Impersonation fraud in the financial sector is on the increase, with financial advisers being unknowingly used to facilitate the frauds. ABI members have reported cases where advisers are receiving instructions that appear to have been sent from a genuine client's email address, but which in reality have come from fraudsters who have hacked or 'spoofed' email accounts. The instructions request that funds be encashed/transferred into an account (or accounts) controlled by the crime group. If the initial request is successful, criminals have been known to repeat transfer requests to fund a number of different accounts. Particular vigilance is needed if the communication received by an adviser from someone purporting to be the customer provides new bank details.
Life companies are tightening up their controls where possible, but there remains a dependency on financial advisers also being diligent and verifying that they are dealing with the genuine client when they receive instructions to act.
This type of fraud is generally successful where the fraud controls employed by the financial adviser prior to acting upon the request are not as strong as they might be. Advisers that accept instructions online should consider strengthening verification controls to ensure that clients are protected from this criminal activity. Controls that are worth considering could include:
- Verification of the source of the instruction by using another, well-established means of contacting your client; preferably via phone. Do not use contact numbers included on or with the instruction.
- Making staff aware that fraudsters may also have cloned or 'split' SIM cards, or arranged for a victim's phone line to be redirected. Additional security questions whose answers would only be known to the client could help here. Consider what questions would be suitable - if your client's email has been hacked, what other information is and isn't likely to be available to the fraudsters?
- Consider the tone, spelling, time of day and format of the email and/or the instruction. Is this consistent with your existing relationship with the client? For example, if you are used to receiving long emails from clients with a high standard of written English, then it would be suspicious if you were to receive an unusually short email in broken English.
- Be extra cautious whenever one instruction is followed in quick succession by another, particularly when the client is asking for funds to be paid to multiple accounts that you have no record of.
- If you have acted upon an instruction that you subsequently find to be fraudulent, alert the life office immediately so that the ceding and recipient banks can try to prevent the withdrawal of funds.