Cybercriminals are perfecting their methods of taking over customer accounts, officials at the Financial Industry Regulatory Authority warned at its annual conference yesterday.

Finra has received an increasing number of reports about account takeover incidents, said agency representatives in a panel discussion at the conference and in a new notice designed to provide broker-dealers with practices to prevent and detect such attacks.

Account takeovers involve bad actors using compromised customer information, such as customers’ log-in credentials, to gain unauthorized entry to their online brokerage accounts.

The methods of attack include phishing emails, fake websites, cell phone apps and fraudsters calling customers pretending to be registered reps from the customers’ firms to acquire personal information.

Scam artists “aren’t just asking for usernames and log-ins, but are taking a more aggressive approach,” said Bob Colby, Finra’s chief legal officer, at the conference. “Once you pick up the phone or click on a link, they ask for names, phone numbers and your mother’s maiden names to mirror real interactions. They’re being super aggressive,” Colby said.

Finra is also seeing instances where firms think their reps are “trading away” or doing business that is not approved or supervised by the broker-dealers. “If you think that your rep may be trading away, it is more often than not a website or communication that your rep is not even aware of,” Colby warned.

The large number of stolen customer log-in credentials available for sale on the “dark web” and the emergence of more sophisticated technology that allows fraudsters to automate large-scale account takeovers may be driving the increase in these attacks. Criminals are also using mobile device emulators to access thousands of online brokerage accounts and have begun using synthetic identities to fraudulently open new accounts.

Firms need to “be proactive,” Colby said. “Explain to clients in advance that these are the scams being used and that you’d never ask them for sensitive data via email or the devices they use.”

The chance investors will be defrauded by such schemes is reduced 80% if they’ve been shown examples of the fraud, said Bari Havlik, executive vice president of Finra Member Supervision, at the conference.

To help firms fight account takeover fraud, Finra officials recently met with representatives from 20 broker-dealers to glean their methods of preventing, detecting and responding to these attacks.

One way is by recommending to customers that they use a password manager. These applications protect online accounts by saving strong, unique passwords for each customer account and device. The password manager then automatically fills in the password whenever customers access their accounts online.

Customers often use the same log-in information across multiple accounts, making themselves particularly susceptible to widescale account takeovers, Finra said.

Beefing Up Security
Firms should also think about beefing up their new account opening requirements and verifying customers’ identities when establishing online accounts; that means validating identities on documents that applicants provide, including Social Security numbers, addresses and driver’s licenses.  

Other good approaches, broker-dealer executives told Finra, include asking applicants follow-up questions or requesting additional documents to validate their identities, using information from credit reporting agencies or firms that provide digital identity intelligence.

Some broker-dealers also use multifactor authentication when customers log in. This means going beyond a single password and using two or more levels of account verification when customers sign in—requiring them to present a code sent via a text message, for example, or using an authentication app as a second step to the clients’ passwords. This can significantly reduce fraud, Finra said.

The broker-dealer executives who met with Finra said they also routinely conduct ongoing surveillance for anomalies, such as significant increases in failed log-ins, large purchases made shortly after a customer opens an account or changes in emails followed by a request from a third party.

The firms used a variety of automated processes to detect potential malicious actions by bad actors; these processes included web application firewalls and internally built tools to stop attacks. They also isolated suspicious internet protocol (IP) addresses in a “penalty box” and used geographic limits that disallowed connections from countries where no customers reside.
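The anomaly checks described in the two paragraphs above (a spike in failed log-ins, an email change followed by a third-party request, and isolating offending source IPs in a “penalty box”) can be expressed as simple rules over an account-activity log. The following is an added illustration, not code from Finra or any of the broker-dealers it consulted; the event format, thresholds and windows are assumptions, and the sample events are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (ISO timestamp, account, event type, source IP); not from the Finra notice.
EVENTS = [
    ("2024-03-01T09:00:00", "A1", "login_failed", "203.0.113.7"),
    ("2024-03-01T09:00:05", "A1", "login_failed", "203.0.113.7"),
    ("2024-03-01T09:00:09", "A1", "login_failed", "203.0.113.7"),
    ("2024-03-01T09:00:14", "A1", "login_failed", "203.0.113.7"),
    ("2024-03-01T09:00:20", "A1", "login_ok", "203.0.113.7"),
    ("2024-03-02T10:00:00", "A2", "email_changed", "198.51.100.9"),
    ("2024-03-04T11:30:00", "A2", "third_party_request", "198.51.100.9"),
    ("2024-03-05T12:00:00", "A3", "login_failed", "192.0.2.4"),
]
FAIL_THRESHOLD = 3                       # assumed: failed log-ins per account inside FAIL_WINDOW
FAIL_WINDOW = timedelta(minutes=5)
EMAIL_CHANGE_WINDOW = timedelta(days=7)  # assumed: email change -> third-party request gap

def parsed(events=EVENTS):
    """Events sorted by time, with timestamps converted to datetime objects."""
    return sorted((datetime.fromisoformat(ts), a, k, ip) for ts, a, k, ip in events)

def failed_login_spikes(events=EVENTS):
    """Accounts with more than FAIL_THRESHOLD failed log-ins inside a sliding window."""
    recent, flagged = defaultdict(list), set()
    for ts, acct, kind, _ in parsed(events):
        if kind != "login_failed":
            continue
        recent[acct] = [t for t in recent[acct] if ts - t <= FAIL_WINDOW] + [ts]
        if len(recent[acct]) > FAIL_THRESHOLD:
            flagged.add(acct)
    return flagged

def email_change_then_third_party(events=EVENTS):
    """Accounts where an email change is followed by a third-party request within the window."""
    last_change, flagged = {}, set()
    for ts, acct, kind, _ in parsed(events):
        if kind == "email_changed":
            last_change[acct] = ts
        elif kind == "third_party_request" and acct in last_change:
            if ts - last_change[acct] <= EMAIL_CHANGE_WINDOW:
                flagged.add(acct)
    return flagged

def penalty_box(events=EVENTS, max_fails=3):
    """Source IPs to isolate: those behind max_fails or more failed log-ins overall."""
    per_ip = defaultdict(int)
    for _, _, kind, ip in parsed(events):
        if kind == "login_failed":
            per_ip[ip] += 1
    return {ip for ip, n in per_ip.items() if n >= max_fails}
```

Each rule returns the accounts or IPs it flags, so the output can feed a surveillance queue for review rather than blocking customers automatically.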

Firms that discover account takeover schemes or imposter websites mimicking their own sites should contact their Finra risk managers right away. “Finra is also looking for these schemes, and if we find them, we will contact you and work with you,” Colby said.