- Always use two-factor authentication for email.
- Consider using a broker who knows your voice on the phone.
- In many cases, the customer has been made whole.
When a customer at the Doylestown, Pennsylvania, branch of Securian Financial Services Inc. emailed to ask for a $40,000 wire transfer back in 2015, employees sprung into action.
Christopher J. Hackley, the stockbroker in charge of the account, forwarded the request to sales assistant Rosemary McGinley, who put the gears in motion to get the paperwork done. With the help of two other colleagues over the next six days, the broker and assistant swiftly processed that and two more wire requests totaling $147,000.
There was just one problem: They wired the money to a fraudster who had hacked the customer's email account.
Fraudulent wire transfers by email hackers "is something that continually raises its head," said Gerri Walsh, senior vice president of investor education at the Financial Industry Regulatory Authority.
FINRA, the brokerage industry's self-funded regulator, first started noticing this kind of fraud five years ago, she said, adding that vigilant investors should take advantage of all the security measures their financial firms offer — such as two-factor authorization — and keep close tabs on activity in their accounts.
In the Securian case, FINRA earlier this year suspended each of the four employees involved for 10 days for failing to follow policies to properly identify the client. And Securian took actions against the employees and reimbursed the client, according to Jeff Bakken, a company spokesperson.
Searching FINRA's disciplinary database using the keyword "imposter" going back to 2012 shows 42 cases where criminals had hacked an investor's email and fooled brokerage firms into making a wire transfer.
While FINRA had no overall annual dollar figure lost to email hacking, the Financial Crimes Enforcement Network, or FinCEN, a bureau of the Treasury Department, issued an advisory in September saying that criminals are "actively using e-mail schemes to defraud financial institutions and their customers" using wire transfers.
In almost all the cases, workers flouted rules requiring an outbound telephone call to confirm the transaction. Making it worse, many signed forms saying that they had spoken with the customer when the only communication they had was by e-mail.
Debra Ferrara, a former client service associate at Morgan Stanley Smith Barney, falsified forms for five wire transfers totaling $108,680, saying she'd spoken with the client when she hadn't. Morgan Stanley fired her and reimbursed the client, said spokesman Bruce C. Dunbar. Ferrara, who did not respond to messages sent via LinkedIn, settled her case with FINRA in September.
John J. Arnold, a former Merrill Lynch broker in Newport Beach, California, took the bait on two fraudulent wire requests that came in by email, falsely representing to a sales assistant that he had verbally confirmed transactions totaling $127,200 with his customer, according to FINRA.
The imposter said he couldn't speak on the telephone because he was headed to a board meeting. In a settlement with FINRA in June 2016, the broker agreed to a 60-day suspension and $15,000 fine.
He said in his public FINRA records that the firm hadn't given him "meaningful training" in wire transfer security, yet FINRA said in the settlement that he had certified he understood the wire transfer policies. He did not respond to messages left at his office and sent via LinkedIn. Merrill spokesperson William Halldin said the settlement agreement "speaks for itself." The customer was reimbursed.
Fortunately, many cases are resolved with no harm to the customer. "We've seen that firms in almost all of these types of cases make customers whole," said Michelle Ong, a FINRA spokesperson.
Hackley, the Securian broker, said his client who was scammed out of $147,000 had been the victim of identity theft. His Securian account was made whole "in less than 12 hours," Hackley said.
John Reed Stark, a consultant who is a former chief of the Office of Internet Enforcement at the Securities and Exchange Commission, said investors would be far safer if they used two-factor authorization for their email accounts, yet conceded that many don't want the hassle of waiting for an access code to be sent to their cellphones or other devices.
He said he has a personal bias to work only with full-service firms where there is a broker he knows who answers his calls.
"It becomes much tougher to be made whole when you're dealing with a customer service rep in the Philippines," he said.