Tag Archives: Fraud

Client spoofing strikes again, RIA loses $290,000 of client funds

An RIA’s poor compliance procedures let hackers steal $290,000 of client funds

Financial advisers who aren’t prepared to defend against client spoofing attacks not only stand to lose client funds, but also face steep penalties from regulators.

FPPad readers have known since April 2012 that hackers are targeting financial advisers, masquerading as clients via email in a ruse to steal client funds.

Go read Why advisers can’t trust their clients anymore for a refresher of what spoofing attacks are and steps to defend them.

Spoofing Strikes Again

This week, several of the industry trade magazines broke the story about GW & Wade, a registered investment adviser based in Wellesley, Mass., regarding how hackers were able to steal $290,000 of client funds from the company. See RIA Fined By SEC After Hacker Uses E-Mails To Steal Client Funds from Financial Advisor magazine and SEC Sanctions 3 RIAs for Custody Rule Violations from Financial Planning magazine.

The lapse in compliance policies and procedures at the company also resulted in a civil penalty assessed by the SEC in the amount of $250,000.

Full details of the SEC Administrative Proceeding can be viewed here (opens a PDF in a new window).

Hackers Target Advisers

Hackers continue to target investment advisers because they’re the ones with the ability to direct fund transfers.

Solo advisers might not fall victim to a client spoofing attack so easily because they may detect right away that something about the client’s communication is just “not right.”

But when the same attack is deployed in a multi-billion dollar RIA with dozens of administrative employees, hackers have much better odds of success.

Convenience Creates Risk

Once again, according to the Administrative Proceeding, GW & Wade had hundreds of blank Letters of Authorization (“LOAs”) forms on file with only client signatures.

Only after a request was received would the company fill in the pertinent details on a pre-signed LOA and route it for processing.

The convenience of pre-signed LOA forms decreased the chances the company would suspect something wasn’t right with a client wire request. Instead of verifying the authenticity of the request, the company simply routed the pre-signed LOA forms with wire instructions included.

Although, one could argue that if GW & Wade DID try to obtain a client signature via email, following the spoofed client’s instructions, the attack still would have succeeded.

So assume for a moment that no pre-signed LOA forms existed, GW & Wade likely still would have fallen prey to client spoofing because the company would have tried to obtain a client signature via email. The hacker likely would have quickly complied using a signature cut and pasted from another document in the hacked email account.

Clearly, a separate factor of authentication is required to properly authenticate wire requests from clients (a secret phrase, a video chat, Why advisers can’t trust their clients anymore has more details).

Calculating Fees With Spreadsheets Is Hard

Also buried in the Administrative Proceeding is a note about excess fees charged by GW & Wade.

Allegedly since January 1, 2005, the company failed to exclude mutual fund class C share holdings in assets subject to the company’s advisory fee schedule.

The company likely was already receiving 12b-1 fees from the C share holdings, but evidently was “double dipping” by charging the firm’s advisory fee on the same C shares once again.

I have no additional details on the matter, but let’s assume that advisory fees were calculated using a spreadsheet loaded with the value of client holdings for each quarter.

If that spreadsheet isn’t designed to specifically recognize C share mutual fund holdings (which, quite frankly, opens up a Pandora’s box of trouble on its own) and exclude them from the advisory fee calculation, then it’s far too easy to roll up those C share holdings among all the other assets and calculate the fee due.

For GW & Wade, the company now has one year to reimburse in full every client affected by the excess advisory fees charged. That means going back over more than eight years of billing history to determine what the amount of excess fee was charged to each client, quarter by quarter, and credit each client accordingly. That applies to both current and former clients!

So for former clients, how many of you retain holding balances and pricing information indefinitely?

Talk about a huge big data challenge.

FPPad Bits and Bytes for February 8

The 2013 T3 ConferenceToday I’m headed out early to the T3 conference in Miami, FL. Stop by and say hi if you’re attending; I’m speaking on Tuesday at 1:15pm (Defending Your Business from Hackers) and 2:40pm (Current Technology Trends) and again on Wednesday at 8am (File Sharing and Collaboration Software).

