According to Greg Ruppert, Charles Schwab’s vice president of financial crimes investigations, there are only two types of firms: those that have been hacked, and those that don’t know it yet.
At a Wednesday morning cybersecurity panel during the IMPACT 2015 conference in Boston, Ruppert said this ignorance is a major reason hackers are such a threat to advisors. Financial services professionals need to be as vigilant with cybersecurity as they are with their own homes.
Gone are the days of 14-year-old hackers in their mothers' basements, or the poorly worded emails from Nigerian princes.
“This has turned into an organized enterprise,” Ruppert said. “These are sophisticated, well-written, targeted campaigns.”
The largest threat is still “spear phishing” attacks, where a criminal sends an email link designed to trick victims into clicking and giving away personal information. Ruppert, who had a career in the FBI’s cybercrime division before joining Schwab, said that out of the 2 billion emails sent every day, one in seven contains a phishing link.
Understanding how phishing and other fraud schemes work is paramount in preventing fraud, said Clyde Langley, another former FBI agent who is now Schwab's vice president of fraud prevention and investigations. Langley showed IMPACT attendees what Schwab is doing to fight cybercrime, including a new initiative to monitor the web for phishing scams utilizing the Schwab brand.
While Langley tried to put some minds at ease, Michelle Thetford, Schwab’s vice president of advisor services risk and control, said it comes down to advisors and their clients taking steps to protect themselves.
“The challenge with the whole cybersecurity thing is where do you start? You have a business to run,” Thetford asked, before delivering some good news. “Implementing proper controls can prevent 95 percent of external fraud your firm faces.”
Advisors can start by preparing staff in advance with workplace policies and education.
Thetford also provided examples of suspicious behavior that should be red flags that a client’s account was compromised.
Clients cannot be left out of the preparation process. Brokerage account fraud is very different from identity theft or credit card fraud, for example, as accountability isn’t always as easy to determine, and clients need to be aware of the difference.
Advisors should engage clients to do their own verification of activity, provide friendly reminders to update software and change passwords, and inform clients of their process for handling a security breach. Thetford said these little things go a long way, and could be the difference between keeping or losing a client following a cyber attack.