Compromised Clients: The Weak Link in Cyber Defense

Article and interview with Brian Edelman, Financial Computer CEO.

During a panel on cybersecurity at the 2015 T3 Conference in Dallas, William French, the vice president of risk management at Fidelity Investments, said that 88 percent of broker/dealers and 74 percent of financial advisors have experienced some sort of cyberattack. And more and more, the weak link in the chain of cyber protection is the advisor’s own clients.

French said that he’s seen a large increase in high-quality “phishing” attacks, a method where hackers masquerade as trustworthy entities in order to steal usernames or passwords, that are targeted at advisors’ end customers. Hackers use social media to seek out personal details about clients and send personalized emails or messages, increasing the chance that a message will be taken for an innocent inquiry from a trusted confidant. This method, known as “spear phishing,” is one of the most successful techniques on the Internet and some have estimated that it accounts for 91 percent of attacks.

Once a hacker has compromised a client’s email account, they begin to contact the financial advisor. The messages may be benign at first, but slowly build to reveal more information, with the advisor unaware that the messages aren’t coming from the actual client. They often make successful requests to wire money.

So as clients increasingly demand electronic communication instead of phone or face-to-face verifications, how can advisors collaborate without exposing their clients to increased risk?

Brian Edelman, CEO of Financial Computer Services, suggested advisors take advantage of cheap and even free email encryption services that don’t require any additional effort on the part of the client. Edelman said that some advisors use these services as a selling point for their firms to grow their assets.

Often all an advisor needs to do is ask a prospect if their current financial advisor is encrypting their emails, Edelman said. “If the prospect says ‘no,’ they have a new client.”

Bill Winterberg, the panel’s moderator, suggested that advisors stop including links in their emails and instead instruct clients to just log in to the advisors’ portal to view information. French added that advisors should tell clients explicitly that they will never ask for personal information in an email, so clients will be more aware of potential spear phishing emails.

Phishing also highlights the importance of the personal relationship. French said that advisors who have more constant contact with clients will be prepared to spot suspicious activity.