Two scam attempts, diligent employees: $500k in client assets protected

Woman working in an office

October is National Cybersecurity Awareness Month. We’re sharing one firm’s fraud-fighting story to help raise awareness about the importance of cybersecurity and demonstrate how your staff can personally make a difference.

Key Points

  • With minimal risk and potential for significant rewards for cyber thieves, costly cyber attacks are a real threat to businesses of any size. So, what can your firm do to counter cybercrime? Engage your employees, one of your most powerful weapons in this continuous game of cat-and-mouse. Learn how one firm leveraged its employees to prevent two fraud attempts that targeted nearly $500,000 in client assets.

According to "The 2017 State of Cybersecurity in Small and Medium-Sized Businesses," where Keeper Security and the Ponemon Institute joined forces to survey over 1,100 firms, 54% of small and medium-sized businesses experienced a cyberattack in the past year.

But there's good news: The unique relationship you have with your clients puts you and your staff in the best possible position to identify and prevent crimes such as these. We interviewed Ashlee Enzensperger, Director of Operations and Information Technology at Optivest Wealth Management, to learn how she leveraged her knowledge and intuition to detect and prevent two fraud attempts targeting nearly $500,000 in client assets.

The best offense is a good defense

Optivest knows employees are key to a solid cybercrime defense system. They foster a culture where employees know their clients intimately and feel empowered and responsible to guard the firm’s data and client assets. Even though it may not be feasible for your firm to establish and maintain a deep level of knowledge and familiarity with every client, there are ways you can sharpen awareness and develop your employees’ skills to spot suspicious activity.

Always pay attention to details and ask yourself, "Am I sure this is really my client?"
~ Ashlee Enzensperger Optivest Wealth Management

One fraud attempt started with an email requesting a wire transfer for over $200,000 to purchase an investment property. Enzensperger knew this behavior was atypical for her client. She recognized other red flags, too: a period at the end of the client’s name, phrases that didn't "sound" like her client, and a "sent from my ipad" notation, which was typically on other emails from this client, that was missing. Finally, the wire instructions were for a Michigan LLC and a Minnesota bank account – both of which she’d never seen this client use before.

"There are subtle nuances in her emails that make them unique to her," Enzensperger explains. "The email we received didn’t sound like her and her signature block wasn’t her normal one."

Nonetheless, Enzensperger continued following her firm's client verification policy and requested the client call the office to provide verbal authorization of the wire transfer. The "client" explained she was traveling and not available. This was yet another warning sign, as the client was diligent about contacting the advisor’s office prior to going out of town.

Realizing Enzensperger would not process the transaction without a verbal verification, the fraudster called the office and spoofed the number so that the client’s home phone number appeared on Caller ID. What the fraudster didn't know was that the client had recently moved and the previous home number was invalid. This was the final clue that convinced Enzensperger she was delaing with a fraud attempt. She escalated the transaction to her CEO, who subsequently called the client and confirmed that she wasn’t traveling and did not submit a request for funds.

Optivest shared this example with all its employees and reminded clients about the firm’s policies and procedures for protecting client data, including its client authentication policy. The firm also informed local police and other financial institutions that work with this client. Finally, Optivest provided its client with guidance on the next steps she should take to protect her identity from further harm. For example, the client immediately closed her email account, created a new one, and updated logins and passwords.


In a second attempt, Enzensperger received an email to retrieve an uploaded document. Shortly after, she saw a second email arrive from her client stating, "I just uploaded a wire request via secure message to you. Please let me know when to call, or simply call me on XXX-XXX-XXXX for verbal confirmation."

When she opened the uploaded document, Enzensperger immediately recognized her firm’s Letter of Intent form and noticed that the wire instructions had been copied and pasted on top of old instructions. When the fraudster called the office insisting that he was the client and demanded she wire the funds immediately, she strongly suspected another fraud attempt. To be certain, she contacted her client at the phone number on record and confirmed that he did not send wire instructions. After several failed attempts, the fraudster gave up.

"It was the urgency and insistence that made me suspicious—the effort that they were going through to try to make it happen. And they weren’t taking 'no' for an answer."

Looking back, there were several other warning signs. Enzensperger knew that this client has a very distinct voice and communication style. She was not expecting wire instructions, the signature block was unfamiliar, and the obvious forgery of the Letter of Intent were all warning signs that this request was fake.

Again, Optivest shared this story with its employees, reviewed the firm's cybersecurity policies and procedures, and encouraged the client to replace his compromised email account and reset all logins and passwords.

Take time to "pause"

All money movement requests should be viewed with an air of heightened awareness, and it’s important that your employees are empowered to take the time to properly reflect on the details surrounding a request. Uncovering motivations behind financial goals, recognizing patterns of behavior, and becoming familiar with specific characteristics that make each client unique are fundamental details to help your employees detect and prevent fraud. Keeping up to date on the latest fraud schemes and periodically testing and refining your cybersecurity plan and written procedures also help.

"We've recently added an additional safeguard to our procedures," Enzensperger explains. "If an advisor and a client are discussing a money movement request, the advisor will pose a personal question that only the client would know the answer to, and instruct the client to provide that answer as part of his or her verbal authorization."

Create a culture of cybersecurity excellence

Not sure where to begin? Ready to help your employees and clients take their fraud prevention skills to the next level?  Here are some ideas to get started:

  • First, educate staff on your firm's cybersecurity plan, including best practices, policies, and procedures. If you don't have your own training program, leverage Schwab’s  "Safeguarding Our Firm and Client Assets" and see our Fraud Encyclopedia that defines common fraud schemes, explains how they happen, and suggests ways to prevent them.
  • Second, ensure all employees and clients are committed to following all client authentication policies when processing money movement requests – NO exceptions.
  • Third, share our newest resource with your clients, "Tips for preventing fraud." This is a one-page checklist you can customize with your logo and firm information.

For more information, visit our Cybersecurity Resource Center. If you custody with Schwab, you also have exclusive access to a vast library of additional resources, such as our action-oriented, five-step approach to cybersecurity, which guides you through enhancing and maintaining data security at your firm, and additional educational content and tips to help heighten awareness with your employees and clients.

Even though National Cybersecurity Awareness Month comes only once a year, the threat is ongoing and constantly evolving. We hope this case study inspired you to start thinking about steps you can take to prevent a cybersecurity breach.

For more insights on cybersecurity and a chance to discuss these issues and others with Schwab experts and your peers, we invite you to stop by the Business Consulting and Education booth at IMPACT® in November, listen to a webcast replay, or attend one of our in-person or online events. We will be adding new online events soon, so look for our updated calendar of events in early 2018.

Take action on cybersecurity

Cybersecurity Resource Center