Financial advisors often get so caught up in trying to ‘add value’ to their clients that they sometimes overlook something that could cause financial catastrophe. Amidst the discussion about diversification, superior investment returns, and other neat-sounding things, what really counts to a client is peace of mind. And that peace of mind usually starts with the following assumption:
- If I invest my money with my advisor, I accept that my accounts might go up or they might go down. But at least the money stays in my account until I decide to take it out.
And advisors often make that same assumption as well. Below is a real-life story about:
- What happened to one of our clients
- Our response
- What we learned
- What you can learn from our experience
The Email Hack
It all started when Julie received the following email:
I would like you to move some of $20,000 from my Schwab money market fund into cash. i need you to make a wire transfer to my Relative, What details do you need for the wire transfer.
Of course, this might seem a little odd. Our client is fairly particular about her grammar, while several things indicate that this email was written by someone whose first language was not English. Moreover, the vague reference to a ‘relative’ made this email suspicious. And finally, knowing our client, whom we had recently talked with, we expected that a major money transfer like this would have been discussed during our conversation.
But what if the email had been written in a crisp, convincing manner? What if the email actually could have come from our client?
Fortunately, our firm has a standard procedure:
Any time we receive an email request for funds from any client, we always follow up with a phone call to the client. We move no money, nor do we make any changes in anticipation of moving money, until we have confirmed with the client verbally that they actually sent the email.
When we called, we actually confirmed that the client did not send the email. Moreover, she noticed some suspicious activity on her account, at around the same time the email went out. The hacker had actually deleted the fake email from her ‘Sent Items’ folder to make it look like she had never sent the email.
What we did next
During our phone conversation, I advised the client that I believed her email address to be compromised. She told me that she could discuss next steps with her son, who works in the IT field. A son who is also an IT professional would be more likely to give expert technical advice on how she could set up a new email address, check (or replace) her computer, and all the other tech-related to-do items.
However, there were things that we could do to help give some financial ease of mind. So while on the phone, I did the following:
- Verified that zero activity had occurred in her investment accounts—I simply logged in, did a scan of her accounts, and reassured her that no money was missing.
- Gave her instructions on how to pull a recent copy of her credit report. Not credit score, credit report. We walked through the difference, and why I wanted her to get a copy of her credit report only once she had access to a clean computer. I told her that since her email had been hacked, I would assume that her computer has been compromised with keyboard tracking software, at least until an IT professional says otherwise. Since a credit report requires putting in a Social Security number, I would not want her to be unwittingly giving away her most important information. However, once she had a secure computer, she would be looking for any recent accounts that had been opened in her name, and would be on the lookout for any other suspicious activity.
- Gave her guidance to check her other accounts (checking, credit card, etc.) that we cannot monitor for her.
Internally, we also documented this incident and updated our system so that everyone knows not to contact her using that email address. We also ran this past our compliance expert and our errors and omissions insurance company to ensure we did everything that was expected (we had). Finally, we had staff training to ensure everyone knows what to look for, and what to do when they receive a suspicious email.
What to ask your advisor
If you’re an advisor reading this article, you might consider reading up on wire fraud schemes to ensure that your procedures are current.
If you’re a client, here are some questions you may consider asking your advisor:
- If you were to receive an email instructing you to wire money, how would you respond?
- What do your procedures look like for verifying that your client’s email has not been hacked if you get an email request (or a fax request, which can also happen)?
- How do you verify that the person responding to a phone call is actually the client?
In our firm’s case, we’re small enough that each of our staff knows each of our clients. However, in larger firms, it might be possible for an advisor to have so many clients that they might not know them personally or recognize whether something is out of character. Because we’re in Florida, we’re also on the lookout for signs of elder abuse (where family members, friends, or other people with access might take advantage of the client), so we might be a little more alert to signs that things aren’t right.
In the vast majority of client-advisor relationships, there are documented procedures that the advisor can take to safeguard against email fraud. However, the best protection is to have proven procedures implemented by trustworthy people who know you, and are likely to notice when something’s awry.
Ask your advisor and make sure they’re taking proactive measures to protect you and your family. And if you don’t have an advisor (or don’t feel confident), contact us. We’d be more than happy to see how we might be able to serve you.