There are two things cybercriminals want to steal from wealth managers: client assets and client information. As part of this ongoing series on cybersecurity, let’s explore what advisory firms can do to thwart these lawbreakers before they cause irreparable damage.

One of their methods is to pose as an employee of a wealth manager and direct a client’s custodian to wire funds out of an account. Accomplishing this first requires penetrating a wealth management firm’s systems, stealing the user IDs and passwords issued by the custodian and then, after initiating a fraudulent transaction, intercepting the custodian’s confirmation call.

Unfortunately, accomplishing this is not particularly difficult with malware, that is, software that slips past cyber defenses, exports information and allows outsiders to take control of computers remotely. Cybercriminals can gain access to the devices of a wealth management firm’s employees through phishing emails, through “smishing” texts (phishing through direct text messages) or through poorly secured home networks. Once an infected personal device is connected to an advisory firm’s systems, the malware can spread to other devices on the same network. Once in place, criminals can quickly identify and steal credentials and client information.

It’s even less challenging to intercept a call from the custodian. Criminals do not need physical access to anyone’s phone. For more than a decade they have been able to “spoof” caller ID so that a call appears to come from an employee’s number, and with a “SIM swap,” in which they persuade a mobile carrier to move a victim’s number to a SIM card they control, they can receive the calls and texts intended for that victim. They can also use employee work voicemail greetings, recorded meetings or videos of targeted individuals from unprotected social media accounts to create incredibly accurate clones of victims’ voices with the help of artificial intelligence software. With control of the phone number and a clone of its owner’s voice, criminals can intercept confirmation calls and convince a custodian that a transaction is legitimate.

Fortunately, there’s a relatively simple—albeit cumbersome—way to reduce the risk of this happening. It requires insulating the interaction point between a wealth manager and a custodian.

The first step is for the wealth manager to allow only a handful of people to access the credentials required to originate a transaction. These credentials should be stored on a single, dedicated device used solely for the purpose of initiating transactions. It connects to the internet only over a cellular connection, with all of its traffic routed through a virtual private network (or VPN). No other devices should be allowed in the room while it is being used, and the device should never be connected to the company’s network or to any Wi-Fi, lest it be exposed to malware infection. Ideally each authorized user has their own custodian login; where the custodian issues only shared credentials, the authorized users should be required to maintain a log of who used the device, when, and for which transactions.

When it’s not in use, the dedicated device should be locked in a safe that few people have access to and be kept in a Faraday cage (an enclosure that blocks electromagnetic fields) so that it cannot be reached over any wireless radio (cellular, Wi-Fi or Bluetooth) while it is stored. Certainly, large organizations with several locations could utilize multiple teams, each for different accounts and each with its own secure device locked in a separate safe.

This structure creates what is loosely called an “air gap”: it physically separates the origination of transactions from company systems, so that cybercriminals who have otherwise managed to compromise an organization’s cyber defenses still cannot reach the credentials or the device that uses them. (Strictly speaking the device is not air-gapped, since it has a cellular connection; the protection comes from its isolation from everything else the firm runs.)

Fake Clients And Employees
It’s far more complicated to fight the next threat, which is to keep criminals from duping a wealth manager into originating fraudulent transactions by posing as a client or employee. Again, criminals can now accurately clone voices using AI software. Many people these days work remotely and have abysmal personal cybersecurity habits, making them easy targets.

Cybercriminals can initiate fraudulent transactions by breaching either clients or company employees when they’re at home or on vacation. A compromised client email account might be used to direct an advisor to wire funds to a fraudster. Criminals can also breach employee work devices or personal email and send instructions to other employees that direct money to and from client accounts. When the firm calls the client or employee to confirm the transaction, the cybercriminals can intercept the call and pose as the person whose account they have taken over.

Unfortunately, there is no foolproof system to prevent any of these things from happening. That said, firms can mitigate their risk in a couple of ways. The first involves creating a separate identity channel for confirming transactions, one that is not reachable from the client’s or employee’s everyday accounts. One method is to provide both clients and employees with a separate, private email account used for nothing else and not linked to any of their other online accounts. A code can be sent to that account to confirm the identity of the party. An alternative is to use authenticator apps, which generate short-lived one-time codes from a secret shared between the app and the firm and the current time (the codes are not random; they change every 30 seconds and can be checked by the firm without any network connection to the app). These can then be used to confirm a counterparty’s identity.

To be sure, every email account can at some point be identified and hacked, one-time codes can be phished or relayed in real time, and there’s already malware that can read codes from authenticator apps on a compromised phone. Thus, another strategy to fight off fraudulent transactions is to have an automatic delay that keeps funds from being wired from a client’s account until the firm can be certain that the transaction is legitimate.

Fraudulent transactions are most successful when they are presented as being “urgent.” Certainly, delaying one is less convenient for clients. But a slower, more deliberate process allows wealth managers to perform fuller due diligence on the request and avoid fraud.

Any organization with access to large amounts of liquid financial assets now has a cyber bull’s-eye on its back and is a likely target of cybercriminal enterprises across the globe. It is only a matter of time before every firm is targeted. Taking the steps described here will reduce both the frequency of successful attacks and the likely resulting damage.

Mark Hurley is CEO of Digital Privacy and Protection (DPP). Carmine Cicalese, COL, U.S. Army Retired, is senior advisor and partner at DPP.