Cybercrime and Your Investments: What You Need to Know

We've all seen the headlines about data breaches at some major companies. Perhaps you even know someone who has been victimized by identity thieves who have used his or her personal information for their own financial gain. With so many criminals hiding behind keyboards these days, financial firms are on high alert against hack attacks and other forms of cybercrime. But how safe are your financial assets, and what is the financial industry doing to combat the problem?

Morningstar recently spoke to two experts--Gerri Walsh, senior vice president of investor education at the Financial Industry Regulatory Authority (FINRA) and Karl Schimmeck, managing director of financial services operations for the Securities Industry and Financial Markets Association (SIFMA)--about these topics. The following are edited transcripts of each of these conversations.

Morningstar: In recent years, there have been many reports of data breaches at high-profile companies--the breach at  Target (TGT) late last year comes to mind. Should investors be concerned that the same sort of data breach could happen to their brokerage- or fund-company account?

Gerri Walsh (FINRA): Brokerage firms have taken steps to assure online security for their customers, but it's critical that any consumer, whether a consumer of financial services or any other type of online vendor, take steps to protect themselves.

Morningstar: Do you have any numbers in terms of how big the problem is?

Walsh: Well, there was a recent report by Symantec [a maker of security software]. Their 2014 Internet Security Threat Report shows that 71% of phishing scams were spoofing banks and other financial institutions.

Morningstar: Can you describe how a phishing scam works?

Walsh: The way a phishing scam works is usually the consumer will receive an email and the email may look as though it's from a financial-services firm that is familiar, a well-known bank. They may claim that you are a customer of that bank or a brokerage firm or financial institution and they will ask you to do something, to take a step. Typically, it's that your account has been compromised--please click here to update your security protocols or to refresh your account--or it may be that they are seeking new information, a different financial advisor has been assigned to you or some other thing that would require you to update your information. But the reality is that financial-services firms will not contact you that way if there's been some breach in your account or if there's information that would require them to have your password. They would not be contacting you by an email.

Morningstar: How can someone determine whether it is a legitimate email from their financial institution or one of these phishing emails?

Walsh: The first thing is to look at the email as it comes in. In other words, is it coming from that institution? Now, email addresses can be fake. But sometimes if you mouse over the [sender's address] you can see that even though it says it's from XYZ financial firm, in fact it's from some online Internet service provider's account, so not the company email.

If it's addressed to "dear customer," it's not personalized in any way, that's another tip-off that it's not really from your financial institution. But the most important thing is, when you get an email that requests you to do something in connection with your account, separately contact your firm yourself using a phone number from your own contacts, not from the email, or go visit the website of the firm, but not by clicking on a link in the email. Instead, open up another browser window and go visit the firm yourself with the address that you've used in the past.

Morningstar: So, how does someone who is perpetrating a phishing scam know what financial institution I use in order to make the email look legitimate?

Walsh: Well, the whole hitch is that they don't. Sometimes, these phishing scams are absolutely widespread, and they claim to be from a prominent bank hoping that you will rise to the bait because you, in fact, bank with that company. So, the names and the logos of prominent financial-services firms are frequently the targets of phishing attacks rather than a local bank. Now that doesn't mean that a local bank is immune from this kind of phishing attack. But often it's the well-known international conglomerates that tend to be [the targets] of these scams.

Morningstar: What would be my first indication that my personal information has been compromised? Would it be getting a phishing email, would it be finding that a transaction has taken place on one of my accounts that I did not authorize, or something else?

Walsh: It would more likely be an account transaction that you did not authorize. Getting a phishing scam just means that you are part of the Internet world. Phishers are sending out these widespread emails to pretty much everybody. So, it's not so much that they've gotten your email. But if you see transactions in your account that you did not authorize or if you get indications from a biller, from a utility company, or from somebody else that your account has been suspended, that's critical. So, you should absolutely call the company. Also, call credit-reporting agencies because if your personal information has been taken in one sector of your financial life, it is entirely possible that it has also been compromised elsewhere.

Morningstar: So, is an investor protected from financial loss if there is an identity-theft problem and there have been unauthorized withdrawals from his or her accounts?

