Don't get hooked by phishing scams

Guard your firm against phishing scams with 10 practices that every employee should know.

Key Points

  • The threat of phishing scams has risen dramatically as more advisors work remotely and on multiple devices.

  • Scammers can use email, text, and social media messages to compromise your network and steal sensitive personal and financial information. 

  • Protecting your firm against phishing involves technology, policies, and employee training. 


As phishing attempts become more sophisticated, financial advisory firms are increasingly at risk for this common cybercrime. Phishing campaigns use legitimate-looking emails, texts, and social media messages to trick recipients into sharing sensitive personal or financial information—the kind of details advisory firms have in abundance. 

With more employees working from home and on multiple devices, the threat from phishing is growing. The FBI reported a 70% increase in Internet crime complaints between 2019 and 2020, including phishing scams exploiting the COVID-19 pandemic.1 One such scam targeted business owners with emails that appeared to promote government-sponsored COVID relief loans but were really an attempt to obtain personal information.2

Advisory firms must remain diligent and up to date on their anti-phishing efforts to avoid downloading an attachment, clicking on a link, or logging into spoof websites that could compromise your firm's data or client's financial information.  

What is phishing and how does it happen?

Phishing involves criminals who pose as known and trusted sources through various media—such as email, phone calls, texts, social media messages, advertisements, and websites—to acquire usernames, passwords, Social Security numbers, credit card details, account numbers, or other sensitive private information. Phishing can also be used to install malicious software, known as malware, on a computing device or network to allow the perpetrator to gain access to private information or hold company data hostage.

Phishing scammers typically use the ill-gotten information to commit identity theft or fraud, or to demand a ransom from business owners. They may wait days, weeks, or even months to complete the scam. Some fraudsters don't even use the information themselves but instead sell it to other cybercriminals.

10 tips to prevent phishing

Knowledge and awareness can help you protect your firm and clients against cybercrimes such as phishing. Here are some best practices:

  1. Do not allow employees to access personal email on the company network. Personal email accounts are more susceptible to hacking and may not be as secure as corporate email. For employees working from home, consider requiring them to use company-issued devices to keep personal accounts separate from firm business. 
  2. Urge employees to not click on links or attachments within emails and texts, especially when the sender is unfamiliar. Instead, they should hover over links to view the actual URL. Avoid any website address beginning with "http," which often indicates the site is not secure and might be a sign that it is fraudulent or spoofed. Instead, look for websites beginning with "https," which indicates a secure site.
  3. Encourage your employees and clients to turn on two-factor authentication for all logins that support it. Two-factor authentication requires users to enter a code sent to another device, in addition to providing a username and password, which can keep systems secure even if someone were to compromise your login information. 
  4. Verify any email requests for asset transfers, new account details, or other financial transactions with clients in person or over the phone to ensure requests are legitimate.
  5. Compare the domain name in the sender's email address to verify that it matches the expected domain. For example, be suspicious of an address that ends in "schwad.com" rather than "schwab.com."
  6. Consider adding anti-phishing software to your firm's email system and make sure any security programs such as firewalls, antivirus, and malware detection are up to date with the latest versions. 
  7. Do not enter your username and password on any web page that you've reached by clicking a link in an email or by copying and pasting an address into your browser. Instead, type the trusted website address directly into your browser and log in to your account as usual.
  8. Have employees check their email accounts regularly to look for any unauthorized rules—such as "Forward to" or "Redirect to"—or deleted emails that could be an indication that their email was hacked.
  9. Require employees to follow secure company protocols for transmitting non-public information (NPI) via virtual private networks or encrypted file-sharing programs rather than sending NPI through email.
  10. Provide cybersecurity training for your team and then conduct simulated phishing attempts to test your employees' security awareness and susceptibility to scams. Several vendors offer services that will send fake phishing emails to your employees and provide an analysis of the results. This information can help you develop additional training to address areas where your employees or systems may be vulnerable.

Case study: Phishing scheme baits an advisor

What happened?

An employee of an advisory firm received a phishing email with an attached file. Clicking the attachment enabled malware to be installed on the employee's machine and gave the criminal access to the employee's email account. As a result:

  • Phishing emails were sent to all the employee's contacts
  • Auto-forwarding rules were added, sending blind copies of emails to an external email account
  • Some of the forwarded emails included files containing clients' NPI
  • The fraudster sent additional phishing emails to clients from the employee's email address in an attempt to compromise client accounts

How was the fraud detected?

One of the phishing email recipients, a fellow wealth manager, recognized the signs of a suspicious email and contacted the breached firm, sharing that they had experienced a similar attack. This wealth manager suggested that the breached firm check for email auto-forwarding rules set up by a fraudster. The breached firm identified several unauthorized emails and ultimately contained the phishing incident, although the perpetrator did intercept some intra-firm emails that included NPI. By contacting affected clients and taking steps to protect their accounts, the breached firm avoided more serious fallout from the event.

What you can do next