Cyberattacks are an equal opportunity destroyer. They affect all firms, big and small. They affect individuals and corporations alike, and, they do not discriminate.
News of data breaches at major retailers like Target and Home Depot remind the public of the dangers affecting their credit card numbers. The media also reports on fraudsters misrepresenting themselves as working for the IRS, which leads to individuals unwittingly giving out their social security numbers via email or other electronic means.
While almost all broker-dealer and investment advisory firms recognize they need a plan to deter, prevent and detect cyber invasions, most advisors don’t seem to realize the vital role they play. That is a big misconception, as an advisor’s everyday routine can leave an opening for a scammer.
Here are some of the basic ways that a financial advisor can become victim of a cybersecurity attack:
- Opening an email that contains a virus—The majority of viruses are spread through email attachments or links embedded within an email. These emails might look like spam and therefore easy to detect. However, some emails known as phishing appear to come from a trusted source.
- Hacked email—This type of attack encompasses two distinct actions: First, scammers can hack an advisor’s account and send malicious attachments and links to her contacts; Second, once the hacker gets into the email, he can access the advisor’s personal information and contacts through previous email correspondence.
- Responding to an email from someone posing as a client. In this instance, an advisor receives an email from what appears to be a client’s email address and unbeknownst to her it is actually from a fraudster who hacked into the client’s email. The advisor follows instructions from the “client” within the email and inadvertently might change an address or even send out a wire transfer.
- Visiting a website infected with malware. An advisor surfing the web for research or educational materials might inadvertently end up on a website infected with “malware.” Malware is actually an abbreviation for malicious software—a program specifically designed to gain access to a computer without the knowledge of the user. Malware is often embedded in “adware” (forced advertising).
- Mobile Hacking. Today, most advisors store client contact information on their smartphones and/or tablets, and may even access to client accounts and therefore sensitive information via apps on their devices. A fraudster could obtain access to these devices via public Wi-Fi or through a stolen phone.
The first step in preventing these types of attacks is education. The compliance department and technology team should work together to ensure that advisors are informed as to how scammers and fraudsters can breach the inner sanctum. Even a firm with very sophisticated cybersecurity software can suffer a breach if their advisors don’t follow the rules set forth by the compliance/technology team. Any advisor who thinks that cybersecurity is a only a “firm” or “clearing firm” issue has not been educated on where the dangers lie. The risks should be highlighted not only in an annual compliance meeting but also in various types of meetings and communications throughout the year.
Meetings should focus on what advisors can do to stay safe and include the following recommendations:
- Don’t click on links to unknown destinations—It is hard not to click on a link provided in an email. For example, a client might send an advisor a friendly joke with a link to a video. While it is tempting to click on the link, it could have a disastrous outcome.
- Passwords kept safe and changed often—Hackers can get an advisor’s password by cracking their “code”. Using family names, pet names and birth dates as passwords is an easy way for hackers to gain access to an advisor’s email or other secure sites. Another way hackers get passwords is by sending an email with a login page that looks like an advisor’s email login page but is actually fake and once the username and password are entered the hackers have control of it. Best practice for an advisor is always to go to a trusted site from her web browser—never from a link in an email.
- Confirm verbally all client email requests—An advisor should always speak to the client to confirm an email even if they are positive it came from the client. Fraudsters are quite convincing and often replicate words and phrases commonly used in conversations to make them appear legitimate.
- Install anti-virus software and keep it up to date—This is one of the most important steps an advisor must take. An advisor’s firm might automatically install this software on all computers in the office, but in the case of independent advisor the software might very well be their responsibility.
- Don’t surf the web—Use firm sponsored sites and materials. Firms spend significant financial resources to get their advisors access to top-notch research, quotes and the like. There should be no reason for an advisor to use un-approved websites to do research.
- Never click on Internet advertisements—These are often “pop-up” ads on reputable websites that re-direct the user to malicious domains. Once there, a computer can easily become infected with malware, which can easily and swiftly spread to the entire network.
Simple steps can make the difference between keeping client data secure and suffering a cyber attack. Once advisors are properly educated they can take simple steps to help protect themselves, client data and corporate networks. Investing in education and remembering that compliance comes in many forms will lead to higher dividends in the long run.
Wendy Lanton is Chief Compliance Officer at Melville, NY-based Lantern Investments