RIA Compliance and Practice Management Blog

How RIA Firms Can Protect Against Social Engineering Cyber Attacks

Posted by RIA in a Box

Mar 5, 2019 10:08:28 AM


Sophisticated bad actors looking to gain access to a registered investment adviser ("RIA") firm's sensitive and non-public information may target the firm's individual staff members directly through a cyber attack method called social engineering. In this type of targeted attack, cyber criminals research an individual staff member online, looking for publicly available information that may help them answer the individual's personal security questions, guess their usernames and passwords, or launch an email phishing attack tailored to that individual based on what has been discovered. If an RIA firm staff member is not careful, a hacker may be able to find his or her high school mascot, mother's maiden name, date of birth, childhood street address, place of birth, children's school, dog's name, or even best friend's name. This becomes much easier when an individual does not make a concerted effort to protect their own personal information online.


Here are a few tips for RIA firm staff members to help protect against investment adviser social engineering cyber attacks:

  • Do not make social media profiles accessible to the public: LinkedIn, Facebook, or Twitter profiles can reveal a lot of personal information about you that can be exploited in a hacking campaign. Consider making your personal profiles (not those of the firm) non-public.
  • Be cautious when accepting social media friend or connection requests: Hackers will often create fictitious social media profiles in an attempt to gain access to information that individuals only "share with friends." Consider this a second level of precaution beyond a non-public profile.
  • Utilize less common online security questions: For example, instead of selecting "mother's maiden name", which may not be too difficult for someone to discover online, utilize questions like "What is the last name of the teacher who gave you your first A+?" if available.
  • Use different online security questions for different systems: Just as you should avoid using the same password across different applications, you should not use the same security questions for different systems, in case one of your security question answers is exposed.
  • Always be wary of providing personal information: Bad actors may pose, often via email, text, or phone, as a co-worker, pollster, law enforcement member, or other seemingly trusted position. Don't fall for an impersonator who is asking for your personal information; instead, take their contact information and verify it independently before taking any action.
  • Don't be baited by a "lost" physical storage device: Because so much of the public's focus on cyber security concerns online systems, cyber attackers will also leave unattended storage devices as bait. One example would be a malware-infected flash drive left in your firm's bathroom, lobby, or mailroom in the hope that you will insert the device into your computer to use it or to determine the device's owner.

Unfortunately, RIA firms are a frequent target for social engineering hacking attempts and other related cybersecurity attacks, given the sensitive client information that firms may have access to. With the abundance of personal information available online today, social engineering attacks continue to increase in frequency and success. Investment advisory firms need to recognize the risk such attacks present and actively address it through proper system design and frequent information security staff training.

It's also important to remember that all staff members of an RIA firm need to take the risk of a social engineering attack seriously. In particular, the key principals of a firm, who likely have access to many of the firm's key systems and most sensitive information, are prime targets for a social engineering cyber attack.


Lexington Compliance and RIA in a Box LLC are not law firms, investment advisory firms, or CPA firms. Lexington Compliance and RIA in a Box LLC do not provide legal advice or opinions to any party or client. You should always consult your relevant regulatory authorities or legal counsel if applicable.

Topics: RIA Operations, RIA Compliance, RIA Technology