Protect your RIA firm and clients from social engineering

Learn how social engineering works and what RIA firms can do to prevent this type of scam from breaking through their defenses.

Key Points

  • Social engineering uses deception to manipulate people into providing personal information or carrying out a transaction they shouldn't.

  • Email is a common tool for social engineering because everyone uses it and it's an easy way to pose as someone else.

  • Many social engineering schemes use a mix of high-tech and low-tech methods, which is why it's important for everyone at your firm to receive regular training and reminders to stay alert for potential fraud via social engineering.

Social engineering is a fancy name for an old problem. Any scheme that uses deception to manipulate people to provide personal information–or to carry out a fraudulent transaction–is social engineering. 

In the old days, social engineering involved verbal low-tech methods such as phone calls and in-person conversations. Today, social engineering has expanded to include phishing attacks that use imposter websites, text messages, and email to trick you into providing information. Some scammers also use AI (artificial intelligence) and voice simulation software to sound exactly like someone you know and trust, making these attacks even trickier to detect.

Teaching your staff and your clients to recognize the red flags of social engineering can help them stop a scam before any harm is done.

The trouble with email

Email is an easy way to quickly pass along a lot of information, which is why nearly everyone uses it. However, the strengths of email as an instant and informal mode of communication are also what make it especially vulnerable. Plus, email phishing has become increasingly sophisticated, taking on many forms that trick people into inadvertently revealing sensitive information to imposters.

Most social engineering hackers attempt to:

  • Gain control of legitimate email accounts. They convince individuals to reveal their login credentials or to click links that download malware onto their computers.
  • Create fake email accounts resembling legitimate ones. They research an organization's website to find out who's in leadership and to identify colleagues who likely work together. They then create bogus email accounts that display the correct names of these individuals, but from email addresses that do not quite match real addresses.

Cybercriminals frequently target high-net-worth individuals. To help protect your clients, look for signs that suggest a client's email may have been hacked. For example, someone posing as a client or client's representative may send an uncharacteristically aggressive email demanding speedy service. If this happens, call the client back at a trusted phone number to verify the identity of the caller. While it involves an extra step, this effort could prevent a potential problem.

To spot hacker emails, ask yourself:

  • Does the sender's email address match the address you have on file? Hackers sometimes only change one letter of an address, so look closely!
  • Does the email contain misspellings, odd phrases, or signs that suggest the writer might not be the person you expect? Watch for clues that may reveal you're communicating with someone unfamiliar with the matter you're discussing. They might get places wrong, misname a colleague, or describe your office functions in an unusual way.
  • Are there unfamiliar links in the email? Never click a link unless you're certain it's safe. Before you click, hover your cursor over the link to scrutinize the embedded address.
  • Does the context make sense? If you're asked to do something you would not expect the sender to request, it could be a red flag.
  • Are you being rushed? Fraudsters often fabricate a sense of urgency to knock you off balance. Don't lose your cool. Take a deep breath, continue to ask questions, and allow yourself time to think things through.

It's not just about technology

While email is a frequent tool used in social engineering, be mindful that many schemes are a combination of high-tech and low-tech elements. For example, a hacker may take control of a client's email, change the contact information, and reset the authentication steps. Once that's complete, they can execute fraudulent transactions over the phone by providing the verification information now on file.

Some hackers attempt to steal sensitive information by gaining physical access to offices. They may pretend to be a client's trusted relative or colleague, pose as an IT service provider, or impersonate a utility worker. Exercise the same degree of caution as you would with phishing schemes by validating the identity of visitors you don't recognize. Effective physical security at your office is critical to protect your firm from intruders attempting to steal sensitive information.

Your people are your best defense

Technology systems can detect and deflect many threats before a security breach occurs, but social engineering schemes ultimately rely on the manipulation of people's behavior. To protect your firm and your clients:

  • Educate your staff. Regular cybersecurity training can help them recognize the signs of social engineering, navigate complex situations, and make safe decisions.
  • Review your workflow processes and security practices from a hacker's point of view. Where are the vulnerabilities? Where would a hacker try to exploit your systems? Once you identify these risks, establish policies and procedures to help minimize your exposure.
  • Provide cybersecurity awareness for your clients. A simple communication to help clients recognize the tell-tale signs of social engineering can help them spot trouble before it's too late. It's a good service for them and adds an extra layer of protection for you.
  • Utilize services that simulate phishing attacks. Test your team's diligence. KnowBe4, Cofense, and PhishLabs are a few tools that allow you to send fake phishing emails to help identify the types of attacks likely to get through. Follow-up educational materials are made available to help people stay vigilant and to recognize typical phishing ploys.

Read more about how to strengthen your cybersecurity culture >

Three types of insurance to consider for your firm

Despite your best efforts, security breaches can occur, and the losses can be massive. Consider these three types of insurance to sufficiently cover your firm in the event of a cyberattack:

  • Errors & Omissions (E&O) insurance is not specifically a form of cybersecurity insurance, but it protects against honest mistakes that are common in the digital age.
  • Fidelity bonds cover firm assets and client property against theft by employees or fraud by people outside your firm, basically making your clients whole if someone uses your firm to steal from them.
  • Cyber insurance offers the broadest approach to internet crimes committed against your firm and your clients.

Read more about these policies and how to protect your firm >

Hackers can do a lot of damage. Firms must be diligent in their efforts to prevent attacks. Help safeguard your clients' assets, sensitive information, and ultimately the reputation you've worked hard to build by shoring up your defenses against cyberattacks and the tricks of social engineering.

What you can do next

Related resources

(1224-2JKB)

Read more about Schwab's privacy policy.

The above mentioned firms and their employees are not affiliated with or employees of Schwab unless otherwise noted. Mention should not be construed as a recommendation, endorsement of, or sponsorship by Schwab. The views expressed are those of the third party and are provided for information purposes only. Experiences expressed are no guarantee of future performance or success and may not be representative of you or your experience.

Schwab does not provide investment planning, legal, regulatory, tax, or compliance advice. Consult professionals in these fields to address your specific circumstances.

Third party trademarks are the property of their respective owners and used with permission. Third party firms and their employees are not affiliated with or an employee of Schwab.

Schwab Advisor Services™ provides custody, trading, and the support services of Charles Schwab & Co., Inc. ("Schwab"), member SIPC, to independent investment advisors and Charles Schwab Investment Management, Inc. ("CSIM"). Independent investment advisors are not owned by, affiliated with, or supervised by Schwab.

© 2025 Charles Schwab & Co., Inc. ("Schwab") All rights reserved. Member SIPC.