Financial Fraud: Savvy Investors Aren't Immune

MIKE TOWNSEND: I have always loved a good heist movie. The entire Ocean's Eleven series. The Italian Job. The Thomas Crown Affair. The Sting. A clever robbery, the matching of wits between the perpetrator and someone trying to unravel the crime, a tidy ending.

But today's heists don't involve temporarily disabling the motion detectors while the criminal rappels down an elevator shaft, and the criminals are not stealing from some faceless bank, or another criminal, or an uber wealthy individual. Instead, today's crimes often involve a guy sitting in his basement with a computer in a country 10 time zones away, insidiously trying to get you and me―regular folks―to transfer them $500, or a $1,000, or tens of thousands of dollars.

Today, financial fraud is everywhere. And I still find myself fascinated by the stories. I recently read a crazy one where the writer was scammed out of $30,000, supposedly by the guy who was going to build him a swimming pool―only it turned out that a criminal was impersonating the swimming pool builder, who wasn't even aware that someone had hacked his email account and was pretending to be him.

I read these stories with this kind of dark fascination, wondering how people could possibly be so gullible, so trusting, so careless with their money. And probably like a lot of you, I think, "That will never be me."

But it's not true. It might very well be me someday. Or you, dear listener, because the level of sophistication of financial scammers, especially with the increasing use of artificial intelligence, is going up at an exponential pace. And none of us are immune.

Welcome to WashingtonWise, a podcast for investors from Charles Schwab. I'm your host, Mike Townsend, and on this show, our goal is to cut through the noise and confusion of the nation's capital and help investors figure out what's really worth paying attention to.

Coming up in just a few minutes, I am going to dig into the ever-changing landscape of financial fraud with DJ Johnson, managing director for financial crimes risk management here at Charles Schwab. I think you'll find this a really interesting conversation, as DJ and I discuss the latest kinds of scams and smart steps we can all take to help ensure that we don't become victims.

But first, a quick look at some of the issues making headlines right now here in Washington.

Topping the list is the latest scramble on Capitol Hill to avert a government shutdown. New House Speaker Mike Johnson finds himself squarely on the hot seat just three weeks into his Speakership as he tries to avoid a government shutdown on November 17. He announced a two-tiered approach last weekend, which would extend funding for some federal agencies until mid-January and funding for the rest of the government through early February. It's an unusual approach that some on Capitol Hill find unnecessarily complicated. But Johnson did not include any controversial policy provisions or spending cuts in the proposal in order to attract some Democrats. And he did not include emergency aid for Israel, Ukraine, or border security in the package, something that probably won him some Republican support, since Republicans would prefer separate debates on those requests. A straight extension of funding until early 2024 is the likely back-up plan.

This all continues to be a very fluid situation, but there is one powerful driving force that has been pushing a grudging Congress toward a deal: the Thanksgiving holiday. No one wants to be here in Washington next week.

As I record this mid-week, nothing was certain, but the growing consensus is that the real fight over government spending―and the risk of a government shutdown―will be pushed to early 2024.

Elsewhere, President Biden met Wednesday with Chinese President Xi Jinping on the sidelines of this week's Asia-Pacific Economic Cooperation conference in San Francisco. It was the first direct communication between the two leaders in exactly a year, since a November 14, 2022, meeting in Indonesia during last year's Group of 20 summit. Since then, relations between the two countries hit a new low when a Chinese spy balloon floated across the United States in early 2023 before being shot down by the U.S. Air Force.

But in recent months, there's been a slow but persistent movement towards a thawing of U.S.-China relations. A parade of senior U.S. diplomats have been to Beijing to lay the groundwork for a Biden-Xi meeting, including Secretary of State Antony Blinken, Defense Secretary Lloyd Austin, Commerce Secretary Gina Raimondo, and Treasury Secretary Janet Yellen.

This week's meeting yielded few dramatic breakthroughs, but it was an important meeting, nevertheless. Biden and Xi discussed a host of issues, including Ukraine, Israel, and Taiwan, as well as economic and trade issues, including a discussion on artificial intelligence that could be an area where the two countries can build cooperation and trust.

Finally, even though the 2024 campaign has been underway for months, it feels like last week's off-year elections were kind of the official kick-off of the run to November 5 next year. While Democrats had a good night last week with key wins in states like Kentucky, Ohio, and Virginia, off-year elections are almost entirely focused on local issues. It can be tempting to try to extrapolate what they might mean for a national election next year, but they're rarely much of a predictor.

