Help Protect Your Firm and Clients from Cyber Fraud

Transcription

1 One Step Ahead: Help Protect Your Firm and Clients from Cyber Fraud Actions for advisors and investors to consider In Brief: Threats grow more sophisticated: Just as technology advances, so do the tools cyber criminals use to steal from clients. Wire fraud, identity theft, and scams especially phishing currently threaten data security for broker-dealers and financial advisors and are growing in number and sophistication. An estimated 5% of U.S. adults fall victim to these crimes every year. 1 Advisors have required responsibilities: Many financial services firms are required to implement an Identity Theft Protection Plan (ITPP) under Regulation S-ID. Those not required to do so may wish to consider implementing an ITPP as a best practice and consider all applicable state laws. Inside, you will find details about: How threats to data security are intensifying Responsibilities of financial advisors Actions for advisors to consider to protect their firm Ways to educate your clients using the sample resources presented in this guide Be vigilant in educating and protecting: As part of their general fiduciary responsibility to customers, firms and their advisors should remain vigilant for signs of fraud and consider proactively warning investors of threats, educating them on how they can protect themselves. 1 Mary Jo White, SEC Open Meeting, 4/10/13,

2 Threats to Data Security Intensify Every hour, technology continues to evolve, changing the way we lead our lives. Unfortunately, cyber criminals are evolving just as fast, developing new ways to separate people from their assets. While the most common tactics used to compromise a victim s identity or login credentials are long-time nemeses such as malware, phishing, and social engineering, they are growing increasingly difficult to spot. The end game with these tactics is, of course, criminal. After gaining access to an investor s personal information, cyber criminals can use it to commit various types of fraud, including: Fraudulent trading Electronic funds transfer (EFT) fraud Wire fraud Establishing fraudulent accounts Common ways in which identity and login credentials are stolen Malware. Using malicious software (hence, the prefix mal in malware), criminals gain access to private computer systems (e.g., home computer) and gather sensitive personal information such as Social Security numbers, account numbers, passwords, and more. How it works: While malware can be inserted into a victim s computer by various means, it often slips in when an unwary user clicks an unfamiliar link or opens an infected . Phishing. In this ruse, the criminals attempt to acquire sensitive personal information via . Phishing is one of the most common tactics observed in the financial services industry. How it works: Masquerading as an entity with which the victim already has a financial relationship (e.g., a bank, credit card company, brokerage company, or other financial services firm), the criminals solicit sensitive personal data from unwitting recipients. Social engineering. Via social media and other electronic media, criminals gain the trust of victims over time, manipulating them into divulging confidential information. How it works: Typically, these scammers leverage something they know about the person like their address or phone number to gain their confidence and get them to provide more personal information, which can be used to assist in committing fraud. Social engineering has increased dramatically, and many times fraudsters are contacting investors by telephone. Recent trends in criminal activity William R. French, vice president of Customer Protection and Financial Intelligence at Fidelity Investments, has been focusing primarily on information security and risk management matters for more than 25 years. Mr. French is a Certified Fraud Examiner (CFE) and an active participant in the National Cyber-Forensics & Training Alliance, an FBI cyber unit based in Pittsburgh. With this industry-wide perspective, French has observed specific trends in cyber criminal activity that take place after a criminal has secured sensitive personal information from his or her victim: On the rise: fraudulent trading Imagine having your assets traded on the stock exchange without your knowledge or permission. That s one form of fraudulent trading the intentional misuse of business information or technology by an individual or entity to steal money or assets from another individual or entity. Fraudulent trading typically occurs when an investor s login credentials for his or her brokerage account are compromised. Fraudulent trading isn t an isolated problem, French warns. When financial services firms identify high levels of potentially fraudulent trading activity in a particular stock, they share that information with regulators and other firms so that everyone can be on alert. 2

