Advisors and RIAs are prime targets for internet “phishing” schemes, according to Chris Roach, managing director at CBIZ Risk and Advisory Services, a business consulting firm based in Cleveland.
When crooks try to get private information by posing as a trusted entity on the internet, that’s phishing, and it is growing worse, Roach said. At first limited to e-mail, it has spread to text messages and Facebook Messenger, as well as telephone calls.
Financial advisors and firms, who hold so much private information about clients, are often targets of phishing, he said.
“Phishing is often the precursor to larger data breaches,” he added. “It has become so subtle that often the only warning sign is an out-of-place punctuation mark, a grammatical error or a slightly changed e-mail address.”
When CBIZ recently audited a financial institution for vulnerability, more than 40 percent of its employees fell for a simulated phishing attempt. “Even when employees catch the attempts, the incidents often go unreported because the employees delete the attempt and move on instead of flagging the message for attention,” Roach said.
“Hackers may not even know what they are going to do with the information they are gathering, they just gather it and then see how they can profit off of it,” he added.
In some cases, hackers obtain bank e-mail lists and send out solicitations to the addressees. Or an employee of a firm will get an e-mail that looks as if it is coming from a superior at the firm asking him or her to do some kind of financial transaction.
The holidays are a particularly bad time for these schemes, but there are steps advisors can take to protect themselves and their clients.
For instance, they can check the URL and e-mail addresses on the correspondence they receive carefully and look for any inaccuracies or misspellings, Roach said. Firms should have awareness training for employees about what to look for and what to do if they receive a scam e-mail or text. Employers need to know who to call to investigate bogus messages.
For consumers, the Federal Trade Commission recently issued an alert about what is called “spear phishing,” meaning bogus telephone calls that seem to come from a trusted bank or other financial organization in which the caller already has some personal information. The caller asks for confirmation of the information and asks for additional details. The caller also masks the caller identification to make it look like a local call.
The FTC warned consumers to not trust their caller ID and not to trust someone just because the person has some personal information. Don’t give callers any additional personal information, the FTC warned.
“If you gave a scammer your information, go to IdentityTheft.gov to find out what to do if the scammer masks charges on your accounts,” the FTC said. “Even if you didn’t give personal information to the scammer, report the scam to the FTC. The information helps us understand what’s happening and can lead to investigations and legal action to shut scammers down.”