Don't get hooked: Phishing prevention tips for RIA firms

Guard your firm against phishing scams with 10 practices that every employee should know.

Key Points

  • The threat of phishing scams has risen dramatically as more advisors work remotely and use multiple devices.

  • Scammers can use email, text, and social media messages to compromise your network and steal sensitive personal and financial information.

  • Protecting your firm against phishing involves technology, policies, and employee training. 

As phishing scams become more sophisticated, financial advisors and their clients are increasingly susceptible to this common cybercrime. In fact, financial firms reported 27.7% of all cases of phishing attacks, more than any other type of business. Overall, phishing attacks have increased significantly and were the top reported cybercrime in 2022, 10 times the number reported in 2018.[1]

Many Registered Investment Advisor (RIA) firms are taking steps to address phishing and other cybersecurity risks. Schwab's RIA Benchmarking Study found that 97% of firms offer employee cybersecurity training and 94% conduct network monitoring. However, only 67% have written cybersecurity policies and procedures and 57% offer client education.[2]

Spotting a phishing attack takes a keen eye and vigilance, but anyone can do it. Here's what to look out for.

What is phishing and how does it happen?

Phishing involves criminals posing as a person or an organization you trust so that they can get their hands on usernames, passwords, Social Security numbers, credit card details, account numbers, or other sensitive private information. They try to trick you into downloading malicious software (called malware) or sharing sensitive data by using every form of communication imaginable including email, phone calls, texts, social media messages, advertisements, and websites.

Phishing scammers typically use the information they steal to commit identity theft or fraud, or to demand a ransom from business owners. A scam may take days, weeks, or even months to complete. Some fraudsters don't even use the information themselves but instead sell it to other cybercriminals.

10 tips to prevent phishing

Phishing attempts are often easy to see if you know where to look. Start with these 10 tips to avoid getting caught in a phishing net.

  1. Limit personal email. Personal email accounts are more susceptible to hacking and may not be as secure as corporate emails. For employees working from home, consider requiring them to use company-issued devices to keep personal accounts separate from firm business.
  2. Spot dangerous clicks. Urge employees not to click on links or attachments within emails and texts when the sender is unfamiliar. Instead, they should hover over links to view the actual URL. Avoid any website address beginning with "http://" rather than "https://"; the plain-http form means the connection is unencrypted and can be a sign that the site is fraudulent or spoofed. Look instead for addresses beginning with "https://", which indicates the connection to the site is encrypted (though not, by itself, that the site is legitimate).
  3. Turn on two-factor authentication. Two-factor authentication requires users to enter a code sent to another device, in addition to providing a username and password. This can keep systems secure even if someone were to compromise your login information.
  4. Always verify. Double-check email requests for asset transfers, new account details, or other financial transactions by meeting with clients in person, by video, or over the phone.
  5. Check email addresses. Compare the domain name in the sender's email address to verify that it matches the expected domain. For example, be suspicious of an address that ends in "schwad.com" rather than "schwab.com."
  6. Strengthen your walls. Consider adding anti-phishing software to your firm's email system and make sure security programs such as firewalls, antivirus protection, and malware detection are up to date with the latest versions.
  7. Type in URLs rather than clicking. Do not enter your username and password on any web page that you've reached by clicking a link in an email or by copying and pasting an address into your browser. Instead, type the trusted website address directly into your browser and log in to your account as usual.
  8. Check settings. Have employees check their email accounts regularly to look for any unauthorized rules (such as "Forward to" or "Redirect to") or deleted emails that could be an indication that their email was hacked.
  9. Send securely. Require employees to transmit non-public information (NPI) via virtual private networks (VPNs) or encrypted file-sharing programs rather than by email.
  10. Test everyone. Provide cybersecurity training for your team and conduct simulated phishing attempts to test your employees' security awareness and susceptibility to scams. Several vendors offer services that will send fake phishing emails to your employees and provide an analysis of the results. This information can help you develop additional training to address areas where your employees or systems may be vulnerable.
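Tips 2 and 5 are easy to turn into an automated first pass over incoming mail. The Python below is an added example, not part of the original article: it flags sender domains within one edit of a trusted domain (the "schwad.com" versus "schwab.com" case) and any plain-http links in the body. The trusted-domain list, the firm name "examplefirm.com", and the sample message are constructed for the example.

```python
import re

# Constructed example: the domains this hypothetical firm treats as trusted senders.
TRUSTED_DOMAINS = {"schwab.com", "examplefirm.com"}

def edit_distance(a, b):
    """Levenshtein distance: single-character edits needed to turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def sender_domain(address):
    """Domain part of a From header such as 'Ops Team <wires@schwad.com>'."""
    match = re.search(r"@([\w.-]+)", address)
    return match.group(1).lower() if match else ""

def lookalike_domain(domain, max_distance=1):
    """Trusted domain that `domain` imitates within max_distance edits, else None.
    One edit catches swaps like schwad.com; tricks such as 'rn' for 'm' or
    homoglyphs need a larger distance or a confusables table."""
    if domain in TRUSTED_DOMAINS:
        return None
    for trusted in TRUSTED_DOMAINS:
        if edit_distance(domain, trusted) <= max_distance:
            return trusted
    return None

def insecure_links(body):
    """Links using plain http:// rather than https:// (tip 2)."""
    return re.findall(r"\bhttp://[^\s\"'<>]+", body)

def triage(sender, body):
    """Warning signs from tips 2 and 5 for one message; an empty list means none."""
    findings = []
    domain = sender_domain(sender)
    imitated = lookalike_domain(domain)
    if imitated:
        findings.append(f"sender domain {domain!r} resembles trusted {imitated!r}")
    for url in insecure_links(body):
        findings.append(f"plain-http link: {url}")
    return findings

# Constructed sample message (not a real email).
print(triage("Ops Team <wires@schwad.com>",
             "Please confirm the wire at http://schwad.com/confirm before 5pm."))
```

A match here is a prompt for the verification step in tip 4, not proof of fraud; a legitimate partner domain that happens to be one letter away from a trusted one should be added to the trusted set.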

Case study: Phishing scheme baits an advisor

What happened?

An employee of an advisory firm received a phishing email with an attached file. Clicking the attachment enabled malware to be installed on the employee's computer and gave the criminal access to the employee's email account. As a result:

  • Phishing emails were sent to all the employee's contacts
  • Auto-forwarding rules were added, sending blind copies of emails to an external email account
  • Some of the forwarded emails included files containing clients' NPI
  • The fraudster sent additional phishing emails to clients from the employee's email address to compromise client accounts

How was the fraud detected?

One of the phishing email recipients, a fellow wealth manager, recognized the signs of a suspicious email and contacted the breached firm, sharing that they had experienced a similar attack. This wealth manager suggested that the breached firm check for email auto-forwarding rules set up by a fraudster. The breached firm identified several unauthorized emails and ultimately contained the phishing incident, although the perpetrator did intercept some intra-firm emails that included NPI. By contacting affected clients and taking steps to protect their accounts, the breached firm avoided more serious fallout from the event.
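The auto-forwarding rules in this case study, and the unauthorized rules and deleted mail in tip 8, are what a periodic mailbox-rule audit looks for. The Python below is an added example, not code from the article or from any mail vendor: it takes rules in a simple exported shape (name, action, target, enabled) and flags enabled rules that forward or redirect outside the firm's domain or that delete mail automatically. The firm domain "examplefirm.com", the action names, and the sample rules are constructed for the example.

```python
FIRM_DOMAIN = "examplefirm.com"   # constructed: the firm's own mail domain

# Actions that send a copy elsewhere or remove mail before the owner sees it.
FORWARDING_ACTIONS = {"forward", "forward_as_attachment", "redirect"}
DELETING_ACTIONS = {"delete", "move_to_deleted"}

def is_external(address, firm_domain=FIRM_DOMAIN):
    """True if the address is outside the firm's own domain."""
    return "@" in address and address.rsplit("@", 1)[1].lower() != firm_domain.lower()

def suspicious_rules(rules, firm_domain=FIRM_DOMAIN):
    """Return (rule name, reason) pairs for enabled rules worth a human review:
    forwards/redirects to an external address (the case study's blind copies) and
    rules that delete mail automatically (tip 8's unexplained missing emails)."""
    flagged = []
    for rule in rules:
        if not rule.get("enabled", True):
            continue
        action, target = rule["action"], rule.get("target", "")
        if action in FORWARDING_ACTIONS and is_external(target, firm_domain):
            flagged.append((rule["name"], f"{action} to external address {target}"))
        elif action in DELETING_ACTIONS:
            flagged.append((rule["name"], "deletes incoming mail automatically"))
    return flagged

# Constructed sample: rules in the shape an admin might export from a mail system.
SAMPLE_RULES = [
    {"name": "Newsletters", "action": "move", "target": "Archive", "enabled": True},
    {"name": "Quarterly sync", "action": "forward",
     "target": "ops.backup@mail-relay.example", "enabled": True},
    {"name": "Team copy", "action": "redirect",
     "target": "compliance@examplefirm.com", "enabled": True},
    {"name": "Cleanup", "action": "delete", "target": "", "enabled": True},
    {"name": "Old", "action": "forward", "target": "me@example.org", "enabled": False},
]

if __name__ == "__main__":
    for name, reason in suspicious_rules(SAMPLE_RULES):
        print(f"REVIEW: rule {name!r}: {reason}")
```

Internal redirects are left unflagged here because they are common in legitimate team setups; a stricter audit can compare every rule against a list the employee approved.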

Know it when you see it

Phishing relies on volume. Scammers cast a wide net hoping to catch a few big fish. This means they typically use well-known techniques that can be redeployed easily. This is to your advantage. With the right training and technology, you and your firm can catch a phishing attack before it's too late and keep your firm secure.


1. 2024 Phishing Facts and Statistics, Identitytheft.org, https://identitytheft.org/attacks/phishing/statistics/ 

2. Results for all firms with $250 million or more in AUM from the 2024 RIA Benchmarking Study from Charles Schwab.

About the 2024 RIA Benchmarking Study from Charles Schwab
Schwab designed the RIA Benchmarking Study to capture insights in the RIA industry based on survey responses from individual firms. The 2024 study provides information on topics such as asset and revenue growth, sources of new clients, products and pricing, staffing, compensation, marketing, technology, and financial performance. Since the inception of the study in 2006, more than 4,800 firms have participated, with many repeat participants. Fielded from January to March 2024, the study contains self-reported data from 1,304 firms that custody their assets with Schwab and represents $2 trillion in assets under management, making this the leading study in the RIA industry. Schwab did not independently verify or validate the self-reported information. Participant firms represent various sizes and business models. They are categorized into peer groups by AUM size. The study is part of Schwab Business Consulting and Education, a practice management offering for RIAs. Grounded in the best practices of leading independent advisory firms, Business Consulting and Education provides insight, guidance, tools, and resources to help RIAs strategically manage and grow their firms.

Past performance is not an indicator of future results. 

For general informational and educational purposes only.