On the presidential front, South Carolina Senator Tim Scott surprised a lot of people last weekend when he announced that he was suspending his campaign. Scott had raised a lot of money and had campaigned tirelessly in Iowa, but he was never able to move his polling numbers out of the low single digits. Scott will continue to serve in the Senate―in fact, he is not up for re-election until 2028. And he's the top Republican on the Senate Banking Committee, which means he's in line to become chairman in 2025 if, as many analysts expect, Republicans recapture the Senate next November.

It will be interesting to see whether Scott leaving the race has any benefit for his South Carolina colleague, Nikki Haley, who has seen an uptick in her polling numbers over the last three months, though she still trails former President Trump by 30 or more points in national polls.

Recapturing the Senate became significantly easier for Republicans last week, when Democratic Senator Joe Manchin of West Virginia announced he would not be running for re-election. Manchin has always been a bit of an electoral outlier, a moderate Democrat representing a ruby red state that gave former President Trump his second-largest margin of victory of any state in 2020. Manchin's seat is virtually certain to flip to the Republicans next year, with popular two-term Governor Jim Justice the most likely winner. That would mean Republicans would need to flip only one more Democrat-held seat in the Senate to recapture the majority. With extremely close races shaping up for Democrat seats in Ohio, Montana, Nevada, Pennsylvania, and Wisconsin, as well as the seat held by Independent Senator Kyrsten Sinema in Arizona, Republicans are confident that they will take back the Senate next year.

On my deeper dive today, I want to explore the world of fraud and scams that are, unfortunately, an all-too-common reality of today's globally interconnected financial world. To do that, I'm really pleased to welcome to the podcast DJ Johnson, who is the managing director for financial crimes risk management here at Charles Schwab. In that role, he is responsible for the firm's anti-money laundering, anti-bribery, cybercrime, and fraud prevention efforts. Prior to joining Schwab, he spent more than 25 years with the FBI, serving as a senior executive in the agency's Criminal, Cyber, Response, and Services Branch, overseeing worldwide investigations. He has unparalleled experience in understanding the ever-changing landscape of financial fraud and what can be done about it. So thanks so much for joining me, DJ.

DJ JOHNSON: Hey, super glad to be here, Mike. Thanks for having me.

MIKE: Well, let's begin with just getting your perspective on the scope of this problem. How much money is lost to financial fraud each year, and how many people are victimized?

DJ: Big scope and big losses. So I'll reference a couple of annual reports. 2022 is the latest complete annual reports that we have. The first is from the Federal Trade Commission. They reported 3.7 million fraud and identity theft reports, and about $8.8 billion in fraud losses in 2022. The FBI's Internet Crime Complaint Center, or IC3, received a little more than 800,000 reports of fraud, and estimated fraud losses were around $10.3 billion, so very significant. To bring you up to date, in 2023, the FTC is reporting year-to-date 2.6 million fraud and identity theft reports, 6.3 billion in fraud losses.

I'd like to provide some context around those numbers and note that generally when it comes to reporting fraud, we know people are not going to report every time they are victimized by a fraudster. And so I believe it's fair to say that these numbers are probably on the lower end of the range.

MIKE: That is absolutely a lot of money. But I'm guessing that while there are undoubtedly some very big scams, the bulk are likely thousands of smaller incidents, right?

DJ: Yeah. So the vast majority of fraud are isolated incidents. Average loss per report to the FTC is around $1,300. Phishing and imposter scams are the most prevalent.

Let me just take a minute and talk a little bit about phishing. I think most people are going to know what it is, but in the event not everybody does, phishing really is the practice of sending fraudulent communications that appear to come from a legitimate and reputable source, usually through email, text messaging. Typically, those emails will include an attachment or a link for folks to click on. The attacker's goal really is to steal money, gain access to sensitive data and login information, or to install malware, or malicious software, on the victim's device.

Let me talk a little bit about imposter fraud here. So there are a couple of different variants of imposter fraud that I'd like to highlight here. The first is where the fraudster impersonates the customer to obtain information. So an example of this is where the fraudster calls a financial institution call center and impersonates a customer to collect or change data. Another example is where a fraudster will call a financial institution call center and impersonate the customer to initiate or complete a financial transaction.

Investment scams are the costliest version of fraudulent schemes, per the Federal Trade Commission and IC3. The average loss there is about $5,000. In this type of scam or fraud, the bad actor presents themselves as investment brokers and convince customers to send money, typically by wire, for phony or illegal investments that offer high and/or guaranteed rates of return.

