Unfortunately, a registered investment adviser ("RIA") firm's clients may be even more vulnerable to a cybersecurity breach than the RIA firm itself or its employees. Hackers are targeting high and ultra-high net worth individuals ever more aggressively, because criminals recognize that such individuals offer a greater potential for financial exploitation. In a recent cybersecurity report, Verizon noted that 76% of breaches were financially motivated. Given that primary motivation, the clients of brokers and investment advisers are unfortunately a top target. This means that hackers may already be targeting an investment advisory firm's clients with email phishing and social engineering efforts, often focused on gaining access to clients' personal email accounts.
After gaining access to a client's email account, a bad actor may scan past correspondence to identify any financial advisor or banking relationships. Sophisticated hackers will also review the client's email history to learn how best to imitate that individual in future correspondence with the client's financial advisor. Next, the hackers may send a seemingly innocent email, perhaps inquiring about the current balance of accounts or investment performance, to gauge how the financial advisor responds.
Ultimately, the impersonator will try to access the client's funds. A hacker may even time the wire request to coincide with the client's scheduled travel or other personal plans (which can also be found in the client's email account). The request is typically framed as "urgent," with added context noting that the client is "traveling" or otherwise "not accessible." There will also often be a convincing story as to why the funds need to be transferred to a third-party account, perhaps a large purchase or a need to access funds while traveling internationally.
Client impersonation cybersecurity attacks are particularly dangerous to an RIA firm because once a client's funds are transferred or wired to a third-party account, there is often little that can be done to retrieve them.
How RIA Firms Can Protect Against Client Impersonation Cybersecurity Attacks
In order to protect itself from a client impersonation attack, an RIA firm should consider the following:
- Carefully review client emails before responding or taking action: Since many unauthorized wire requests are sent by an impersonator from your client's actual email account, a matching sender address proves nothing. Always be on high alert for anything that seems unusual or suspicious about the email, such as unusual urgency, a claim that the client cannot be reached by phone, or a beneficiary account the client has never used before. Attentive review of a fraudulent client email will often reveal a red flag that can then be addressed.
- Verbally confirm all wire requests: Your firm's compliance manual should require all personnel to verbally confirm every wire request. Do not call a phone number listed in the email, since it may connect you to the bad actor; instead, follow your firm's policies and procedures and call the client phone number previously designated on file for wire confirmations.
- Don't be pressured into making a mistake: Even if the wire request is legitimate, never cut corners, even when doing so may frustrate the client. Educate clients on your firm's wire confirmation procedures in advance to set expectations and to help them understand how common wire fraud is. Helping clients safeguard themselves against cyber threats benefits them while also protecting your firm.
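The following is an added example, not part of the original article, showing how the review and callback procedures above can be encoded as a simple wire-request gate. It scores an incoming request for the red flags the article describes (urgency, claimed unavailability, a previously unused third-party beneficiary, a callback number that differs from the one on file) and always returns the number on file as the only permitted callback target. The client record, the email text and the phone numbers are constructed for illustration; the regular expressions are a starting point, not an exhaustive list.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Set


@dataclass
class ClientRecord:
    """Client data captured at onboarding (constructed sample, not real data)."""
    name: str
    email: str
    phone_on_file: str                      # the ONLY number used for wire callbacks
    known_beneficiaries: Set[str] = field(default_factory=set)


@dataclass
class WireRequest:
    """A wire request as received by email."""
    sender_email: str
    subject: str
    body: str
    beneficiary_account: str
    callback_number: Optional[str] = None   # number the email asks us to call, if any


# Language typical of the "urgent / can't be reached" pretext the article describes.
URGENCY = re.compile(r"\b(urgent|asap|immediately|today|right away)\b", re.I)
UNAVAILABLE = re.compile(
    r"\b(travell?ing|abroad|out of (the )?country|not reachable|unavailable|"
    r"can'?t (take|answer) calls)\b",
    re.I,
)


def digits(number: str) -> str:
    """Normalise a phone number to its digits so formatting differences don't hide a mismatch."""
    return re.sub(r"\D", "", number)


def red_flags(req: WireRequest, client: ClientRecord) -> List[str]:
    """Return the red flags found in a wire request.

    Note what is deliberately absent: a check that the sender address matches the
    client's address. In this attack the email really does come from the client's
    compromised mailbox, so a matching address must not lower the risk score.
    """
    flags: List[str] = []
    if URGENCY.search(req.subject + " " + req.body):
        flags.append("urgency")
    if UNAVAILABLE.search(req.body):
        flags.append("claims_unreachable")
    if req.beneficiary_account not in client.known_beneficiaries:
        flags.append("new_third_party_beneficiary")
    if req.callback_number and digits(req.callback_number) != digits(client.phone_on_file):
        flags.append("callback_number_differs_from_file")
    return flags


def verification_plan(req: WireRequest, client: ClientRecord) -> dict:
    """Policy decision: every wire is confirmed by voice, and only on the number on file."""
    return {
        "callback_to": client.phone_on_file,        # never the number quoted in the email
        "flags": red_flags(req, client),
        "release_allowed_before_callback": False,   # no exceptions, even with zero flags
    }


# Constructed sample data for a stand-alone run.
SAMPLE_CLIENT = ClientRecord(
    name="A. Client",
    email="client@example.com",
    phone_on_file="+1 555 010 0199",
    known_beneficiaries={"ACCT-HOME-BANK-001"},
)

SUSPICIOUS_REQUEST = WireRequest(
    sender_email="client@example.com",   # the client's real address: the mailbox is compromised
    subject="Urgent wire needed today",
    body=("I'm traveling abroad and can't take calls. Please wire $45,000 to the escrow "
          "account below for a property closing. If you need me, text +1 555 010 0777."),
    beneficiary_account="ESCROW-9981",
    callback_number="+1 555 010 0777",
)

ROUTINE_REQUEST = WireRequest(
    sender_email="client@example.com",
    subject="Wire to my checking account",
    body="Please send the usual quarterly distribution to my checking account when convenient.",
    beneficiary_account="ACCT-HOME-BANK-001",
)

if __name__ == "__main__":
    for req in (SUSPICIOUS_REQUEST, ROUTINE_REQUEST):
        print(req.subject, "->", verification_plan(req, SAMPLE_CLIENT))
```

The routine request produces no flags, yet the plan still requires a callback before release; the flags change how carefully staff approach the call, not whether the call happens.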
By focusing on potential client impersonation events, an RIA firm can help clients safeguard themselves while also protecting the advisory firm. It also allows the firm to show clients that it takes cybersecurity seriously and is looking out for their best interests.
Unfortunately, RIA firms are a frequent target for client impersonation cybersecurity attacks because of their ability to facilitate client wire and fund transfer requests. Client impersonation schemes continue to increase in frequency and sophistication. Investment advisory firms need to recognize the risk that these attacks present and actively address it through proper policies and procedures and frequent information security training for staff.