maintenance.
If you only use Apple devices, the iCloud keychain will almost certainly suffice. Your information is also safeguarded if you lose your phone, thanks to biometric protection such as facial recognition or fingerprint scanning on iOS devices.
If you switch between operating systems often, you may consider investing in a third-party password manager that works on all of them.
For your logins, use two-factor authentication.
Two-factor verification occurs when a log-in needs the entry of a code (typically received by text or email) before access is granted. This is required for most bank accounts to help safeguard against fraud.
Take a breath when you get an email from ‘someone’ asking you to do anything.
Look for mistakes in the sender email address (not the name). If you get an email prompting you to log into a website (such as your bank’s website), don’t immediately click the link. Instead, enter the URL into your browser and log in from there.
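As an added example (not code from the original post), here is a small Python checker that applies the two checks above: it inspects the real sender address rather than the display name, and compares where each link actually goes with the domain its visible text shows, flagging the one-letter lookalike (usaa.com vs usaaa.com) described in the spoofing section. The allowlist of trusted domains and the sample message are constructed for the example.

```python
import re
from urllib.parse import urlparse
# Constructed allowlist: the domains this reader actually does business with.
# This is an assumption for the example; a real list comes from the firm's records.
TRUSTED_DOMAINS = {"usaa.com", "hotmail.com"}

def levenshtein(a, b):
    """Edit distance (insert/delete/substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def registrable(host):
    """Reduce a hostname to its last two labels: www.usaaa.com -> usaaa.com."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def classify_domain(host):
    """'trusted', 'lookalike:<trusted domain>' (within 2 edits) or 'unknown'."""
    domain = registrable(host)
    if domain in TRUSTED_DOMAINS:
        return "trusted"
    for good in sorted(TRUSTED_DOMAINS):
        if levenshtein(domain, good) <= 2:
            return f"lookalike:{good}"
    return "unknown"

def sender_domain(from_header):
    """Domain of the real address in a From header, ignoring the display name."""
    m = re.search(r"<([^>]+)>", from_header)
    addr = m.group(1) if m else from_header
    return addr.strip().rsplit("@", 1)[-1].lower()

def check_message(from_header, html_body):
    """Return findings for the sender domain and every anchor in the HTML body."""
    findings = []
    sender = sender_domain(from_header)
    if classify_domain(sender) != "trusted":
        findings.append(f"sender domain {sender} is {classify_domain(sender)}")
    for href, text in re.findall(r'<a\s+href="([^"]+)"[^>]*>(.*?)</a>', html_body, re.S):
        host = (urlparse(href).hostname or "").lower()
        if classify_domain(host) != "trusted":
            findings.append(f"link to {host} is {classify_domain(host)}")
        # If the visible link text looks like an address, it must match the real target.
        m = re.match(r"(?:https?://)?([\w.-]+\.[a-z]{2,})", text.strip(), re.I)
        if m and m.group(1).lower() != host:
            findings.append(f"link text shows {m.group(1).lower()} but points to {host}")
    return findings

# Constructed sample: 'John Smith' writing from the wrong provider, with a
# typosquatted USAA link hidden behind text that shows the genuine address.
SAMPLE_FROM = "John Smith <john.smith@gmail.com>"
SAMPLE_BODY = ('Please verify your policy at '
               '<a href="https://www.usaaa.com/inet/wc/auto-insurance">'
               'https://www.usaa.com/inet/wc/auto-insurance</a>')
if __name__ == "__main__":
    for line in check_message(SAMPLE_FROM, SAMPLE_BODY):
        print("WARNING:", line)
```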
Call a close friend or family member if you see anything unusual.
Check to see whether they really sent the email. Similar frauds are also appearing on social media sites such as Facebook and LinkedIn.
But instead of responding to the email, pick up the phone and dial.
Sign up for the Federal Trade Commission’s fraud warnings.
Visit the FTC’s website for further information. You may report frauds, learn more, or sign up for email updates from there.
Hold your valued advisors responsible.
Most banks use standardized processes and are likely to follow the most recent banking legislation.
Your smaller professionals, on the other hand, who have access to your money and personal information, may not have access to corporate resources, IT budgets, or the infrastructure needed to safeguard it. Consider an accountant, an estate lawyer, and a financial adviser.
However, they should take reasonable precautions to protect your personal information.
What can my adviser do to keep my data safe?
Your financial adviser might (and should) be doing more to secure client data even without company funding.
The Securities and Exchange Commission (SEC) and the Financial Industry Regulatory Authority (FINRA), which regulates broker-dealers, are both cracking down on advisers who do not have enough safeguards in place. Financial advisers who did not call to verify customer instructions have been punished by FINRA.
The following is a list of what your financial advisers may do to secure your accounts, as well as how you can check it:
Have systems in place to authenticate a client’s identification whenever money is requested from their investment account.
This should be done over the phone, not over text, email, or social media.
Before your money leaves your account, your adviser should personally call you to verify the request. If that has not been your experience, you should ask your adviser to set up a standing instruction so that money does not leave the account until you specifically authorize it.
Your adviser should adhere to the same (and higher) standards as you do.
The preceding list was a rather simple set of typical identity-protection protections that everyone should have in place. MORE should be available to your adviser.
Procedures should be established in your advisor’s compliance handbook.
A compliance handbook is required of every registered investment adviser. It’s essentially their ‘rulebook’ for how things should be done in the company. It’s also the first item the auditor looks at during a surprise audit.
At a minimum, your advisor’s compliance handbook should include:
- Employee education
- Password protection
- Encryption of data
- Software guidelines
- Where is client data kept?
- How do persons outside the office have access to customer data? (working from home, public wi-fi areas, etc).
- Physical protection
- Website safety
- Malware/antivirus protection
Any employee should respond to any query in the same way.
During an audit, an auditor verifies that all workers are following the compliance manual’s rules and recommendations. After all, if no one observes the rules, what use is the compliance manual?
For a lone adviser who does most (if not all) of their own work, this isn’t normally an issue.
If you’re a customer of a bigger business, though, one of the risk areas may not be the adviser, but the quality of the personnel. In a bigger business, the individual who actually processes your money transfer may not be the adviser, but rather a member of the support staff. It doesn’t matter what the adviser says to you if that individual isn’t adequately trained.
You shouldn’t receive two different responses on how to conduct a money transfer from two distinct employees in a well-run organization.
If the adviser says, “We’ll call to double-check before we transfer any money,” you should receive the same response from everyone else.
And if there are two or more persons who could perform the job, they should all be able to state the same thing. That indicates a company that follows established security standards. That company will most likely safeguard you against fraudsters and identity theft.
Your advisor’s security should be multi-layered.
Good security isn’t any ONE of these. It’s ALL of these, layered on top of each other: password protection, physical protection, private wi-fi connections, and so on, so that the firm becomes a hard target.
Your adviser should be able to transmit and receive papers in a secure manner.
Email is not included since it may be hacked. A customer portal on the firm’s website or a third-party provider with strict encryption requirements might be used.
Your adviser should assist you in maintaining personal security.
You’re just as strong as your weakest link when it comes to cybersecurity.
Scams involving the BEC are genuine. They’re particularly frightening because if your financial adviser falls for a con, it might have a direct effect on you. So speak to your financial adviser about the efforts they’re doing to secure you, your information, and your money.
Business email compromise is a type of cybercrime in which someone sends an email to your business, or to the people who hold your money, pretending to be you or someone you trust. The aim is usually to obtain a payment or sensitive information such as login credentials. This type of crime has been on the rise in recent years, and there are many ways for businesses and their clients to protect themselves from this threat.