As registered investment adviser ("RIA") firms transition to alternative workplace options in response to the Coronavirus pandemic, it’s important for RIA firms to be wary of the large number of email phishing attacks surfacing that exploit public fears about the virus and also attempt to take advantage of employees working from home. Presently, all businesses, and investment advisers in particular, are being targeted by a wide variety of email phishing attacks.
Numerous federal agencies have alerted the public on Coronavirus scams they are seeing as a result of the pandemic. The Federal Trade Commission (“FTC”) has issued several consumer alerts warning people of fake emails claiming to be from the Centers for Disease Control and Prevention (“CDC”) or other healthcare organizations, pretending to share vital information about the virus. Other email phishing campaigns surfacing during this time of crisis include:
- Delivery scams in which online sellers claim to have in-demand products like household cleaning supplies and urge recipients to purchase online
- Fake charities asking for donations to help those suffering from Coronavirus
- Emails and text messages pretending to be from the World Health Organization (“WHO”) asking recipients to confirm personal information such as account numbers and Social Security numbers
Unfortunately, RIA firms remain a prime target for email phishing given the sensitive client information firms have access to and the current state of the workplace. Because many employees are more vulnerable outside of office-protected networks, cyber criminals are targeting investment advisory firms with Coronavirus-related phishing emails. Regardless of whether the RIA firm uses local or cloud-based technology, both types of infrastructure are prone to a staff member unknowingly allowing an unauthorized party to access an employee’s computer and/or online account login(s).
With the rapid shift to a remote workforce, previous cybersecurity-related policies and procedures may no longer be sufficient. Furthermore, COVID-19-themed email phishing attempts continue to grow more targeted and sophisticated. Investment advisory firms need to recognize the risk such attacks present and actively address these vulnerabilities by updating relevant policies and procedures and by conducting regular staff training. The weakest link in any RIA firm’s information technology security plan is the inadvertent actions of the firm’s individual employees. Some RIA-specific targeted email phishing schemes to be aware of include:
- Fake voicemail download emails as firms transition to voice over IP phone solutions
- Fraudulent wire requests from compromised client email accounts
- Attempts to trick employees into installing "required software" on their computers to enable remote work
- Fake updated information security policies and procedures which need to be downloaded and reviewed
Here are a few common tips on how RIA firms can help train their staff members to better detect a Coronavirus-related phishing email:
- Don’t trust the sender display name: A common phishing tactic is to spoof the display name of the sender. When in doubt, check the email address in the header. If the sender email address does not match the display name, don’t open the email.
- The email address is valid but looks suspicious: If you are skeptical of the content in the email, trust your instinct and use caution. It is possible a client or third-party vendor’s email account has been compromised. If the email is coming from a bank or other financial institution, try calling and verifying the information.
- Don't click on links contained within an email: If the email contains any embedded links, hover your mouse over the link and review the website address. If the link does not match the sender's URL, do not open it. If you'd like to view the linked page, open a new browser tab and navigate to the site manually.
- Check for grammatical and spelling errors: Often, a phishing email will contain a grammatical or spelling error. Be sure to carefully review the content of unsolicited or unexpected emails.
- Don't download any attachments: Oftentimes, attached documents in phishing emails contain viruses or act as a way to deliver ransomware. Don’t ever open any email attachments you weren’t expecting. If you are expecting an attachment via email from a client or vendor but have doubts about the email, always call the client or vendor at a previously known valid phone number to confirm they actually sent an email with the attachment in question.
- Don't fall for urgent and action-item subject lines: Another common phishing tactic is an urgent subject line requiring you to take immediate action. For example, "Action Immediately Required" or "Urgent: Password Needs to be Updated!"
- No personal information should be sent via email: If you receive an email requesting that you enter your personal credentials via email, don't. Always open a new browser tab and log in directly on the site.
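The tells in this checklist can also be checked mechanically before a message reaches staff. The following Python script is an added example, not code from the original post or from RIA in a Box: it applies the display-name, link, subject-line and attachment checks above to a constructed message. The known-sender allow-list, every address and domain, and the sample message are assumptions made for the example.

```python
import re
from email.message import EmailMessage
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed allow-list for this example: display names the firm knows and the
# domain each one is expected to send from (assumed values, not real senders).
KNOWN_SENDERS = {"example bank support": "example-bank.com"}
URGENCY = re.compile(r"\b(urgent|immediately|action required|suspended)\b", re.I)
ANCHOR = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>([^<]+)</a>', re.I)
RISKY_EXT = (".exe", ".scr", ".js", ".vbs", ".hta", ".iso")

def host_of(text: str) -> str:
    """Hostname of a URL or bare domain, lower-cased, with any 'www.' dropped."""
    url = text.strip() if "://" in text else "http://" + text.strip()
    h = (urlparse(url).hostname or "").lower()
    return h[4:] if h.startswith("www.") else h

def build_sample(spoofed: bool = True) -> EmailMessage:
    """Constructed test message; spoofed=True carries every tell on the checklist."""
    domain = "examp1e-bank-secure.net" if spoofed else "example-bank.com"
    msg = EmailMessage()
    msg["From"] = f'"Example Bank Support" <alerts@{domain}>'
    msg["Subject"] = "Urgent: Password Needs to be Updated!" if spoofed else "Your statement"
    msg.set_content("Please sign in to review your account.")
    msg.add_alternative(f'<p>Sign in at <a href="https://{domain}/login">'
                        "https://www.example-bank.com</a></p>", subtype="html")
    if spoofed:  # unexpected executable posing as "required software" for remote work
        msg.add_attachment(b"MZ\x90\x00", maintype="application",
                           subtype="octet-stream", filename="remote-work-setup.exe")
    return msg

def phishing_indicators(msg: EmailMessage) -> list:
    """Apply the checklist's tells to one message and return the findings."""
    findings = []
    display, addr = parseaddr(str(msg.get("From", "")))
    sender_domain = addr.rpartition("@")[2].lower()
    expected = KNOWN_SENDERS.get(display.strip().lower())
    if expected and sender_domain != expected:  # known display name, wrong domain
        findings.append(f"display name '{display}' sent from '{sender_domain}'")
    if URGENCY.search(str(msg.get("Subject", ""))):
        findings.append("urgent / action-demanding subject line")
    html = msg.get_body(preferencelist=("html",))
    for href, text in ANCHOR.findall(html.get_content() if html else ""):
        if "." in text and host_of(text) != host_of(href):  # link text != target
            findings.append(f"link text '{text.strip()}' points at '{host_of(href)}'")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(RISKY_EXT):
            findings.append(f"unexpected executable attachment '{name}'")
    return findings
```

Running `phishing_indicators(build_sample())` returns four findings for the spoofed message and an empty list for `build_sample(spoofed=False)`; in practice the allow-list would be populated from the firm's real client and vendor contacts.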
Most importantly, if a mistake is made with such a suspicious email, ensure that staff are trained and comfortable immediately reporting the incident in order to contain and mitigate the potential damage. Knowledge remains the best disinfectant for a phishing attack.
The MyRIACompliance® cybersecurity platform empowers an RIA firm to efficiently construct, implement, and document a robust cybersecurity compliance program with a single solution. The platform is designed exclusively for RIA firms of all sizes who face unique people, technology, and third-party vendor cybersecurity risks and regulatory requirements. The platform also includes special coronavirus-themed email phishing templates to better test and train RIA staff members while working remotely.
RIA in a Box LLC is not a law firm, investment advisory firm, or CPA firm. RIA in a Box LLC does not provide legal advice or opinions to any party or client. You should always consult your relevant regulatory authorities or legal counsel if applicable.