3 On the rise: EFT fraud via prepaid bank cards Criminals abuse of traditional credit and debit cards for fraudulent EFTs has long been an issue. However, financial institutions are periodically seeing the use of prepaid bank cards to facilitate fraud. There are legitimate banking institutions issuing prepaid bank cards to customers for legitimate reasons, says French. However, the increased use of prepaid bank cards by consumers offers perpetrators another vehicle through which they can move fraudulently disbursed funds. EFT fraud traditionally involves getting into a customer s account using their login credentials, establishing bank money movement instructions online, and then moving money out of the account through a series of EFT disbursements after a pre-note period of seven to 10 days. A pre-note period is the hold period before newly established EFT instructions can be used to move money. (Note: Pursuant to regulations stemming from the Dodd- Frank legislation, the pre-note period is expected to be shortened to three banking days, effective September 19, 2014.) However, instead of moving the money out of the customer s accounts and into what would be considered a more traditional bank account, criminals are now moving the funds to prepaid bank accounts. On a comeback: wire fraud While wire fraud has been around much longer than some of today s emerging data security threats, it s experiencing a resurgence. The most common scenario involves fraudulent money transfers by phone or electronically. Typically, an individual s account has been compromised for a fraudster to gain access to one s personal information. Unfortunately, the number of these incidents in the securities industry has risen more than tenfold over the past decade and by more than 60% just since 2011, according to the Treasury Department s Financial Crimes Enforcement Network (FinCen). 2 Of particular concern to advisors: they may be held personally liable for a wire transfer that turns out to be fraudulent if they failed to follow the proper procedures, which often includes calling the client to verify the transaction before initiating it. Advisors should consult their legal and compliance department to help ensure that they have proper procedures in place. On the rise: establishing fraudulent accounts Establishing a fraudulent account is a more sophisticated criminal technique but one that is nonetheless popping up more and more. French points to two emerging trends in fraudulent accounts: Fraudulent accounts in your clients names. First, the criminal establishes a fraudulent account in a client s name. The fraudster transfers assets from the client s legitimate account to the fraudulent account, and then quickly moves the money out of the fraudulent account. Multiple client distributions into a fraudulent third-party account. In many cases, wire or EFT instructions are used to process repetitive distributions from multiple client accounts. The wire or EFT instructions are altered to make transactions initiated by an unauthorized third party appear as though they have been made by an authorized party. This gives the appearance that the processed wire transfer or EFT is being paid into an account controlled by the beneficial owners of the distributing account, French explains. In reality, the receiving account is controlled by the perpetrator of the misappropriation. 2 Wire Fraud Is on the Rise, by Matthias Rieker, the Wall Street Journal, 10/12/13. 3

4 Phishing techniques: improving and abetting wire and EFT fraud One particularly scary trend is that phishing techniques, which once had telltale signs, are becoming vastly more sophisticated. Phishing s used to be fairly easy to spot, says French. Most phishing s were filled with typographical and grammatical errors, inaccuracies, or requests for information. Almost always, they also included an urgent request for immediate action. Lately, however, the financial services industry has seen an uptick in a vastly improved type of phishing scheme designed to capture the login credentials for accounts, which gives the perpetrators a gateway to their victims personal and business information. These criminals are skilled at identifying custodial financial relationships and mining saved s for critical information about account holdings, available cash, and money movement opportunities, says French. This information is then used to initiate illicit wire transfers and EFTs. The perpetrators impersonate legitimate customers on phone calls to determine when funds will be disbursed and quickly withdraw them before the customers or their financial firms become aware of what s happening. In some cases, says French, the criminals also modify victims account settings to divert legitimate s from their financial services providers into spam folders, providing additional time for the criminals to cover their tracks. Often, a request for a fraudulent transfer is accompanied by a request that the customer be contacted only through . While it s natural for advisors to want to go above and beyond for their clients, limiting communication to is why these scams are so effective, explains French. may very well be a common method of communication, but advisors really may not want to rely on it for high-risk transactions. Responsibilities of Financial Advisors Given the evolving, serious threats discussed, some financial advisors have federally mandated responsibilities, in addition to applicable state laws, to protect clients: The red flags rule: The identity theft red flags rule, known as Regulation S-ID, was issued jointly by the SEC and the U.S. Commodities Futures Trading Commission (CFTC) and became effective in The new rule requires any SEC or CFTCregistered financial entity that directly or indirectly holds transaction accounts for its clients to develop and implement an Identity Theft Protection Program (ITPP). What does it mean? By November 20, 2013, all advisors, broker-dealers, and other financial institutions (as defined by the regulations) were required to be in compliance by developing and implementing an identity theft protection program consisting of reasonable, board-approved compliance policies and supporting procedures to prevent, detect, and respond to any possible identity theft situations. While Fidelity encourages all advisors, as part of their fiduciary responsibility, to remain vigilant for signs of fraud, we suggest that you consult your legal and compliance department to gain a full understanding of the rules and regulations that apply to your firm, especially because current data protection and data breach notification laws vary from state to state. Cybersecurity: an SEC exam priority On April 15, 2014, the SEC s Office of Compliance Inspections and Examinations (OCIE) announced an initiative to conduct examinations of more than 50 investment advisors and broker-dealers, focusing on areas related to cybersecurity. As part of the Risk Alert announcement, the SEC provided a detailed list of questions to help all firms (regardless of whether they will be audited) assess their level of cybersecurity preparedness. You may read the full alert and access a copy of the detailed document list at SEC: OCIE Cybersecurity Initiative. 4

