The internet can be a scary place. Lurking in the shadows behind cute cat videos and sports scores are hackers, fraudsters, and thieves. They are probing for access, looking for vulnerability, and hunting for victims. Their crimes range from massive thefts of private information to remarkably personal scams perpetrated against unsuspecting consumers. The techniques of nefarious internet thieves become more sophisticated and more targeted as time passes.
In the interest of protecting our clients and friends from potential harm, we are passing along information about some current internet scams and how to best protect against them.
Internet phishing is the act of dangling bait in front of unsuspecting prey. The bait tends to be links to websites or files that appear to be legitimate, but are in fact pathways to invasions of privacy, password theft, or computer viruses. Sophisticated hackers dangle bait in the form of emails expertly designed to mimic those sent by legitimate companies – Citibank, PayPal, Amazon, etc. But the links within the email take the user either to websites designed to infect the user’s PC with a virus or a fake site designed to trick the user into entering personal information.
Lately, we (and others) have seen emails with PDF or ZIP file attachments that appear to be from trusted users – Delta Airlines, The Royal Bank of Scotland, and even Century Wealth Management. On the surface, these emails look legitimate. They appear to contain important documents such as airline tickets or scanned files for review, but in reality they are attempts to get the recipient to click open a file that will likely wreak havoc on their PC. We even saw instances where emails were being sent as if they originated from a multi-function printer (Xerox.Device2@centurywealth.com) in our office.
When we became aware of this Phishing attempt that piggybacked on our web address, we immediately scanned our network and PCs for viruses and malicious programs. We found none. Upon further research, we found this to be a widespread problem without a solution.
When an email like this is sent from a forged return-path email address, it is the email equivalent of using a fake return address on a letter sent through the U.S. Mail. And just as no one can be prevented from writing 1600 Pennsylvania Ave. as the return address on a letter, no one can be prevented from putting Bill@Microsoft.com as the forged “from” address in an email about Canadian Viagra.
Ultimately, consumers must be vigilant about the emails they receive, the files they open and the links they click. Here are some tips to follow:
There has been a steady stream of stories from investment custodians such as Charles Schwab, Fidelity and TD Ameritrade regarding a unique brand of wire fraud that exemplifies the length to which fraudsters will go to perpetrate a crime.
The story always begins with a hacked email account (gmail, yahoo, etc) - usually resulting from a guessable password or maliciously installed keyboard logging software. With complete access to a compromised email account, the fraudster searches for emails to and from financial advisors or bankers. Once they find enough detail - names, accounts, historical transactions, and examples of previous requests – the fraudster crafts a new email to the financial advisor requesting a wire transfer to a third-party. The need for cash is immediate. The tone of the request is familiar but urgent. The sender is unreachable for the rest of the day. Here are the wire instructions. Make it happen.
In our business, when a client says “make it happen” we do just that, which is exactly the type of excellent client service response the fraudsters are counting on.
The interesting part is the length to which the fraudsters go to perpetrate this hoax. Not only do they hack an email account, but they craft an intelligent, customized request that appears to be from the client. The email may reference a real estate purchase in a vacation town the client recently visited. The fraudsters then monitor the account and respond to any replies until the wire is sent to an unrelated third party, and the funds are lost forever.
Thankfully, the custodians and banks are being vigilant in the protection of your assets. They have modified their own policies and procedures to require verbal authorization in any situation that has the potential to be fraudulent. This results in a bit more hassle from time to time, but it is well worth the protection.
Century Wealth Management’s response has also been to review and modify our internal policies and procedures. They now compliment the best practices of the various institutions we use to custody client assets. In any instance when a client is requesting a transfer of funds to an account with which we are not familiar, we will require verbal authorization as well. Our intention is to provide excellent, fraud-free, customer service.
This scam highlights the need for long, complex and secure passwords. This is a soapbox issue for us. Everyone needs to learn and maintain good password hygiene. The stakes are too high. There are several tricks of the trade that can make managing passwords easier:
This article from Wired Magazine provides additional tips on password creation. This page from Consumer Reports has a wealth of information regarding internet security.