The Financial Industry Regulatory Authority (Finra) says email hack attacks against investors are rising.
An investor alert titled "Email Hack Attack? Be Sure to Notify Brokerage Firms and Other Financial Institutions" outlines how investor funds are stolen by fraudsters who gain access to an investor's email account and then email instructions to the firm to transfer money out of his or her brokerage account. The alert also provides investors with tips to safeguard their account assets.
Finra's investor alert also explains how investors can tell when their email account has been hacked and what steps to take if their personal financial information is stolen. The alert also links to a joint fraud alert issued by the Federal Bureau of Investigation (FBI), Financial Services Information Sharing and Analysis Center (FS-ISAC) and Internet Crime Complaint Center (IC3) that describes a similar trend where hacked email accounts are being used to facilitate illegal wire transfers.
"Investors who suspect that their email account has been hacked should immediately notify their brokerage firm and other financial institutions, and anyone who suspects they have been defrauded should file a complaint with Finra," says Gerri Walsh, vice president of investor education for Finra.
Finra, the independent regulator for securities firms doing business in the U.S., also issued a regulatory notice that outlines the risks of accepting instructions to transmit or withdraw funds via email. The notice recommends that firms reassess their policies and procedures to protect customer assets from such risks.
FBI officials say cyber criminals compromise email accounts of U.S. citizens and businesses and, by using variations of legitimate email addresses connected to a victim's account, request and authorize overseas transactions. Wire transfers are sent to the bank accounts of individuals typically located in the U.S. or in Australia, and the funds are then sent directly to Malaysia.
As of December 2011, attempted email fraud reached the $23 million mark, says Finra, with actual victim losses estimated at $6 million. Victims of the cyber criminals include banks, broker-dealers, credit unions and other institutions that engage with clients through email channels.
In a typical scenario, a cyber criminal sends an email to a financial institution, brokerage firm employee or the victim's financial advisor, pretending to be the victim, and requests the balance of the victim's account. When a request for an investor's balance amount proves successful, the cyber criminal sends another email to the institution indicating that they can only communicate via email and requesting that a wire transfer be made on their behalf. The cyber criminal's excuse is typically an illness or death in the family which prevents the account holder from conducting business as usual.
Victims of these schemes typically include individual citizens or businesses that invest significant amounts of money with their financial advisor or financial institution. Individual unauthorized wire transfers range from $17,500 to $183,000, says Finra.