This week, I'm in San Diego attending an annual conference of financial advisors. There are classes and workshops on the economy, the markets, the ever-increasing crush of regulation, and whatever is new. The biggest surprise so far has been the many discussions about the increasing problem of wire transfer fraud, which is up 100% each year for the last two years.
It works like this: A hacker breaks into your email account. Immediately, he routes all incoming email to an account of his, effectively isolating you from your own incoming email. The hacker quickly scans your existing emails to find your financial advisor and, copying your writing, spelling, and punctuation as closely as possible, sends your advisor an email saying that you have a sudden problem and need to know how much cash is in your account. The hacker explains he needs it quickly, but is unavailable by phone, as he is at a funeral, wedding, deposition, etc. Emails from the advisor to you are re-routed to the hacker, so you don't know what is happening. Lastly, the hacker provides wiring instructions to a bogus account, from which the money is transferred out of the country as soon as it arrives. I'm both sad and embarrassed by how many advisors try to help their clients and end up hurting them instead.
This problem of wire transfer fraud is much greater in large firms, where the client is just another account number. Because I accept so few clients, I know each person well and seriously doubt I could ever make such a mistake. However, in an abundance of caution, I will no longer accept any wiring instructions without also calling my client on the phone number in the file. Knowing your customer well is always the first line of defense! I don't know how large firms with hundreds of clients can manage this risk.
This is also an example of why it is important to always have a third-party custodian, such as TD Ameritrade. They are another strong line of defense, as they will not allow advisors to wire funds to any account that is not already on record, with the client's signature. One of our speakers was the new head of their wire transfer fraud department, where they independently verify the validity of outgoing wires.
A final thought: why is it that the good guys always have to be on the defense? Of course, it is difficult to catch the bad guys, but do we really try? And, when we catch them, do we really punish them in a public fashion? What is the disincentive for the bad guys?