Hackers allegedly emptied brokerage accounts with a simple email scam — here's how to protect yourself
- Prosecutors in Brooklyn, New York, said in November that a Lithuanian man and an unknown co-conspirator emptied the brokerage accounts of hapless victims, taking hundreds of thousands of dollars. It would have been more, but for a handful of investors who made some seemingly simple but savvy moves to stop the fraud from happening.
- There is a lot investors can learn from this complaint and its allegations, including how criminals break into and monitor the emails of wealthy investors and convince their brokers to execute trades or transfer funds illicitly.
Prosecutors in Brooklyn, New York, said in November that a Lithuanian man and an unknown co-conspirator emptied the brokerage accounts of hapless victims, stealing hundreds of thousands of dollars. The losses would have been worse, but for a handful of investors who made some seemingly simple but savvy moves to stop the fraud from happening.
The crimes spanned eight years starting in 2011, according to a complaint from the office of Richard Donoghue, U.S. attorney for the Eastern District of New York. Vytautas Parfionovas allegedly worked with co-conspirators to trick day traders and their financial advisors into liquidating securities, wiring cash from brokerages, and establishing new, fraudulent trading accounts under the victims' names.
The complaint against Parfionovas, who was extradited to the U.S. from Ukraine on Nov. 21, reads like a list of do's and don'ts for protecting your accounts from one of the most common and costliest types of wire fraud. Here's what you need to know.
What is email compromise?
There are many types of business email compromise, but in all of them, a fraudster uses electronic communications, usually email, to convince someone to wire money to an offshore account.
The scammer often targets the victim by breaking into or spoofing the email of a trusted third party, like an attorney, financial advisor, product vendor or real estate broker. From that trusted email, the scammer can send an urgent message that a payment needs to go to a new account.
Scammers can also lie in wait on the compromised email account, searching for valuable details like account numbers and wire transfer habits, and even learning how to mimic the victim's communication style.
To get started with this kind of fraud, a criminal only needs to gain access to the huge number of email addresses and passwords that have been leaked onto underground forums. They can then attempt to match the leaked passwords with the email addresses of people who they think have hefty personal or business accounts.
In the Parfionovas case, he allegedly compromised email accounts and then searched them for valuable information. For instance, the complaint says he used one compromised AOL account to find the victim's financial advisor, then emailed the advisor requesting a wire transfer of $225,000 into a U.K.-based account.
Parfionovas also allegedly used stolen credentials and personal details from email intrusions to open new online financial accounts in the names of two of his victims, then transferred cash and securities into the fraudulent accounts.
How to protect yourself
Wire fraud can be devastating because when someone loses money in this way, the bank is not required to make the victim "whole," meaning the money is very often gone for good.
In rare cases, the FBI can recover the funds, but the best offense is defense. That includes being sparing with the financial information you share via email, setting up protocols with your financial institutions for wire transfers, being mindful of passwords that may be compromised, and asking your bank how it approaches protecting against wire fraud.
Know your advisors well. Work face to face or over the phone with financial advisors who you know and trust, and communicate to them that you are concerned about cybercrimes and fraud.
Parfionovas and his alleged co-conspirators are accused of going to great lengths to impersonate advisors and victims, including through phone calls, disguised social media accounts, and even fake IP addresses that made it appear they were sending their messages from New York and not Eastern Europe.
But where victims had a strong relationship with their advisors, the attempts were less likely to work. For instance, at one financial institution, an email addressed by a victim named "Greg" to his financial advisor, "Joel," drew suspicion. Joel shared the email with his colleague at the bank, "Sarah." (Their last names were not published in the indictment.)
Sarah called Greg, who said he had not requested the wire transfer. Simply having a protocol in place to speak with Greg before he became a victim saved him $225,000 from the alleged criminal group.
"[Sarah] wrote some s---," Parfionovas allegedly wrote at the time, having observed Sarah's exchange with Joel via Greg's compromised email account and realizing the wire had been stopped. "I think they contacted [Greg]. It looks like he f---ing talked on the phone with her. F--- me."
Mind your email. In another incident alleged by prosecutors, a co-conspirator coached Parfionovas on how to find critical personal banking conversations in a victim's hacked Yahoo email account:
"Check inside his email. He emailed him before? He email account adviser before? Cuz some talk with email, they don't like calling. Check his email," the co-conspirator said, according to prosecutors.
"Oh f---, so many emails," Parfionovas allegedly responded. "Sick s---. They wrote [the victim's bank] with all the f---ing info. So nice doc. He tell all sh-- on email. Sell Stocks. Send money."
The takeaway: don't conduct all of your financial business via email. Think of the types of information available in your email account. What types of personal information would a fraudster find there, and what would he be able to piece together to pull off a successful financial scam?
If you have more than one email address, determine which one contains the most sensitive information, and strengthen your passwords. In particular, if you have email accounts with very old passwords, they may already be compromised, so change them.
It's also a good idea to set up two-factor authentication, for instance by having the email provider send a code by text message to your phone, then requiring you to enter that code before you can log in. That way, scammers would need to have access to more than your password to read your email.
These systems aren't perfect. Some cybercriminals have found ways around even two-factor authentication using mobile devices. But for most individuals, this will be enough to stop most types of wire fraud.
Communicate fast if you're scammed. If you suspect you're a victim of fraud, don't let embarrassment keep you silent. Reach out to your financial institution or advisor as soon as possible. Catching it early enough may give you time to stop the fraudulent wire from being fully executed. You can also contact the FBI via the agency's Internet Crime Complaint Center (IC3).