Don't get burned by email fraud
Email fraud is becoming an even greater threat in the financial services world. According to recent alerts from FINRA and the Internet Crime Complaint Center (IC3), criminals are using compromised email accounts to trick financial professionals and institutions into wiring client funds to phony domestic and international accounts.
Here's how the fraud typically plays out:
- A cyber-criminal will send an email to an advisor, bank or brokerage firm pretending to be the client and requesting a current account balance. If the advisor or institution responds with the information, the criminal will then send another email initiating a wire transfer to another account, often overseas. If asked why email is being used, the criminal will give a family illness or death as an excuse.
- The initial email will often appear legitimate. However, closer examination will reveal irregularities in the sender's address: a modified top-level domain (.net instead of .com), an extra digit in the user's name, or a letter substituted for a number or vice versa (for example, 0 used for o).
- The fraudulent email often originates with an email service such as Yahoo, Gmail or AOL.
- If the advisor or financial institution asks for a letter of payment authorization via fax, the criminal will often produce a fax with the customer's actual signature. The scammer gets the signature through extensive research of other documents linked to the compromised account. Once they find a signed document, it's a simple matter of just copying and pasting the actual signature into a transfer request document.
- After transferring the money, the criminal may modify the victim's email settings to block all legitimate emails from the financial institution. This gives the scammer more time to take control of the money and make a "getaway."
- Although financial institutions have antifraud provisions in place, advisors must still do their part to detect fraud. According to FINRA's Regulatory Notice 12-05, broker-dealers and investment professionals should watch out for unusual funds transfer requests, including those asking for money to be sent to an unfamiliar third party or phrased to deter normal verification.
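The address irregularities listed above (changed top-level domain, extra digit, digit-for-letter swaps, webmail origin) can be checked mechanically against the client's address on file. The following is an added example, not part of the original article; the function names, flag labels, sample addresses and the lookalike pairs other than 0/o are assumptions.

```python
# Compare an incoming sender address with the client's address on file and
# report which of the article's irregularities it shows.
# Only the 0/o pair comes from the article; 1/l, 3/e and 5/s are assumed extras.
LOOKALIKES = str.maketrans("0135", "oles")
WEBMAIL = {"yahoo.com", "gmail.com", "aol.com"}  # services named in the article


def split_address(addr):
    """Return (local part, domain without last label, last label), lowercased."""
    local, _, domain = addr.strip().lower().rpartition("@")
    name, _, tld = domain.rpartition(".")  # simplification: TLD = last label
    return local, name, tld


def _no_digits(text):
    return "".join(ch for ch in text if not ch.isdigit())


def lookalike_flags(sender, on_file):
    """Empty list means an exact match; otherwise the reasons for suspicion."""
    s_local, s_name, s_tld = split_address(sender)
    f_local, f_name, f_tld = split_address(on_file)
    if (s_local, s_name, s_tld) == (f_local, f_name, f_tld):
        return []
    flags = []
    if s_name == f_name and s_tld != f_tld:
        flags.append("tld-changed")
    for seen, known in ((s_local, f_local), (s_name, f_name)):
        if seen == known:
            continue
        if len(seen) > len(known) and _no_digits(seen) == _no_digits(known):
            flags.append("extra-digit")
        elif seen.translate(LOOKALIKES) == known.translate(LOOKALIKES):
            flags.append("char-substitution")
    if f"{s_name}.{s_tld}" in WEBMAIL and f"{f_name}.{f_tld}" not in WEBMAIL:
        flags.append("webmail-domain")
    return flags or ["different-address"]


if __name__ == "__main__":
    ON_FILE = "jane.doe@example.com"  # constructed sample client record
    for sender in ("jane.doe@example.net", "jane.doe1@example.com",
                   "jane.d0e@example.com", "jane.doe@gmail.com", ON_FILE):
        print(f"{sender:28} {lookalike_flags(sender, ON_FILE)}")
```

Any non-empty result is a reason to verify the request through a channel other than email before acting on it.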
Advisors who suspect a client has fallen victim to email fraud should immediately notify their compliance unit or anti-money laundering team. They should also advise clients to report the crime to the FBI and to file a complaint online at www.IC3.gov.