5 Actions for Firms & Their Advisors to Consider Technologies are constantly evolving including those used by criminals. Ask yourself: Are your security policies and procedures keeping up? Consider the following precautionary measures to help combat the growing threat of data security compromises: Ways to learn more about Regulation S-ID, Identity Theft Red Flags Rules Federal Trade Commission: Identity Theft Red Flags Rule SEC: Identity Theft Red Flags Rules FINRA: Customer Information Protection, Red Flags Rule Educate customers on proper third-party wire requests. Help clients understand the right practices involved in wire transactions for their good and yours. For example, faxes, voice mail messages, and s should not be used to verify wire transactions. Customer education and awareness about your third-party wire requests may help make these types of moneymovement controls more acceptable to your clients and actually encourages them to play an active role in protecting their personal information and assets. Limit home office employee access to sensitive client data to secure networks and devices. For example, public computers in locations like hotels or cybercafés have unknown virus protection and are highly susceptible to attacks; they should not be used to access confidential firm or client data. Establish, and regularly update, an employee education program on cybersecurity. Use this program to keep all firm personnel abreast of the latest trends in cybersecurity and firm policies and procedures. You may also want to make cybersecurity a regular agenda topic for team meetings and have a plan in place to train new employees. Make sure user IDs and passwords are kept current. Delete the login credentials of former employees, and periodically review the levels of access granted to current employees. As a further level of protection, consider making it a policy to regularly reset employee passwords. Don t give broad-based entitlement to anyone who doesn t need it. Limit authorizations to move money. Be careful whom in your organization you authorize to issue money movements and consider keeping this number limited. Know the security level on each of your systems. Make sure your use is appropriate for the level of security available. Maximize your system s security tools to identify suspect transactions ASAP. If a transaction is unusual or not typical for a customer s historical profile, you should immediately contact the client to verify the transaction. Review client account balances and transactions at least monthly. If you see transactions that are unusual or atypical for a client s historical profile, that should trigger an immediate phone call to the client to verify the transaction. Also, be sure to review any account profile changes. If anything seems unusual, verify the changes directly with the client. Keep the most up-to-date antivirus and antispyware software on all devices (PCs, laptops, tablets, smartphones). Consider setting antivirus software to run regularly, which could help detect viruses on the machine, as well as the presence of keystroke capture malware. Simply running a periodic virus scan may not offer protection between scans. 5

6 Proactively prepare for a compromise Security compromises can occur despite the best efforts of all involved. Consider taking these proactive measures to prepare your firm for a potential problem from outside criminals or employees within your firm: Create a detailed set of written procedures for reacting to fraud. This includes steps to take internally, as well as any client communications. Your procedures should also include the after-hours escalation processes through any financial institutions you work with. Identify a point person responsible for carrying out the procedures. This person should be well versed in the procedures and able to escalate them in a timely manner when fraud occurs. Timely escalations are critical to any success you may have in recovering fraudulently disbursed funds. Train your team. Conduct internal training to ensure that all professionals in your organization understand what needs to happen if an incident occurs. Familiarize yourself with all available resources. Take stock of the types of resources available through the financial institutions and third-party vendors you work with to protect your firm and your clients against cyber fraud. 6

