Sophisticated bad actors looking to gain access to a registered investment adviser ("RIA") firm’s sensitive and non-public information may look to target the firm's individual staff members directly via a cyber attack method called social engineering. In this type of targeted attack, cyber criminals will research an individual staff member online looking for publicly available information that may help them answer the individual's personal security questions, decipher their usernames and passwords, or launch an email phishing attack specifically targeted at that individual based on what information has been discovered. If an RIA firm staff member is not careful, a hacker may be able to find his or her high school mascot, mother’s maiden name, date of birth, childhood street address, place of birth, children’s school, dog’s name, or even best friend’s name. This becomes a lot easier when an individual does not make a concerted effort to protect their own personal information online.
Here are a few tips for RIA firm staff members to help protect against investment adviser social engineering cyber attacks:
- Do not make social media profiles accessible to the public: LinkedIn, Facebook, or Twitter profiles can reveal a lot of personal information about you that can be exploited in a hacking campaign. Consider making your personal profiles (not those of the firm) non‑public.
- Be cautious when accepting social media friend or connection requests: Hackers will often create fictitious social media profiles in an attempt to gain access to information that individuals only "share with friends." Consider this a second level of precaution beyond a non‑public profile.
- Utilize less common online security questions: For example, instead of selecting "mother's maiden name", which may not be too difficult for someone to discover online, instead utilize questions like "What is the last name of the teacher who gave you your first A+?" if available.
- Use different online security questions for different systems: Similar to avoiding the same password to access different applications, you should not use the same security questions for different systems in case one of your security question answers is exposed.
- Always be wary of providing personal information: Bad actors may pose, often via email, text, or phone, as a co-worker, pollster, law enforcement member, or other seemingly trusted position. Don’t fall for an impersonator who is asking for your personal information; instead take their information and then research it before taking any action.
- Don’t be baited by a “lost” physical storage device: Given that so much of the public’s focus on cyber security concerns online systems, cyber attackers will also leave unattended storage devices as bait. One example would be a malware-infected flash drive left in your firm’s bathroom, lobby, or mailroom in the hope that you will insert the device into your computer to use or to determine the device’s owner.
Unfortunately, RIA firms are a frequent target for social engineering hacking attempts and other related cybersecurity attacks given the sensitive client information that firms may have access to. With the abundance of personal information available online in today's world, social engineering attacks continue to increase in frequency and success. Investment advisory firms need to recognize the risk such attacks present and actively address through proper system design and frequent information security staff training.
It's also important to remember that all staff members of an RIA firm need to take the risk of a social engineering attack seriously. In particular, the key principals of a firm that likely have access to many of the firm's key systems and most sensitive information are prime targets for a social engineering cyber attack.
Lexington Compliance and RIA in a Box LLC are not law firms, investment advisory firms, or CPA firms. Lexington Compliance and RIA in a Box LLC do not provide legal advice or opinions to any party or client. You should always consult your relevant regulatory authorities or legal counsel if applicable.