Here are this week’s stories of interest:

Ten Tips That Could Prevent Cyber Criminals from Hijacking Client Data from WealthManagement.com

[Remember the Phishing, Hacking, and Spoofing article I wrote here last year? See: Why advisers can’t trust their clients anymore. Now a bunch of the major financial trade publications are picking up the story on ways advisers need to protect their business and their clients’ personal information, because hackers are exploiting holes in security and are stealing money.] As tablet ownership continues to grow—doubling since 2011—and more than half of U.S. consumers owning a smartphone, according to a 2013 Forrester Research report, advisors need to be more vigilant about data security now more than ever. Below are 10 easily implemented safeguards that could prevent advisors becoming an easy target for cyber thieves.

Windows 8 Review: 5 Things to Know from Financial-Planning.com

[Joel Bruckenstein wrote this good review of Windows 8 and the pros and cons the new operating system offers to financial advisers (See: Windows 8 for financial advisers: Pros and cons from FinFolio CEO Matt Abar). I admit, I couldn’t convince myself to personally buy a copy of Windows 8 to try it on my own. I know, I know, I’m a technology consultant, and I should have experience with ALL software systems available, but still… it’s a Microsoft product, and I stopped using their OS in 2011. Nevertheless, you will likely need to replace an aging Windows machine, and Windows 8 is about your only reasonable option for the OS.] Whenever Microsoft releases a new operating system, it is a significant event. And the latest edition of its operating system, Windows 8 – designed to work on desktop computers, laptops, tablets and smartphones – is much more than a PC operating system.

Why advisers can’t trust their clients anymore

“Spoofing” is on the rise and RIAs are becoming targets of clients that are not who they appear to be.

What seemed like ordinary correspondence from a client quickly became a compliance nightmare for one Dallas-based wealth management firm.

I recently spoke with an executive from the Dallas-based firm who asked to remain anonymous due to ongoing investigations about the incident. This person described how the firm received a wire request from a client via email, so the firm replied by sending the appropriate form for a client signature. A few hours later the form was returned and the signature was compared with another from a prior wire request already on file. Everything looked to be in good order.

But unfortunately for all parties involved, the wire request was not from the actual client, but from someone who had broken in to the client’s email account.

Client Spoofing 

It turns out this scenario is not unique, as over a half-dozen cases involving Dallas/Ft. Worth-based RIAs have been reported since the beginning of the year.

In the latest scheme to defraud individuals, hackers are using “spoofing” techniques to impersonate others who have relationships with professional financial advisers. Spoofing is commonly accomplished by obtaining a client’s email account password through keylogging software or by substituting indistinguishable characters in valid email address (e.g. lower-case “l” and a capital “I”). In either case, the hacker attempts to exploit the existing trusted relationship with the adviser who has no reason to be suspicious of a request to transfer funds.

In addition to client impersonation through email, some hackers are going so far as to activate call forwarding on a client’s personal cell phone account, meaning that confirming a client’s wire instructions via phone may not always guarantee the person on the other end is who they say they are. The boldest of hackers are calling in directly to advisory firms, spoofing Caller ID, and verbally requesting wire transfers.

If a firm’s back office staff has little or no contact with certain clients, employees have little opportunity to properly validate the identity of the individual calling in.

Combating Spoofing

Since you can no longer trust the authenticity of all correspondence received from clients, either by email or phone, what can you do to protect yourself and your clients from spoofing activity?

There’s no clear consensus on best practices to combat client spoofing. Remember that verifying instructions by placing a phone call can be insufficient if the hacker is able to activate call forwarding on a victim’s phone.

One recommendation is to follow the authentication practices of large banks and credit card companies. When you call in as a customer, you’re asked for a secret word or phrase in addition to your account information to proceed with any assistance. While one’s mother’s maiden name is often the typical security word, I would advise against using it for your authentication process.

You may want to update your policies and procedures to ask for clients’ secret phrase before processing fund transfers of any kind. Keep this secret phrase secure and confidential, likely included in your password-protected CRM software next to your client’s contact record.

Also, in the age of camera-equipped mobile devices, a video chat to confirm wire instructions is a better way to verify a client’s identity versus a standard phone call. Still, the employee at the advisory firm must know what the client looks like before contacting him/her to verify instructions!

If You’re Targeted

If you believe your firm is the target of client spoofing, one good place to report the incident is the Internet Crime Complaint Center, or IC3 (http://www.ic3.gov/). IC3 is a partnership between the Federal Bureau of Investigation (FBI) and the National White Collar Crime Center (NW3C) and aggregates incident reports to allocate investigative resources accordingly. Often, the FBI or the Secret Service will get involved in cases involving spoofing of investment adviser clients.