7 Educating Your Clients While you may be taking all the necessary steps to protect your firm from cyber fraud, we encourage you to consider developing an ongoing communications program to help your clients better understand the ways they can protect themselves from cyber threats. The sample resources that follow are intended to help you deliver your message effectively. On this and the following pages, you ll find: A sample cyber fraud client communications plan A sample client letter you can consider and customize to your unique needs An investor protection checklist to aid client awareness of action items across six important areas SIX WAYS CLIENTS MAY BE ABLE TO HELP PROTECT THEMSELVES AGAINST CYBER FRAUD 6 SAFEGUARD YOUR FINANCIAL ACCOUNTS 5 PROTECT YOUR ACCOUNTS 1 MANAGE YOUR DEVICES 2 PROTECT ALL PASSWORDS 4 3 SURF THE WEB SAFELY PROTECT INFORMATION ON SOCIAL NETWORKS SAMPLE CYBER FRAUD CLIENT COMMUNICATIONS PLAN TIMING AUDIENCE SUGGESTED STEPS TO CONSIDER Immediately All clients Send customized copies of the client letter and investor protection checklist, found at the back of this guide, to all clients. Consider a proactive phone outreach to clients you feel could benefit from a conversation about the checklist items. Ongoing All clients During your annual review meetings, remind all clients of the importance of protecting their personal information. Allow time in your discussion to answer any questions they may have, and give them another copy of the checklist as a reminder. Communicate new developments or best practices to your clients when you learn of them. Onboarding New clients When onboarding new clients, provide them with a copy of the investor protection checklist and client letter. 7

8 Sample Client Letter Based on your clients specific needs, consider incorporating the points in this sample letter into your client communications. Dear [Insert Client Name]: Keeping your information secure from criminals is a top priority for our firm. To better protect you and your accounts from cybersecurity threats, we continuously review security procedures to ensure that we are following best practices recommended by the custodians, financial institutions, and industry experts with whom we work. While we feel we are taking clear and actionable steps in our own firm s security measures, cyber fraud continues to escalate, is becoming more sophisticated, and is ever changing. These threats take various forms, including scams (e.g., phishing), where criminals obtain investors identity and use that information to commit various forms of wire fraud. The attachment to this letter describes these phishing scams and other tactics that we believe investors should be aware of. We are encouraging our clients to embrace a series of measures to help protect their identity and mitigate potential security risks. The attached investor protection checklist outlines some best practices for investors across six key areas to help you: Manage your devices Protect all passwords Surf the Web safely Protect information on social networks Protect your accounts Safeguard your financial accounts Please carefully review this checklist with all members of your household. We also ask that you do the following: If you change a current address, notify us so that we can update our records. If you suspect that your account has been compromised, call us immediately. If you suspect that your account has been compromised, call us immediately. Do not hesitate to contact us with questions or concerns about how we protect your accounts or the steps you and your family can take to better protect yourselves and mitigate risk. As always, we appreciate the opportunity to help you achieve your financial goals. Sincerely, [Insert Advisor Name] 8

9 Attachment: Common tactics used to steal identity and login credentials Some of the most common tactics criminals use to compromise a victim s identity or login credentials are described below. After gaining access to an investor s personal information, criminals can use it to commit various types of fraudulent activity. The action items presented in the investor protection checklist are intended to help you and your family better protect yourselves against such activity. Malware. Using malicious software (hence, the prefix mal in malware), criminals gain access to private computer systems (e.g., home computer) and gather sensitive personal information such as Social Security numbers, account numbers, passwords, and more. How it works: While malware can be inserted into a victim s computer by various means, it often slips in when an unwary user clicks an unfamiliar link or opens an infected . Phishing. In this ruse, the criminals attempt to acquire sensitive personal information via . Phishing is one of the most common tactics observed in the financial services industry. How it works: Masquerading as an entity with which the victim already has a financial relationship (e.g., a bank, credit card company, brokerage company, or other financial services firm), the criminals solicit sensitive personal data from unwitting recipients. Social engineering. Via social media and other electronic media, criminals gain the trust of victims over time, manipulating them into divulging confidential information. How it works: Typically, these scammers leverage something they know about the person like their address or phone number to gain their confidence and get them to provide more personal information, which can be used to assist the criminal in committing fraud. Social engineering has increased dramatically, and many times fraudsters are contacting investors by telephone. 9