Cryptocurrency investment scams are very popular these days. Why? A couple of different reasons. One is, I don't think a lot of people truly understand a lot about cryptocurrency, and the bad actors know that it is an easy way for them to extract money from clients. And they know it's difficult or more difficult for law enforcement to trace and recover those funds.

MIKE: Well, let's talk about who are the targets here. Certainly, we read and hear a lot about elder fraud, in particular, where scammers prey on older people who perhaps aren't as technologically proficient, or who are more isolated and maybe don't hear much about scams, or don't have a family member that they can talk to and warn them off of something. But with the numbers you've cited, it must be a much wider group of people who are being scammed.

DJ: It is very wide, very broad. So individuals in the 30 to 39 age bracket, they account for the most reports to the IC3, and they account for about $1.3 billion in losses. However, seniors, those that are 60 and older, have fewer reports, but the losses are much more significant, $3.1 billion in 2022.

So, really, everyone is being scammed, but seniors are losing the most money, on average, per scam. And why is that the case? So going back to my FBI days, I'll quote the famous bank robber Willie Sutton. So when he was asked why he robbed banks, his response was, "That's where the money is." And that's where the money is today, too, with our senior population, as they hold the majority of financial assets in the United States.

I touched a little bit about phishing, the most common type of scam reported to the IC3. It covers all age groups due to the prevalence of emails and texts, and how many people use those particular communication techniques.

Older clients are more typically targeted by tech support or customer support scams more than any other age group. What we see here is that an imposter who is representing themselves as a tech support or customer support person will contact the victim and basically convince them that they need to fix something on their computer or provide a particular service to them. And when they are given access to the computer, the bad guys will either install malicious software, malware, or sometimes they'll even gain remote control access to the machine to glean whatever they can that would be of value to them.

Senior investors are quite often taken advantage due to their unfamiliarity with online banking and technology, and they also could be suffering from diminished financial capacity. So this population is so important to Schwab that we have developed a special team to investigate fraudulent activity involving our elderly clients. We believe that is absolutely the right thing to do to protect our clients here at Schwab.

MIKE: I absolutely agree with that. One of the things that's always fascinated me when I read stories about financial fraud, you know, a lot of the victims are quite sophisticated, and they're savvy people. They're sort of people that make you wonder how could they possibly have fallen for that. So why does that seem to happen so often?

DJ: A couple of different thoughts here and perspectives. So, first, the fraudsters will play on people's emotions, and many of these types of scams evoke a sense of urgency, which causes individuals to act quickly or impulsively. If a victim believes someone they care about is in trouble, such as in a grandparent scam, or they are personally in trouble with authorities, such as in a government impersonation scam, they're likely to provide payment, as opposed to risking the potential consequences. So I am a big fan of hitting the pause button. It's always a good idea if you think you're potentially being the victim of fraud.

The phishing scams I mentioned earlier, easy to fall for, as people are often distracted. They want to expedite a transaction or transfer, and, therefore, they don't always verify the request for information. It's common to receive requests from financial institutions and other businesses asking for information. So we ask our clients to be diligent in verifying any email, text, or phone call which requests personal information.

Second, bad actors are leveraging technology and constantly adapting and improving their craft. The complexity of the techniques and schemes has increased over time, and this makes it more difficult for victims to differentiate between a legitimate actor and a fraudster.

MIKE: You mentioned that these criminals are often evolving very quickly. You know, you talked about phishing. You talked about some of the other scams. Are there other kinds of fraud and scams that you're seeing most frequently right now? Like kind of what are the hot things that are going on right now?

DJ: In terms of channel across the industry, we see a lot of fraud around wire fraud. And those involve fraudulent wires that are sent due to a client's online credentials being compromised. We're also seeing a lot of fraud around certain payment platforms. I'll just highlight Zelle as one of those. They're becoming more popular for fraudsters because they're becoming more popular for clients and for individuals to use. It's easy, it's faster, and they've just become more popular over time.

With regard to scams, we've already talked about the computer and the technology scams, we see a lot of those. We continue to see a lot of romance and emergency scams. So in these types of situations, the fraudster tricks the victim into believing the parties have a relationship, so the victim will act. A lot of the information that is used to social engineer the victim may come from social media, like a networking or gaming or dating site. And the bad actors will typically present themselves as a U.S. citizen located overseas, or a U.S. military member deployed overseas, or a known or mutual connection in need. And what the bad actors do is they leverage the relationship to persuade the victim to send money, or provide sensitive information, or purchase something.

