Data breaches at Target and Neiman Marcus were certainly scary. Personal information from tens of millions of people fell into the hands of cybercriminals.
But an equally threatening and perhaps more personal attack is a hacker getting into your email and then using it to take money from your bank and brokerage accounts.
It is a problem that is increasing at all wealth levels, from individuals with small investment accounts to family offices that serve the wealthiest clients. Naureen Hassan, senior vice president of client experience at Charles Schwab, which is the largest custodian of independent advisers in the country, said the firm had seen a fivefold increase in email-related fraud over the last two years.
“The biggest type of fraud we see is the fraudster takes over the person’s email, and emails the adviser asking for urgent money,” Ms. Hassan said. “The other problem is related to clients storing signed pieces of paper in their email, which allows fraudsters to forge their signature.”
One of the better-known cases involved a client of GW & Wade, a Focus Financial Partners firm in Wellesley, Mass., that manages about $4 billion. The firm, which settled in October with the Securities and Exchange Commission, sent $290,000 of a client’s money in three separate wires to a foreign bank, in response to a hacker sending emails from the client’s account requesting the transfers.
The S.E.C. accused GW & Wade of not having adequate safeguards to prevent the thefts and fined it $250,000 for executing the transfers. In its censure of the firm, the agency required it to take remedial steps to increase data security.
“When alerted to the situation, we took immediate action and ensured our client was never at financial risk,” Neil Goldberg, a principal of the firm, said in a statement. “Since then, we have put into place both new systems and procedures to prevent any similar occurrence.”
While GW & Wade ended up being penalized financially and took a reputational hit, its mistake served as a warning to other independent advisers eager to respond to client requests.
A client of a Boston adviser said that he and his wife were traveling in Asia in the fall when their account was hacked and emails were sent to everyone at the adviser’s firm who had ever emailed him, asking for a wire transfer.
He said the adviser tried to contact him, unsuccessfully, and then reached out to his son to let him know what was happening.
“They read my emails, and they mimicked my tone for requests for money,” said the man, a retired financial services executive who requested anonymity. “The whole system appeared to be more sophisticated than these notes from Nigeria.”
The Nigerian prince email swindle, in which a supposed royal offers riches in exchange for a bank account number, is to today’s phishing scams what a Brother word processor from the 1980s is to a MacBook.
A security executive at a trust company told of a hacker who got creative in trying to fool the firm. The executive, who requested anonymity, said the firm received an email from a client’s account asking that $137,000 be wired to Italy to buy some art. He said this client was part of a large family that traveled frequently, so the request was not odd on its face. But he said the family had put a procedure in place in which no wires went out without a call being made to the person requesting the money.
The executive said clients can be frustrated by this level of bureaucracy, until someone they know gets hacked. “Once it’s happened to one of their family members,” he said, “it’s amazing how they’re much more accommodating.”
This is where the solution to a sophisticated swindle can sometimes be the simple action most people would take if a stranger knocked on their door at night: They would not answer it.
“I called my wealth manager and said, ‘If I emailed you to wire $25,000 to a third party or someone with the same last name as me, what do you do?’ ” said Ken Springer, a former F.B.I. agent who is now president of Corporate Resolutions, an investigations firm. “He said they would want to get a verbal confirmation, and they’ll document what phone number I used. Most reputable firms require that.”
It wouldn’t hurt to ask the same question of your wealth manager. Where some advisers slip up, though, is in thinking they have received several levels of verification when they have not.
“An email with an attached, signed letter is not enough because it’s all the same communication,” said Jeffrey R. Bedser, founder and chief executive of iThreat Cyber Group. “That’s not two forms, that’s one communication. There should always be a secondary verification.”
Beyond employing offline common sense, individuals need to be vigilant about how they use technology and about the systems their advisers have in place to prevent their accounts from being hacked or, if they are hacked, to keep their money from being transferred.
A common area where security breaches occur is an unsecured public wireless network, say in a coffee shop or park. People who commit fraud set up fake hot spots that will still give you access to the Internet but will capture, on the swindler’s computer, everything you do.
Another mistake is using your email address as your login for any banking or investment account. “You’re giving hackers half the battle,” said Bill Wyman, chief executive of Summitas, a firm that builds encrypted communications portals for financial services companies.