10 Investor Protection Checklist The educational checklist presented below is designed to help you take appropriate action to better protect you and your family and mitigate risk of cyber fraud. Carefully review the items in each of the categories below to determine which apply to your unique situation. TOPICAL AREA ACTIONS TO CONSIDER CHECK WHEN COMPLETED Manage your devices Protect all passwords Surf the Web safely Protect information on social networks Protect your accounts Safeguard your financial accounts Install the most up-to-date antivirus and antispyware programs on all devices (PCs, laptops, tablets, smartphones) and update these software programs as they become available. These programs are most effective when users set them to run regularly rather than just running periodic scans, which may not provide maximum protection to your device. Access sensitive data only through a secure location or device; never access confidential personal data via a public computer, such as in a hotel or cybercafé. If you have children, set up a separate computer they can use for games and other online activities. Use a personalized custom identifier for financial accounts you access online. Never use your Social Security number in any part of your login activity. Regularly reset your passwords, including those for your accounts. Avoid using common passwords across a range of financial relationships. Avoid storing passwords in folders. Consider using a password manager program. Do not connect to the Internet via unsecured or unknown wireless networks, such as those in public locations like hotels or cybercafés. These networks may lack virus protection, are highly susceptible to attacks, and should never be used to access confidential personal data. Limit the amount of personal information you post on social networking sites. Never post your Social Security number (even the last four digits). Consider keeping your birthdate, home address, and home phone number confidential. We also discourage clients from posting announcements about births, children s birthdays, or loss of loved ones. Sharing too much information can make you susceptible to fraudsters and allow them to quickly pass a variety of tests related to the authentication of your personal information. Never underestimate the public sources that individuals will use to learn critical facts about people. Delete any s that include detailed financial information beyond the time that it s needed. In addition, continuously assess whether you even need to store any personal and financial information in an account. Use secure data storage programs to archive critical data and documents. Review unsolicited s carefully. Never click links in unsolicited s or in pop-up ads, especially those that warn that your computer is infected with a virus and request that you take immediate action. Establish separate accounts for personal correspondence and financial transactions. Review all your credit card and financial statements as soon as they arrive or become available online. If any transaction looks suspicious, immediately contact the financial institution where the account is held. Never send account information or personally identifiable information over , chat, or any other unsecure channel. Suspiciously review any unsolicited requesting personal information. Further, never respond to an information request by clicking a link in an . Instead, type the Web site s URL into the browser yourself. Avoid developing any online patterns of money movement, such as wires, that cyber criminals could replicate to make money movement patterns appear more legitimate. o I ve reviewed and understand all the items in this topical area. o I ve taken action for those that apply to my situation. o I ve reviewed and understand all the items in this topical area. o I ve taken action for those that apply to my situation. o I ve reviewed and understand all the items in this topical area. o I ve taken action for those that apply to my situation. o I ve reviewed and understand all the items in this topical area. o I ve taken action for those that apply to my situation. o I ve reviewed and understand all the items in this topical area. o I ve taken action for those that apply to my situation. o I ve reviewed and understand all the items in this topical area. o I ve taken action for those that apply to my situation. 10

11 11

12 NATIONAL FINANCIAL 200 SEAPORT BOULEVARD BOSTON, MA For more information, please contact your Fidelity Relationship Manager. For Broker-Dealer Use Only. Not for distribution to the public. The information contained herein is as of the date of its publication unless otherwise noted, is subject to change, and is general in nature. Such information is provided for informational purposes only and should not be considered legal, tax, or compliance advice. Fidelity does not provide legal, tax, or compliance advice. Fidelity cannot guarantee that such information is accurate, complete, or timely. Federal and state laws and regulations are complex and are subject to change. Laws of a specific state or laws that may be applicable to a particular situation may affect the applicability, accuracy, or completeness of this information. This information is not individualized; is not intended to serve as the primary or sole basis for your decisions, as there may be other factors you should consider; and may not be inclusive of everything that a firm should consider in this type of planning decision. Some of the concepts may not be applicable to all firms. Always consult an attorney, tax professional, or compliance advisor regarding your specific legal or tax situation. Third-party marks are the property of their respective owners; all other marks are the property of FMR LLC. National Financial Services LLC, Member NYSE, SIPC FMR LLC. All rights reserved