Tag Archives: Hacking

FPPad Bits and Bytes for January 23

On today’s broadcast, Riskalyze enhances its best client facing technology with a fresh new interface, Advicent adds new integrations for Schwab Intelligent Technologies, and, get my best cybersecurity tips to protect your business from hacking, phishing, and spoofing attacks.

So get ready, FPPad Bits and Bytes begins now!


But first, if you are interested in supporting future episodes of FPPad Bits and Bytes, find out how you can become a sponsor to reach a fantastic audience of advisors looking to grow their business with technology. Visit fppad.com/advertise for more information on how you can help support this show.

Oh, and check out the #baconjam at Carson Kitchen in Las Vegas. It is to die for!

Here are the links to this week’s top stories:

The Industry’s “Best Client Facing Technology” Just Got Better from Riskalyze

[Now this week’s top story comes from Riskalyze, the provider of risk tolerance assessment tools for advisors, as this week the company announced an all-new dashboard and client profile interface.

The new interface is clean, designed to be easy to navigate, and is overall very user friendly. For example, profiles prominently display the risk number of a client’s existing portfolio, the risk of a portfolio proposed by the advisor, and a probability percentage from the Riskalyze Retirement Map feature I mentioned back in episode 129.

As the winner of my best client-facing technology award in 2013, Riskalyze raises the bar once again with its new look and feel, but the company is also enhancing the nuts and bolts of what goes on behind the scenes. If you’re not yet using a formal risk assessment tool in your business, Riskalyze deserves to have a spot on your list of contenders.] One of the things our customers love the most about Riskalyze is how simple and easy it is to use. Today, we’re doubling down on that with the launch of an all-new Riskalyze dashboard and client profile, the Advisor-Set Risk Number and simpler stress tests.

Advicent Launches Two New Integrations for Schwab Intelligent Technologies™ from PRWeb

[Next up is news on Advicent Solutions, a provider of financial planning and marketing communication tools to advisors. Earlier this week, Advicent announced two new integrations with Schwab Intelligent Technologies™.

First, if you monitor client accounts using the Schwab PortfolioCenter Hosted™ solution, you will be able to import account values into the NaviPlan® financial planning application using the Schwab OpenView Gateway™ integration. If you don’t use Schwab PortfolioCenter Hosted, you can still import values from Schwab Advisor Center using the integration the company announced last year.

Second, a new integration was announced for those of you who use the Profiles™ financial planning software tool from Advicent. Just like NaviPlan, Profiles now supports account information imports from Schwab Advisor Center as well, helping you save time when importing account values into plans built with Profiles.

If you don’t custody assets with Schwab, you’ll be glad to know that Advicent has been busy building integrations with other providers in recent months, including TD Ameritrade Institutional’s Veo Open Access, Redtail CRM, Morningstar Office, Appcrown, and Orion Advisor Services.] Advicent Solutions, a Milwaukee-based SaaS provider, adds two new integrations for Schwab Intelligent Technologies™ to help financial advisors manage their time more effectively.

How to Keep Client Data Safe From Online Attackers from Financial Planning, and

Download my Defend Against Hacking, Phishing, and Spoofing Attacks guide from FPPad.com

[And finally, I traveled to Las Vegas this week where I presented at the AICPA Advanced Personal Financial Planning conference. I gave a room full of CPAs tips and techniques to protect their business from hacking, phishing, and spoofing attacks.

Financial Planning magazine sent Maddy Perkins to cover my session, and she did a terrific job capturing the risks to your business and the defensive strategies you can implement.

Visit fppad.com/151 to get the link to the story in Financial Planning, and while you’re there, you can also link to my free three-page PDF on all the tips, strategies, and resources I covered during my presentation.] Just hours before he was going to give a presentation on online security for advisors, Bill Winterberg lost his phone at the AICPA Personal Financial Planning Conference. Luckily, thanks to a plan he has for just such an occasion, he found it.

 

Watch FPPad Bits and Bytes for January 23, 2015


FPPad Bits and Bytes for September 5

On today’s broadcast, custodians are battling for your business with their technology solutions. Which one is coming out on top? Hacked celebrity photos have been posted all over the Internet. How are you protecting your cloud data so you don’t embarrass yourself in front of clients? And Box is thinking outside of the cloud file storage, uh, box. Find out which new initiatives offer the best efficiency gains for financial advisors.

So get ready, FPPad Bits and Bytes begins now.


This week’s episode of Bits and Bytes is brought to you by Total Rebalance Expert, the industry’s largest, privately owned portfolio rebalancing software provider.

Total Rebalance Expert

Now available as a part of the Orion Advisor Services platform, TRX features tax-efficient rebalancing, an easy to use interface, and more, all at an affordable price. Learn how you can gain a half a million dollar return on your technology investment by downloading their latest white paper at fppad.com/trx

Here are the links to this week’s top stories:

Tech Update: What the Big Custodians Now Offer from Financial Planning

[This week’s top story comes from Joel Bruckenstein and his article in Financial Planning magazine. This month, Bruckenstein covered technology updates that the four major custodians have introduced, or are planning to introduce shortly, to financial advisors.
First on the list is Pershing Advisor Solutions, which most recently unveiled a new client portal called NetXInvestor, designed to be the single resource clients can access to view their portfolio holdings, access documents stored in the online vault, and in the near future, collaborate with their advisor through a secure messaging system.

Next is TD Ameritrade Institutional and its rollout of the Veo Open Access dashboard, which Bruckenstein said is poised to have the “most far-reaching impact” for advisors. The dashboard aims to unify your experience when using CRM, portfolio management, document management and other technologies. So instead of bouncing around from window to window, the dashboard leverages over 75 deep vendor integrations, including Redtail CRM, Orion Advisor Services, and MoneyGuidePro, so you can review, edit, and update data without leaving the Open Access dashboard.

Third up is Schwab Advisor Services, as Bruckenstein highlighted incremental updates to its esignature support, streamlined trade uploads from the Tamarac rebalancing software, and the integration of Morningstar Office to Schwab’s OpenView Gateway. Of particular interest is Schwab’s upcoming PM squared portfolio management platform, a completely new online solution that, according to Schwab’s Neesha Hathi, should be in limited beta testing as we speak.

And finally, updates on Fidelity Institutional Wealth Services rounded out the review, as the company’s WealthCentral platform will soon offer account-opening integration with Redtail and Skience for Salesforce, single sign on and trade order imports from Tamarac, portfolio imports into Naviplan and MoneyGuidePro, and other enhancements.] Over the last several years, the four major custodians have done a good job of enhancing their technology platforms. While there are some clear differences across the industry, it is fair to say that today’s platforms are far superior to what was being offered a few years ago.

You’re Reacting to Celebgate Wrong from Yahoo! Tech

Download my free Defend against hacking, phishing, and spoofing attacks handout

[Next up is news on cloud security, as I’m sure you might have heard that compromising photos of celebrities were leaked, apparently accessed from mobile device backups in the cloud. The Internet blew up, saying “Apple was hacked” and “iCloud has a security flaw.” Well, maybe not.

Yes, many of the private photos were obtained from the cloud, including Apple iCloud, but the method by which they were obtained is pretty old fashioned. Hackers used brute force attacks to successfully crack passwords and then correctly answered security questions that were far too basic, and the rest is history. So what can you do to prevent the sensitive data you manage from falling into the wrong hands?

Use long passwords, use a unique password for each website, and obfuscate answers to security questions. Instead of answering using Honda Civic as the make and model of your first car, use the word green, which might have been the color of your first car.

I have a lot more tips on keeping your data safe in a free handout you can download, which is linked along with this week’s top stories.] Ever since somebody released nude photos of female movie stars this week, the wild overreactions have been clogging the Interwebs. Most of the hysteria runs along one of a few lines, and a lot of it is plain wrong.

Box’s Next Act: Box for Industries, Introducing Box Workflow, and BoxWorks 2014: New Ways to Collaborate in the Cloud from Box

[And finally, the online cloud file storage market is getting very crowded, so some of the top players are looking to set themselves apart from the competition. Case in point is Box, who this week announced several new initiatives, including Box for Industries, Box Workflow, and Box for Office 365.

Box for Industries expands on the Box OneCloud application marketplace and now highlights integrated solutions for verticals such as health care, education, and more, but notably absent is financial services. Box Workflow adds business process capabilities to firms by leveraging automation and document metadata. And Box for Office 365 better integrates Box with Microsoft’s online office suite which, if you’re not satisfied with OneDrive, opens up another cloud storage alternative.] Today… we’re announcing Box for Industries, a new initiative to accelerate business transformation in every business by combining tailored solutions leveraging Box’s metadata, workflow, compliance, and platform capabilities; industry-specific applications from curated third-party developers and partners; and world-class implementation services from Box and key system integrator partners.

Here are the stories that didn’t make this week’s broadcast:

Worth The Wait from Financial Advisor Magazine

It has taken much longer than anticipated, but Junxure CRM (www.junxure.com), a firm that integrates CRM technology, consulting and training for financial advisors, has finally announced the general release of “Junxure Cloud,” its comprehensive, cloud-based suite of CRM/office management products for financial advisors. After trying the application out for a few days, I’m happy to report that it was well worth waiting for.

Riskalyze announces Compliance Cloud to pinpoint risky portfolios from FPPad

Riskalyze Compliance Cloud aims to single out portfolios that drift outside a client’s risk tolerance

Online Adviser’s New Target: Investors With $1 Million or More from the Wall Street Journal

One of those online firms, sometimes dubbed “robo advisers,” is edging into the business of providing wealth-management services to people with $1 million or more.

FPPad Bits and Bytes for September 5, 2014


FPPad Bits and Bytes for March 28

On today’s broadcast, cybersecurity takes center stage at FINRA and the SEC; here’s what you need to do to protect your business from attacks. Amazon launches its cloud desktop service to the public. Does this mark the end of the plain old desktop in your business? And two growing providers form a new joint venture to take your portfolio management efficiency to the next level.

So get ready, FPPad Bits and Bytes begins now.


Today’s episode is brought to you by Orion Advisor Services, the nation’s largest privately held portfolio accounting service bureau.

Orion Advisor Services

Providing full-service data reconciliation, advisory fee billing, Salesforce integration, mobile apps and more, Orion believes it’s time for you to enjoy your business again. Visit fppad.com/orion for more information.

Here are the links to this week’s top stories:

Top Cybersecurity Threats for BDs, Advisors from ThinkAdvisor, and

SEC Cybersecurity Roundtable Webcast from SEC.gov

[Leading off today’s broadcast is an update from FINRA and the SEC highlighting cybersecurity threats faced by advisors and broker-dealers. In a roundtable event held in Washington DC this week, regulators and industry representatives acknowledged that the number one cybersecurity threat to firms of all sizes is the unauthorized account takeover.

This happens when a hacker compromises an investor’s username and password credentials, or manages to take control of an investor’s email account. The hacker then proceeds to liquidate holdings and transfer money to outside accounts, or even poses as a client with a convincing story to get advisors to transfer funds to an outside account, a clever tactic known as spoofing.

Both FINRA and the SEC acknowledge they must play a role in this area, but neither provided details on what exactly that role should be, and if any advisor exams are to include cybersecurity audits, they are likely to start in the fall of 2014 at best.

Until then, here’s what I recommend you do: First, update your compliance manual with policies for what you do when faced with a cybersecurity attack.

Second, train everyone in your organization so they’re familiar with the common tactics from hackers, including phishing, spoofing, and reverse social engineering. And finally, invest in technology to boost your security, like activating multi-factor authentication, deploying firewalls, and even using phishing simulation software that I highlighted in episode number 115.] The top risks broker-dealers face in dealing with cybersecurity threats are operational risk, “insider” risks posed by rogue employees and hackers penetrating BD systems, Daniel Sibears of the Financial Industry Regulatory Authority said Wednesday at the Securities and Exchange Commission’s cybersecurity roundtable.

Amazon WorkSpaces, Amazon’s Cloud Desktop Service, Launches To Public Along With New Sync Client from TechCrunch, and

Amazon WorkSpaces from Amazon

[Next up is news from Amazon, as the company announced the general release of its virtual desktop solution to the public called WorkSpaces.

WorkSpaces is squarely aimed to take on other virtual desktop providers like Citrix, VMWare, and Microsoft, and with pricing ranging from $35 to $75 per month for each user, WorkSpaces is roughly half the price of the competition. If you’re looking to get rid of your aging server and move all of your core software to the cloud, Amazon WorkSpaces just became a very compelling option.

Plus, with the introduction of a new WorkSpace Sync application, you can backup and synchronize up to 10GB of documents between your WorkSpaces, the Amazon Simple Storage Service, and even your local desktop computer. This gives you a secure and reliable document storage alternative to consumer services like Dropbox, Box, Google Drive, and Microsoft OneDrive that you might be using today.] Amazon WorkSpaces, the company’s virtual desktop computing environment introduced last fall at the AWS re:Invent conference, is today available to the public.

Orion Advisor Services, LLC and Total Rebalance Expert (TRX) Form Joint Venture; Announce Technology Integration from PRNewswire.com

[And finally, two popular providers in portfolio management and rebalancing software, Orion Advisor Services and Total Rebalance Expert, announced a new joint venture this week called the “Total Technology Platform.”

The two companies first integrated their solutions back in October of 2012, enabling the import of account, transaction, and tax lot data from Orion directly into TRX with a single click.

But this latest venture goes beyond bidirectional integration, as users of Orion will now be able to access TRX directly from within the Orion platform. At the same time, both companies said they are committed to maintaining open-architecture platforms rather than hold advisors captive to one bundled solution.

Orion users can still take advantage of integrations with Blaze Portfolio, iRebal from TD Ameritrade Institutional, and Rebalance Express from RedBlack Software, and TRX users can continue to import data from Morningstar Office, Portfolio Center from Schwab Performance Technologies®, Advent’s Black Diamond Performance Reporting and more.] Total Rebalance Expert (TRX) and Orion Advisor Services, LLC (Orion) announced today a joint venture between the two companies to provide a “Total Technology Platform” designed to simplify and streamline the portfolio management process.

Here are stories that didn’t make this week’s broadcast:

Box Unveils First Standalone Product And New API Pricing At Inaugural Dev Conference from TechCrunch

New Kitces Network to Target Planners for Gen X & Y from Financial Planning

Office 2 HD for iPad is now Citrix ShareFile QuickEdit, drops $7.99 price to become free via iTunes

 

Watch FPPad Bits and Bytes for March 28, 2014


Client spoofing strikes again, RIA loses $290,000 of client funds

An RIA’s poor compliance procedures let hackers steal $290,000 of client funds

Financial advisers who aren’t prepared to defend against client spoofing attacks not only stand to lose client funds, but also face steep penalties from regulators.

FPPad readers have known since April 2012 that hackers are targeting financial advisers, masquerading as clients via email in a ruse to steal client funds.

Go read Why advisers can’t trust their clients anymore for a refresher on what spoofing attacks are and steps to defend against them.

Spoofing Strikes Again

This week, several of the industry trade magazines broke the story about GW & Wade, a registered investment adviser based in Wellesley, Mass., regarding how hackers were able to steal $290,000 of client funds from the company. See RIA Fined By SEC After Hacker Uses E-Mails To Steal Client Funds from Financial Advisor magazine and SEC Sanctions 3 RIAs for Custody Rule Violations from Financial Planning magazine.

The lapse in compliance policies and procedures at the company also resulted in a civil penalty assessed by the SEC in the amount of $250,000.

Full details of the SEC Administrative Proceeding can be viewed here (opens a PDF in a new window).

Hackers Target Advisers

Hackers continue to target investment advisers because they’re the ones with the ability to direct fund transfers.

Solo advisers might not fall victim to a client spoofing attack so easily because they may detect right away that something about the client’s communication is just “not right.”

But when the same attack is deployed in a multi-billion dollar RIA with dozens of administrative employees, hackers have much better odds of success.

Convenience Creates Risk

Once again, according to the Administrative Proceeding, GW & Wade had hundreds of blank Letter of Authorization (“LOA”) forms on file with only client signatures.

Only after a request was received would the company fill in the pertinent details on a pre-signed LOA and route it for processing.

The convenience of pre-signed LOA forms decreased the chances the company would suspect something wasn’t right with a client wire request. Instead of verifying the authenticity of the request, the company simply routed the pre-signed LOA forms with wire instructions included.

One could argue, though, that if GW & Wade DID try to obtain a client signature via email, following the spoofed client’s instructions, the attack still would have succeeded.

Assume for a moment that no pre-signed LOA forms existed. GW & Wade likely still would have fallen prey to client spoofing because the company would have tried to obtain a client signature via email. The hacker likely would have quickly complied using a signature cut and pasted from another document in the hacked email account.

Clearly, a separate factor of authentication is required to properly authenticate wire requests from clients (a secret phrase or a video chat; Why advisers can’t trust their clients anymore has more details).

Calculating Fees With Spreadsheets Is Hard

Also buried in the Administrative Proceeding is a note about excess fees charged by GW & Wade.

Allegedly since January 1, 2005, the company failed to exclude mutual fund class C share holdings in assets subject to the company’s advisory fee schedule.

The company likely was already receiving 12b-1 fees from the C share holdings, but evidently was “double dipping” by charging the firm’s advisory fee on the same C shares once again.

I have no additional details on the matter, but let’s assume that advisory fees were calculated using a spreadsheet loaded with the value of client holdings for each quarter.

If that spreadsheet isn’t designed to specifically recognize C share mutual fund holdings (which, quite frankly, opens up a Pandora’s box of trouble on its own) and exclude them from the advisory fee calculation, then it’s far too easy to roll up those C share holdings among all the other assets and calculate the fee due.

For GW & Wade, the company now has one year to reimburse in full every client affected by the excess advisory fees charged. That means going back over more than eight years of billing history to determine what amount of excess fee was charged to each client, quarter by quarter, and credit each client accordingly. That applies to both current and former clients!

So for former clients, how many of you retain holding balances and pricing information indefinitely?

Talk about a huge big data challenge.

Simulated phishing attacks can protect your business before a real phishing attack strikes

Simulated Phishing

Phishing attacks are more sophisticated than ever. Don’t fall for them by simulating your own attacks to increase awareness of the latest phishing techniques.

Financial advisers underestimate today’s sophisticated phishing attacks, but simulating attacks helps avoid becoming the next victim.

Phishing attacks used to be very simple to identify: random email messages appeared in your inbox, littered with poor grammar and spelling, and urged you to click a link that was obviously fake.

But today, hackers and attackers are using much more sophisticated techniques to get you to lower your guard and volunteer your personal information online, including account logins and passwords.

So how do you reduce the odds of falling victim to these sophisticated attacks?

Simulate your own sophisticated phishing attack.

In a classic example of Benjamin Franklin’s “an ounce of prevention is worth a pound of cure” idiom, you can deploy your own phishing attack across your business to determine what might happen should a real attack be encountered.

And in the spirit of operational efficiency, avoid spending your time creating your own simulated phishing campaign.

Outsource your simulated phishing attacks to one of the several providers that will test how well your business evades such schemes.

Learn more about who simulates phishing attacks and how much these services cost, covered in this month’s Morningstar Advisor column.

Read Protect Against Phishing Attacks at Morningstar Advisor.

While the services mentioned may seem expensive at first, consider how expensive correcting a real attack might be.

Not only can you potentially lose tens or hundreds of thousands of dollars, but you can also significantly tarnish the trust clients have in your organization.

FPPad Bits and Bytes for February 8

Today I’m headed out early to the T3 conference in Miami, FL. Stop by and say hi if you’re attending; I’m speaking on Tuesday at 1:15pm (Defending Your Business from Hackers) and 2:40pm (Current Technology Trends) and again on Wednesday at 8am (File Sharing and Collaboration Software).

Here are this week’s stories of interest:

Ten Tips That Could Prevent Cyber Criminals from Hijacking Client Data from WealthManagement.com

[Remember the Phishing, Hacking, and Spoofing article I wrote here last year? See: Why advisers can’t trust their clients anymore. Now a bunch of the major financial trade publications are picking up the story on ways advisers need to protect their business and their clients’ personal information, because hackers are exploiting holes in security and are stealing money.] As tablet ownership continues to grow—doubling since 2011—and more than half of U.S. consumers owning a smartphone, according to a 2013 Forrester Research report, advisors need to be more vigilant about data security now more than ever. Below are 10 easily implemented safeguards that could prevent advisors becoming an easy target for cyber thieves.

Windows 8 Review: 5 Things to Know from Financial-Planning.com

[Joel Bruckenstein wrote this good review of Windows 8 and the pros and cons the new operating system offers to financial advisers (See: Windows 8 for financial advisers: Pros and cons from FinFolio CEO Matt Abar). I admit, I couldn’t convince myself to personally buy a copy of Windows 8 to try it on my own. I know, I know, I’m a technology consultant, and I should have experience with ALL software systems available, but still… it’s a Microsoft product, and I stopped using their OS in 2011. Nevertheless, you will likely need to replace an aging Windows machine, and Windows 8 is about your only reasonable option for the OS.] Whenever Microsoft releases a new operating system, it is a significant event. And the latest edition of its operating system, Windows 8 – designed to work on desktop computers, laptops, tablets and smartphones – is much more than a PC operating system.

FPPad Bits and Bytes for February 1

With the TD Ameritrade Institutional 2013 National Conference wrapping up today, I got a late start on aggregating the best tech news from around the industry this week.

Nevertheless, you still have Saturday and Sunday to review this week’s stories of interest:

On Guard: Stopping Data Thieves from Financial-Planning.com

[This is a video filmed at the TD Ameritrade conference right after I presented about hacking and spoofing attacks targeted at financial advisers. I cover some of the popular schemes out there and a few clever ways to authenticate the identity of your clients.] Tech consultant Bill Winterberg recommends steps to help protect clients from hacking, phishing and spoofing.

TD Ameritrade adds iRebal to the cloud and offers it for free to affiliated advisers from FPPad.com

[The big tech news out of TD Ameritrade’s conference was the announcement that iRebal will soon be free for advisers who custody with TD Ameritrade, and the software will be delivered over the cloud.] TD Ameritrade’s rebalancing software will soon be available online via the cloud and at no additional cost to affiliated advisers.

RedBlack Software Announces First Third-Party Rebalance Solution and Trading Integration with TD Ameritrade Institutional’s Veo® Platform from PRWeb.com

[Yes, TD will soon offer iRebal for free to advisers, but that doesn’t mean all advisers are going to use it. There are still other rebalancing solutions out there at a variety of price points with different functionality. So here’s a move from RedBlack to get onboard with Veo Open Access and streamline trading for advisers using a multi-custodial rebalancing system.] RedBlack Software, LLC, the largest independent provider of portfolio rebalancing software for the investment management industry, today announced the successful integration with TD Ameritrade Institutional through their Veo® platform.

Learn how to protect your business from hacking attacks at FPA Business Solutions 2013

One session at FPA Business Solutions 2013 will expose advisers to security threats their business is likely to face

I’m on the task force for FPA Business Solutions 2013 and helped put together a great lineup of speakers and thought leaders for financial advisers.

One speaker I invited is Peter Giza, founder of Spitbrook Consulting and former CTO of RedBlack software.

FPA Business Solutions is scheduled for March 7-9 in Chicago, IL. In his session, Giza will address threats advisers face from hackers and social engineering and identify things to do to deflect such attacks.

I asked Giza for a preview of his session for FPA Business Solutions, which was broadcast in the latest episode of FPPad On Air.

Watch the interview below, and be sure to register today for FPA Business Solutions to learn more from Giza and the rest of the excellent speakers on the agenda. The FPA member early bird rate of $399 expires this January 25!

(click to watch on YouTube)

 

Why advisers can’t trust their clients anymore

“Spoofing” is on the rise and RIAs are becoming targets of clients that are not who they appear to be.

What seemed like ordinary correspondence from a client quickly became a compliance nightmare for one Dallas-based wealth management firm.

I recently spoke with an executive from the Dallas-based firm who asked to remain anonymous due to ongoing investigations about the incident. This person described how the firm received a wire request from a client via email, so the firm replied by sending the appropriate form for a client signature. A few hours later the form was returned and the signature was compared with another from a prior wire request already on file. Everything looked to be in good order.

But unfortunately for all parties involved, the wire request was not from the actual client, but from someone who had broken in to the client’s email account.

Client Spoofing 

It turns out this scenario is not unique, as over a half-dozen cases involving Dallas/Ft. Worth-based RIAs have been reported since the beginning of the year.

In the latest scheme to defraud individuals, hackers are using “spoofing” techniques to impersonate others who have relationships with professional financial advisers. Spoofing is commonly accomplished by obtaining a client’s email account password through keylogging software or by substituting indistinguishable characters in a valid email address (e.g. a lower-case “l” and a capital “I”). In either case, the hacker attempts to exploit the existing trusted relationship with the adviser who has no reason to be suspicious of a request to transfer funds.

In addition to client impersonation through email, some hackers are going so far as to activate call forwarding on a client’s personal cell phone account, meaning that confirming a client’s wire instructions via phone may not always guarantee the person on the other end is who they say they are. The boldest of hackers are calling in directly to advisory firms, spoofing Caller ID, and verbally requesting wire transfers.

If a firm’s back office staff has little or no contact with certain clients, employees have little opportunity to properly validate the identity of the individual calling in.
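The character-substitution trick described above can be checked mechanically before a wire request reaches a person. The following is an added example, not part of the original article: it flags sender addresses that look like a known client address without matching it exactly. The client list stands in for CRM contact records, and the lookalike table goes beyond the article's "l"/"I" case to a few other common substitutions; both are assumptions.

```python
import unicodedata
from email.utils import parseaddr

# Lookalike substitutions. Only the l/I pair comes from the article; the rest
# are further common confusions added here as an assumption.
CONFUSABLES = {
    "I": "l", "1": "l", "|": "l",   # capital I, digit one, pipe -> lower-case l
    "0": "o",                        # digit zero -> letter o
    "\u0430": "a", "\u0435": "e",    # Cyrillic a, e
    "\u043e": "o", "\u0440": "p",    # Cyrillic o, p
    "\u0441": "c",                   # Cyrillic c
}
# Two-letter sequences that read as one letter in many fonts.
DIGRAPHS = (("rn", "m"), ("vv", "w"))


def skeleton(address):
    """Reduce an address to a form in which lookalike spellings collide."""
    text = unicodedata.normalize("NFKC", address)
    # Map confusables BEFORE lower-casing: "I".lower() is "i", which would
    # hide the capital-I-for-l substitution.
    folded = "".join(CONFUSABLES.get(ch, ch) for ch in text).lower()
    for pair, single in DIGRAPHS:
        folded = folded.replace(pair, single)
    return folded


def classify_sender(from_header, known_addresses):
    """Return (verdict, matched_known_address) for one From header.

    known      exact match, ignoring case (assumes the mail system treats
               addresses case-insensitively)
    lookalike  differs from a known address only by confusable characters
    unknown    no relationship to any known address
    """
    _, addr = parseaddr(from_header)
    if not addr or "@" not in addr:
        return ("unparseable", None)
    exact = {k.lower(): k for k in known_addresses}
    if addr.lower() in exact:
        # An exact match is not proof of identity: the article's other
        # scenario is a stolen mailbox password, so wire requests still need
        # verification through a separate channel.
        return ("known", exact[addr.lower()])
    by_skeleton = {skeleton(k): k for k in known_addresses}
    match = by_skeleton.get(skeleton(addr))
    if match is not None:
        return ("lookalike", match)
    return ("unknown", None)


def triage(from_headers, known_addresses):
    """Classify a batch of From headers; returns (header, verdict, match)."""
    return [(h, *classify_sender(h, known_addresses)) for h in from_headers]


# Constructed sample data (not real clients or real messages).
KNOWN_CLIENTS = ["bill.client@example.com", "mary@example.net"]
SAMPLE_FROM_HEADERS = [
    "Bill Client <bill.client@example.com>",   # genuine spelling
    "Bill Client <biIl.client@example.com>",   # capital I in place of l
    "Bill Client <bill.client@examp1e.com>",   # digit 1 in the domain
    "Mary <rnary@example.net>",                # r+n in place of m
    "Someone <stranger@example.org>",          # unrelated sender
]

if __name__ == "__main__":
    for header, verdict, match in triage(SAMPLE_FROM_HEADERS, KNOWN_CLIENTS):
        print(f"{verdict:10} {header}  (matches: {match})")
```

A "lookalike" verdict is a strong signal to stop and verify; a "known" verdict only means the address is spelled correctly.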

Combating Spoofing

Since you can no longer trust the authenticity of all correspondence received from clients, either by email or phone, what can you do to protect yourself and your clients from spoofing activity?

There’s no clear consensus on best practices to combat client spoofing. Remember that verifying instructions by placing a phone call can be insufficient if the hacker is able to activate call forwarding on a victim’s phone.

One recommendation is to follow the authentication practices of large banks and credit card companies. When you call in as a customer, you’re asked for a secret word or phrase in addition to your account information to proceed with any assistance. While one’s mother’s maiden name is often the typical security word, I would advise against using it for your authentication process.

You may want to update your policies and procedures to ask for clients’ secret phrase before processing fund transfers of any kind. Keep this secret phrase secure and confidential, likely included in your password-protected CRM software next to your client’s contact record.

Also, in the age of camera-equipped mobile devices, a video chat to confirm wire instructions is a better way to verify a client’s identity versus a standard phone call. Still, the employee at the advisory firm must know what the client looks like before contacting him/her to verify instructions!

If You’re Targeted

If you believe your firm is the target of client spoofing, one good place to report the incident is the Internet Crime Complaint Center, or IC3 (http://www.ic3.gov/). IC3 is a partnership between the Federal Bureau of Investigation (FBI) and the National White Collar Crime Center (NW3C) and aggregates incident reports to allocate investigative resources accordingly. Often, the FBI or the Secret Service will get involved in cases involving spoofing of investment adviser clients.

Educate Clients

Finally, one weak link in most spoofing scenarios is a client’s password credentials to web-based email accounts. A value-add service you can provide to clients is education on how to best protect login and password credentials. Sage advice includes never entering credentials using an unknown computer, such as a public computer in a hotel business center.

Also, an increasing number of web-based email providers allow users to add multi-factor authentication to the login process. Multi-factor authentication, which I addressed in this Morningstar Advisor column, requires users to authenticate their login activity through a second device, typically via SMS text messages. Even many credit card companies are adding this additional verification process to their systems.

So don’t fall victim to the next spoofing attack your firm encounters. It’s not a question of whether an attack will occur, but rather when.

More resources on spoofing: