By Byron Acohido, USA TODAY
In a new twist, cyber-robbers are using ginned-up e-mail messages in attempts to con financial advisers into wiring cash out of their clients' online investment accounts.
If the adviser falls for it, a wire transfer gets legitimately executed, and cash flows into a bank account controlled by the thieves - leaving the victim in a dispute with the financial adviser over getting made whole.
Anecdotal evidence of this ruse - directed at financial planners, estate lawyers and other advisers who rely on e-mail and online banking to work with clients - has just begun to surface, say tech security and online banking experts.
"It's the Willie Sutton principle at work," says Adam Dolby, an independent banking security consultant. "Robbers go where the money is."
IDentity Theft 911, a theft-recovery service, is working on a case where a faked e-mail led to a $35,000 transfer into a thief's account.
"That victim may be looking at a complete loss," investigator Mark Fullbright says.
In another recent caper, a veteran financial planner was fooled by a Gmail message appearing to arrive from an insurance company executive, says Adam Levin, IDentity Theft 911's chairman. The e-mail carried instructions to wire $15,850 into an account at PNC Bank, worded in a casual style similar to past e-mails the financial adviser had received from the executive, Levin says.
Luckily, the financial planner phoned his client to clarify which account to pull the money from. "They determined it was a fraudulent e-mail," Levin says.
Cybercriminals have discovered that investors now routinely rely on e-mail to authorize personal advisers to execute financial transactions. Search engines and social networks have made finding and profiling potential victims, and their advisers, easy.
Taking over or impersonating someone's e-mail account likewise isn't hard to do. "It's low-tech," says John Zurawski, a vice president at Authentify, supplier of single-use PIN codes delivered by cellphone text messages. "Instead of managing layers of malicious software, all the bad guys need is e-mail and phone skills."
This new scam is the latest strain of a long-running crime wave that preys mainly on small and midsize organizations. The banking industry has steadily been making it tougher for hackers to use computer infections to carry out wire transfer fraud against small organizations, says Jon Callas, chief technology officer at authentication firm Entrust.
"The shift to personal advisers and individual wire transfers is an indication that the well is running dry for them with small businesses and small government," he says.