We talked a little bit about investment scams. Those continue to be very popular.

That's a good chunk of what we're seeing today.

MIKE: Well, DJ, I wanted to ask you about AI. Artificial intelligence has, obviously, exploded into the mainstream in 2023, with lots of people using ChatGPT and other types of tools. But that, of course, means that AI is starting to be used for nefarious purposes as well. My wife actually asked me recently about this ability of some scammers to use AI to make exact replicas of your voice just based on manipulating a recording of a few words you said somewhere. And as someone who has got like 100 podcasts out there in the ether, there's a lot of my voice that people can find. So my wife was not excited about that when she read something about this type of scam. But to what degree are you seeing artificial intelligence play an increasing role in financial fraud, and how are you thinking about combating that?

DJ: Super important topic these days, Mike, as you know. We're thinking about AI every day, all day long. It's one of those generational technology leaps that will really impact the world. And much good will come from it, and we also know that bad actors will try and leverage that technology, like you said, to do nefarious things.

To give you an example, shortly after the release of ChatGPT last year, cybersecurity experts found criminals discussing various ways to use that software to generate phishing emails and text messages to potentially scam victims, as well as have that program write scripts for malware, malicious software, as well as ransomware.

So very much a significant area of potential concern for financial institutions moving forward, in particular, looking at the use of AI to bypass voice biometric authentication, as well as the technology being used against clients to pose as family or friends to perpetrate scams.

Here at Schwab, we're continuously evaluating our security measures against any emerging threat, real or perceived, and AI is no exception. We also ask our clients to continue to employ the diligence that they do today, and have in the past, to verify emails, verify text, verify phone calls, and be on high alert due to this new technology being used for social engineering.

MIKE: DJ, as you know, one of the big challenges in this space, and you mentioned this earlier, is that victims are often reluctant to come forward, and often that's just because of embarrassment. But we also frequently hear that even when they do come forward, they have trouble getting anyone to pay attention to them, and the fraud department at their financial institution is maybe overwhelmed, local police don't have the resources, and while the FBI is interested in these scams, I think a of people feel like their scam, what they're a victim of, is probably too small for the FBI to bother with. So what should victims do? Who should they call?

DJ: Yeah, if someone believes they're a victim of a fraud or a scam, no loss is too insignificant. They just have to report it, right? And there are a couple of different places that I would recommend they report it.

So let's start with time is of the essence. There is no value in delay here. As soon as somebody feels like they might be the victim of a fraud, they got to report. If they're a Schwab client, and if they believe they have sent money from a Schwab account to a fraudster, then they should reach out to Schwab. Whether it's the 800 number or to an FC in a branch, just report it, please. The sooner we have the information, the sooner we can act, and the sooner, if money went outside of the firm, we can try and recover those funds. Timing is really, really important.

Reporting also should be made to law enforcement. Local law enforcement, should be contacted. Mike, you mentioned the FBI's IC3. Again, that is another place to report that information. What they do is they connect the dots, they analyze the information, and they aggregate that reporting, and they disseminate it to the appropriate agency or organization for further action.

And then a couple of other thoughts in terms of places to report is the Federal Trade Commission, or FTC; the attorney general's office in the state that a person resides; and then the U.S. Postal Inspection Service.

Now, I'm not advocating that individuals report to all of these agencies, but certainly if you're a Schwab client and you've sent money outside of Schwab, let Schwab know. Let your local police department know, and let the FBI know, at a minimum.

MIKE: Well, DJ, when someone calls you at Schwab, or calls the Schwab team, and reports the situation, how do you handle that? What does Schwab do? And, also, what is Schwab doing to prevent them from happening in the first place?

DJ: We take security very seriously here at Schwab, Mike, and as part of our commitment to that security, we're always updating our technology stack, updating our skillset of our people and our protocols to keep our clients personal and financial information safe.

Although I can't share the details of our security measures, here are a few ways we protect our clients. One, we're constantly monitoring the traffic coming into Schwab, and we're protecting and preventing access to that information as appropriate. We often use the analogy of the castle with a moat and fences, and that's the type of defense and depth and layered approach that we take to our security here at Schwab. A couple of other examples of these fences, if you will, or moats, would be encryption and risk-based security technology. Those all add to our security posture here.