Walsh: The most important thing you can do is to call your firm and let them know that this has happened to you. There is no rule that requires that clients be reimbursed, but financial-services firms have dealt with email hack attacks and other types of problems like this by working out a settlement with the customer.

Morningstar: Are there other protective measures that investors should take?

Walsh: One piece of advice that I would offer is that if you are connecting with a financial institution, be it your bank or your brokerage, honestly, if you are paying a bill, don't do it on an unsecured Wi-Fi connection. That's one of the biggest mistakes that a lot of people make because that's where hackers often go in and try to scrape information.

Morningstar: Let's talk about what an unsecured Wi-Fi connection is. So, my password-protected Wi-Fi at home, is that considered a safe connection?

Walsh: That's considered a safe connection as long as you also have a firewall on your router and you follow other security protocols, like making sure that your Internet Explorer or your Firefox--whatever Internet browser you are using--is updated and if you have virus and malware protection on your system that is also updated. You want to make sure that you have the latest patches on all of the Internet programs you have.

Morningstar: What about in a public place such as an airport, a library, a restaurant? Those, I assume, are places where one should not make financial transactions via the Wi-Fi, is that correct?

Walsh: Absolutely. It's most dangerous when you are in a public place, where you're on an unsecured Wi-Fi network, or if you're using a computer at hotels and other places. If you're using a computer in the business center that other users have been using before you, you have no idea what malware is or isn't on those computers, and when you're in an open Wi-Fi zone any hacker can get through. So, never ever engage in financial transactions from your smartphone, from your tablet, or from your computer in a public place on an unsecured network.

Morningstar: Let's turn to the topic of passwords. Do you recommend changing passwords periodically or any other sort of maintenance when it comes to passwords?

Walsh: Changing passwords periodically is critical and make sure that they're not easy for a hacker to figure out. One of the things that can happen with these phishing emails is that, if you click on a link or if you visit a website, you'll end up downloading malware that can be a password tracker. It's really a keystroke-logging program, so that they can tell what your user-account information is and then what your password is to get on to the website. So, absolutely, change your password from time to time and don't make it obvious relative to the financial institutions. You wouldn't want to call it "XYZ bank password." That would be too obvious.

Another tip is to avoid emailing personal or financial information. So, even if your spouse really needs to know what your credit card number is or needs to access your brokerage account, don't just send them a text or an email with that information. It's never a good idea to have that. Another way to keep yourself safe when you are using mobile is to lock your phone--one of the simplest security measures that we can all take and far too many of us don't do it.

Morningstar: With regard to including financial information in an email, does that apply even over a secured connection?

Walsh: It does. If you have an item in your sent folder that you might have sent from your email someplace else, if you are in an unsecured location, somebody could hack into your email and get that. That's also why it's important to password-protect your phone or your smart device, your tablet, because if you have your email available to anybody, so you don't have to put in the password every time you log in, you've opened the door to all kinds of information about yourself.

Morningstar: Any other steps that individual investors can take to protect themselves from this problem?

Walsh: Just be super suspicious when you are online, especially when you are dealing with money, because it's your money. You don't want hackers to have access to it. Also, if you have an opportunity to invest with a new firm that you hear about through an email, always check out that firm. Make sure that you use FINRA's BrokerCheck tool to determine whether the financial institution is, in fact, a registered investment company. Otherwise, you might be dealing with a fraudster.

In a separate interview, Karl Schimmeck discussed the problem of cybercrime and how the financial industry is responding to it.

Morningstar: How big of a problem is ID theft and cybercrime in general for the financial industry?

Karl Schimmeck (SIFMA): Cybercrime and cyber security, it's a major issue for the banks, broker/dealers, and the asset managers. I would say most firms consider this as [among the] top three risks that they are facing currently. The firms are a target. They're probably facing upwards of millions of attacks on a daily basis if you aggregated that across the entire landscape of all the banks and broker/dealers that are out there. 

For the most part, most of those attacks are unsuccessful. I would say a very, very small percentage of them would be successful and are capable of getting and/or doing any kind of damage or theft. But the firms are aware of it. They know it's a risk and they are taking many, many measures and investing a significant amount of their resources, time, effort, and money into making sure that their infrastructure is protected--that the data that they've been entrusted with is protected and that their clients, as such, are protected.

