Preventing email fraud: How Canterbury Consulting is tackling the challenge
Be cautious about electronic client communications.
We've never been more connected. Advances in communication technology have made our everyday interactions streamlined and immediate. But they've also exposed us to new vulnerabilities.
Increasingly, firms are finding that electronic channels are creating new opportunities for fraudsters to illegally gain access to clients' funds. Canterbury Consulting is one firm that was targeted in an elaborate fraud scheme. Mike Ethridge, Canterbury’s chief operating officer, shares some details about their experience below.
Late last year, Canterbury engaged in correspondence with a client about sending a $350,000 wire for a loan payment. After a few weeks of typical email exchange, it was time to send the money to the bank account on file. The client acknowledged that trades might be necessary to free up cash.
That’s when the fraudster stepped in.
"At this exact point in the interaction, we received a series of emails from what appeared to be our client," says Mike. "Turns out, the fraudster had gained access to the client's email account and began sending us emails as if they were the client." In fact, the new messages were strategically integrated into the existing email string.
While posing as the client, the unknown individual suggested to Canterbury that the funds should be sent to another bank account, because the loan would be paid off from there. The fraudster then sent the alternative bank account and routing numbers, stating that the account was registered in the client's name.
The risk: How do you know?
It's tempting to rely on email, especially if there has been an ongoing discussion about a legitimate request—even more so if funds are purportedly going to a bank account in the client's name. For Canterbury, it was alarming how seamlessly the fraudster was able to insert themself into an ongoing client-advisor communication. So how can you identify risk?
"Consider that fraudsters are savvy and patient. They're likely to monitor legitimate conversations until the time is right to strike."
—Mike Ethridge, COO Canterbury Consulting
It's not unusual for them to wait weeks, or sometimes months.
Even if you have been discussing or working with a client on a particular transaction, you cannot assume that any email communication is legitimate. The risk of fraud is always there, so your firm has to follow the same verification procedures each and every time. That is how Canterbury was able to detect this fraud attempt on its client's account. The firm immediately called the client and discovered that the wire instructions were fraudulent.
Fraud attempts for first-party or like-registered accounts at other financial institutions are becoming increasingly common. This is likely because fraudsters know that many firms' processes for vetting first-party transactions are often less stringent than those for third-party requests due to two common misconceptions:
- The sending institution does not have the ability to verify account registrations. Due to privacy laws, the receiving financial institution cannot verify that the registration provided on the "client’s" instructions is the registration on the account. So, while the wire instructions may say the account is registered to John Doe, the account may actually be owned by Jane Smith.
- The receiving institution does not always have rules in place for matching delivery instructions with the account registration.
The response: What can you do?
"Don’t think it can't happen to you. You are a target, and having processes in place to detect fraud attempts and protect your clients should be your utmost priority," says Mike.
Canterbury prides itself on the robust process they have in place that has enabled them to prevent several fraud attempts. Even with strong procedures already in place to detect fraud, Canterbury recently decided to implement and require eApproval for all eligible first- and third-party wires.
This tool has safeguards in place when the advisor firm submits requests, and client approval is required before wires go out, which adds a second security layer to the process and speeds processing time.
"We were initially concerned about client adoption of the eAuthorization tool," says Mike. "But the response from clients has been overwhelmingly positive. Once the initial setup is complete, it's actually easier for the clients, and the requests get processed faster. The additional layer of security is the icing on the cake."
"It is a priority to know your clients well to be able to catch anomalies, and also to educate them to be aware of fraud threats and steps to take for you to work together to protect their assets," Mike explains. To combat fraud, it is important to make the client a critical part of the process. Methods used by firms include obtaining verbal verification—using video chat whenever possible—to confirm you're speaking to the client, or pursuing client signoff using Schwab's eApproval for wires for all eligible disbursements.
The reaction: Increased client trust
Learning new processes always presents new challenges, but Canterbury Consulting's commitment to transparency has helped its clients understand that the changes are designed with protection of the clients' assets in mind.
"Our clients have always been appreciative of our security measures, and the rollout of eAuthorization has been no different," says Mike.
We hope Canterbury's story demonstrates how easily fraud can occur and how important it is to have robust procedures in place to prevent it. For more information on secure money movement best practices, read our new handout. For additional insight into request verification, see "Educate your team to verify client requests to prevent fraud."