Don't get hooked by phishing scams
Guard your firm against phishing scams with 10 practices that every employee should know.
Texts and emails keep us more connected than ever. Yet technologies like these are also making us more vulnerable to scams. Under the anonymous cover of the web, cybercriminals use an elaborate arsenal of methods to commit fraud and steal personal information. Phishing has become one of the most prolific methods because scammers know it’s effective.
As phishing attempts continue to spread, employees and clients of financial advisory firms are increasingly at risk. Phishing campaigns use legitimate-looking emails, SMS texts, or instant messages—which often appear to come from a known source—to trick recipients into sharing sensitive personal or financial information. From October 2013 to December 2016, the FBI investigated more than 22,000 phishing incidents that caused nearly $1.6 billion in losses, or roughly $500 million every year. And the monetary costs have continued to climb sharply—up 2,370% between January 2015 and December 2017.1
In the past year, we've seen numerous firms and clients receive emails that appear to be from Schwab requesting credentials and personal information. Fraudsters recognize that if their phishing attempt can convince an advisory firm employee to open an attachment, click a link, or enter personal information, they'll likely be able to compromise not only that employee but also your clients.
What is phishing and how does it happen?
Phishing involves criminals who pose as trusted sources through various media—such as email, phone calls, texts, advertisements, and websites—to acquire usernames, passwords, Social Security numbers, credit card details, or other sensitive private information. More recently, phishing campaigns have begun surfacing in social media channels such as Facebook and Twitter. Phishing can also be used to install malicious software, known as malware, on a computing device or network to allow the perpetrator to gain access to private information or inflict other damage.
Phishing scammers typically use the ill-gotten information to commit identity theft or fraud. They may wait days, weeks, or even months to complete the scam. Some fraudsters don't even use the information themselves but instead sell it to other cybercriminals.
See the Fraud Encyclopedia to learn more. This comprehensive resource provides definitions and examples of common fraud techniques (beyond phishing) that you can use to educate yourself and your staff.
10 tips to prevent phishing
Knowledge and awareness can help you protect your firm and clients against cybercrimes such as phishing. Here are some best practices:
- Do not allow employees to access personal email using the company network. Personal email accounts are more susceptible to hacking and may not be as secure as corporate email.
- Hover over links to view the actual URL, and don't click if it looks suspicious or questionable. This includes any website address beginning with "http://" rather than "https://", which means the connection is not encrypted and can be a sign that the site is fraudulent or spoofed.
- Be wary when clicking links or attachments within emails and texts, especially when the sender is unfamiliar.
- Be suspicious of emails that have grayed-out "CC" or "To" lines, which are signs that these messages may have been sent to a mass distribution list.
- Compare the domain name in the sender's email address to verify that it matches the expected domain. For example, be suspicious of an address that ends in schwad.com rather than schwab.com.
- Consider turning on spam filters within your email account to help block unsolicited and unwanted messages.
- Do not enter your username and password on any web page that you've reached by clicking a link in an email or by copying and pasting an address into your browser. Instead, type the trusted website address directly into your browser and log in to your account as usual.
- Have employees check their email accounts regularly to look for any unauthorized rules—such as "Forward To" or "Redirect To"—or deleted emails that could be an indication that their email was hacked.
- Require employees to follow secure company protocols for transmitting non-public information (NPI)—through the use of shared folders, customer relationship management systems, or portals—rather than send NPI through email.
- Conduct simulated phishing attempts to test your employees' security awareness and susceptibility to scams. Several vendors offer services that will send fake phishing emails to your employees and provide an analysis of the results. This information can help you develop additional training to address areas where your employees or systems may be vulnerable.
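The domain-comparison tip above in working form, as an added example that is not part of the original article: it classifies a sender address as trusted, lookalike or unknown against a constructed allow-list, catching schwad.com-style misspellings and a trusted name buried inside another domain. The allow-list and sample addresses are constructed.

```python
"""Flag From addresses whose domain only resembles the expected one.

Added example, not from the original article: it automates the tip about
comparing the sender's domain to the expected domain (schwad.com vs
schwab.com). The allow-list and the sample addresses are constructed.
"""
from email.utils import parseaddr

TRUSTED_DOMAINS = {"schwab.com"}  # constructed allow-list for this example


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: single-character edits needed to turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(header_from: str) -> str:
    """Classify a From header as 'trusted', 'lookalike' or 'unknown'."""
    _, addr = parseaddr(header_from)
    domain = addr.rpartition("@")[2].lower().rstrip(".")
    if not domain:
        return "unknown"
    for trusted in TRUSTED_DOMAINS:
        # exact match, or a genuine subdomain such as mail.schwab.com
        if domain == trusted or domain.endswith("." + trusted):
            return "trusted"
    for trusted in TRUSTED_DOMAINS:
        # schwab.com.example.net: the trusted name buried inside another domain
        if trusted in domain:
            return "lookalike"
        # schwad.com, schwab.co, schwaab.com: within two edits of the real name
        if edit_distance(domain, trusted) <= 2:
            return "lookalike"
    return "unknown"
```

The check looks only at the address, not the display name, so it complements rather than replaces the link-hovering tip.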
Case study: Phishing scheme baits an advisor
An employee of an advisory firm received a phishing email with an attached file. Clicking the attachment enabled malware to be installed on the employee's machine and gave the criminal access to the employee's email account. As a result:
- Phishing emails were sent to all the employee's contacts.
- Auto-forwarding rules were added, sending blind copies of emails to an external email account.
- Some of the forwarded emails included files containing clients' NPI.
- The fraudster sent additional phishing emails to clients from the employee's email address in an attempt to compromise client accounts.
How was the fraud detected?
One of the phishing email recipients, a fellow wealth manager, recognized the signs of a suspicious email and contacted the breached firm, sharing that they had experienced a similar attack. This wealth manager suggested that the breached firm check for email auto-forwarding rules set up by a fraudster. The breached firm identified several unauthorized emails and ultimately contained the phishing incident, although the perpetrator did intercept some intra-firm emails that included NPI. By contacting affected clients and taking steps to protect their accounts, the breached firm avoided more serious fallout from the event.
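The check the wealth manager suggested, which is also the "Forward To" / "Redirect To" tip above, as an added example that is not part of the original article: it audits exported mailbox rules for forwarding or redirection to addresses outside the firm. Field names follow Exchange Online's Get-InboxRule output; the firm domain, mailbox and rule records are constructed.

```python
"""Audit mailbox rules for the external forwarding seen in the case study.

Added example, not from the original article. Field names follow Exchange
Online's Get-InboxRule output (Name, Enabled, ForwardTo, RedirectTo,
ForwardAsAttachmentTo, DeleteMessage, MailboxOwnerId); the records, the firm
domain and the addresses are constructed, with targets simplified to plain
SMTP addresses.
"""
INTERNAL_DOMAINS = {"advisoryfirm.example"}  # constructed firm domain

SAMPLE_RULES = [  # constructed export from one employee mailbox
    {"MailboxOwnerId": "jdoe@advisoryfirm.example", "Name": "Newsletters",
     "Enabled": True, "ForwardTo": [], "RedirectTo": [],
     "ForwardAsAttachmentTo": [], "DeleteMessage": False},
    {"MailboxOwnerId": "jdoe@advisoryfirm.example", "Name": "Untitled",
     "Enabled": True, "ForwardTo": [], "RedirectTo": ["drop@mail.example.net"],
     "ForwardAsAttachmentTo": [], "DeleteMessage": True},
    {"MailboxOwnerId": "jdoe@advisoryfirm.example", "Name": "Copy assistant",
     "Enabled": True, "ForwardTo": ["assistant@advisoryfirm.example"],
     "RedirectTo": [], "ForwardAsAttachmentTo": [], "DeleteMessage": False},
]


def is_external(address: str) -> bool:
    """True when the address is outside the firm's own domains."""
    return address.rpartition("@")[2].lower() not in INTERNAL_DOMAINS


def audit_rules(rules):
    """Return one finding per enabled rule that sends mail outside the firm."""
    findings = []
    for rule in rules:
        if not rule["Enabled"]:
            continue
        targets = rule["ForwardTo"] + rule["RedirectTo"] + rule["ForwardAsAttachmentTo"]
        external = sorted(t for t in targets if is_external(t))
        if not external:
            continue
        findings.append({
            "mailbox": rule["MailboxOwnerId"],
            "rule": rule["Name"],
            "external_targets": external,
            # deleting the original hides the forwarded copy from the owner
            "hides_copies": rule["DeleteMessage"],
        })
    return findings


if __name__ == "__main__":
    for f in audit_rules(SAMPLE_RULES):
        print(f"{f['mailbox']}: rule {f['rule']!r} sends to {f['external_targets']}")
```

Mailbox-level forwarding set outside of inbox rules is a separate setting and needs its own check.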
What to do next
Schwab offers a wealth of tools, educational materials, and other resources to help you create a cybersecurity plan or strengthen your existing defenses to better detect and prevent fraud.
These three steps can get you started:
- Download and share the Tips for Preventing Fraud checklist with your clients. Use our turnkey checklist or customize a version with your own information.
- Encourage your employees and clients to use two-factor authentication. Watch this video to learn more.
- Visit the Fraud Updates & Resources page of our Cybersecurity Resource Center.
Keep these phishing-prevention tips handy to ensure that you and your clients are taking precautions to reduce the risk associated with phishing attacks.
If you're thinking about becoming an independent advisor, consider a custodian that invests in your success. Contact us to learn more about the benefits of a custodial relationship with Schwab.