The threat of cyberattacks is very real in the financial advice business and has been for some time now. But not all advisers are getting the message.
Two weeks ago, a former broker for Wells Fargo Advisers Financial Network was fined $5,000 and suspended for 30 days by the Financial Industry Regulatory Authority Inc. for transferring $350,000 to someone she thought was a client. Turns out it was an imposter posing as her client via a series of email exchanges.
The case was noteworthy for the amount of money involved. Most cases of wire-transfer fraud involving bogus emails are for much smaller amounts. In a survey a few years ago, the Securities and Exchange Commission found that 74% of cases involved amounts less than $5,000.
NO VERBAL CONFIRMATION
In the Wells Fargo case, Finra determined that the adviser failed to verbally confirm the email instructions to verify the client's identity, which she was required to do under Wells Fargo's protocol. If she had, the money likely never would have been sent.
Actually, the Finra fine and suspension are the least of this adviser's worries. Wells Fargo fired the broker over the incident, and she is not currently registered with another broker-dealer.
No one can blame Wells Fargo. It had a policy in place that the adviser ignored. Adding insult to injury, the adviser misled the firm by indicating in an internal system that she had verbally confirmed the client's identity when she hadn't. Wells Fargo was forced to reimburse the client the $350,000.
More than half the brokerages surveyed by the SEC acknowledged they had been targeted by imposters using stolen email addresses in wire-transfer scams. Among the brokerages that lost money in these scams, 25% said it was the result of employees not following client verification procedures.
Adviser and InvestmentNews contributor Sheryl Rowling last week described what happened recently at her firm when an email arrived seeking a wire transfer.
“The email had the client's business address and appropriate footer. It also referenced personal information that the client would know. In this case, we called the client for confirmation and discovered it was a scam,” she wrote.
Ms. Rowling's firm could easily have ended up getting scammed as Wells Fargo did. The difference was that her firm followed its established procedures to verbally verify requests for wire transfers, while the broker at Wells Fargo did not.
Ms. Rowling also noted that the bogus email requesting the wire transfer was from a foreign account. “This should automatically ring a warning bell,” she wrote.
Most brokerages and advisory firms are hesitant to discuss in detail the procedures they follow to verify that requests they receive for wire transfers are actually coming from customers and not fraudsters. But almost all seem to involve a verbal verification of some sort. That's fine as long as employees are following the procedures. It seems in more than a few cases they are not, despite the consequences they must know they face for not following them.
A LOT AT STAKE
Perhaps in the future, firms will come up with better ways to verify wire transfers that do not depend on brokers. After all, a lot is at stake: not only the amounts that firms such as Wells Fargo have to reimburse clients who lose money, but customer confidence and the reputation of the firm going forward. Until then, firms should remind their advisers in no uncertain terms that if they violate these verification procedures, they will almost certainly lose their jobs.