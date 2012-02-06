By Lynn Brenner
Feb 6 The first thing a lot of people do
when they get hacked is worry that their Facebook friends are
going to be annoyed. But before you send out an "I've been
hacked" alert to the 500-or-so people closest to your digital
life, call your financial adviser.
Why? Because while you're alerting your friends, the hacker
might be emailing your brokers in your name and imploring them
to wire your assets to a bank account in Malaysia. And if they
do, no government or securities industry agency is obligated to
reimburse your losses.
The Financial Industry Regulatory Authority (Finra) recently
warned that brokerage firms have fallen for this scam an
"increasing" number of times. ()
Unlike investor scams where the thieves establish a
relationship with the victim, such as so-called romance scams (),
these identity-thefts bypass the victim to go straight to a
financial institution.
In some recent cases, the perpetrators searched the victim's
sent folder for brokerage account information. Then they sent an
email to the broker and requested the fund transfer, attaching
genuine letters of authorization downloaded from the broker's
website, or convincingly faked letters of authorization.
If the brokerage takes too long to comply, says Finra, the
thieves sometimes send follow-up emails stressing the urgency of
the situation.
"There's a pattern of individuals citing dramatic
circumstances, claiming to be out of the country or at a
funeral, invoking sympathy and creating a sense of urgency to
pressure the firm into releasing funds before verifying the
authenticity of the emailed instructions," says Gerri Walsh,
Finra's vice president for investor education. "There seems to
be an uptick in these scams."
LOSSES
The FBI says victims have lost about $6 million in
fraudulent transfers from brokerage, bank and credit union
accounts since December 2011, with amounts in these cases
ranging from $15,000 to $183,000 ().
Losses from such scams are not covered by the Securities
Investor Protection Corp, a nonprofit corporation funded by its
member securities brokers.
SIPC's coverage is only triggered when a member firm goes
bankrupt, says Stephen Harbeck, its president. The failed
company's remaining assets are distributed on a pro-rata basis
to its customers and SIPC covers any remaining shortfall up to
$500,000 of securities in each account. (Up to $250,000 of that
amount can be cash.)
Unlike the Federal Deposit Insurance Corp (FDIC), SIPC does
not cover the value of customer accounts - it only replaces
missing securities and cash.
"SIPC doesn't protect against a loss in the value of an
investment even if it's caused by broker fraud," says Harbeck.
Unless your brokerage fails, you'll have to ask the firm
itself to make good for any losses due to unauthorized wire
transfers. Every firm has its own policy, Walsh says.
Some big companies, including Charles Schwab Corp
and Fidelity Investments, say they don't accept wire transfer
requests via email, period.
Schwab verifies wire transfer requests made through other
channels "through a variety of back-end processes that raise red
flags with respect to customer behavior, activity, history,
location, etc.," says Sarah Bulgatz, a Charles Schwab
spokeswoman. "I don't want to be cagey, but we're reluctant to
share specifics."
Fidelity is similarly tight-lipped about its verification
procedures.
"For security reasons, we generally don't disclose details,"
says Adam Banker, a Fidelity spokesman. "But we use a variety of
measures, including multi-step authentication and proprietary
technology applications."
Fidelity and Schwab said they were aware of the Finra alert,
but would not say if the firms had experienced any scams.
Both firms say they cover losses in their customers'
accounts caused by unauthorized activity. To ensure that
protection, however, customers are responsible for safeguarding
all account access information - including 'payment devices like
credit cards, debit cards, and checks,' notes the boilerplate in
Schwab's guarantee. They are also responsible for reporting any
unauthorized transactions as quickly as possible.
Common sense precautions:
* Don't ignore signs that your email account has been hacked,
such as finding emails you didn't send in your 'sent' folder, or
hearing from your friends that they've received spam from your
email address.
* If you get email on your smart phone, make sure the phone is
password protected.
* Don't save sensitive information in your email account.
According to Finra, the hackers have found the brokerage
information they need by looking in their victims' contact lists
and 'sent' email folders.
"A lot of us put more personal information in our email contact
list than we realize," says Walsh. "For example, people
sometimes put the broker's information in the contact list and
their account numbers in the side notes. Not a good idea."