Ambush Phishing: Don’t let it happen to you

Inspired by nature, hackers have developed a new stealthy technique to dupe their victims: “Ambush phishing”

Some of the most successful predators in the animal kingdom are not the biggest, strongest, or fastest. Rather, these predators have evolved techniques to conceal their presence: lying motionless, they patiently wait for prey to wander within striking range before launching their attack.

These predators are known as ambush predators, and online hackers are turning to such techniques to attack their victims.

Phishing Tactics

Phishing techniques are now fairly well-known among the internet community. Attackers attempt to obtain sensitive information such as bank account numbers, credit card information, or online passwords by sending requests disguised as legitimate correspondence from a trusted entity. Attackers then use the information they receive from victims to gain access to email and/or financial accounts to continue their attack, often stealing money from their victims.

To increase the efficacy of phishing, attackers target specific individuals in a practice called spear phishing, leveraging details learned about the target so that the fraudulent request appears just as legitimate as the requests the victim typically encounters.

As victims become more aware of phishing and spear phishing techniques, attackers are now implementing techniques I call ambush phishing.

Ambush Phishing

Ambush phishing has rapidly increased in prevalence this year among individuals buying homes in the United States. The majority of home purchases are funded with some kind of cash down payment, and that down payment is frequently sent by a wire transfer between the buyer’s bank and an escrow company.

Attackers exploit this known process of wiring funds to an escrow company by targeting individuals involved in the home buying process, specifically the real estate agent representing the buyer and/or the escrow company involved in supervising the transaction. Ambush phishing is the second step of the attack, as hackers first need to compromise communication channels by gaining access to the buyer’s agent’s email account or that of the escrow company.

Ambush phishers monitor correspondence in the compromised email accounts and wait until the day the down payment is expected to be wired. Typically, the escrow company sends its wire instructions and account information to the buyer, who then instructs his/her bank to wire money to a specific destination, but real estate agents can also provide the information as a courtesy to their clients.

Shortly after seeing the legitimate wire instruction correspondence sent to the buyer, attackers will send a new message to the buyer masquerading as a follow up message. In the forged follow up message, attackers apologize for originally sending incorrect wire instructions for the transfer, and instead offer new wire instructions that are the ones to be used.

To increase the efficacy of the ambush phishing, attackers will often add language about the time sensitive nature of the wire transfer and that the transfer needs to be completed immediately or the entire home transaction may be jeopardized, resulting in the buyer losing the home of his/her dreams.

Because of the time pressure, victims often do not think to verify the wire instructions by first contacting the escrow company or real estate agent by phone or in person. Attackers will also likely wait until a few minutes before the bank’s wire transfer cutoff time for the day (information that is generally available on most major bank websites). If the cutoff time coincides with the escrow company’s closing business hours, a buyer who does try to call may not reach an employee who can authenticate the instructions!

The odds of recovering funds wired to the attacker’s bank decrease significantly as time goes by, and the options to interrupt or reverse a wire transfer vary widely across financial institutions. The best defense, then, is to identify and stop an ambush phishing attack before the wire transfer is submitted.
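The pattern described above (a follow-up in an existing thread that “corrects” wire instructions sent earlier, usually paired with urgency language) is mechanical enough to check for automatically, whether in a mail gateway or in a simple script a buyer’s bank or title company runs over a closing thread. The following Python script is an added example written for this article; it is not code from the original post or from any vendor. It runs over a constructed email thread (the addresses, bank details and wording are all made up) and flags any message whose payment details differ from what the same sender provided earlier, that claims earlier instructions were wrong, or that pushes the recipient to act before a cutoff. A flagged message should trigger an outbound phone call, never a wire. The same check applies to the client-spoofing wire requests covered further down this page.

```python
import re
from dataclasses import dataclass

# Loose patterns for US routing (ABA) and account numbers as they appear in
# plain-text wire instructions. Labels vary, so the label is matched loosely.
ROUTING_RE = re.compile(r"(?i)\b(?:routing|aba)\s*(?:#|no\.?|number)?\s*[:\-]?\s*(\d{9})\b")
ACCOUNT_RE = re.compile(r"(?i)\baccount\s*(?:#|no\.?|number)?\s*[:\-]?\s*(\d{6,17})\b")

# Phrases typical of the forged "follow-up" and of the pressure applied in it.
CORRECTION_PHRASES = ("incorrect", "corrected", "updated wire", "new wire", "disregard", "revised")
URGENCY_PHRASES = ("immediately", "right away", "asap", "before the cutoff", "today", "jeopard")


@dataclass
class Message:
    sender: str   # From address as seen by the recipient
    subject: str
    body: str


def extract_wire_instructions(text):
    """Return (routing, account) if the text carries a complete set of wire instructions, else None."""
    routing = ROUTING_RE.search(text)
    account = ACCOUNT_RE.search(text)
    if not routing or not account:
        return None
    return routing.group(1), account.group(1)


def review_thread(messages):
    """Flag messages in a thread whose wire instructions must be verified out of band.

    Returns a list of (message_index, [reasons]). Only messages that actually
    contain wire instructions are considered; chatter about the closing is ignored.
    The first instructions seen from a sender become that sender's baseline, so a
    later "correction" from the same (possibly compromised) mailbox stands out.
    """
    first_instructions = {}   # sender -> first (routing, account) seen from that sender
    findings = []
    for idx, msg in enumerate(messages):
        instructions = extract_wire_instructions(msg.body)
        if instructions is None:
            continue
        text = f"{msg.subject} {msg.body}".lower()
        reasons = []
        baseline = first_instructions.setdefault(msg.sender, instructions)
        if instructions != baseline:
            reasons.append("bank details differ from earlier instructions from the same sender")
        if any(p in text for p in CORRECTION_PHRASES):
            reasons.append("message claims earlier instructions were wrong")
        if any(p in text for p in URGENCY_PHRASES):
            reasons.append("pressure to act before a deadline")
        if reasons:
            findings.append((idx, reasons))
    return findings


# Constructed sample thread (all names, addresses and numbers are made up).
SAMPLE_THREAD = [
    Message("closing@example-escrow.test", "Wire instructions for 12 Elm St closing",
            "Please wire your down payment to:\n"
            "Bank: First Example Bank\nRouting number: 111000025\nAccount number: 4001234567\n"
            "Let us know once the wire has been sent."),
    Message("agent@example-realty.test", "Re: Wire instructions for 12 Elm St closing",
            "Great news, we are on track to close Friday. Call me with any questions."),
    Message("closing@example-escrow.test", "Re: Wire instructions for 12 Elm St closing",
            "Apologies, the instructions sent earlier were incorrect. Please use the updated wire\n"
            "instructions below and send the funds immediately, before today's cutoff, or the\n"
            "closing may be jeopardized.\n"
            "Bank: Second Example Bank\nRouting number: 222000046\nAccount number: 9987654321"),
]

if __name__ == "__main__":
    for idx, reasons in review_thread(SAMPLE_THREAD):
        print(f"message {idx} from {SAMPLE_THREAD[idx].sender}: VERIFY BY PHONE BEFORE WIRING")
        for reason in reasons:
            print("  -", reason)
```

Only the third message is flagged, and for all three reasons. The keyword lists are deliberately crude; the durable part of the check is the baseline comparison, because a change of bank details inside an existing thread is rare in legitimate transactions and is exactly what this attack depends on.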

I found several examples of ambush phishing exploits covered in recent publications:

Defending Against Ambush Phishing

I see two main methods to defend against ambush phishing: Two-factor/multi-factor authentication (2FA or MFA) and outbound verification.

Generally, ambush phishing begins by compromising the email accounts of real estate agents or escrow companies. One of the better defenses for those accounts is to enable two-factor authentication: in addition to the correct login credentials, the user must enter a one-time code obtained through a second method, typically a mobile device. A popular two-factor authentication solution is the Google Authenticator app for iOS and Android.

Google Authenticator is arguably a better verification solution than codes delivered via SMS, because attackers have reportedly succeeded in taking over mobile phone numbers by tricking cellular carriers into porting the victim’s service to another SIM card. Google Authenticator is a software token: the code is computed on the device from a shared secret and the current time, so nothing is sent over the cellular network and a ported phone number yields the attacker nothing. (A one-time code of either kind can still be captured if the user is tricked into typing it into a fake login page, so treat the code as a second line of defense, not a substitute for checking where you are signing in.) So wherever possible, enable two-factor authentication using a software token app such as Google Authenticator for your accounts that contain sensitive information.

The second method to defend against ambush phishing is developing the habit of outbound verification. In the home buyer example above, a customer who makes an outbound phone call to the real estate agent or escrow company involved in the transaction can verify the wire instructions verbally. Use a phone number obtained independently of the email (from the signed purchase agreement or the company’s published number), never one printed in the message itself, since an attacker who controls the thread can supply a phone number just as easily as a bank account number.

A problem with relying on inbound phone calls for verification is that attackers can spoof the caller ID displayed on the incoming call and pretend to be an employee of the real estate agency or the escrow company. Information about company employees is often accessible through the company’s website or a quick LinkedIn search, which makes the impersonation convincing. Note that inbound calls are also used by attackers who claim to represent Microsoft or other computer companies in order to get victims to install malware on their computers.

Be Prepared

Now that you are familiar with the technique of ambush phishing, you are better prepared to resist becoming a victim of these clever attacks.

Have you encountered an ambush phishing attack in your work? Also, what other ways do you recommend protecting accounts from ambush phishing? Share your insights in the comments below or reach out to me on Twitter, I’m @billwinterberg.

FileThis launches document and client portal for financial professionals

FileThis enhances document fetch capabilities with a client portal for financial professionals. Image courtesy of FileThis, Inc.

FileThis automates the collection and archiving of clients’ important records

FileThis, a startup based near Silicon Valley, released a version of its electronic document retrieval and storage service for financial professionals.

In a broadcast last year (watch FPPad Bits and Bytes for August 16), I highlighted FileThis Fetch, a service that connects to users’ financial accounts to capture electronic statements and PDF files, routing them to the user’s storage service of choice, including Evernote, Dropbox, Personal, and Google Drive.

FileThis Client Portal

Aimed at reducing lost or undelivered documents by clients, the FileThis Document and Client Portal uses the company’s same Fetch process to capture files from a variety of financial institutions including banks, credit card companies, investment accounts, and more.

The new Document and Client Portal adds administrative features financial advisers should find very useful. Advisers can send clients invitations to use the FileThis platform directly from the dashboard.

Once clients activate their accounts, they can begin to link financial accounts to FileThis so the platform can fetch related documents and statements.

Automatic Organization

FileThis attempts to automatically identify and categorize documents fetched by the platform to sort them into meaningful categories.

Documents can be stored in cabinets that correspond to high-level categories such as education, financial, and vital records.

Documents are also identified by accounts using vendor names like AT&T and Bank of America. Finally, individual documents are tagged with metadata to identify the content of the document, including bills, statements, invoices, and more.

Security

Any service that retrieves and stores sensitive financial information must have high security protections in place.

FileThis says it follows “bank-level” security procedures to protect the information it stores.

According to the company, data to and from FileThis is sent using 256-bit SSL (that is, TLS with a 256-bit cipher), and stored account credentials are encrypted with AES-256. Keep in mind that FileThis has to present those credentials to each institution to fetch documents, so the service itself must be able to decrypt them; how the decryption keys are protected matters as much as the cipher. Much more information on the FileThis security features can be found on this page: https://filethis.com/security/

Pricing

With the launch of FileThis Documents and Client Portal, FileThis is offering introductory pricing for new users.

The starter plan is $49 per month for one admin, and the admin account permits up to 50 login accounts for end users, i.e. clients.

Firms that need more accounts for clients should consider the $99 per month plan with two admin accounts and support for up to 400 client logins.

Pricing information for more than 400 client logins can be viewed at the bottom of this page: https://filethis.com/pro/

Riskalyze announces Compliance Cloud to pinpoint risky portfolios

Riskalyze announces the launch of Compliance Cloud for broker-dealers and large RIAs

Riskalyze Compliance Cloud aims to single out portfolios that drift outside a client’s risk tolerance

In a press release today, Riskalyze, the provider of client risk tolerance quantification tools, announced the anticipated launch of Compliance Cloud, a utility that identifies portfolios that are outside their risk tolerance ranges established for individual investors.

Compliance Cloud was first announced by Riskalyze CEO Aaron Klein at the Laser App 2014 conference last month in San Diego. Today’s press release sheds additional light on the benefits Compliance Cloud offers to its institutional users.

Pinpoint Risk

Compliance Cloud aims to reduce the number of unsuitable portfolio allocations applied to client accounts by automatically screening the allocations advisers establish for clients and comparing the amount of risk in each portfolio with that client’s risk score (likely the Risk Number™ generated by a Riskalyze assessment).

“Fortunately, with Compliance Cloud, the era of the ‘random account spot-check’ is officially over.” Aaron Klein, Riskalyze CEO

Any portfolios found to significantly exceed the client’s risk tolerance (or be significantly below) will be flagged by Compliance Cloud for further review. Not only is this automated risk scanning useful to individual advisers and broker-dealer representatives, Compliance Cloud will be a welcome feature for any institutional compliance officer responsible for oversight on thousands of the institution’s representatives.

‘Big Data’ for broker-dealers and institutions

Compliance Cloud is intended for use by broker-dealers and large registered investment advisory firms. Once again, these institutions typically have oversight over thousands, and potentially millions, of investor accounts, and manually identifying risk characteristics of investor portfolios is costly and inefficient.

Riskalyze takes advantage of the general adoption of “big data,” where useful insight and information is extracted by processing large volumes of disparate data spread across multiple systems. In Compliance Cloud, Riskalyze uses risk analytics obtained from millions of individual client portfolios and compares the data with risk tolerance data identified during the client data gathering and on-boarding process.

Historically, financial institutions and compliance officers lacked the tools to programmatically assess millions of holdings each day. Instead, client portfolios were selected at random and then spot-checked against the client’s (often incomplete or outdated) risk tolerance information.

Orion Advisor Services Integration

According to Klein, Compliance Cloud has been in beta testing for several months, with general release anticipated in October this year. In addition, Orion Advisor Services, the nation’s largest privately held portfolio accounting service bureau, was identified by Riskalyze as “the premier launch partner” for Compliance Cloud.

Compliance Cloud will be made available directly to Orion Advisor Services’ RIA clients where advisers can take advantage of the integration of reconciled portfolio accounting data, avoiding duplicate or manual entry of client holding information into Compliance Cloud.

Pricing for Compliance Cloud was not disclosed in the company press release, so check back in here at FPPad for more updates as this product enters the market.

Who supports two factor authentication? Find out in this awesome chart

Find out who supports two factor authentication in this awesome chart

Two factor authentication significantly boosts the security of online accounts. Find out who supports the technique.

The damage to your business can be significant if hackers get a hold of your username and password to an online account. Once inside your program, whether it be your online CRM, portfolio accounting software, bookkeeping service, or even custodial dashboard, hackers can perform any number of nefarious activities.

So how do you increase your defenses against attacks and increase the security of your online accounts?

Use two factor authentication (see Boost your online security with two-factor authentication at FPPad)

Where is two factor authentication supported?

Sure, you understand how important two factor authentication is in protecting your online accounts from unauthorized access.

But WHICH online account providers actually support the technique?

I came across a terrific new resource online that spells out, industry by industry, who does and does not support two factor authentication.

The site is twofactorauth.org and it’s worth checking out when you have a moment.

You may discover several services you already use today that support two factor authentication, but you’re not yet using it.

So go visit twofactorauth.org and boost your online account security.

How Vestorly transforms advisers’ web presence into qualified leads

Vestorly uses “smart data” techniques to convert advisers’ online audience into qualified leads

I recently met with Justin Wisz, co-founder of Vestorly, to learn more about the company’s technology offering to financial advisers.

Vestorly is a content marketing platform designed to enhance client acquisition for financial professionals. What does that mean in plain English? Wisz explains in the video interview above.

“Smart Data”

Vestorly helps financial advisers publish content online from a variety of aggregated sources (all compliance approved!) targeted to the interests of clients and prospects. Featured sources include personal finance content from Kiplinger.

As the adviser’s online audience grows, Vestorly captures lead information such as names and email addresses and then uses “smart data” techniques in the background to further associate leads with demographic information.

One goal of Vestorly is to generate measurable ROI from the online marketing efforts pursued by advisers.

Any activity in digital communications without a lead generation aspect is, frankly, a little bit of a waste of time and resources

– Justin Wisz, Vestorly co-founder

Vestorly is Free

Vestorly offers curated content from a variety of sources, smart data aggregation techniques, and compliance tools all in one platform, so how much does it all cost?

For individual advisers, Vestorly is free.

So why is Vestorly free for individual advisers? Watch the follow up video below to hear from Wisz.

According to Wisz, Vestorly combines a number of existing technologies common in online marketing, but not yet present among the financial services industry.

“Much of Vestorly is what we call status quo technology,” said Wisz.

“We think [that technology] should be free, especially for advisers who are just getting started with marketing in financial services,” he added.

Vestorly for the Financial Enterprise

But beyond individual adviser use, Vestorly is also built to suit the needs of large financial enterprises.

Vestorly’s enterprise relationships focus on integrations and expanding the utility of the content generation and lead generation functions.

In the extended interview below, Wisz describes how financial enterprises (e.g. broker-dealers and large RIAs) can complement existing archiving and social media systems by tapping the Vestorly API for expanded features.

“I would see Vestorly as a major complement to all the things that [broker-dealers] already have in place,” said Wisz.

“They’re now allowing reps to blog, send out email marketing, or do some social media marketing, but now it’s time to find out what they can get back,” Wisz added.

Client spoofing strikes again, RIA loses $290,000 of client funds

An RIA’s poor compliance procedures let hackers steal $290,000 of client funds

Financial advisers who aren’t prepared to defend against client spoofing attacks not only stand to lose client funds, but also face steep penalties from regulators.

FPPad readers have known since April 2012 that hackers are targeting financial advisers, masquerading as clients via email in a ruse to steal client funds.

Go read Why advisers can’t trust their clients anymore for a refresher on what spoofing attacks are and the steps to defend against them.

Spoofing Strikes Again

This week, several of the industry trade magazines broke the story about GW & Wade, a registered investment adviser based in Wellesley, Mass., regarding how hackers were able to steal $290,000 of client funds from the company. See RIA Fined By SEC After Hacker Uses E-Mails To Steal Client Funds from Financial Advisor magazine and SEC Sanctions 3 RIAs for Custody Rule Violations from Financial Planning magazine.

The lapse in compliance policies and procedures at the company also resulted in a civil penalty assessed by the SEC in the amount of $250,000.

Full details of the SEC Administrative Proceeding can be viewed here (opens a PDF in a new window).

Hackers Target Advisers

Hackers continue to target investment advisers because they’re the ones with the ability to direct fund transfers.

Solo advisers might not fall victim to a client spoofing attack so easily because they may detect right away that something about the client’s communication is just “not right.”

But when the same attack is deployed in a multi-billion dollar RIA with dozens of administrative employees, hackers have much better odds of success.

Convenience Creates Risk

According to the Administrative Proceeding, GW & Wade had hundreds of blank Letter of Authorization (“LOA”) forms on file bearing only client signatures.

Only after a request was received would the company fill in the pertinent details on a pre-signed LOA and route it for processing.

The convenience of pre-signed LOA forms decreased the chances the company would suspect something wasn’t right with a client wire request. Instead of verifying the authenticity of the request, the company simply routed the pre-signed LOA forms with wire instructions included.

One could argue, though, that the pre-signed forms were not the decisive weakness. Even if no pre-signed LOA forms had existed, GW & Wade likely still would have fallen prey to client spoofing, because the company would have tried to obtain a client signature via email, following the spoofed client’s instructions. The hacker could have quickly complied with a signature cut and pasted from another document in the hacked email account.

Clearly, a separate factor of authentication is required to properly authenticate wire requests from clients (a secret phrase, a video chat, Why advisers can’t trust their clients anymore has more details).

Calculating Fees With Spreadsheets Is Hard

Also buried in the Administrative Proceeding is a note about excess fees charged by GW & Wade.

Allegedly since January 1, 2005, the company failed to exclude mutual fund class C share holdings in assets subject to the company’s advisory fee schedule.

The company likely was already receiving 12b-1 fees from the C share holdings, but evidently was “double dipping” by charging the firm’s advisory fee on the same C shares once again.

I have no additional details on the matter, but let’s assume that advisory fees were calculated using a spreadsheet loaded with the value of client holdings for each quarter.

If that spreadsheet isn’t designed to specifically recognize C share mutual fund holdings (which, quite frankly, opens up a Pandora’s box of trouble on its own) and exclude them from the advisory fee calculation, then it’s far too easy to roll up those C share holdings among all the other assets and calculate the fee due.

For GW & Wade, the company now has one year to reimburse in full every client affected by the excess advisory fees charged. That means going back over more than eight years of billing history to determine what the amount of excess fee was charged to each client, quarter by quarter, and credit each client accordingly. That applies to both current and former clients!

So for former clients, how many of you retain holding balances and pricing information indefinitely?

Talk about a huge big data challenge.

Live chat for advisers: chat your way to business growth

Financial advisers can use live chat tools provided they first address compliance and productivity issues

Financial adviser websites can offer live chat tools for client and prospect communication.

As you visit more business websites online, you’ve likely noticed those pop-up windows in the bottom corner inviting you to a live chat. You can use live chat features for all sorts of things, including asking questions about a product, getting help from customer service, or simply submitting general feedback about a recent service experience.

Financial advisers can also leverage this trend in live chat communication with website visitors of all kinds, including clients and prospects.

This month’s column at Morningstar Advisor covers this trend that few advisers are taking advantage of today, but has the potential to be used by a much larger audience in the near future.

Read Live Chat for New Clients now to learn about the compliance concerns of live chat as well as the challenge of maintaining personal productivity in the face of potential distractions.

ShareFile adds SEC and FINRA compliance capabilities with Archiving for Financial Services

The popular online file sharing service meets regulatory record-keeping requirements with latest archiving functionality

ShareFile Archiving for Financial Services

In a press release today, ShareFile, the online file sharing service owned by Citrix, announced the availability of its Archiving for Financial Services compliance feature.

ShareFile, my 2012 Morningstar Advisor Best Back-Office Technology award winner, has been popular among financial advisers for its online file storage functionality much like Dropbox, Box, SugarSync, Google Drive, Microsoft SkyDrive, and many more.

But ShareFile’s focus on the specific needs and regulatory requirements of professionals in financial services has helped the company gain a sizable following relative to the generic competition.

According to the press release, ShareFile Archiving for Financial Services helps financial advisers satisfy SEC and FINRA record-keeping requirements “by offering retained, indexed, auditable and searchable records of client communications for the period required or longer.”

Below is a video from ShareFile with an overview of Archiving for Financial Services.

Consolidating Two Systems

Typically, advisers who use online file sharing services to exchange documents with clients and prospects maintain two separate systems in their back office.

One system is the online file sharing service that does just that; facilitates file sharing with individuals outside the adviser’s network infrastructure.

But most advisers then maintain a second system that satisfies the record-keeping requirements imposed by the SEC and FINRA. Two systems are necessary because consumer file sharing services (e.g. Dropbox) just aren’t built with regulatory record-keeping requirements in mind.

For advisers using ShareFile Archiving for Financial Services, two systems should no longer be necessary to satisfy the record-keeping requirements.

A Document Management Solution?

With the addition of Archiving for Financial Services, is ShareFile now a contender among document management providers?

I believe the answer is no.

Archiving for Financial Services is a very useful addition, and it will eliminate the need to run two separate systems to facilitate file sharing and to maintain adequate record-keeping systems. But document management requires more than just indexed, auditable, and searchable records of client communications.

Document management systems offer metadata tagging and document profiling for every record stored in the system, and automated workflow is also frequently supported.

So for advisers who lack a true document management system (and surveys consistently show that there are a large number of such firms), ShareFile combined with Archiving for Financial Services is a convenient way to get two features from the same product.

But for firms already using document management systems with native record-keeping compliance, Archiving for Financial Services is unnecessary.

Nevertheless, ShareFile’s ease of use and mobile device compatibility still makes it a strong contender for online file sharing with clients, prospects, and colleagues.

For more details about Archiving for Financial Services, visit the ShareFile Blog and read New feature allows ShareFile to help financial firms achieve compliance

How to hide LinkedIn Endorsements on the new LinkedIn profile design

Financial advisers now have two easy ways to hide LinkedIn Endorsements and reduce compliance risks.

Several weeks ago I raised concern over the new LinkedIn profile design, as there appeared to be no way to hide LinkedIn Endorsements from your public profile (see: New LinkedIn profiles raise compliance concerns as there appears to be no way to hide endorsements).

This was especially problematic for my audience of financial advisers, as FINRA and SEC regulations prohibit the use of information that can be construed as a testimonial.

Fortunately, LinkedIn’s new profile design now offers two options to hide endorsements from your public profile. Watch the 2:00 screencast below to see how it’s done.

ArchiveSocial delivers authentic social media capture for financial advisers

When you get asked by the SEC, FINRA, or your broker-dealer for the last six months of your social media posts, what are you going to provide? How will your auditor make heads or tails out of your social media posts if they look nothing like the ones posted on public sites like Facebook, LinkedIn, or Twitter?

One company wants to simplify the way social media messages are captured and displayed, giving advisers peace of mind knowing their archives can be reviewed easily by auditors.

That company is ArchiveSocial, and I recently connected with ArchiveSocial founder and CEO Anil Chawla to learn more about how they capture social media updates in what Chawla calls their “natural, authentic form.”

Click here to learn more about ArchiveSocial’s solutions for financial services.

In the podcast below, hear Chawla discuss the drawbacks of several existing solutions from vendors, the benefits of a “carbon copy” approach to archives, and an overview of ArchiveSocial pricing.

If you decide to purchase a full-year subscription, you can save 10% by using the code FPPAD12 (not an affiliate code).