Fraudulent Email Requests

Greg Wilson, Head of Information Security
October 22, 2018

The threat of receiving a fraudulent wire request because of a client’s compromised email account has not diminished; in fact, the number of these instances continues to increase. Never process any trade or distribution requests received through electronic means, such as email or fax. Always verbally verify all distribution and trade requests directly with your client. You can accomplish this by meeting with the client in person or calling the client at a known number. You should not call a number given to you in an email request to contact the client for verification purposes. 

According to FINRA and other agencies, incidents typically follow a similar pattern. A client’s email account is compromised, and the perpetrator sends an email to the victim’s financial advisor pretending to be the victim. Oftentimes the email sent to the financial advisor is part of a previously legitimate email stream between the client and the financial advisor. The perpetrator may ask for account balances or for copies of the client’s records (e.g., account statement or a signed tax return). Oftentimes a request will be made to change wire or banking information. At times, the perpetrator may even request trades to make cash available. When the initial requests are successful, the perpetrator then sends another email providing a reason why he or she can only communicate via email and asks that a wire transfer be initiated on the individual’s behalf. The excuse is typically based on an illness, death in the family, jury duty or travel abroad, which prevents the account holder from conducting business as usual. The perpetrator then provides a signed document requesting the wire to be sent to a third party at a domestic address. The signature may be copied from an unknown source or from a document that was requested earlier. 

The perpetrators may use both legitimate compromised email accounts and email addresses that are slightly altered. In cases in which the email addresses were adjusted, they may be modified via the top-level domain (e.g., from .com to .net) or by adding an additional letter to the user name (e.g., abcd@abc.com to abcdd@abc.com). These modifications are intended to be very subtle and easily mistaken for the legitimate account holder’s official email address on file. Again, in cases in which email accounts are compromised, the financial advisors may receive replies to emails they previously sent their clients.
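One way to screen an inbound sender address against the address on file for the two alteration patterns just described (changed top-level domain, extra letter in the user name), as an added example that is not part of the original article; all addresses are constructed sample values. A result of `match` only means the address is the one on file, so this check cannot catch a genuinely compromised account, which is exactly the case the verbal verification above is for.

```python
# Added example (not from the original article): classify how an inbound
# sender address relates to the client's address on file. Sample addresses
# are constructed for illustration.

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance (insertions, deletions, substitutions)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(sender: str, on_file: str) -> str:
    """Return 'match', 'tld-changed', 'local-part-altered', 'domain-altered'
    or 'unknown'. 'match' says nothing about whether the account itself was
    compromised; that case still requires verbal verification."""
    s_local, _, s_domain = sender.strip().lower().rpartition("@")
    f_local, _, f_domain = on_file.strip().lower().rpartition("@")
    if (s_local, s_domain) == (f_local, f_domain):
        return "match"
    # abc.com vs abc.net: same name, different top-level domain
    s_name, f_name = s_domain.rsplit(".", 1)[0], f_domain.rsplit(".", 1)[0]
    if s_local == f_local and s_name == f_name and s_domain != f_domain:
        return "tld-changed"
    # abcd@abc.com vs abcdd@abc.com: one character added, dropped or swapped
    if s_domain == f_domain and edit_distance(s_local, f_local) <= 1:
        return "local-part-altered"
    # abcd@abc.com vs abcd@abcc.com: one-character change in the domain
    if s_local == f_local and edit_distance(s_domain, f_domain) <= 1:
        return "domain-altered"
    return "unknown"


def triage(senders, on_file: str):
    """Return (sender, reason) for every address that is not an exact match."""
    return [(s, classify_sender(s, on_file)) for s in senders
            if classify_sender(s, on_file) != "match"]


if __name__ == "__main__":
    # Constructed inbox sample: one legitimate address and three lookalikes.
    inbox = ["abcd@abc.com", "abcd@abc.net", "abcdd@abc.com", "abcd@abcc.com"]
    for sender, reason in triage(inbox, "abcd@abc.com"):
        print(f"{sender:16} -> {reason}")
```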

There are basic steps to follow and red flags to be aware of to help protect your firm and your clients:

  • Verbally verify all distribution and trade requests received from any channel other than a direct interaction with your customer. This includes email and fax instructions.
  • Know your customer. You know your customer’s communication habits and financial needs better than anyone. Be skeptical of anything that is out of the ordinary.
  • Do not be fooled by a request to take a distribution from an IRA account that includes tax withholding.
  • Keep in mind that the perpetrators are trying to mimic client behavior, which is why it is critical to verify these requests.
  • Many of these matters are uncovered because of the odd sense of urgency. Be skeptical of any urgent request.
  • Fraudulent emails often include spelling and grammar errors.
  • Do not be fooled by legitimate references made in the communication. This tactic is designed to help gain credibility and is often a result of other information obtained through a compromised email account.
  • Reference “Email Breached? What Steps to Take When Time is Critical” for tips on responding to a breached email account.

If you ever doubt the legitimacy of any client request, contact the client directly. He or she will appreciate the extra measure to ensure the account is safe. Would you rather call to verify a request verbally or call to report that you wired your client’s money to an unknown third party because you did not call? Remember that email is not a secure communication channel; therefore, you need to avoid sending confidential client information in unencrypted emails. 

Please be aware that neither your E&O policy nor your fidelity bond will cover a claim to reimburse the client for money lost as a result of a fraudulent request submitted by your office. The financial advisor will be responsible for this expense; therefore, it is critical that the described requests are verbally verified.