Educate Clients

Finally, one weak link in most spoofing scenarios is a client’s password credentials to web-based email accounts. A value-add service you can provide to clients is education on how to best protect login and password credentials. Sage advice includes never entering credentials using an unknown computer, such as a public computer in a hotel business center.

Also, an increasing number of web-based email providers allow users to enable multi-factor authentication to the login process. I addressed multi factor authentication in this Morningstar Advisor column, which requires users to authenticate their login activity through a second device, typically via SMS text messages. Even many credit card companies are employing this additional verification process to their systems.

So don’t fall victim to the next spoofing attack your firm encounters. It’s not a question whether if an attack will occur, but rather when.

More resources on spoofing:

 

Weitzman Sentenced To 97 Months In Prison; Be Vigilant Against Fraud

FPPad has followed the story of Matthew Weitzman beginning in April 2009 when charges of “certain irregularities in a limited number of client accounts” were brought against him.

See our previous entries:

According to Ron Leiber at the New York Times (Ron and his family were former clients of Weitzman), Weitzman was  sentenced to 97 months in prison yesterday.

Click here to read the entry in the New York Times Bucks blog.

Again, I can only stress how important it is to have clearly defined processes as to how your firm fights fraud. Take the opportunity to tell clients what you do and how you keep staff responsible for the safeguarding of client assets. A dose of proactive communication can go a long way when so many stories are being published about advisers accused of stealing from their clients.

Weitzman’s Right to Use CFP® Certification Mark Suspended

Several months ago FPPad chronicled the activities of Matthew Weitzman (Anti-Fraud Measures Your Practice Needs and Follow Up to Fraud Prevention Practices) after the SEC alleged that Mr. Weitzman misappropriated client funds through a series of unauthorized transfers.

Today, CFP Board announced that it issued an Interim Suspension Order to Mr. Weitzman suspending his right to use the CFP® certification marks. The suspension was issued because “Mr. Weitzman failed to respond to CFP Board’s Order to Show Cause within 20 calendar days, as required by CFP Board’s Disciplinary Rules and Procedures,” according to CFP Board.

CFP Board’s will complete further investigation on the claims and likely issue further action, but until then, Mr. Weitzman is no longer able to use the CFP® certification marks in any literature, advertisements, or correspondence.

NAPFA Addresses Former Member Accusations in Open Letter

In an open letter to NAPFA members and friends, Diahann Lassus, National Chair of NAPFA, addresses what the organization of fee-only planners is doing in light of recent accusations brought against several former members.

In the letter, Lassus writes:

Rest assured, NAPFA is not ignoring the accusations made against our former members, and we will continue to do what is right for our members, for our industry, and for the consumers we all serve. This commitment has guided us for more than 26 years and will continue to guide us well into the future.

See the entire letter by clicking here (PDF at NAPFA.org).

Follow Up to Fraud Prevention Practices

This is a quick follow up to my post Anti-Fraud Measures Your Practice Needs where news of “irregularities” in accounts managed by Matthew Weitzman of AFW Wealth Advisers was highlighted in the New York Times.

It turns out the Mr. Weitzman is facing very serious charges. Here’s a snip from an InvestmentNews article released today:

Earlier today, the U.S. attorney’s office for the Southern District of New York in Manhattan and the New York office of the FBI said they charged Matthew Weitzman, 43, of Armonk, N.Y., with one count of investment adviser fraud and six counts each of securities fraud and wire fraud.

He also faces charges from the Securities and Exchange Commission over the alleged theft of client funds.

Click here to view the full story at InvestmentNews.

It’s unfortunate to see anyone take advantage of clients, and it’s even worse when the individual in this case once had an affiliation with NAPFA, a group of respected fee-only financial advisers.

So again, take this opportunity to communicate to your clients about the processes and procedures you have in place to prevent fraud and protect your clients’ interests.

Anti-Fraud Measures Your Practice Needs

A story from New York Times personal finance columnist Ron Lieber quickly traveled through the Twitter universe and landed in my inbox.  Lieber is a client of NAPFA-member AFW Wealth Advisors and was informed by the firm that one of their advisers, Matthew Weitzman, is under investigation for “certain irregularities in a limited number of client accounts.”

See the NYTimes article here.

Also, see coverage from Roger at The Passionate Planner and Andrew Gluck at Advisor Blog Central.

Let’s face it. Your clients may very likely see this article. Once they do, they’re going to ask you what you are doing to protect their accounts from this kind of fraud.

How Advisers Can Steal Funds

Read More…