Three New Cyber Threats - September Edition

1. Callback Phishing

New tactic for getting WMs to download malware

Callback phishing is the latest email scam designed to get wealth managers to infect their systems with malware. It begins with an innocuous email inquiry from a prospective client who is looking for a wealth manager and asks that someone at the firm call them. The caller is greeted by an articulate person who offers to send over information about themselves to see if they might be a good fit with the advisory firm. However, the email attachment that follows includes malware. If the employee clicks on the attached file, it will infect the firm’s systems.

Wealth management firm employees must do their homework before responding to such inquiries, much less before opening a file sent by them. Only rarely does anyone call in asking to provide information to see if they might be a good client. Preventing this kind of breach requires educating all employees about this new, widely used scam.

 

2. Synthetic Identity Fraud

Using unprotected client personally identifiable information (PII) to fraudulently borrow money

Cybercriminals regularly look for unprotected client PII so they can apply for online loans and credit cards using someone else’s identity. The criminals most often target potential auto loans, followed by bank credit cards, retail credit cards, and unsecured personal loans.

Unfortunately, wealth managers hold immense amounts of client PII. Per Regulation S-ID, they are liable if it is stolen, whether online or by vendors (such as cleaning staff) from their offices. All WM employees need to be educated on never leaving such information out or unsecured.

 

3. Password Spraying

Weak passwords threaten wealth manager networks

Cybercriminals are now conducting “brute force attacks” that attempt to log in to administrative accounts by using a limited number of commonly used passwords. Although employees are regularly told to use unique, random passwords, inevitably one person will instead use something easy to remember. Studies have shown that there are about one hundred such types of passwords that are commonly used. Once in, the cybercriminals quickly change the privileges associated with the breached user and then move laterally within the network and steal key data or client assets.

Strong password standards are essential to preventing this from happening. Wealth managers need to regularly review what passwords employees are using and whether they are strong enough to prevent brute force attacks.
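For firms that collect login records, the pattern described above (a few common passwords tried against many accounts) can be detected in those records. The following is an added example, not part of the original article; the log format, the thresholds, and the sample lines are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log: timestamp, source IP, account, result.
SAMPLE_LOG = """\
2024-09-03T09:00:05 203.0.113.7 admin FAIL
2024-09-03T09:01:10 203.0.113.7 jsmith FAIL
2024-09-03T09:02:12 203.0.113.7 mlee FAIL
2024-09-03T09:03:15 203.0.113.7 it-support FAIL
2024-09-03T09:04:20 203.0.113.7 backup FAIL
2024-09-03T09:05:25 203.0.113.7 reception FAIL
2024-09-03T09:20:00 203.0.113.7 admin FAIL
2024-09-03T09:21:00 203.0.113.7 reception SUCCESS
2024-09-03T09:10:00 198.51.100.20 admin FAIL
2024-09-03T09:10:02 198.51.100.20 admin FAIL
2024-09-03T09:10:04 198.51.100.20 admin FAIL
2024-09-03T09:15:00 192.0.2.15 jsmith FAIL
2024-09-03T09:15:30 192.0.2.15 jsmith SUCCESS
"""

def detect_spraying(log, window=timedelta(minutes=30), min_accounts=5, max_per_account=3):
    """Flag sources that fail logins on many accounts with few tries per account."""
    by_source = defaultdict(list)
    for line in log.strip().splitlines():
        ts, src, user, result = line.split()
        by_source[src].append((datetime.fromisoformat(ts), user, result))
    findings = {}
    for src, events in by_source.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1  # slide the time window forward
            fails = defaultdict(int)
            for _, user, result in events[start:end + 1]:
                if result == "FAIL":
                    fails[user] += 1
            if len(fails) >= min_accounts and max(fails.values()) <= max_per_account:
                # A success after a failure from a flagged source needs review.
                failed, hits = set(), set()
                for _, user, result in events:
                    if result == "FAIL":
                        failed.add(user)
                    elif user in failed:
                        hits.add(user)
                findings[src] = {"targeted": sorted(failed), "review": sorted(hits)}
                break
    return findings
```

Repeated failures against a single account (the second source in the sample) and one employee mistyping a password (the third) are not flagged; only the source that touches many accounts is.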
