Email fraud is on the rise, as most people know. What is surprising, though, is how quickly phishing email scams are growing among financial advisors. These types of phishing scams are known as business email compromise (BEC) scams.
According to a 2018 SEC report, BEC scams caused over $5 billion in losses to publicly traded companies from 2013-2017. While BEC scams affect a lot of industries, financial advisors are especially targeted because they have access to money. Your money.
In this article, we will:
- Explore in depth exactly what a BEC scam is
- Show how scammers actually pull off a BEC scam
- Cover two case studies of actual clients where BEC scams were attempted
- Outline what you and your financial advisor should be doing to avoid being taken by a BEC scam
What is a BEC scam?
According to the FBI, a business email compromise (BEC) scam involves sending an email message that appears to come from a known source making a legitimate request. This could look like:
- A vendor that a company uses sending an invoice with an updated mailing address.
- A homebuyer receiving a message from his title company with instructions on how to wire the down payment for closing.
- Or, in the case of financial advisors, a scammer posing as the client and sending an email asking to send money to their bank account.
We’ll cover this a little more later, but let’s look at some of the methods that criminals use to carry out BEC scams.
How Criminals Pull off BEC Scams
There are several ways that scammers conduct BEC scams:
Making a slight change to a legitimate email address. For example, your friend, John Smith, sends you an email from the account firstname.lastname@example.org. Except that John doesn’t have a Gmail account; he has a Hotmail account. Responding to this email sends any response directly to the scammer. A related trick is sending you to a slightly altered URL for a website you routinely go to. That website ends up looking almost identical to the normal website, so it goes unnoticed.
For example, USAA’s insurance site (hyperlinks removed) is:
which doesn’t look that much different from
Only a discerning eye would notice the extra ‘a’ in the second link, which could lead someone to a website the criminal controls. And many times, the hyperlink is hidden in the text so it’s difficult to figure out if it’s the real thing.
Spear-phishing is similar to spoofing, except it’s a message that appears to be from a trusted sender, asking the victim for sensitive information. Unlike phishing, which is simply a game of numbers, spear-phishing is a targeted attack against someone (like a company employee), with the intent of infiltrating company files.
This is becoming a common way for criminals to infiltrate companies. Using social media and publicly available information, scammers already know a LOT about most people. That spear-phishing email, like “We’re reviewing our records, please verify your account,” is simply an attempt to get that last piece of information that might not be publicly available. This could be account numbers, PINs, passwords, user names, or other information.
There’s even a form of spear-phishing, known as whale-phishing. Whale-phishing is targeted at high-level executives, like CEOs, who might have the highest level of access within an organization.
Malware, or malicious software, is often used to get into company networks and gain access to records. In many cases, this information might be used to time requests or messages so that access persons don’t question payment requests. Of course, within an organization, malware can also be used to gain access to individual employee or client data, which can be used in future attacks.
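The look-alike sender trick described above (a familiar name on the wrong mail provider, or a domain with one extra letter) can be checked mechanically. The sketch below is an added example, not something from the original article; the contact list, trusted domains and sample headers are constructed, and the two-character threshold is an assumption.

```python
from email.utils import parseaddr

# Constructed sample data: who you know, and the domains you routinely deal with.
KNOWN_CONTACTS = {"john smith": "john.smith@hotmail.example"}
TRUSTED_DOMAINS = {"hotmail.example", "mybank.example"}

def edit_distance(a, b):
    """Levenshtein distance: inserts, deletes and substitutions to turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def check_sender(from_header):
    """Return warnings for one From: header, judged by address rather than name."""
    name, addr = parseaddr(from_header)
    addr = addr.lower()
    domain = addr.rpartition("@")[2]
    warnings = []
    # A familiar name arriving from an address that is not the one on file.
    on_file = KNOWN_CONTACTS.get(name.strip().lower())
    if on_file and on_file != addr:
        warnings.append(f"'{name}' is on file as {on_file}, not {addr}")
    # A domain one or two characters away from a trusted one (extra or swapped letter).
    if domain not in TRUSTED_DOMAINS:
        for good in sorted(TRUSTED_DOMAINS):
            if edit_distance(domain, good) <= 2:
                warnings.append(f"{domain} is a near-miss of {good}")
    return warnings

if __name__ == "__main__":
    # Constructed From: headers: provider swap, extra letter, and a genuine sender.
    for header in ("John Smith <john.smith@gmail.example>",
                   "Bank Alerts <alerts@mybaank.example>",
                   "John Smith <john.smith@hotmail.example>"):
        print(header, "->", check_sender(header) or "no warnings")
```

A clean result only means the address matches what is on file; as the case studies below show, a hijacked mailbox sends from the real address, so the phone call is still needed.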
Case Study #1
We received an email from a client who requested a large sum of money to be wired from her investment account to her ‘relative.’ It gave us information on how we were supposed to send the wire (even though we normally have bank account transfers on file).
We were skeptical, because we know our client’s personality, and this email seemed out of the norm. As part of our normal verification procedures, we called to verify that this was indeed what she wanted. The client said, “No. I didn’t send you this email. Thank you for letting me know, I’ll look into it.”
When she looked into it, it appeared that someone gained access to her email and was watching her emails for a while. The perpetrator crafted an email that looked like similar emails from the past, thinking that we would simply honor the request. Then, the perpetrator deleted that spam email from the ‘Sent Emails’ folder in the hopes that our client wouldn’t see it.
Had our staff not been on the lookout, or had our firm not had procedures in place to verify email requests, this client would have lost a lot of money.
Case Study #2
This attempt was a little more subtle, a little more complicated, and a little sneakier.
Another client, who occasionally asks for $5,000 or $10,000 here and there, sent an email asking for $5,000 to be transferred to his bank account. Simultaneously, he received an email from his wife asking him to transfer $5,000 to another account.
In this case, the client actually wanted the money. We called, verified, and processed the request as our normal procedures allow.
However, his wife’s email had been hacked, unbeknownst to either spouse. As she was copied on the email correspondence about the first money transfer, the scammer was seeing his normal process play out. After the scammer saw that the first transfer had been completed, that’s when the scammer sent the second email.
Our client was concerned that we had been copied on that email (we had not) and directed to process a transfer to an unfamiliar bank account. Because we had called to verify his request, he felt assured that we would have called to verify the second request as well.
In this case, our firm’s procedures and our client’s awareness prevented that email hack from turning into something more serious.
What YOU Can Do to Dodge BEC Scams
There are always going to be people out to scam you. Even if you keep a low profile online, it’s likely that there is enough publicly available information for a sufficiently motivated person to work with. However, BEC scams only work when the scammer can grab that piece of crucial information not available online: a password here, PIN code there, verification questions (like what color was your first car?).
Fortunately, there are things you can do to protect yourself. A lot of them are commonly known, but they’re still worth mentioning:
- Keep antivirus and anti-malware software up to date
- Download and install updates
- Routinely update passwords
- Use a different password for different websites
- Use complex passwords
- Keep passwords secure
- Use a password manager to help keep track of passwords
- Use two-step verification for your logins. Two-step verification is when a log-in requires a code (usually sent by text or email) to be entered before allowing access.
When you receive an email from ‘someone,’ asking you to do something:
- Check the sender email address (not the name) for typos
- If you receive a prompt to log into a website (like your bank’s website), don’t automatically click the link in the email. Instead, type the URL into your internet browser and log in that way.
- If you see something suspicious from a close friend or family member, call them. Verify whether they did actually send the email. This also applies to social media, like Facebook and LinkedIn, where similar scams are popping up. But don’t respond to the email—pick up your phone and call.
Sign up for scam alerts from the Federal Trade Commission. You can learn more by going to the URL: https://www.consumer.ftc.gov/features/scam-alerts. From there, you can report scams, learn more, or sign up for email updates.
Hold your trusted professionals accountable. Most banks have standardized procedures and are probably going to be up to date with the latest banking regulations. However, your smaller professionals with access to your money and personal information (think accountant, estate attorney, and financial advisor), might not have access to corporate resources, IT budgets, or the infrastructure to protect your information. But they should be taking reasonable steps to safeguard your info.
What can my advisor do to protect my information?
Even without corporate budgets, your financial advisor could (and should) be doing more to protect client data. The SEC and FINRA (Financial Industry Regulatory Authority, which monitors broker-dealers) are both cracking down on advisors who do not have appropriate protections in place. In fact, FINRA has fined financial advisors who have NOT called to verify client information (as mentioned above).
Below is a list of things they can do, and how you can verify them:
Have procedures in place that verify client identity any time there is a request to transfer money out of their investment account. This should be by phone call, not text messaging, email, or social media. At some point before your money leaves your account, your advisor should have contacted you personally to verify the request. If not, then you should place a standing order with the advisor that money does not leave the account unless you have given specific permission to do so.
Your advisor should adhere to the same standards (outlined above) as you do, and more. The above list was a fairly basic list of common safeguards that everyone should have in place to protect their own identity. Your advisor should have MORE.
Procedures should be documented in their compliance manual. This should cover at least:
- Employee training
- Password security
- Data encryption
- Software standards
- Where client data is stored
- How client data is accessed by people outside the office (working from home, public wi-fi areas, etc).
- Physical security
- Website security
- Antivirus/malware protection
Any question should be answered in the same manner by any employee. This isn’t a problem for a solo advisor who might do most (if not all) of their own work. But if you’re the client of a larger firm, then one of the risk areas might not be the advisor, but in the staff. If that’s the case, the person who actually would process your money transfer might not be the advisor, but someone on the supporting staff. If that person isn’t properly trained, then it doesn’t matter what the advisor says to you.
In a properly-managed office, you shouldn’t get two different answers from two different staff members on how to process a money transfer. If the advisor says, “We call to verify before we move any money,” that should be the exact same answer that you get from the person who actually processes your transfer. And if there are two or more people who might do that work, then each of them should be able to say the exact same thing. That’s a sign of a firm operating with standardized security procedures, and is likely going to protect you from fraudsters. Also, that’s a sign of a firm that’s striving to keep protecting you from new threats as they come up.
Multiple layers of security. Good security isn’t any ONE of these. It’s ALL of these, layered on top of each other—password security, physical security, private wi-fi connections, etc. to make your firm a hard target.
Your advisor should provide secure means to send documents back and forth. This does not include email, which can be hacked. This could be a client portal on the firm’s website, or a third-party vendor that uses high encryption standards.
For example, we offer our clients ShareFile, which is a service provided and supported by Microsoft. Instead of emailing us a tax return (Yikes!) we ask them to upload it to their specific ShareFile folder, where our staff can access the file and store it in a secure location (We don’t currently share files with clients using this, however).
Your advisor should be helping you stay accountable for your own security. Cybersecurity is a team game, and you’re only as strong as the weakest link.
BEC scams are real. And they’re especially scary because if your financial advisor falls for a scam, that can directly impact you. So talk with your financial advisor and make sure that you’re comfortable with the steps they’re taking to protect you, your information, and your money.
And if you’re not comfortable, then find another financial advisor who will protect you.