As described in an earlier article in this series, cybercriminals want to steal two things from wealth managers: client assets and client information. This article looks at the steps that firms will need to take to protect client assets from external threats.
One path used by cybercriminals is to pose as an employee of the wealth manager and direct the custodian to wire funds out of an account. Accomplishing this first requires penetrating the wealth management firm’s systems, stealing the user IDs and passwords issued by the custodian and then, after initiating a fraudulent transaction, intercepting the confirmatory call from the custodian.
Unfortunately, accomplishing this is not particularly difficult using malware—i.e., software that gets behind cyber defenses, exports information and allows outsiders to take control of systems. Cybercriminals can infect a wealth manager employee’s device through a phishing email, a smishing text or a home network. Should that device be connected to the firm’s systems, every other device attached to them will likewise be infected with malware. Once this is in place, criminals can quickly identify and steal the necessary information.
As described in an earlier article, intercepting a confirmatory call from the custodian would likely be even less challenging. Technology that allows a criminal to walk by someone and “spoof” or copy their cell phone has been around for more than a decade. Additionally, criminals can use either employee work voicemails or videos of targeted individuals downloaded from unprotected social media accounts to create incredibly accurate clones of their voices with the help of AI software. Then, with a copy of the cell phone and a clone of its owner’s voice, criminals can intercept the confirmatory call and convince the custodian the transaction is legitimate.
Fortunately, there is a relatively simple—albeit potentially cumbersome—way to reduce the risk of this happening. It requires insulating the interaction point between the wealth manager and the custodian from cybercriminals.
More specifically, the first step is for the wealth manager to allow only a handful of people to access the credentials required to originate a transaction and to store those credentials on a single, dedicated device that is used solely for originating transactions. When in use, it connects to the Web over a cellular connection and encrypts its online traffic using a virtual private network (VPN). No other devices should be allowed in the room while it is being used, and the device should never be connected to the company’s network or any other Wi-Fi, to preclude the risk of its being infected with malware. Additionally, because the credentials are shared, the authorized users should be required to maintain a usage log.
When not in use, the dedicated device should be kept locked in a safe with limited access and, for reasons that we will elaborate on in a subsequent article about internal threats, kept in a Faraday cage that prevents someone nearby from copying its memory. Certainly, large organizations with several locations could utilize multiple teams, each for different accounts and each with its own secure device locked in a separate safe.
This structure creates an air gap that physically separates the origination of transactions from company systems and blocks cybercriminals even if they have managed to compromise them.
Far more complicated is preventing criminals from duping a wealth manager into originating fraudulent transactions by posing as either a client or an employee. More specifically, and as noted earlier, criminals can now accurately clone voices using AI software. Additionally, many employees routinely work remotely, and both employees and clients often have abysmal personal cybersecurity.
Consequently, cybercriminals can initiate fraudulent transactions by breaching either company employees or clients when they are at home or on vacation. A compromised client email account can be used to direct the adviser to wire funds. Similarly, cybercriminals can breach an employee’s work device or personal email and then send instructions to another employee directing that money be sent from client accounts. As described earlier, when the firm calls either the client or employee to confirm the transaction, the cybercriminals can intercept the call and pose as that individual.
Unfortunately, there is no foolproof system to prevent this from happening. That said, firms can mitigate their risk in a couple of ways. The first involves creating a separate identity system for confirming transactions. One alternative is to provide both clients and employees with an anonymous private email account that is not linked to any of their other online accounts. A code can be sent to that account to confirm the identity of the party. Another alternative is to use authenticator apps, whose algorithms randomly generate numbers and characters that can be used to confirm a counterparty’s identity.
To be sure, every email account at some point can be identified and hacked and there already is malware that can breach authenticator apps. Consequently, a second, equally important way to mitigate the risk of fraudulent transactions is to have an automatic delay before funds can be wired from a client’s account until the firm can be certain that the transaction is legitimate.
Fraudulent transactions are most successful when they are presented as “urgent.” Certainly, delaying one is less convenient for clients. But a slower, more deliberate process allows wealth managers to perform fuller due diligence on the request and reduces the likelihood of being defrauded.
Any organization that has access to large amounts of liquid assets now has a cyber bullseye on its back from cybercriminal enterprises across the globe. It is only a matter of time before every firm is victimized. Taking these steps will reduce both the frequency of such events and the likely resulting damage.
Mark Hurley is CEO of Digital Privacy and Protection (DPP). Carmine Cicalese, COL, U.S. Army Retired, is senior advisor and partner at DPP.