Internet crime is an unfortunate reality. In fact, the FBI's Internet Crime Complaint Center received its three millionth complaint in May of this year. In 2013 alone, the dollar loss of complaints submitted totaled nearly $800 million.
Here at Commonwealth, our Information Security team believes that education is one of the most powerful weapons to improve Internet security. And to protect clients from online crime, you need to understand where the vulnerabilities are.
Combatting Wire Fraud
I recently met with Fidelity's fraud department to discuss cybercrime, specifically the problem of wire fraud. Fidelity has been working closely with the FBI to disclose information about every scam that the company and its correspondents, including Commonwealth, encounter. Based on the data Fidelity has compiled, it's easy to spot the big-picture trends and see how criminals adapt their tactics to exploit the newest "weakest link."
Unfortunately, that link is your clients.
Across the financial services industry, criminals are assaulting clients' e-mail accounts and attempting to deceive firms into wiring client funds to both domestic and international banks. Fidelity alone has seen approximately $15 million in losses as a result of fraudulent wire requests originating from clients' compromised e-mail accounts. Without a doubt, we must take the lead to educate and help protect our clients—and ourselves.
E-Mail: The Entry Point for Online Crime
In many of the instances of wire fraud we've seen, criminals hack into personal e-mail accounts using one of the following common methods:
Brute-force attacks. In a brute-force attack, hackers run a program that systematically tries every possible combination of letters, numbers, and symbols until it finds one that works. Although this type of attack can eventually crack any password, the more complex the password, the longer it will take to crack (and the more likely hackers will be to give up).
Dictionary attacks. Similar to a brute-force attack but not as comprehensive, a dictionary attack program runs through words until it finds a match. Clients who use everyday words (i.e., anything found in a dictionary) as passwords are vulnerable to this type of attack.
Once the criminal gains access to the account, he or she digs through current, past, and deleted correspondence to learn as much personal information as possible about the client, including financial account information. The criminal then turns his or her attention to your business, sending e-mails that appear to be from your client asking for account information and, ultimately, a wire transfer.
In many cases, our clients' best—and sometimes only—defense is a strong password. Although you are responsible for knowing your customer and verifying that client requests are legitimate (errors and omissions insurance does not cover fraud), you can help clients shore up their online information and accounts by being aware of the following best practices. (For additional safeguards to help protect your business, be sure to download our guide.)
What Is a Strong Password?
If a hacker can't access an e-mail account in the first place, he or she can't attempt to defraud your clients of their hard-earned money. If a password is just four letters or numbers long, it can be compromised instantaneously in a brute-force attack. A simple increase to eight characters makes it a bit harder to crack. But for the greatest protection, your clients should be using strong passwords made up of at least eight upper- and lowercase letters, numbers, and symbols—and they should consider implementing other security features like multifactor authentication as well.
*This figure depends on the type of attack and the power of the computer used.
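To make the guidance above concrete, here is a short Python check, added as an example and not part of the original article, that scores a password against the two attacks described: the size of the brute-force search space and whether the password is just a dictionary word with digits or symbols tacked on. The sample word list, the function names, and the 32-symbol alphabet (Python's string.punctuation) are assumptions made for illustration.

```python
import math
import string

# Constructed sample wordlist (assumption); a real check would load a large
# dictionary and a list of known-breached passwords.
SAMPLE_WORDS = {"password", "sunshine", "dragon", "welcome", "monkey"}

# Character classes named in the article, with the size of each alphabet.
CLASSES = {
    "lower": (string.ascii_lowercase, 26),
    "upper": (string.ascii_uppercase, 26),
    "digit": (string.digits, 10),
    "symbol": (string.punctuation, 32),
}

def classes_used(password):
    """Return the names of the character classes present in the password."""
    return {name for name, (chars, _) in CLASSES.items()
            if any(c in chars for c in password)}

def search_space(password):
    """Brute-force candidates an attacker must cover: alphabet ** length."""
    alphabet = sum(CLASSES[name][1] for name in classes_used(password))
    return alphabet ** len(password)

def in_dictionary(password, words=SAMPLE_WORDS):
    """True if the password is a dictionary word, ignoring case and
    trailing digits or symbols (e.g. 'Sunshine1!')."""
    core = password.lower().rstrip(string.digits + string.punctuation)
    return core in words

def assess(password, words=SAMPLE_WORDS):
    used = classes_used(password)
    space = search_space(password)
    return {
        "length_ok": len(password) >= 8,
        "all_classes": used == set(CLASSES),
        "dictionary_word": in_dictionary(password, words),
        "bits": round(math.log2(space), 1) if space > 1 else 0.0,
        "strong": len(password) >= 8 and used == set(CLASSES)
                  and not in_dictionary(password, words),
    }

if __name__ == "__main__":
    for pw in ["abcd", "sunshine", "Sunshine1!", "tR7#qLm2&x"]:
        print(pw, assess(pw))
```

Note that "Sunshine1!" meets the length and character-class rule yet is still flagged, because a dictionary attack that appends common suffixes never has to cover the full search space.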
Information Security and Financial Security Go Hand in Hand
Talking about information security may not be the first item on your agenda when a client walks into your office. Bear in mind, however, that this discussion is vital in helping protect clients from online crime and safeguarding your business's reputation. After all, information security precautions help protect clients' financial information and the funds themselves.
How do you educate clients about information security? How do you make these conversations a priority?