Most people with investments are smart enough not to fall for obvious and clumsy phishing attempts, but fraudsters are becoming increasingly sophisticated in their efforts to scam innocent investors. Their preferred modus operandi is to target personal email accounts, where people are at their most vulnerable. This is particularly prevalent in cases where investors don’t work in large corporates, given that many small businesses don’t have sophisticated online security measures in place and rely on easy-to-target cloud-based email services.
Not only are the syndicates smart and sophisticated, they’re also patient, willing to wait until they have built up a comprehensive profile on their victims. An investor may not even be aware their email has been hacked, allowing the fraudster the luxury of time to get information on their bank accounts and investment accounts and, more importantly, to work out with whom investors do business. They’ll know who their advisor is, how much is invested in which investment products, and they’re clever enough to know which products can be cashed in and which can’t. The fraudsters also gather personal information about investors, which they use to make their fraudulent interactions seem more plausible.
In some of the cases we have seen, they will wait to see a legitimate repurchase actioned between the investor and advisor; they will copy the emailed form without interrupting the transaction. In the meantime, they will have created a fraudulent email address and cell phone number and opened fraudulent bank accounts, which is unfortunately disconcertingly easy to do. They then put through a forged copy of the intercepted repurchase form and use the new bank account details, sometimes in conjunction with the ‘new’ email address or cell phone number.
They tend to know that investment providers occasionally phone to confirm instructions, and in the most sophisticated variation of this we’ve encountered, the syndicate would go so far as to imitate the investor’s voice. Sadly, because these fraudsters are so adept at their trade, fraudulent transactions can sometimes be successful and the chances of investors recovering lost funds are very slim.
So, what to do? We believe investors, their advisors and we as investment providers all have a role to play in combating fraud.
The investor needs to understand the importance of securing their emails. It is their responsibility to ensure they use a strong password on their email and regularly change it and, if they suspect they have been hacked, to secure their email again. It is also incumbent on them to be alert to and respond to notifications – in a recent instance in which an investor lost a substantial amount, they were in fact notified of the repurchase via SMS, but they didn’t act upon it.
For the advisor, it is about being vigilant and working in conjunction with us as the provider to make sure transactions are valid. Don’t make assumptions – look out for high-risk transactions, encourage secure online transactions wherever possible (rather than scanned paper forms) and verify email instructions with follow-up phone calls.
As an investment service provider, we also need to be vigilant, and we already monitor unusual and large transactions; we will contact both the advisor and their client if we note red flags. In addition, we do regular random checks and change the upper limit at which transactions are monitored every day to ensure no clear pattern emerges. Finally, we are continuing to develop our secure online transactional capability to ensure only the right person can see and approve transactions.
Without all parties collaborating, it would be difficult to turn the tide on these scams. After all, we are at our strongest when we work together.