For Advisor Use Only — Not For Distribution
© 2013 LWI Financial Inc. All rights reserved. The material in this communication is provided solely as background information for registered investment advisors and is not intended for public use. Unauthorized copying, reproducing, duplicating or transmitting of this material is prohibited. LWI Financial Inc. (“Loring Ward”) is an investment advisor registered with the Securities and Exchange Commission. Securities may be offered through Loring Ward Securities Inc., an affiliate, member FINRA/SIPC. IRN R 13-134 (Exp 5/15)
E-mail Hacking and Fraud: Why it Matters to Investment Advisors
Cynthia Chu, Director, Advisor Services
Huong Nguyen, Compliance Analyst, Legal & Compliance
Agenda
• Overview of the issue
• The Devil is in the Details & Red Flags
• Statistics that will alarm you
• Real life examples
• Ramifications and failures of diligence
• Regulatory reporting
• Best practices
Overview of the Issue
• Malware
• Phishing
• Social Engineering
• Identity Theft
The Devil is in the Details
Understanding How it Works
• Fraudster hacks client’s email account
• Account taken over and monitored, or fraudster creates nearly identical email account
• Fraudster emails advisor wire request
• Advisor forwards to Loring Ward or custodian
• Custodian processes wire
• Funds leave client’s account
• Client & advisor become victims of wire fraud
Fraudster may have access to the client’s:
• Personal documents
• Signature
• Writing style
• Account information
Red Flags
• Originating e-mail address is not the client’s true e-mail.
– Example: [email protected] vs. [email protected], [email protected],
• Wire request is urgent and to a third party, including a sympathy ploy.
• Fraudster states he or she is unavailable by phone.
• Emails are riddled with spelling and grammatical mistakes.
• The signature on the wire letter identically matches a previous LOA.
• Consecutive wire requests in small amounts over a short period of time.
• Email requesting account balance information followed immediately by a request to wire out all or a portion of the cash balance.
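As an added example (not part of the deck), a small Python screen that applies the red flags listed above to an incoming wire request before anyone acts on it. The client's on-file address, the $10,000 "small wire" threshold, the keyword patterns and the sample messages are all constructed assumptions.

```python
import difflib
import re
from dataclasses import dataclass

@dataclass
class WireRequest:
    sender: str            # address the message actually came from
    body: str
    amount: float          # 0.0 for messages that are not wire requests
    to_third_party: bool   # beneficiary is not the client's own account

CLIENT_EMAIL = "jane.doe@example.com"   # constructed: the address on file for this client
SMALL_WIRE = 10_000.0                    # assumed threshold for "small amounts"

URGENCY = re.compile(r"\b(urgent(ly)?|today|immediately|asap)\b", re.I)
PHONE_AVOIDANCE = re.compile(r"(can'?t call|phone (will )?not be available|unavailable by phone)", re.I)
BALANCE = re.compile(r"\b(available|cash|account) balances?\b", re.I)

def lookalike(sender: str, on_file: str) -> bool:
    """True when the sender address is close to, but not the same as, the one on file."""
    s, o = sender.lower(), on_file.lower()
    return s != o and difflib.SequenceMatcher(None, s, o).ratio() >= 0.8

def red_flags(req: WireRequest, history: list[WireRequest]) -> list[str]:
    """Red flags from the slide that this request trips; history = earlier messages, oldest first."""
    flags = []
    if lookalike(req.sender, CLIENT_EMAIL):
        flags.append("lookalike sender address")
    elif req.sender.lower() != CLIENT_EMAIL:
        flags.append("sender is not the client's address on file")
    if req.to_third_party and URGENCY.search(req.body):
        flags.append("urgent third-party wire")
    if PHONE_AVOIDANCE.search(req.body):
        flags.append("sender claims to be unreachable by phone")
    if history and BALANCE.search(history[-1].body) and "wire" in req.body.lower():
        flags.append("balance inquiry followed by wire request")
    small = [m for m in history + [req] if 0 < m.amount < SMALL_WIRE]
    if len(small) >= 3:
        flags.append("consecutive small wire requests")
    return flags

# Constructed sample exchange in the pattern the slides describe.
SAMPLE_HISTORY = [WireRequest("jane.doe@examp1e.com",
    "Please email me all the cash available balances with wiring instruction.", 0.0, False)]
SAMPLE_REQUEST = WireRequest("jane.doe@examp1e.com",
    "I need you to complete this urgent wire today. I can't call you, I'm travelling.",
    4_500.0, True)
if __name__ == "__main__":
    for flag in red_flags(SAMPLE_REQUEST, SAMPLE_HISTORY):
        print("RED FLAG:", flag)
```

Any non-empty result is a reason to pick up the phone and verify with the client, which is the control the deck's Third-Party Wire Policy relies on.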
Wire Fraud Statistics
• FBI statistics as of December 2011:
– $23 million attempted fraud reported nationwide
– $6 million in actual victim losses
• TD Ameritrade statistics as of September 2012:
– 741 fraudulent wire instructions reported
– $25 million attempted fraud
• AOL, Yahoo, and Gmail accounts are the most compromised
Wire Fraud Statistics (chart; Source: TD Ameritrade)
Real Life Examples
• “Unfortunately, I can’t call you. I’m currently heading out of town… and getting online seems to be patchy.”
• “I will like to inform you that am on my way to my nephew’s funeral that passed on yesterday night. I have some outstanding urgent wire transfer which i need you to complete today with an exception, for an urgent business purpose.”
• “I need you to email me all the cash available balances with wiring instruction for domestic and international wire.”
• “I will be very busy today and my phone will not be available but I will frequently check my email for your response.”
Ramifications
• Monetary
• Reputational
• Security
• Regulatory
Enforcement Case
• Merrill Lynch, Pierce, Fenner & Smith Incorporated (CRD #7691, New York, New York) submitted a Letter of Acceptance, Waiver and Consent in which the firm was censured and fined $450,000.
– Failed to establish adequate supervisory control system
– Failed to include a policy or procedure requiring a review to detect or prevent multiple transmittals of funds from multiple customers going to the same third-party accounts
– Failed to include exception reports that would have identified multiple customer wires going to the same third-party account
– Consequently failed to detect that a registered representative had initiated fund transfers totaling approximately $887,931 out of customer accounts to bank accounts he controlled
– Registered representative barred from the industry and firm required to repay each customer (FINRA Case #2010022652202)
Advisor Regulatory Reporting
• RIAs should be aware of the actions they can take from a regulatory reporting standpoint:
– Filing Suspicious Activity Reports (SARs) as applicable (http://bsaefiling.fincen.treas.gov/main.html)
– Filing reports with IC3 for cyber crimes (http://www.ic3.gov/default.aspx)
– Coordinating filings with authorities as necessary (FBI, IRS, SEC, etc…)
Third-Party Wire Policy
• Advisor will verify any third-party money-movement requests in person or via phone
• Advisor will sign the Third Party Wire Attestation Form and send to Loring Ward along with the wire request
• Loring Ward will call the Advisor to verbally confirm that the Advisor has spoken to the client
• Loring Ward will forward instructions to the custodian
• Custodians reserve the right to verbally confirm the wire instructions with the client
What Can I Do?
• Always verify verbally with your client
• Be vigilant in your email correspondence with your clients, particularly for third-party money movement requests
• Educate your clients and position your rationale
• Train staff
– FINRA E-Learning Courses
• Contact Loring Ward if something “doesn’t smell right”
– Immediate cash needs
– Instructions not to call or e-mail
– New or unfamiliar third party check/wire recipients
– Use of outdated or previously used forms
What Can I Do?
• Use secure email
• Keep software up-to-date and install suitable virus protection
• Educate clients on the potential risks associated with public email and non-public personal information
• Change passwords often, and make them challenging to crack
• Keep an eye on sent mail, the trash folder, and other IP addresses that may be logged into your account
• Don’t write passwords down on Post-It notes or in unprotected folders on your computer
What Can I Do?
• Maintain your computer security
• Use your own computer & log out completely
• Be prudent when using wireless connections
• Check for secure web sites and be careful downloading
• Don’t respond to emails requesting personal information
• Log into your account from time to time to identify potentially unauthorized trading activity
• Read your statements and trade confirmations promptly
• Secure your confidential documents
• Safeguard your Social Security number
• Do a periodic “Identity Theft” check by reviewing your credit report (http://www.annualcreditreport.com)
Client Resources
• http://www.finra.org/investors/protectyourself/investoralerts/fraudsandscams/p125460
• http://www.finra.org/Investors/ProtectYourself/InvestorAlerts/FraudsAndScams/P037886
• http://ftc.gov/opa/reporter/idtheft/index.shtml
• http://www.sec.gov/investor/pubs/phishing.htm
• http://www.morganlewis.com/pubs/MatthewsKiesewetter_AntimoneyLaundering-IACForum0107.pdf
• http://fppad.com/2012/04/11/why-you-cant-trust-your-clients-anymore/
• https://www.sifma.org/uploadedfiles/education/consumer_resources/education_consumer%20resources_identity%20theft%20tips%20and%20resources(1).pdf
Q & A