Morningstar: In terms of systemic risk, could a single cyber-attack potentially bring the financial markets to a halt?

Schimmeck: That's something we have done a lot of work on here at SIFMA, looking at the factors around a systemic attack. The way we look at it is, there is a possibility, it's probably a [low] probability, [of a] type of attack where you could have that high impact in regards to affecting an exchange or making it so that the markets can't operate properly.

So, that possibility is out there and what we've done with the firms and with our government partners at Treasury and Department of Homeland Security and the FBI is that that's something we practice for. We recently held an exercise called Quantum Dawn 2 where basically the main focus was a cyber-attack on the U.S-equity markets where they were no longer able to function properly, and just how do we respond as an industry to be able to face that.

So, what I would say for the individual investors is that we think of that as a possibility. We do plan an exercise for it, and we try to ensure that if that were to happen we would be able to respond properly and, as much as possible, mitigate the impacts and make sure that data is protected, transactions are protected, and that we can get the system up and running as quickly as possible.

Morningstar: What about an attack on a specific financial firm? Is that something you also game-plan for or is that done on a firm-by-firm basis?

Schimmeck: We actually have organized individual exercises as well. So, while we do sort of sectorwide exercises where we're exercising sector-response plans and the firms participate in that along with government partners, we've also done exercises that are targeted at individual firms. Earlier this year, we did this for a number of our members. We came up with five or six scenarios and ran their incident-response teams through those scenarios: How would they respond to them, what would be their internal practices and protocols to mitigate the attacks, make sure that they are protecting their data and that they are also keeping their systems operational and providing their clients with access to the markets.

So, yeah, it's something we facilitate on both levels--both the individual firm and their protocols and then also what happens on the sector basis as well.

Morningstar: What are some of the sources of these cyber-attacks? Are they U.S.-based criminals? Are they criminals from abroad? Are foreign governments doing this?

Schimmeck: We see a wide range of different players [among] threat actors or people who are looking to do damage. We have criminals, so that would be very typical, people we dealt with for as long as banks and broker/dealers have been around, people are looking to steal information, they are looking to steal money, and they're just using the computer as a new way of doing it versus using telephones to perpetrate fraud or whatever the case might be.

But then you also have hacktivists that are looking to cause reputational risk for the banks and broker/dealers, where they are looking to do things like DDoS [Distributed Denial of Service] attacks, where they're looking to make, let's say, a website unavailable for a period of time. Typically, they're kind of harassing, just causing people to maybe lose confidence in their individual firm.

And then as it elevates further, now you get more into your terrorists and nation-state players. They are looking to perform espionage, stealing information maybe more on the investment-banking side for any kind of deals that might be going on and then also, from a trading standpoint, this would be where they look at financial services as a critical infrastructure sector within the United State and would look to cause damage to the U.S. economy by [attacking] it.

So firms, based on their size and their position in the market, will face a broad spectrum of those different players that are out there. Firms determine what they see as their main threat that they have to deal with, and firms right now perform a threat analysis, determine where their risks are, and then try to focus and concentrate their resources on where they think the highest risk is.

Morningstar: What questions can individual investors ask of the financial firms that manage their assets to make sure they are being adequately protected from cybercriminals?

Schimmeck: I think first and foremost is the authentication methods that are being used by their financial manager. So, is it two-form authentication? Right now you'll see a username and password, but they also have things like a question, or a color, or something else to get that two-form authentication for logging on to their website.

It's always a good question to ask what do [the firms] typically do for disclosure, how is information shared, how do I update the information on my account, because what you'll see is somebody may get a piece of information and try to change the reference data that an investment advisor has for their clients in order to try to reroute where a transaction is going or where money is being sent.

But also, if they are seeing any type of strange behavior--suddenly it doesn't look normal--call up your investment advisor and ask the question, see what transactions have happened. I think that's always a good thing to do. So, when you get that call from your investment advisor, that people typically see from maybe their credit card companies asking about a strange transaction, take that call--don't look at it as something where it's kind of a burden. All they are looking for is strange behavior and just want to confirm that it is the correct activity that they should be supporting and making sure it is transacted.