Tips on Identifying Cyber Threats

We recently received the following two emails from a client email address:

From: Client Name [mailto:[email protected]]
Sent: Friday, April 14, 2012 9:32 AM
To: Lisa Reynolds
Subject: Update


I will like you to email me the cash available balance in my account for today.


From: Client Name [mailto:[email protected]]
Sent: Friday, April 14, 2012 9:45 AM
To: Lisa Reynolds
Subject: Re: Update

I would need you to kindly help me send out an urgent wire transfer today.
Please Advise on wiring instructions.

Best Regards,

The grammar mistakes and behavior exhibited in the email prompted Lisa to call the client to verify the instructions. The client confirmed Lisa’s suspicions – a fraudster had hacked the client’s email!

In recent months, incidents of wire fraud, identity theft, and so-called “phishing” scams have been on the rise. The FBI has recently been investigating an international fraud ring that compromises individual email addresses in an attempt to impersonate someone and ultimately access financial accounts. As in the example above, the fraudster uses a client’s legitimate email account and poses as the rightful account owner. The ring has been successful at getting large sums of money wired to bank accounts that they control. Account owners are often unaware they are being targeted, putting the responsibility on financial advisors and banking institutions to identify suspicious activity.

How does it work?

The scam starts with an email, sent to a large number of individuals, requesting that they log in to view an offer or utilize a service. The scam may be set up to look like the email is coming from an internet service provider, like AOL or Gmail, so the unsuspecting consumers think they are logging into their own account. This practice is known as phishing. Once fraudsters obtain access to the email account, they review sent and deleted emails for financial information, account numbers, and the names of the email holder’s financial institutions. Finally, the fraudster uses this information to communicate with the advisor or financial institution to request unauthorized transactions, typically wire transfers.

Protecting our clients

Truepoint takes several steps to reduce the risk of fraudulent transactions, including:

  • Be on the lookout for signs of fraud – Employees are trained to spot email compromise fraud: wire transfer requests, international wires, spelling and grammar mistakes, sympathy ploys, or requests to communicate only via email.
  • Separate sensitive information – We communicate an ID and password separately or utilize a password already known to the client. Without both an ID and password, execution of fraud is more difficult.
  • Maintain strong systems – Truepoint maintains a restrictive and effective firewall. We require passwords for all access and mandate frequent password changes.
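
The warning signs in the first bullet, together with the balance-inquiry-then-wire sequence from the two emails quoted at the top of this article, can be written as a triage check. The Python below is an added example, not Truepoint's own tooling; the regex patterns, the 24-hour window, the sender address and the third message are assumptions constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# Heuristic patterns for the red flags named above (patterns are assumptions).
FLAGS = {
    "wire_request": re.compile(r"\bwir(e|ing)\b", re.I),
    "urgency": re.compile(r"\b(urgent|immediately|asap|right away)\b", re.I),
    "balance_inquiry": re.compile(r"\bbalance\b", re.I),
    "email_only": re.compile(
        r"\b(only|just)\s+(by|via|through)\s+e-?mail\b"
        r"|\b(can't|cannot|unable to)\s+(talk|call|take calls)\b", re.I),
    "odd_phrasing": re.compile(r"\bI will like you to\b|\bkindly\b", re.I),
}

def flags_for(body):
    """Return the names of all red flags whose pattern appears in the body."""
    return {name for name, rx in FLAGS.items() if rx.search(body)}

def review_thread(messages, window=timedelta(hours=24)):
    """messages: (sender, sent_at, body) tuples.
    Returns (sent_at, flags, verify_by_phone) per message, oldest first."""
    last_balance = {}  # sender -> time of that sender's latest balance inquiry
    results = []
    for sender, sent_at, body in sorted(messages, key=lambda m: m[1]):
        flags = flags_for(body)
        if "balance_inquiry" in flags:
            last_balance[sender] = sent_at
        if "wire_request" in flags:
            prior = last_balance.get(sender)
            # Balance check followed shortly by a wire request from the same sender
            if prior is not None and prior < sent_at and sent_at - prior <= window:
                flags.add("balance_then_wire")
        # A wire request carrying any other flag is held until the client is called
        verify = "wire_request" in flags and len(flags) > 1
        results.append((sent_at, flags, verify))
    return results

# First two bodies are the emails quoted in this article; the sender address
# and the third message are constructed.
SAMPLE = [
    ("client@example.com", datetime(2012, 4, 14, 9, 32),
     "I will like you to email me the cash available balance in my account for today."),
    ("client@example.com", datetime(2012, 4, 14, 9, 45),
     "I would need you to kindly help me send out an urgent wire transfer today.\n"
     "Please Advise on wiring instructions."),
    ("client@example.com", datetime(2012, 4, 16, 10, 0),
     "Thanks for the quarterly report. Can we schedule a call next week to review it?"),
]

if __name__ == "__main__":
    for sent_at, flags, verify in review_thread(SAMPLE):
        print(sent_at, sorted(flags), "CALL CLIENT" if verify else "ok")
```

A match only queues the request for a phone call to the client; it does not decide whether the request is fraudulent.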

Clients can also protect themselves

Because email compromise fraud, and many other scams, target individual clients, there are steps everyone can take to reduce the risk of their personal information falling into the wrong hands:

  • Safeguard account information – Never send account information or personally identifiable information over any insecure channel (email, chat).
  • Be suspicious of unsolicited information requests – Any email requesting personal information should be suspect. Most businesses have no need to get your information that way. And never respond to an information request by clicking a link in an email. Type the web site’s URL into the browser yourself instead.
  • Protect your information on social networks – Be careful how much information you post on social networking sites. You should never post your social security number (including even just the last four digits), and you should consider keeping confidential your birth date, home address and home phone number.

Advisors may be the first and best line of defense in protecting clients, as our personal relationship with the client can help us detect fraud. If the details and behavior exhibited in an email request don’t seem to be right, then it may be fraudulent. Through industry publications and the Fidelity Institutional Fraud Response Team, Truepoint keeps up to date on the latest scams and fraud methods.

Truepoint Wealth Counsel is a fee-only Registered Investment Adviser (RIA). Registration as an adviser does not connote a specific level of skill or training. More detail, including forms ADV Part 2A & Form CRS filed with the SEC, can be found at Neither the information, nor any opinion expressed, is to be construed as personalized investment, tax or legal advice. The accuracy and completeness of information presented from third-party sources cannot be guaranteed.
