Face it folks, there are many people from many countries that want your money and or want your information. These same people have all of the time in the world to become very talented at hacking into your computer. We pay for varying services to protect us. And the hackers spend their time working around the firewalls, spyware, malware and other pieces of software designed to protect our information and our money.
Very recently I received an email from a long time customer. The email came from his usual email address, therefore nothing seemed suspicious. He requested an IRA distribution form. This client is in his seventies and the request was not out of the ordinary. I sent a blank IRA distribution form and it was returned promptly. The form had his account number, address, and social security number.
First red flag was the distribution request was substantially more than what he had in his IRA. The second red flag was the funds were to be wired to a bank in Virginia. My client lives in Texas. I promptly called my client and he carefully explained that he had not sent any emails nor any IRA distribution requests to me.
I contacted my I.T. company to have them him check out my server and my system to be sure we were not compromised on our end. I also contacted my consultant, for compliance purposes since we are a broker dealer, to make sure I took appropriate steps to document and contact the proper authorities.
We do have a written Cyber Security policy for our firm. I quickly thumbed through it. And proceeded to file a report with the F.B.I. There is an online portal for such purposes.
Later that evening my I.T. company had determined that our computer system had not been hacked. And my client’s email must have been hacked. Unfortunate for my client. Very relieving for me.
If our firm’s system is ever hacked, we must notify all of our clients of the breech. That would be devastating for our firm. I am sure you will agree security is of great importance when one is entrusting us with their investments.
The following day I contacted one of my banking friends to find out what department of the bank I should call. I wanted to make contact with the bank that was to receive the wire. He told me the B.S.A. Compliance Department or Fraud Department. B.S.A. stands for the Bank Secrecy Act.
I did contact the bank and gave them the account number so they would know fraudulent activity was being operated through the account.
I could have contacted the local police, but after reading the website I determined the online report forms did not fit the occurrence and would create more questions than answers.
I also followed up with my client a number of times and he had his I.T. firm work on his end. And at the end of the day we stopped the potential theft from ever happening.
A different occurrence.
A couple of years ago another client told me of an attempt at his firm. The hackers had to have been observing and reading the firms emails for quite some time. This attack was very well thought out. The hackers knew the names of the correct executives and their job functions and the employees in accounts payable.
One day a request for a wire of funds was sent to an employee in accounts payable. The wire request was in excess of $300,000. The amount was a little high but not completely out of the ordinary for this firm.
The employee was one keystroke from sending the wire and decided to ask the controller of the firm if it was legitimate. My client, the controller, looked into the request further. He made a phone call or two and verified the request was not valid.
They dodged a large bullet that day.
Thereafter, the firm has instituted more layers of review before wires of such size are sent out.
Procedures, procedures, procedures.
After mine and my clients scare last week, we are instituting additional layers of procedures as well. We cannot be careful enough. There are many people out there who want our money and our information.
Be careful out there.
Corey N. Callaway
Investment Advisor Representative