Careful out there

Eric Franklin
Oct 27, 2025

Cyber-crime is increasing in targeting and sophistication.
Hi everyone. We live in extraordinary times.
As I have attended conferences the last couple of years, I have spoken with vendors offering various cyber-security solutions for both advisors and clients.
These seem so easy to dismiss. After all, our advisors largely came out of tech positions, as do our clients.
While it is somewhat easy to picture “grandma” getting bamboozled by a smooth-talker on the phone, surely our clients wouldn’t be susceptible, right?
Wrong.
One of our most sophisticated clients was recently the victim of a highly targeted and sophisticated attack that has taken weeks to recover from. We are incredibly lucky that Fidelity, our custodian, threw a flag that allowed us to stop an attempted wire transfer of assets out of their accounts.
While the financial fallout was contained, that client has had to change their authentication credentials (their entire password file was obtained in the hack), had their accounts frozen for weeks, been issued new account numbers at Fidelity (requiring reconfiguration of asset strategies), and additionally responded to a long list of security requirements to get things back up and running. This client happens to be in retirement, so the assets being frozen and unavailable has created significant challenges to their monthly living expenses.
So what happened?
As many of these things do, this started with a socially engineered attack. The client received an email from a former colleague indicating that there was going to be a surprise party for a mutual friend they hadn't seen in a while and to expect that invitation.
Soon thereafter, an invitation from a well-known online event site did arrive. While something looked “off” in that email, our client chalked it up to the lack of sophistication of their former colleagues. After all, these former colleagues were from a non-profit volunteer organization, not from tech.
One errant click was all it took to get this started. Our client saw a terminal window launch and execute something on their laptop.
Our client knew they’d misstepped immediately. They ran virus checks on their machine. If malware was installed, they were going to find it.
The virus checks came back all clean.
The problem here was that the program that had been installed was not malware. It was a legitimate piece of remote management software. Our client mistakenly gave a remote unknown person full access to their computer, and that person immediately got to work accessing the password program file (which was temporarily unlocked on the client’s machine) and searching for entry points into key financial services.
When the client saw the mouse on their computer moving without their input, that’s when they knew someone was in there. They erased the machine and started fresh, cutting off access.
The intruder, however, immediately went to Fidelity, logged in as the client, and submitted two small wire transfers that they probably thought would fall under a threshold that would not raise alarms. Luckily for all of us, I’m guessing that Fidelity saw a new destination and a new IP address as being a warning flag, regardless of transfer size, and reached out to validate the transfers. (Incidentally, if the client had not realized this, it is possible that the hackers might have been able to request these transfers from the client’s own IP address and been successful. That’s scary.)
Of course, the client indicated that these transfers did not belong to them, and so Fidelity shut it down and we have a relatively happy ending to this story.
What’s new here? Why is this an issue now?
AI.
Seriously.
Even in the financial advisory space, some of the tech that’s available as commercial software is pretty frightening. I recently received a demo of “prospecting software” where I can define what sorts of clients I am looking for and the software can go and sift through tens of millions of fully built-out US consumer profiles to find matches. These profiles are built from your public social data, but in many cases, they also include cookie data (e.g. data you would expect to be private) that shows sites visited and even search queries.
From there, this software can then craft personal campaigns finding commonalities in your social graph, work history, etc. and create targeted personalized outreach without you having to do it yourself. Eek!
So if that’s what can be done with commercial software, imagine what hackers with no scruples are creating. You may think that your data is distributed all over the web and nobody will put all those bits together to target you.
You are wrong. You are not anonymous and you are not invisible. You are a target.
What can you do?
Full disclosure. None of this is fail-safe. These are just some best practices that can help.
Be vigilant. The whole purpose of writing this post is to increase your “spidey-sense” of what is possible and what is happening to people. If you take 1 or 2 seconds to “think before you click,” that will be a huge help.
Enable 2-factor authentication everywhere you can. It may seem like a hassle but it’s 100% necessary. Our internal policies at Prospero Wealth require every advisor to use 2FA wherever available. Use non-SMS 2-factor authentication when possible. SMS can still be SIM card spoofed by a determined party. Can you imagine somebody having your cell phone and password file?
Use a password program. You CANNOT use the same password across sites, or small variations of your password. Use a program like 1Password or LastPass. While this does not protect against the entry point experienced by our client, it protects against poor security practices at the companies you work with and minimizes the impact of data that may be on the dark web.
Scrutinize the domain names of emails. If the domain of the mail is not a DIRECT match to the company purporting to send it, do not click. Sometimes you might need to expand the email headers to see where it actually comes from (hackers like to make the reply-to email legitimate but the actual domain it was sent from be fraudulent).
When in doubt, go directly to the source site rather than clicking on email or SMS messages. I promise you, if Coinbase has a problem with your account, you’re better off going to Coinbase.com to check things out rather than replying to a weird text or email.
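The domain check described above can be done mechanically on a message's raw headers. The following is an added example, not part of the original post: the function names, finding labels and the `.example` domains in the sample messages are constructed for illustration.

```python
"""Added example: compare the sending domain in raw e-mail headers to the expected one."""
from email import message_from_string
from email.utils import parseaddr


def domain_of(header_value):
    """Return the lower-cased domain of the address in a header value, or ''."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower().rstrip(".") if "@" in addr else ""


def check_sender(raw_message, expected_domains):
    """Return a list of findings; an empty list means the sender headers are consistent."""
    msg = message_from_string(raw_message)
    expected = {d.lower() for d in expected_domains}
    findings = []

    from_dom = domain_of(msg.get("From"))
    if not from_dom:
        findings.append("no-sender-address")
    elif from_dom not in expected:
        # "Direct match" is exact: eventsite-mail.example is not eventsite.example.
        findings.append("from-domain-mismatch")

    # Punycode labels can render as look-alike characters in a mail client.
    if any(label.startswith("xn--") for label in from_dom.split(".")):
        findings.append("punycode-sender-domain")

    # The pattern from the post: a legitimate-looking Reply-To on a message
    # that was actually sent from a different domain.
    reply_dom = domain_of(msg.get("Reply-To"))
    if reply_dom and reply_dom != from_dom:
        findings.append("reply-to-differs-from-sender")

    return findings


# Constructed sample messages (not real mail).
SUSPICIOUS = """\
From: "Event Site Invitations" <invite@eventsite-mail.example>
Reply-To: support@eventsite.example
Subject: You're invited to a surprise party!

Click to view your invitation.
"""

LEGITIMATE = """\
From: "Event Site" <invite@eventsite.example>
Reply-To: invite@eventsite.example
Subject: You're invited!

View your invitation on our site.
"""

if __name__ == "__main__":
    for name, raw in (("suspicious", SUSPICIOUS), ("legitimate", LEGITIMATE)):
        print(name, check_sender(raw, {"eventsite.example"}))
```

A clean result here is not proof of authenticity, because the From header itself can be forged; treat this as a complement to the mail provider's own SPF, DKIM and DMARC verdict.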
What can Prospero Wealth do?
We already have a full cybersecurity policy that we review and update annually. We are also required to have all of our advisors educated on the policies annually. We don’t use full account numbers in our correspondence and we request all of our clients use secure file share when sharing documents with us (as opposed to using email or SMS).
We will be continuing to investigate new cybersecurity offerings in the advisory space for both our advisors and clients.

7724 35th Ave NE #15170
Seattle, WA 98115-9955
(971) 716-1991
hello@prosperowealth.com
Prospero Wealth, LLC (“PW”) is a registered investment advisor offering advisory services in the States of Washington, Oregon, and California and in other jurisdictions where exempted. We are conditionally registered in Texas.
© Prospero Wealth 2025. All rights reserved.