And then behind all of that, we have a lot of different teams that are really focused on this particular issue. Just to highlight a few of them, our Fraud Risk Management Team is responsible for a series of controls to mitigate fraud risk, to protect our clients and the firm. They look to prevent fraud whenever possible. They identify potential fraudulent activity on our platform, and when they can, they stop that activity. And just to highlight something here, if somebody is calling into Schwab to send out a wire transfer or a transaction, and one of our employees pauses to ask questions, it goes back to that sense of urgency idea that I brought up earlier, right. We're hitting the pause button because we want to take a minute to make sure that you are who you say you are, and you have the authority and the ability to send those funds outside of Schwab. So  I know how those questions can be frustrating at times, but at the end of the day, we're just doing that to protect you, to protect our clients, and to protect our firm. So please be patient with us. It's super important.

Sort of adding onto the additional teams here, we have a team of fraud investigators who conduct investigations, recover funds, and file reports that we're required to file by our regulators. And as I mentioned previously, we have a dedicated team focused specifically on fraud related to our senior client base.

Let me wrap up by just highlighting the Schwab Security Guarantee here. So the Schwab Security Guarantee covers losses in any of your Schwab accounts due to unauthorized activity. And I would encourage all of our clients to visit schwab.com/schwabsafe to familiarize yourself with the terms and conditions that apply to that guarantee.

MIKE: Well, DJ, this is great. It's been really, really interesting to get this kind of in-depth look at how you battle these different and evolving scams. But I want to end by getting your thoughts on what we should all be doing to protect ourselves. You're obviously on the front lines of this fight at Schwab, so you see what's happening, and how quickly the bad guys are changing their game. What do you do to protect yourself?

DJ: I do a few pretty simple things that I feel are adequate to protect myself from a cybersecurity perspective. But before we get to those, let me just give you a couple of other highlights in terms of how I think about cybersecurity, and how I protect myself sort of generally from fraud.

So first and foremost, I view cybersecurity as a partnership. It is a collective effort. We all have roles to play and responsibilities to bear. We can't do it by ourselves.

Second, education is key. We've been chatting a little bit about how quickly fraudsters are adapting their tactics, how they leverage technology to employ more complex techniques to commit fraud. So staying abreast of technology enhancements and tactics and schemes is extremely important.

Third, we have some free tools for our clients to employ and protect themselves. And here are a couple of those that I use, as well.

Two-factor authentication. I highly recommend it to all our clients. After you enroll in two-factor authentication, every time you login, you'll be provided with a one-time password that you will also enter in that provides just additional protection to your accounts and makes life a lot more difficult for fraudsters.

I'd also recommend that clients set up security alerts. These allow you to receive notifications so you'll know immediately when activity occurs in your accounts. This is important because the faster you know, the faster you can report, and the faster we can take action if we need to protect your assets.

And a couple other things that are available to clients: You can sign up for voice ID and add a verbal password for additional layers of protection. And then I'm going to go back to really simple, good cyber hygiene techniques, super basic fundamentals here―start with utilizing unique and different passwords across different websites. I know that makes life a little bit more complicated, but a very valuable technique. Consider utilizing a password manager to manage your passwords. That just makes your life a lot easier. It makes my life a lot easier as someone with way too many passwords. And then I would say utilize quality antivirus software on all of your devices and install updates immediately.

So these are all super simple things I do, not that difficult to do, not expensive, most are free, and it's just a fundamental way for me to protect myself, and I think our clients should do the same. To find more information about these tips and techniques please visit schwab.com/schwabsafe. Let me repeat that one more time, schwab.com/schwabsafe.

MIKE: Well, that's great advice, very simple advice. I certainly confess, I'm one of those people who uses the same password on far too many websites, and I'm going to vow to change that based on this conversation. So, as you said, there's lots of things that we can do, and that's one to very easily protect ourselves. And, you know, it may come at the cost of a small, minor inconvenience, but, obviously, a small price to pay compared with what any of us stands to lose if we fall victim to one of these frauds.

So, DJ, really appreciate you sharing your perspective and making the time to be with me today.

DJ: My pleasure, Mike. Thanks for having me.

MIKE: That's DJ Johnson, Schwab's managing director for financial crimes risk management.

Well, that's all for this week's episode of WashingtonWise. We're going to take a little break for the Thanksgiving holiday, so we'll be back with a new episode on December 7. Take a moment now to follow the show in your listening app so you don't miss an episode. And if you like what you've heard, leave us a rating or a review—those really help new listeners discover the show.

For important disclosures, see the show notes or schwab.com/washingtonwise, where you can also find a transcript.

I'm Mike Townsend, and this has been WashingtonWise, a podcast for investors. Wherever you are, stay safe, stay healthy, have a very happy Thanksgiving, and keep investing wisely.