Keeping your clients’ accounts safe against fraud
Fraudsters are becoming highly inventive in their campaigns, which means adviser businesses need to stay vigilant, says Alistair Wilson, head of Retail Platform Strategy, Zurich
As the world turns to digital, we all face the ever-increasing challenge of staying safe online. For advisers, this means being alert to the risk of fraud. Organised criminal gangs are at the forefront of attempts to take money from client investments, which could have a devastating impact on individuals and advisers.
Like anyone using the internet, clients are at risk of having their personal email accounts hacked, which can allow criminals to identify financial services firms with whom the customer has a relationship. This can lead to attempts to withdraw proceeds from client investments via advisers.
Fraudsters can attempt to communicate with adviser businesses by sending messages from the client’s genuine email account. The emails may contain instructions to change the client’s bank account details, with subsequent emails requesting that assets be encashed and the proceeds credited to the new bank account. Once the funds have been deposited, the money can be immediately withdrawn, making it harder to locate and retrieve.
Advisers need to stay alert to potential criminal activity. The language used in emails can help to identify a fraudulent instruction. If you receive an email from a client, consider the language and style used – would the customer normally ask for funds to be “wired” and would he or she use GBP or the £ sign? Look out for poor spelling and grammar. The use of full name sign-offs such as ‘John Michael Smith’ where the client would normally use ‘John’ could also suggest that something might not be right. In such emails, the requests to withdraw money are likely to be urgent and the instruction will usually ask for the money to be transferred via Telegraphic Transfer or CHAPS.
If you receive an email instruction to amend a client’s bank account details, make a withdrawal from an investment or transfer funds into a new account, you should always:
• Call the client directly to confirm that they have changed their bank account and that they wish for a withdrawal to be made. Fraudsters may look to prevent a call by claiming that, for example, they are out of the country. In such instances, you should still contact the customer before acting on an email instruction.
• Make the call to the customer using a telephone number that you have used previously to contact them. Do not use a number shown on the email.
• Ensure that you have the necessary authority from all parties before acting on an instruction on joint portfolios.
Further steps you can take to protect clients include:
• Request an original bank statement, paying-in slip or void cheque as evidence of a new bank account and NOT a PDF/photocopy. It is a simple process to create a false statement.
• Send a letter to the client’s home address advising that an email from them has been received requesting a change of bank account details and ask that the client contact the adviser immediately if they have not changed their bank account.
• Remind your clients that normal emails are not secure and could be intercepted. Therefore, if sending unsecured emails, it is always best to keep the amount of confidential information to a minimum.
Understanding the verification processes undertaken by your platform when requesting encashment is important and can offer an additional layer of defence. Technology is intended to make our lives easier, but we must not lose sight of the fact that it can also provide others with opportunity.
If you haven’t reviewed your own processes of late, there is no time like the present to ensure they remain fit for purpose.
Criminals are always looking for new ways to access account information, and by remaining vigilant we can frustrate their efforts.
Criminal email attacks aimed at discovering financial information or extracting money