Email fraud is on the rise, as most people know. What is surprising, though, is how phishing email scams are on the rise amongst financial advisors. These types of phishing attacks are known as business email compromise scams (BEC scams).
According to a 2018 SEC report, business e-mail compromise attacks caused over $5 billion in financial losses for publicly traded companies from 2013-2017. While BEC scams affect a lot of industries, financial advisors are especially targeted because they have access to money. Your money.
In this article, we will:
- Explore in depth exactly what a BEC scam is
- Talk about major types of BEC scams
- Cover two actual case studies of clients where BEC scams were attempted
- Outline the best way you and your financial advisor can avoid being taken by a BEC scam.
Let’s start by discussing what a BEC scam is.
What is a BEC scam?
According to the FBI, a BEC scam involves sending an email message that appears to come from a known source making a legitimate request.
This could look like:
- A vendor that a company uses sending an updated mailing address for invoice payments.
- A homebuyer receives a message from his title company with instructions on how to wire the down payment for closing.
- An email from their bank’s finance department asking to verify confidential information.
Or, in the case of financial advisors, posing as the client and sending an email to send money to their bank account. We’ll cover this a little more later, but let’s look at some of the methods that criminals use to carry out BEC scams.
How Criminals Pull off BEC Scams
There are several ways that scammers conduct BEC scams. Here are four of the more common ways criminals pull off BEC attacks.
Phishing campaigns are emails from the attacker’s account designed to trick unsuspecting users into giving the attacker a piece of sensitive information. This piece of information might only be one part of what the attacker needs to complete the scam.
Phishing emails can be tailored to obtain any type of information, including:
- Financial information
- Personally identifiable information (PII). PII is a key piece of information that isn’t considered public. Examples include Social Security numbers or driver’s license numbers
- Payment information, like an account number
And the FBI has been warning people about phishing for a long time. In 2018, the FBI’s Internet Crime Complaint Center released a public service announcement about how cybercriminals use social engineering techniques to obtain payroll information from company employees. Here’s the rundown:
- Cybercriminal sends phishing email to targeted employee email account.
- Criminal obtains login credentials to employee’s corporate account.
- Criminal diverts employee’s pay to fraudulent bank accounts.
- Criminal locks employee’s account so the employee no longer has access.
In another example, a USAA member might get an email from USAA asking for them to update some information on file. But it might not be from USAA.
And that’s because it might have been spoofed by the hacker.
Spoof emails happen when the BEC attackers make a slight change to a legitimate email address or a website address.
For example, your friend, John Smith, sends you an email from his account: firstname.lastname@example.org. Except that John doesn’t have a Gmail account. He has a Hotmail account.
The Gmail account is a fake email account set up by the attacker. And responding to this email sends any response directly to the attacker’s email account.
Or sending you to a slightly altered URL to a website you routinely go to. That website ends up looking almost identical to the normal website, so it goes unnoticed.
For example, USAA’s insurance site (hyperlinks removed) is:
which doesn’t look that much different from
Only a discerning eye would notice the extra ‘a’ in the second link. This link would lead the victim to a website the cybercriminal controls.
And many times, the malicious links are hidden in the text. This makes it difficult to figure out if it’s the real thing.
Spearphishing is similar to spoofing, except it’s a message that appears to be from a trusted sender, asking the victim for sensitive information.
Unlike phishing, which is simply a numbers game, spearphishing is a targeted attack.
This attack could be against a company’s employees. But instead of stealing personal information, the intent might be to obtain company files.
Spearphishing is becoming a common way for criminals to infiltrate companies.
Using social media and publicly available information, scammers already know a LOT about most people.
That spearphishing email, like “We’re reviewing our records, please verify your account,” is simply an attempt to get that last piece of information that might not be publicly available.
Just like regular phishing campaigns, this could be account numbers, PINs, passwords, user names, or other information.
Whalephishing is a highly targeted form of spearphishing.
Whalephishing focuses on senior executives, like a company CEO, who might have the highest level of access within an organization.
Malware, or malicious software, is often used to get into company networks and gain access to records. This usually comes in the form of a malicious attachment.
In many cases, this information might be used to time requests or messages so that the people who approve payments don’t question them. Within an organization, malware can also be used to gain access to individual employees’ email accounts or client data, which can be used in future attacks.
BEC Scams Against Financial Advisors
The most troubling trend is where cybercriminals focus their business email compromise schemes against financial advisors. A successful BEC attack against an unsuspecting advisor can wipe out their clients’ accounts, without the client having done anything wrong!
Here are three reasons why BEC Scams are starting to target financial advisors.
Trust has already been established.
It takes a lot of trust for investors to turn their money over to an advisor. We spend a lot of time discussing the technical aspects of financial planning, like investments, Roth conversions, or tax planning.
But the truth is, trust goes both ways. So a financial advisor might be quick to trust that email about wire transfer payments from their client’s email. Even if they should be on guard.
And that’s because most financial advisors are very busy running their own small business.
Many financial advisors are small business owners.
Small business owners know how much time it takes to successfully run a business. When you’re the CEO and the chief janitor, you’re probably also in charge of compliance.
Most financial advisors stay on top of their compliance programs. Otherwise, the SEC or their state’s regulatory office would shut them down.
And cyberprotection is becoming more of a focus item for auditors. But not all financial advisors are quite getting the message.
And finally, the last reason criminals go after the accounts your advisor is managing:
That’s where all the money is!
According to numbers reported by the Investment Advisory Association, SEC-registered investment advisors managed over $110 trillion in 2020. That’s up from $43 trillion in 2010.
So there’s a lot of incentive for criminals to go after the accounts that your advisor is managing for you.
When I was a financial advisor, we had several attempted BEC scams. Fortunately, we didn’t fall for them, and our clients didn’t lose their money.
Let’s go through them so you can be on the lookout for what these people are doing.
BEC Scam Case Study #1
We received an email request from a client who requested a large sum of money to be wired from her investment account to her ‘relative.’ It gave us information on how we were supposed to send the wire.
It was weird for our client to ask for wire transfers, because we normally had bank account transfer information on file for this client. And we were skeptical, because we know our client’s personality. This email seemed out of the norm.
As part of our normal verification procedures, we called to verify that this was indeed what she wanted. The client said, “No. I didn’t send you this email. Thank you for letting me know, I’ll look into it.”
When she looked into it, it appeared that someone gained access to her email and was watching her emails for a while. The perpetrator crafted an email that looked like similar emails from the past, thinking that we would simply honor the request.
Then, the perpetrator deleted that spam email from the ‘Sent Emails’ folder in the hopes that our client wouldn’t see it.
Had our staff not been on the lookout or if our firm did not have procedures in place to verify email requests, this client would have lost a lot of money.
BEC Scam Case Study #2
This attempt was a little more subtle, a little more complicated, and a little sneakier.
Another client sent an email asking for $5,000 to be transferred to his bank account. This client occasionally asks for $5,000 or $10,000 here and there, so it didn’t appear suspicious at first.
Simultaneously, he received an email from his wife asking him to transfer $5,000 to another account. In this case, the client actually wanted the money: we called, verified, and processed the request as our normal procedures allow.
However, his wife’s email had been hacked, unbeknownst to either spouse. As she was copied on the email correspondence about the first money transfer, the scammer was seeing his normal process play out.
After the scammer saw that the first transfer had been completed, that’s when the scammer sent the second email. Our client was concerned that we had been copied on that email (we had not) and directed to process a transfer to an unfamiliar bank account.
Because we had called to verify his request, he felt assured that we would have called to verify the second request as well.
In this case, our firm’s procedures and our client’s awareness prevented that email hack from turning into something more serious.
Your advisor should always be on the alert against fraud.
What YOU Can Do to Dodge BEC Scams
There are always going to be people out to scam you. Perhaps you keep a low online profile. Even so, it’s likely that there is enough publicly available information for a sufficiently motivated person to work with.
However, BEC scams only work when the scammer can grab that piece of crucial information not available online. For example, a password here, PIN code there, verification questions (like what color was your first car?).
Fortunately, there are things you can do to protect yourself. A lot of these security measures are commonly known, but they’re still worth mentioning:
Keep your antivirus and anti-malware software up to date.
The easiest way to do this is to regularly download and install updates. Updating software might be inconvenient, but it’s also the best way to keep your antivirus software working for you.
It’s not enough to just keep your password to yourself. Hackers are getting smart nowadays. Here are some tips on proper password management.
Use complex passwords
Everyone knows that you should use a combination of letters, numbers, and special characters. Years ago, 8 to 10 character passwords were common. Now, it’s not rare to see security consultants recommend passwords containing 16, 20, even 25 letter, number, and character combinations.
Use a different password for different websites
What if one account gets hacked? Odds are, your hacker will try your login information elsewhere.
And if you’re using the same combination everywhere, you’re toast.
Use a password manager to help keep passwords secure
It’s easier to keep on top of password maintenance if there’s a manager that remembers everything for you.
If you use exclusively Apple products, then the iCloud keychain is probably good enough for you. And with biometric data, like face recognition or fingerprint reading on iOS devices, your info is protected if you lose your phone.
For people who navigate between different operating systems, then you may want to invest in a third-party password manager. And having a password manager will allow you to keep your passwords up to date.
Use two-factor verification for your logins.
Two-factor verification is when a login requires a code (usually sent by text or email) to be entered before allowing access. Most financial accounts require this to help protect against fraud.
When you receive an email from ‘someone,’ asking you to do something, pause.
Check the sender email address (not the display name) for typos. If you receive a prompt to log into a website (like your bank’s website), don’t automatically click the link in the email. Instead, type the URL into your internet browser and log in that way.
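The spoofed-address tricks described earlier (a friend’s name on an address at a different provider, a trusted domain with one extra letter) and the advice above to check the address rather than the display name can be turned into a small mechanical check. This is an added example written for this article, not a tool the author or any vendor provides; the domains, contact names and addresses in it are constructed sample data.

```python
from email.utils import parseaddr

# Constructed sample data (not real organisations or people): domains the reader
# deals with, and the addresses individual contacts are known to use.
TRUSTED_DOMAINS = {"insurance.example", "bank.example"}
KNOWN_CONTACTS = {"john smith": {"john.smith@mail.example"}}
KNOWN_ADDRESSES = {a for addrs in KNOWN_CONTACTS.values() for a in addrs}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: single-character inserts, deletes or substitutions
    needed to turn a into b. A look-alike domain is typically exactly 1 away."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(from_header: str) -> dict:
    """Judge a From: header by its address part only. The display name is
    whatever the sender typed, which is exactly what a spoof relies on."""
    name, addr = parseaddr(from_header)
    addr, name = addr.lower(), name.strip().lower()
    domain = addr.rsplit("@", 1)[-1] if "@" in addr else ""
    result = {"address": addr, "domain": domain, "verdict": "unknown", "note": ""}

    # Exact match against what you already know is the only path to "trusted".
    if addr in KNOWN_ADDRESSES or domain in TRUSTED_DOMAINS:
        result["verdict"] = "trusted"
        return result

    # One character away from a trusted domain: the "extra a" case.
    look_alike = [d for d in sorted(TRUSTED_DOMAINS) if edit_distance(domain, d) == 1]
    if look_alike:
        result.update(verdict="suspicious", note=f"domain mimics {look_alike[0]}")
        return result

    # Familiar name, unfamiliar address: the "John Smith on Gmail" case.
    if name in KNOWN_CONTACTS:
        result.update(verdict="suspicious",
                      note="name matches a known contact but the address does not")
    return result


if __name__ == "__main__":
    for header in ("Claims <claims@insuraance.example>",
                   "John Smith <john.smith@webmail.example>"):
        print(classify_sender(header))
```

An "unknown" verdict is not a pass; it only means the sender is neither on your list nor obviously imitating someone on it, so the phone-call rule still applies.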
If you see something suspicious from a close friend or family member, call them.
Verify whether they did actually send the email. This also applies to social media, like Facebook and LinkedIn, where similar scams are popping up.
But don’t respond to the email—pick up your phone and call.
Sign up for scam alerts from the Federal Trade Commission.
You can learn more by going to the FTC’s website. From there, you can report scams, learn more, or sign up for email updates.
Hold your trusted professionals accountable.
Most banks have standardized procedures and are probably going to be up to date with the latest banking regulations.
However, the smaller professionals you use who have access to your money and personal information might not have access to corporate resources, IT budgets, or the infrastructure to protect your information. Think accountant, estate attorney, and financial advisor.
But they should be taking reasonable steps to safeguard your info.
What can my advisor do to protect my information?
Even without corporate budgets, your financial advisor could (and should) be doing more to protect client data.
The SEC and FINRA (Financial Industry Regulatory Authority, which monitors broker-dealers) are both cracking down on advisors who do not have appropriate protections in place. In fact, FINRA has fined financial advisors who have NOT called to verify client information (as mentioned above).
Below is a list of things your financial advisor can do to protect your accounts, and how you can verify them:
Have procedures in place that verify client identity any time there is a request to transfer money out of their investment account.
This should be by phone call, not text messaging, email, or social media.
At some point before your money leaves your account, your advisor should have contacted you personally to verify the request. If not, then you should place a standing order with the advisor that money does not leave the account unless you have given specific permission to do so.
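The verification rule above, and the two case studies, can be written down as a decision procedure so that every staff member applies it the same way. This is an added illustration for this article, not any firm’s actual compliance procedure or software; the client record, phone number and account identifiers are constructed sample values.

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class ClientRecord:
    """What the firm recorded at onboarding; nothing here comes from an email."""
    name: str
    phone_on_file: str
    accounts_on_file: set = field(default_factory=set)
    typical_max: float = 10_000.0  # largest amount this client usually asks for


@dataclass
class TransferRequest:
    client: str
    amount: float
    destination: str
    channel: str                           # "email", "text", "portal", "phone"
    verified_by_callback: bool = False     # staff spoke to the client themselves
    callback_number: Optional[str] = None  # the number staff actually dialled


def evaluate_transfer(req: TransferRequest, rec: ClientRecord) -> dict:
    """Decide whether money may leave the account. Release requires the firm's
    own call to the number on file; everything else is a talking point for that call."""
    flags = []
    if req.channel in ("email", "text", "social"):
        flags.append("written request; ask the client to check that account for compromise")
    if req.destination not in rec.accounts_on_file:
        flags.append("destination account is not on file for this client")
    if req.amount > rec.typical_max:
        flags.append("amount exceeds this client's usual requests")

    if not req.verified_by_callback:
        return {"decision": "hold", "reason": "no callback to the client recorded", "flags": flags}
    if req.callback_number != rec.phone_on_file:
        # A number supplied in the request itself would reach whoever wrote the request.
        return {"decision": "hold", "reason": "callback went to a number not on file", "flags": flags}
    return {"decision": "release", "reason": "client confirmed by phone", "flags": flags}


if __name__ == "__main__":
    # Constructed sample in the shape of case study #1: a large wire to a 'relative'.
    rec = ClientRecord("Client A", "+1-555-0100", {"ACCT-ON-FILE-1"})
    req = TransferRequest("Client A", 50_000.0, "WIRE-RELATIVE-9", "email")
    print(evaluate_transfer(req, rec))
```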
Your advisor should adhere to the same standards (outlined above) as you do, and more.
The above list was a fairly basic list of common safeguards that everyone should have in place to protect their own identity. Your advisor should have MORE.
Your advisor should have procedures documented in their compliance manual.
Every registered investment advisor is required to maintain a compliance manual. Essentially, it’s their ‘rulebook’ on how things are properly done in the firm. And during a surprise audit, it’s the first thing the auditor looks at.
Your advisor’s compliance manual should cover at a minimum:
- Employee training
- Password security
- Data encryption
- Software standards
- Where client data is stored
- How client data is accessed by people outside the office (working from home, public wi-fi areas, etc).
- Physical security
- Website security
- Antivirus/malware protection
Any question should be answered in the same manner by any employee.
During an audit, an auditor checks to make sure that all employees are following the rules and guidelines in the compliance manual. After all, what good is the compliance manual if no one follows the rules?
This isn’t usually a problem for a solo advisor who might do most (if not all) of their own work.
But if you’re the client of a larger firm, then one of the risk areas might not be the advisor, but in how well the staff is trained. And in a larger firm, the person who actually would process your money transfer might not be the advisor, but someone on the supporting staff. If that person isn’t properly trained, then it doesn’t matter what the advisor says to you.
In a properly-managed office, you shouldn’t get two different answers from two different staff members on how to process a money transfer.
If the advisor says, “We call to verify before we move any money,” that should be the exact same answer that you get from anyone else.
And if there are two or more people who might do that work, then each of them should be able to say the exact same thing. That’s a sign of a firm operating with standardized security procedures. That firm is likely going to protect you from cybercriminals and identity theft.
Your advisor should have multiple layers of security.
Good security isn’t any ONE of these. It’s ALL of these, layered on top of each other—password security, physical security, private wi-fi connections, etc.—to make the firm a hard target.
Your advisor should provide secure means to send documents back and forth.
This does not include email, which can be hacked. This could be a client portal on the firm’s website, or a third-party vendor that uses strong encryption.
Your advisor should be helping you stay accountable for your own security.
Cybersecurity is a team game, and you’re only as strong as the weakest link.
BEC scams are real. And they’re especially scary because if your financial advisor falls for a scam, that can directly impact you. So talk with your financial advisor and make sure that you’re comfortable with the steps they’re taking to protect you, your information, and your money.