Phishing is the attempt to impersonate a trustworthy source to fraudulently obtain sensitive information such as your username, password, Social Security number, credit card information, and account numbers. Email phishing schemes involve a phony email that's cleverly disguised to look exactly like a message from a trusted source -- be it a friend, associate, or even your financial institution -- in order to obtain sensitive data from you.
This scam has traditionally targeted individuals, but in a new twist on an old scheme, fraudsters are now targeting financial institutions. One of the most popular targets of this new scam is brokerages.
How the scheme works
Criminals are now hacking into people's personal email accounts and going through their archives to gather intelligence on the account's owner. If the victim has a brokerage account, they will email the broker a message such as:
Please send $30,000 to my niece in Seattle using the listed account and routing numbers. She's in real bad shape. Cancer. Stage four. If she doesn't get this surgery right away she might not make it. Thanks!
The thief will address your broker by name and keep the message as short as possible to minimize opportunities to give themselves away. While a medical emergency is not always given as a reason for the transfer, the excuse will sound urgent, giving the targeted broker the sense that time is of the essence.
Because the crooks gather intelligence through your email account, they will often incorporate a real-life event into the email to make the reason for the money transfer sound even more plausible. For instance, if your niece really is sick, then the above example is something they would likely use. On the other hand, if the email account's owner is a business owner or landlord, then the scammer might claim to need the money fast because of a once-in-a-lifetime business opportunity.
Why the scheme works
Unfortunately, once the broker receives this phony request, the system can break down. Brokerages are regulated by the Financial Industry Regulatory Authority. FINRA has recognized this potential weakness in the system for a long time and, as early as 2012, sent out a regulatory notice requiring brokerages to review their specific procedures for wire transfer requests received via email. This alert stated:
One of the risks associated with accepting instructions to withdraw or transfer funds by email and other electronic means is that customers' email accounts are susceptible to being breached by hackers or other intruders who may use the email accounts to commit fraud. Therefore, FINRA recommends that firms reassess their policies and procedures for accepting instructions to withdraw or transfer funds via electronic means to ensure that they are adequately designed to protect customer accounts from the risk that customers' email accounts may be compromised and used to send fraudulent transmittal or withdrawal instructions.
FINRA advised that it is imperative brokerages do two things to ensure they do not play an unwitting role in this scheme: 1) verify that the email was sent by the customer and 2) identify and respond to red flags, including unusual requests and unfamiliar third-party accounts that the money is being sent to. The alert specifically says that requests that indicate a sense of urgency should be flagged as potentially fraudulent because, by their very nature, they tend to "deter verification of the transfer instructions."
Unfortunately, this scheme is still far too successful and has only become more widespread since this alert and subsequent ones were issued. That's because, all too often, the brokerage does not follow the rules and wires the money with no verification from the account holder.
Why aren't the rules followed? At the end of the day, brokers are still human and are subject to the same emotional tendencies as the rest of us. In my experience working these cases as an economic crimes detective, most brokers simply said they skirted the rules for the convenience of their client.
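The two checks FINRA describes can be written as an intake rule for emailed transfer requests. The sketch below is an added example, not code from FINRA or any brokerage; the phrase list, the `Profile` fields, the account labels and the decision names are assumptions made for illustration.

```python
import re
from dataclasses import dataclass, field

# Constructed phrase list for illustration; tune to your own request traffic.
URGENCY = re.compile(
    r"\b(right away|immediately|urgent(?:ly)?|asap|as soon as possible|"
    r"once-in-a-lifetime)\b", re.IGNORECASE)

@dataclass
class Request:
    channel: str            # "email", "phone", "in_person"
    body: str
    amount: float
    payee_account: str      # destination account named in the request

@dataclass
class Profile:              # hypothetical per-customer history
    own_accounts: set = field(default_factory=set)
    past_payees: set = field(default_factory=set)
    largest_past_transfer: float = 0.0

def red_flags(req: Request, prof: Profile) -> list:
    """Red flags named in the alert: urgency, unfamiliar third party, unusual request."""
    flags = []
    if URGENCY.search(req.body):
        flags.append("urgency")
    if req.payee_account not in prof.own_accounts | prof.past_payees:
        flags.append("unfamiliar_third_party")
    if req.amount > prof.largest_past_transfer:
        flags.append("unusual_amount")
    return flags

def decide(req: Request, prof: Profile, callback_confirmed: bool):
    """callback_confirmed: the customer confirmed by phone, on the number
    already on file, never a number or reply address taken from the email."""
    flags = red_flags(req, prof)
    # An emailed request is never self-authenticating: the mailbox itself
    # may be compromised, so a clean message still waits for the callback.
    if req.channel == "email" and not callback_confirmed:
        return "hold_for_callback", flags
    return "release", flags

# Constructed sample: the message quoted in the article plus made-up history.
SAMPLE = Request("email",
    "Please send $30,000 to my niece in Seattle using the listed account and "
    "routing numbers. If she doesn't get this surgery right away she might "
    "not make it. Thanks!", 30000.0, "ACCT-PLACEHOLDER-NEW")
HISTORY = Profile({"ACCT-OWN-1"}, {"ACCT-PAYEE-1"}, 5000.0)

if __name__ == "__main__":
    print(decide(SAMPLE, HISTORY, callback_confirmed=False))
```

The flags do not gate the hold; they go into the case record so the person making the callback knows what to ask about.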
What you can do
While FINRA has the authority to fine and suspend brokers for not following regulations, very few consumer protection laws are in place for this type of fraud. In my experience, most brokerages will refund a victim's money because they don't want to lose face in the industry. But that doesn't mean that they're required to repay customers or that it will be easy to get it back. Therefore you must take proactive steps for your own protection.
- Ensure that all your personal information on file with your broker is up to date and correct. If your old cellphone number is still on file, then your broker can't reach you to verify that you sent an email requesting a money transfer.
- If you have a personal relationship with your brokerage, call them and let them know you want to be personally contacted before money is ever wired out of your account.
- Call your brokerage and ask what their policies are for acting on a money transfer request. Make them be specific. Don't let them get away by brushing off your concerns and saying something like, "That could never happen here." Ask them for their specific policies that safeguard your money. If you're not satisfied, consider another brokerage.
At the end of the day, this is your money. You need to be satisfied with how well it is being protected. Don't give thieves the chance to steal the fruit of your life's labor just because you didn't take a few minutes out of your day to talk to your brokerage about how safe your money is.