Tag Archives: Phishing

Ambush Phishing: Don’t let it happen to you

Inspired by nature, hackers have developed a new stealthy technique to dupe their victims: “Ambush phishing”

Some of the most successful predators in the animal kingdom are not the biggest, strongest, or fastest. Rather, these predators have evolved techniques to conceal their presence, lying motionless and patiently waiting for prey to wander within striking range before launching their attack.


These predators are known as ambush predators, and online hackers are turning to such techniques to attack their victims.

Phishing Tactics

Phishing techniques are now fairly well-known among the internet community. Attackers attempt to obtain sensitive information such as bank account numbers, credit card information, or online passwords by sending requests disguised as legitimate correspondence from a trusted entity. Attackers then use the information they receive from victims to gain access to email and/or financial accounts to continue their attack, often stealing money from their victims.

To increase the efficacy of phishing, attackers have targeted specific individuals in a practice called spear phishing: they leverage specific details learned about the targeted individual so that the fraudulent request appears just as legitimate as the standard requests victims typically encounter.

As victims become more aware of phishing and spear phishing techniques, attackers are now implementing techniques I call ambush phishing.

Ambush Phishing

Ambush phishing has rapidly increased in prevalence this year among individuals buying homes in the United States. The majority of home purchases are funded with some kind of cash down payment, and that down payment is frequently sent by a wire transfer between the buyer’s bank and an escrow company.

Attackers exploit this known process of wiring funds to an escrow company by targeting individuals involved in the home buying process, specifically the real estate agent representing the buyer and/or the escrow company involved in supervising the transaction. Ambush phishing is the second step of the attack, as hackers first need to compromise communication channels by gaining access to the buyer’s agent’s email account or that of the escrow company.

Ambush phishers monitor correspondence in the compromised email accounts and wait until the day the down payment is expected to be wired. Typically, the escrow company sends its wire instructions and account information to the buyer, who then instructs his/her bank to wire money to a specific destination, but real estate agents can also provide the information as a courtesy to their clients.

Shortly after seeing the legitimate wire instruction correspondence sent to the buyer, attackers will send a new message to the buyer masquerading as a follow up message. In the forged follow up message, attackers apologize for originally sending incorrect wire instructions for the transfer, and instead offer new wire instructions that are the ones to be used.

To increase the efficacy of the ambush phishing, attackers will often add language about the time sensitive nature of the wire transfer and that the transfer needs to be completed immediately or the entire home transaction may be jeopardized, resulting in the buyer losing the home of his/her dreams.

Due to the time-sensitive nature of the email communication, victims often do not think to verify the wire instructions by first contacting the escrow company or real estate agent by phone or in person. In addition, attackers will likely wait until a few minutes before the day's cutoff time for wire transfers (information that is generally available on most major bank websites). If wire transfer cutoff times coincide with the closing business hours of the escrow company, buyers may not successfully reach an employee of the escrow company to authenticate the instructions they receive even if they do try to contact someone at the company!

The odds of recovering funds wired to the attacker's bank decrease significantly as time goes by, and the options to interrupt or reverse wire transfers vary widely across financial institutions. The best odds of defeating an ambush phishing attack lie in identifying and thwarting it before a wire transfer is submitted.

I found several examples of ambush phishing exploits covered in recent publications:

Defending Against Ambush Phishing

I see two main methods to defend against ambush phishing: Two-factor/multi-factor authentication (2FA or MFA) and outbound verification.

Generally, ambush phishing is carried out by first compromising the email accounts of real estate agents or escrow companies. One of the better defenses for email accounts is to enable two-factor authentication. Not only do the login credentials need to be correct to access the account, users also need to enter a one-time code obtained through a second method, typically a mobile device. A popular two-factor authentication solution is the Google Authenticator app for iOS and Android.

Google Authenticator is arguably a better verification solution than codes delivered via SMS, as attackers have reportedly been successful in gaining control of mobile phone numbers by tricking cellular carriers into porting phone service to another SIM card. Google Authenticator is a software-based token app that, while it runs on a mobile device, does not verify a user's identity using SMS communication. So wherever possible, enable two-factor authentication using a software token app such as Google Authenticator for your accounts that contain sensitive information.
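To show what a software token actually computes, here is an added example (not code from this post, and not Google Authenticator's own code) of the time-based one-time password algorithm (RFC 6238) that such apps implement: the code is derived from a shared secret and the current time, so no SMS or phone number is involved and a ported SIM gives an attacker nothing. DEMO_SECRET_B32 is a constructed demo secret (RFC 6238's published SHA-1 test key) so the output can be cross-checked against the RFC's test vectors.

```python
import base64
import hashlib
import hmac
import struct
import time

# Constructed demo secret (NOT a real account secret): RFC 6238's SHA-1 test key
# "12345678901234567890", in the base32 form an authenticator app's enrollment
# QR code carries, so results can be checked against the RFC's published vectors.
DEMO_SECRET_B32 = base64.b32encode(b"12345678901234567890").decode()


def decode_secret(secret_b32: str) -> bytes:
    """Decode an authenticator-style base32 secret, tolerating spaces, case and padding."""
    s = secret_b32.strip().replace(" ", "").upper()
    s += "=" * (-len(s) % 8)
    return base64.b32decode(s)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, dynamically truncated to N digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret: bytes, at_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step)."""
    return hotp(secret, at_time // step, digits)


def verify_totp(secret: bytes, submitted: str, at_time: int,
                step: int = 30, digits: int = 6, window: int = 1) -> bool:
    """Server-side check allowing +/- `window` steps of clock drift.

    Every candidate is compared in constant time and the loop never short-circuits,
    so timing does not reveal which slot matched. A production verifier should also
    remember the last accepted counter and refuse to accept the same code twice.
    """
    submitted = submitted.strip().replace(" ", "")
    if len(submitted) != digits or not submitted.isdigit():
        return False
    counter = at_time // step
    ok = False
    for drift in range(-window, window + 1):
        ok |= hmac.compare_digest(hotp(secret, counter + drift, digits), submitted)
    return ok


if __name__ == "__main__":
    key = decode_secret(DEMO_SECRET_B32)
    now = int(time.time())
    print("enrollment secret:", DEMO_SECRET_B32)
    print("current code     :", totp(key, now))
    # Phone and server compute the same code from the same secret and clock;
    # nothing crosses the carrier network, so a ported number changes nothing.
    print("verifies         :", verify_totp(key, totp(key, now), now))
```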

The second method to defend against ambush phishing is developing the habit of outbound verification. In the home buyer example cited above, customers who make an outbound phone call to the real estate agent or escrow company involved in the transaction should be able to verify wire instructions verbally over the phone.

The problem with relying on inbound phone calls for verification is that attackers, once again, can spoof the caller ID displayed on the incoming call and pretend to be an employee of the real estate agency or the escrow company. Here, too, information about company employees is often accessible through the company's website or by conducting a quick LinkedIn search. Note that inbound calls are also used by attackers who claim to represent Microsoft or other computer companies in order to get victims to install malware on their computers.

Be Prepared

Now that you are familiar with the technique of ambush phishing, you are better prepared to resist becoming a victim of these clever attacks.

Have you encountered an ambush phishing attack in your work? Also, what other ways do you recommend protecting accounts from ambush phishing? Share your insights in the comments below or reach out to me on Twitter, I’m @billwinterberg.

See Kevin Mitnick, the World’s Most Famous Hacker, teach RIAs a thing or two about cybersecurity

Win a free ticket to see Kevin Mitnick

Here is a great opportunity to get schooled in cybersecurity from the World’s Most Famous Hacker, Kevin Mitnick.

Envision Consulting, a Washington DC-based provider of IT services and support to financial advisory businesses, has hired me to be the master of ceremonies for a unique event to be held Wednesday October 19 in Tysons Corner, VA from 11am to 2pm.

The World’s Most Famous Hacker

Envision Consulting is bringing Mitnick in to demonstrate his skills in front of our live audience and reveal just how vulnerable many of us are to sophisticated (and sometimes shockingly basic) phishing, spoofing, and social engineering attacks.

For more about Mitnick's story and how he became known as The World's Most Famous Hacker, watch the interview segment below with Stephen Colbert on the Colbert Report.

See Kevin Mitnick for Free

So let’s get to the good stuff. You can enter to win a free ticket to this event, a $184.99 value, now through September 22nd.

Simply visit https://envisionconsulting.leadpages.co/fppad-cybersafe/ and use the Tweet button to post your entry via Twitter, or (since I’m all about efficiency) use the same Tweet button embedded below. All the rules for the contest, including notification information for the winner, are on the contest landing page, so be sure to review them to determine your eligibility.

Good luck, and I hope to see you in Washington DC on the 19th of October!


Client spoofing strikes again, RIA loses $290,000 of client funds

An RIA’s poor compliance procedures let hackers steal $290,000 of client funds

Financial advisers who aren’t prepared to defend against client spoofing attacks not only stand to lose client funds, but also face steep penalties from regulators.

FPPad readers have known since April 2012 that hackers are targeting financial advisers, masquerading as clients via email in a ruse to steal client funds.

Go read Why advisers can't trust their clients anymore for a refresher on what spoofing attacks are and the steps to defend against them.

Spoofing Strikes Again

This week, several of the industry trade magazines broke the story about GW & Wade, a registered investment adviser based in Wellesley, Mass., regarding how hackers were able to steal $290,000 of client funds from the company. See RIA Fined By SEC After Hacker Uses E-Mails To Steal Client Funds from Financial Advisor magazine and SEC Sanctions 3 RIAs for Custody Rule Violations from Financial Planning magazine.

The lapse in compliance policies and procedures at the company also resulted in a civil penalty assessed by the SEC in the amount of $250,000.

Full details of the SEC Administrative Proceeding can be viewed here (opens a PDF in a new window).

Hackers Target Advisers

Hackers continue to target investment advisers because they’re the ones with the ability to direct fund transfers.

Solo advisers might not fall victim to a client spoofing attack so easily because they may detect right away that something about the client’s communication is just “not right.”

But when the same attack is deployed in a multi-billion dollar RIA with dozens of administrative employees, hackers have much better odds of success.

Convenience Creates Risk

Once again, according to the Administrative Proceeding, GW & Wade had hundreds of blank Letter of Authorization ("LOA") forms on file bearing only client signatures.

Only after a request was received would the company fill in the pertinent details on a pre-signed LOA and route it for processing.

The convenience of pre-signed LOA forms decreased the chances the company would suspect something wasn’t right with a client wire request. Instead of verifying the authenticity of the request, the company simply routed the pre-signed LOA forms with wire instructions included.

One could argue, though, that even if GW & Wade HAD tried to obtain a client signature via email in response to the spoofed client's instructions, the attack still would have succeeded.

So assume for a moment that no pre-signed LOA forms existed. GW & Wade likely still would have fallen prey to client spoofing, because the company would have tried to obtain a client signature via email, and the hacker likely would have quickly complied using a signature cut and pasted from another document in the hacked email account.

Clearly, a separate factor of authentication is required to properly authenticate wire requests from clients (a secret phrase or a video chat; Why advisers can't trust their clients anymore has more details).

Calculating Fees With Spreadsheets Is Hard

Also buried in the Administrative Proceeding is a note about excess fees charged by GW & Wade.

Allegedly since January 1, 2005, the company failed to exclude mutual fund class C share holdings in assets subject to the company’s advisory fee schedule.

The company likely was already receiving 12b-1 fees from the C share holdings, but evidently was “double dipping” by charging the firm’s advisory fee on the same C shares once again.

I have no additional details on the matter, but let’s assume that advisory fees were calculated using a spreadsheet loaded with the value of client holdings for each quarter.

If that spreadsheet isn’t designed to specifically recognize C share mutual fund holdings (which, quite frankly, opens up a Pandora’s box of trouble on its own) and exclude them from the advisory fee calculation, then it’s far too easy to roll up those C share holdings among all the other assets and calculate the fee due.

For GW & Wade, the company now has one year to reimburse in full every client affected by the excess advisory fees charged. That means going back over more than eight years of billing history to determine the amount of excess fee charged to each client, quarter by quarter, and crediting each client accordingly. That applies to both current and former clients!

So for former clients, how many of you retain holding balances and pricing information indefinitely?

Talk about a huge big data challenge.

Simulated phishing attacks can protect your business before a real phishing attack strikes

Simulated Phishing

Phishing attacks are more sophisticated than ever. Avoid falling for them by simulating your own attacks to increase awareness of the latest phishing techniques.

Financial advisers underestimate today’s sophisticated phishing attacks, but simulating attacks helps avoid becoming the next victim.

Phishing attacks used to be very simple to identify: random email messages appeared in your inbox, littered with poor grammar and spelling, and urged you to click a link that was obviously fake.

But today, hackers and attackers are using much more sophisticated techniques to get you to lower your guard and volunteer your personal information online, including account logins and passwords.

So how do you reduce the odds of falling victim to these sophisticated attacks?

Simulate your own sophisticated phishing attack.

In a classic example of Benjamin Franklin’s “an ounce of prevention is worth a pound of cure” idiom, you can deploy your own phishing attack across your business to determine what might happen should a real attack be encountered.

And in the spirit of operational efficiency, avoid spending your time creating your own simulated phishing campaign.

Outsource your simulated phishing attacks to one of the several providers that will test how well your business evades such schemes.

Learn more about who simulates phishing attacks and how much these services cost, covered in this month’s Morningstar Advisor column.

Read Protect Against Phishing Attacks at Morningstar Advisor.

While the services mentioned may seem expensive at first, consider how expensive correcting a real attack might be.

Not only can you potentially lose tens or hundreds of thousands of dollars, but you can also significantly tarnish the trust clients have in your organization.

FPPad Bits and Bytes for April 26

Get a lead on the weekend with this week's best stories in technology

It’s been a slow week with respect to technology news in the financial planning industry. So get your quick update below and get a fast start to your weekend.

Here are this week’s stories of interest:

Fidelity selects External IT for a cloud-based virtual desktop solution for financial advisers from FPPad

[In case you missed it, Fidelity announced it has vetted cloud desktop provider External IT for its advisers, giving them a fast track solution to leave legacy servers behind and move critical resources to the cloud. Pricing is around $150/month/user, so while it may not save advisers tons of money, it will give them greater mobility in business and better backup and disaster recovery.] In a press release today, Fidelity announced it has selected External IT as the exclusive provider of a cloud-based virtual desktop solution to financial advisers.

AP Twitter Hack Preceded By A Phishing Attempt, News Org Says from TechCrunch

[Don’t think Twitter moves the stock market? Think again. One rogue tweet from a hacked AP account sent the Dow plunging nearly 150 points in a matter of seconds. What’s your takeaway from all this? Vigorously guard your online credentials, because attackers will do everything they can to get them and then exploit them for financial gain.] The AP Twitter hack which sent the stock market briefly crashing was caused by a phishing attack, according to the AP. The news organization now says the attack on Twitter was “preceded by a phishing attempt on AP’s corporate network.”

Erado Message Control Solutions Reports First Quarter Growth Strongest in Company History from Erado

[Social media archiving provider Erado continues to grow quickly. You've read here before about its relationships with firms like LPL, the largest independent broker dealer ranked by revenue as well as account assets.] Erado, the nation's leading compliance and archiving firm in electronic communication, announced today their record first quarter growth. Erado added new services for over 500 offices, and continued hiring due to its continued growth. The quarter was the strongest in the company's history.

FPPad Bits and Bytes for February 8

The 2013 T3 Conference

Today I'm headed out early to the T3 conference in Miami, FL. Stop by and say hi if you're attending; I'm speaking on Tuesday at 1:15pm (Defending Your Business from Hackers) and 2:40pm (Current Technology Trends) and again on Wednesday at 8am (File Sharing and Collaboration Software).

Here are this week’s stories of interest:

Ten Tips That Could Prevent Cyber Criminals from Hijacking Client Data from WealthManagement.com

[Remember the Phishing, Hacking, and Spoofing article I wrote here last year? See: Why advisers can't trust their clients anymore. Now a bunch of the major financial trade publications are picking up the story on ways advisers need to protect their business and their clients' personal information, because hackers are exploiting holes in security and are stealing money.] As tablet ownership continues to grow—doubling since 2011—and more than half of U.S. consumers own a smartphone, according to a 2013 Forrester Research report, advisors need to be more vigilant about data security now more than ever. Below are 10 easily implemented safeguards that could prevent advisors from becoming an easy target for cyber thieves.

Windows 8 Review: 5 Things to Know from Financial-Planning.com

[Joel Bruckenstein wrote this good review of Windows 8 and the pros and cons the new operating system offers to financial advisers (See: Windows 8 for financial advisers: Pros and cons from FinFolio CEO Matt Abar). I admit, I couldn’t convince myself to personally buy a copy of Windows 8 to try it on my own. I know, I know, I’m a technology consultant, and I should have experience with ALL software systems available, but still… it’s a Microsoft product, and I stopped using their OS in 2011. Nevertheless, you will likely need to replace an aging Windows machine, and Windows 8 is about your only reasonable option for the OS.] Whenever Microsoft releases a new operating system, it is a significant event. And the latest edition of its operating system, Windows 8 – designed to work on desktop computers, laptops, tablets and smartphones – is much more than a PC operating system.

FPPad Bits and Bytes for February 1

With the TD Ameritrade Institutional 2013 National Conference wrapping up today, I got a late start on aggregating the best tech news from around the industry this week.

Nevertheless, you still have Saturday and Sunday to review this week’s stories of interest:

On Guard: Stopping Data Thieves from Financial-Planning.com

[This is a video filmed at the TD Ameritrade conference right after I presented about hacking and spoofing attacks targeted at financial advisers. I cover some of the popular schemes out there and a few clever ways to authenticate the identity of your clients.] Tech consultant Bill Winterberg recommends steps to help protect clients from hacking, phishing and spoofing.

TD Ameritrade adds iRebal to the cloud and offers it for free to affiliated advisers from FPPad.com

[The big tech news out of TD Ameritrade’s conference was the announcement that iRebal will soon be free for advisers who custody with TD Ameritrade, and the software will be delivered over the cloud.] TD Ameritrade’s rebalancing software will soon be available online via the cloud and at no additional cost to affiliated advisers.

RedBlack Software Announces First Third-Party Rebalance Solution and Trading Integration with TD Ameritrade Institutional’s Veo® Platform from PRWeb.com

[Yes, TD will soon offer iRebal for free to advisers, but that doesn't mean all advisers are going to use it. There are still other rebalancing solutions out there at a variety of price points with different functionality. So here's a move from RedBlack to get onboard with Veo Open Access and streamline trading for advisers using a multi-custodial rebalancing system.] RedBlack Software, LLC, the largest independent provider of portfolio rebalancing software for the investment management industry, today announced the successful integration with TD Ameritrade Institutional through their Veo® platform.

Learn how to protect your business from hacking attacks at FPA Business Solutions 2013

One session at FPA Business Solutions 2013 will expose advisers to security threats their business is likely to face

I’m on the task force for FPA Business Solutions 2013 and helped put together a great lineup of speakers and thought leaders for financial advisers.

One speaker I invited is Peter Giza, founder of Spitbrook Consulting and former CTO of RedBlack software.

FPA Business Solutions is scheduled for March 7-9 in Chicago, IL. In his session, Giza will address threats advisers face from hackers and social engineering and identify things to do to deflect such attacks.

I asked Giza for a preview of his session for FPA Business Solutions, which was broadcast in the latest episode of FPPad On Air.

Watch the interview below, and be sure to register today for FPA Business Solutions to learn more from Giza and the rest of the excellent speakers on the agenda. The FPA member early bird rate of $399 expires this January 25!


Why advisers can’t trust their clients anymore

“Spoofing” is on the rise and RIAs are becoming targets of clients that are not who they appear to be.

What seemed like ordinary correspondence from a client quickly became a compliance nightmare for one Dallas-based wealth management firm.

I recently spoke with an executive from the Dallas-based firm who asked to remain anonymous due to ongoing investigations about the incident. This person described how the firm received a wire request from a client via email, so the firm replied by sending the appropriate form for a client signature. A few hours later the form was returned and the signature was compared with another from a prior wire request already on file. Everything looked to be in good order.

But unfortunately for all parties involved, the wire request was not from the actual client, but from someone who had broken into the client's email account.

Client Spoofing

It turns out this scenario is not unique, as over a half-dozen cases involving Dallas/Ft. Worth-based RIAs have been reported since the beginning of the year.

In the latest scheme to defraud individuals, hackers are using "spoofing" techniques to impersonate others who have relationships with professional financial advisers. Spoofing is commonly accomplished by obtaining a client's email account password through keylogging software or by substituting indistinguishable characters in a valid email address (e.g. a lower-case "l" and a capital "I"). In either case, the hacker attempts to exploit the existing trusted relationship with the adviser, who has no reason to be suspicious of a request to transfer funds.
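One defensive check for the look-alike address trick described above, as an added example (not code from this post): a "skeleton" comparison that flags a sender whose address differs from a known client address only by confusable characters such as the lower-case "l" / capital "I" swap. The confusable table, the client list and the sample messages are all constructed for the example; the check says nothing about a request sent from a genuinely compromised account (the keylogger case), which is indistinguishable by address and still needs the out-of-band verification the post recommends.

```python
import unicodedata

# Constructed, deliberately small table of visually confusable characters.
# Addresses are lowercased before lookup, so the post's "lower-case l vs
# capital I" substitution becomes i/l -> "1" on both sides of the comparison.
CONFUSABLE_CHARS = {
    "l": "1", "i": "1", "|": "1",
    "o": "0",
    "\u0430": "a",  # Cyrillic а
    "\u0435": "e",  # Cyrillic е
    "\u043e": "0",  # Cyrillic о
    "\u0440": "p",  # Cyrillic р
    "\u0441": "c",  # Cyrillic с
    "\u0455": "s",  # Cyrillic ѕ
}
CONFUSABLE_PAIRS = {"rn": "m", "vv": "w"}  # two characters that read as one


def skeleton(address: str) -> str:
    """Collapse an address to a 'what it looks like' form for comparison."""
    addr = unicodedata.normalize("NFKD", address.strip().lower())
    addr = "".join(ch for ch in addr if not unicodedata.combining(ch))  # drop accents
    for pair, single in CONFUSABLE_PAIRS.items():
        addr = addr.replace(pair, single)
    return "".join(CONFUSABLE_CHARS.get(ch, ch) for ch in addr)


def classify_sender(sender: str, known_addresses) -> str:
    """'known' = exact (case-insensitive) match; 'lookalike' = same skeleton as a
    known address but not the same string; 'unknown' = neither."""
    sender_norm = sender.strip().lower()
    known_norm = {k.strip().lower() for k in known_addresses}
    if sender_norm in known_norm:
        return "known"
    sk = skeleton(sender)
    if any(skeleton(k) == sk for k in known_norm):
        return "lookalike"
    return "unknown"


# Constructed sample data: the firm's client list and a morning's inbound requests.
KNOWN_CLIENTS = ["william.client@example.com", "jane.doe@example.com"]
SAMPLE_MESSAGES = [
    {"from": "William.Client@Example.com", "subject": "Wire request"},
    {"from": "wiIIiam.client@example.com", "subject": "Urgent wire request"},  # I for l
    {"from": "willi\u0430m.client@example.com", "subject": "Wire instructions"},  # Cyrillic а
    {"from": "jane.doe@exarnple.com", "subject": "Please wire today"},  # rn for m
    {"from": "bob@example.com", "subject": "Question about fees"},
]


def triage(messages, known_addresses):
    """Return (sender, verdict) for every message NOT from a known client address."""
    flagged = []
    for msg in messages:
        verdict = classify_sender(msg["from"], known_addresses)
        if verdict != "known":
            flagged.append((msg["from"], verdict))
    return flagged


if __name__ == "__main__":
    for sender, verdict in triage(SAMPLE_MESSAGES, KNOWN_CLIENTS):
        print(f"{verdict:9s} {sender}")
```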

In addition to client impersonation through email, some hackers are going so far as to activate call forwarding on a client’s personal cell phone account, meaning that confirming a client’s wire instructions via phone may not always guarantee the person on the other end is who they say they are. The boldest of hackers are calling in directly to advisory firms, spoofing Caller ID, and verbally requesting wire transfers.

If a firm’s back office staff has little or no contact with certain clients, employees have little opportunity to properly validate the identity of the individual calling in.

Combating Spoofing

Since you can no longer trust the authenticity of all correspondence received from clients, either by email or phone, what can you do to protect yourself and your clients from spoofing activity?

There’s no clear consensus on best practices to combat client spoofing. Remember that verifying instructions by placing a phone call can be insufficient if the hacker is able to activate call forwarding on a victim’s phone.

One recommendation is to follow the authentication practices of large banks and credit card companies. When you call in as a customer, you’re asked for a secret word or phrase in addition to your account information to proceed with any assistance. While one’s mother’s maiden name is often the typical security word, I would advise against using it for your authentication process.

You may want to update your policies and procedures to ask for clients’ secret phrase before processing fund transfers of any kind. Keep this secret phrase secure and confidential, likely included in your password-protected CRM software next to your client’s contact record.

Also, in the age of camera-equipped mobile devices, a video chat to confirm wire instructions is a better way to verify a client’s identity versus a standard phone call. Still, the employee at the advisory firm must know what the client looks like before contacting him/her to verify instructions!

If You’re Targeted

If you believe your firm is the target of client spoofing, one good place to report the incident is the Internet Crime Complaint Center, or IC3 (http://www.ic3.gov/). IC3 is a partnership between the Federal Bureau of Investigation (FBI) and the National White Collar Crime Center (NW3C) and aggregates incident reports to allocate investigative resources accordingly. Often, the FBI or the Secret Service will get involved in cases involving spoofing of investment adviser clients.

Educate Clients

Finally, one weak link in most spoofing scenarios is a client’s password credentials to web-based email accounts. A value-add service you can provide to clients is education on how to best protect login and password credentials. Sage advice includes never entering credentials using an unknown computer, such as a public computer in a hotel business center.

Also, an increasing number of web-based email providers allow users to add multi-factor authentication to the login process. Multi-factor authentication, which I addressed in this Morningstar Advisor column, requires users to authenticate their login activity through a second device, typically via SMS text messages. Even many credit card companies are adding this additional verification process to their systems.

So don't fall victim to the next spoofing attack your firm encounters. It's not a question of whether an attack will occur, but rather when.

More resources on spoofing: