(Reuters) - The first thing a lot of people do when they get hacked is worry that their Facebook friends are going to be annoyed. But before you send out an “I’ve been hacked” alert to the 500-or-so people closest to your digital life, call your financial adviser.
Why? Because while you’re alerting your friends, the hacker might be emailing your brokers in your name and imploring them to wire your assets to a bank account in Malaysia. And if they do, no government or securities industry agency is obligated to reimburse your losses.
The Financial Industry Regulatory Authority (Finra) recently warned that brokerage firms have fallen for this scam an "increasing" number of times. (r.reuters.com/xav46s)
Unlike investor scams where the thieves establish a relationship with the victim, such as so-called romance scams (r.reuters.com/zav46s), these identity thefts bypass the victim to go straight to a financial institution.
In some recent cases, the perpetrators searched the victim’s sent folder for brokerage account information. Then they sent an email to the broker and requested the fund transfer, attaching genuine letters of authorization downloaded from the broker’s website, or convincingly faked letters of authorization.
If the brokerage takes too long to comply, says Finra, the thieves sometimes send follow-up emails stressing the urgency of the situation.
“There’s a pattern of individuals citing dramatic circumstances, claiming to be out of the country or at a funeral, invoking sympathy and creating a sense of urgency to pressure the firm into releasing funds before verifying the authenticity of the emailed instructions,” says Gerri Walsh, Finra’s vice president for investor education. “There seems to be an uptick in these scams.”
The FBI says victims have lost about $6 million in fraudulent transfers from brokerage, bank and credit union accounts since December 2011, with amounts in these cases ranging from $15,000 to $183,000 (r.reuters.com/bev46s).
Losses from such scams are not covered by the Securities Investor Protection Corp, a nonprofit corporation funded by its member securities brokers.
SIPC’s coverage is only triggered when a member firm goes bankrupt, says Stephen Harbeck, its president. The failed company’s remaining assets are distributed on a pro-rata basis to its customers and SIPC covers any remaining shortfall up to $500,000 of securities in each account. (Up to $250,000 of that amount can be cash.)
Unlike the Federal Deposit Insurance Corp (FDIC), SIPC does not cover the value of customer accounts - it only replaces missing securities and cash.
“SIPC doesn’t protect against a loss in the value of an investment even if it’s caused by broker fraud,” says Harbeck.
Unless your brokerage fails, you’ll have to ask the firm itself to make good for any losses due to unauthorized wire transfers. Every firm has its own policy, Walsh says.
Some big companies, including Charles Schwab Corp and Fidelity Investments, say they don’t accept wire transfer requests via email, period.
Schwab verifies wire transfer requests made through other channels “through a variety of back-end processes that raise red flags with respect to customer behavior, activity, history, location, etc.,” says Sarah Bulgatz, a Charles Schwab spokeswoman. “I don’t want to be cagey, but we’re reluctant to share specifics.”
Fidelity is similarly tight-lipped about its verification procedures.
“For security reasons, we generally don’t disclose details,” says Adam Banker, a Fidelity spokesman. “But we use a variety of measures, including multi-step authentication and proprietary technology applications.”
Fidelity and Schwab said they were aware of the Finra alert, but would not say if the firms had experienced any scams.
Both firms say they cover losses in their customers’ accounts caused by unauthorized activity. To ensure that protection, however, customers are responsible for safeguarding all account access information - including ‘payment devices like credit cards, debit cards, and checks,’ notes the boilerplate in Schwab’s guarantee. They are also responsible for reporting any unauthorized transactions as quickly as possible.
Common sense precautions:
* Don’t ignore signs that your email account has been hacked, such as finding emails you didn’t send in your ‘sent’ folder, or hearing from your friends that they’ve received spam from your email address.
* If you get email on your smart phone, make sure the phone is password protected.
* Don’t save sensitive information in your email account. According to Finra, the hackers have found the brokerage information they need by looking in their victims’ contact lists and ‘sent’ email folders.
“A lot of us put more personal information in our email contact list than we realize,” says Walsh. “For example, people sometimes put the broker’s information in the contact list and their account numbers in the side notes. Not a good idea.”
The author is a Reuters contributor. The opinions expressed are her own. Editing by Beth Pinsker Gladstone and Andre Grenon.