When Clients Are Compromised

Scammers have more sophisticated tools that can fool even your savviest clients. Planners need to stay vigilant and be ready to act
By
Andy Baxley, CFP®, CIMA, MSFP

Journal of Financial Planning: February 2024

 

As a senior financial planner at The Planning Center, Andy Baxley, CFP®, CIMA, MSFP, provides comprehensive financial planning for professors and others in the higher education community. He is a proud member of the Financial Planning Association and the National Association of Personal Financial Advisors.

“Apparently my computer has a virus. Can we please meet in person instead of virtually?”

At first, I didn’t think much of this request, which came over the phone from Carl, a recently retired professor and longtime client of our firm. Computers get viruses from time to time, so nothing about this seemed outside of the ordinary.

Still, I decided to ask a few more questions. If Carl’s computer had been compromised with a virus, I wanted to understand the extent to which his personal and financial data may have been at risk.

The answers to those questions revealed that my client’s data had indeed been compromised—not by a virus, but by a highly effective and potentially devastating scam.

As I questioned Carl about his experience, I learned that a very official-looking alert had appeared on his computer two weeks prior with a message from “Microsoft Solutions.” The message alerted him to an urgent issue with the security of his laptop and gave him a number to call for immediate assistance.

Understandably concerned, Carl called the number right away and spoke with someone who called himself Adam and claimed to work for Microsoft Solutions. Adam told Carl that his computer had been infected with a virus but encouraged him not to worry. Adam had encountered this virus before and assured him that he could remove it. He instructed Carl to download remote desktop software that would allow him to access and control Carl’s computer. Fully convinced that he was speaking to a Microsoft employee, Carl did as he was told.

After doing a “security sweep” of the computer, Adam told Carl that he’d identified the issue and that Carl would need to purchase Microsoft’s “Diamond Security Package” in order to resolve it and prevent any further breaches to his computer’s security moving forward. The package would include “Cleanup and Removal of Malicious Malware” ($1,500), “Creation of a Security Firewall” ($1,500), and various other benefits ($940).

Carl was instructed to write three separate checks, each made payable to what they claimed was a third-party payment processor. He did as he was told and assumed the issue was resolved.

A week later, Carl received a call from an unknown number and spoke to someone calling himself Derek, who also claimed to work for Microsoft. Derek reported that Carl’s computer had been compromised once again. More work would need to be done as soon as possible to resolve the issue. Of course, the scope of the work was beyond what the previously purchased “Diamond Security Package” could provide, so additional payment would be necessary.

Upon hearing all of this, it was clear to me that Carl had been the victim of a scam. It was time to take immediate action.

A Staggering Loss

According to a recent AARP study in collaboration with The University of Chicago, victims of elder financial exploitation lose an estimated $28.3 billion annually (Gunther 2023). Of this, $20.3 billion is stolen by people known to the victim. The remaining $8 billion loss comes from scams and other fraudulent schemes conducted by professional criminals.

An October 2023 CBS News article tells the story of Rich Brune, a 75-year-old retiree from Virginia, who lost nearly $800,000 to criminals posing as Microsoft workers who told him that “his computer had been hacked, his financial accounts were compromised, and he needed to take urgent remedial action” (Legare, Peques and Triay 2023).

Sound familiar?

The ‘Phantom Hacker’

Unfortunately, Carl and Rich’s experiences are not isolated incidents.

In a public service announcement published last year, the FBI warns that occurrences of “phantom hacker” scams are on the rise (Federal Bureau of Investigation 2023).

According to the announcement, “This Phantom Hacker scam is an evolution of more general tech support scams, layering imposter tech support, financial institution, and government personas to enhance the trust victims place in the scammers and identify the most lucrative accounts to target. Victims often suffer the loss of entire banking, savings, retirement, or investment accounts under the guise of ‘protecting’ their assets.”

Here’s how it typically works, as described in the FBI’s announcement:

Phase 1—Tech Support Imposter

  1. A scammer posing as a tech or customer support representative from a legitimate company contacts the victim through a phone call, text, email, or a pop-up window on the victim’s computer and instructs the victim to call a number for “assistance.”
  2. Once the victim calls the number, a scammer directs the victim to download a software program, allowing the scammer remote access to the victim’s computer. The scammer pretends to run a virus scan on the victim’s computer and falsely claims the computer has been or is at risk of being hacked.
  3. Next, the scammer requests the victim open their financial accounts to determine whether there have been any unauthorized charges—a tactic the scammer uses to determine which financial account is most lucrative for targeting. The scammer chooses an account to target and tells the victim they will receive a call with further instructions from the fraud department of the respective financial institution hosting that account.

Phase 2—Financial Institution Imposter

  1. A scammer posing as a representative of the financial institution mentioned in phase 1, such as a bank or a brokerage firm, contacts the victim. The scammer falsely informs the victim their computer and financial accounts have been accessed by a foreign hacker and the victim must move their money to a “safe” third-party account, such as an account with the Federal Reserve or another U.S. Government agency.
  2. The scammer directs the victim to transfer money via a wire transfer, cash, or cryptocurrency, often directly to overseas recipients. The scammer may instruct the victim to send multiple transactions over a span of days or months.
  3. The scammer tells the victim to not inform anyone of the real reason they are moving their money.

Phase 3—U.S. Government Imposter

  1. The victim may also be contacted by a scammer posing as an employee at the Federal Reserve or another U.S. Government agency. If the victim becomes suspicious of the government imposter, the scammer may send an email or a letter on what appears to be official U.S. Government letterhead to legitimize the scam.
  2. The scammer continues to emphasize the victim’s funds are “unsafe” and they must be moved to a new “alias” account for protection until the victim concedes.

Prevention and Mitigation

Follow-up research has led me to the conclusion that the criminals who targeted Carl were likely just getting started. Had I not asked one or two additional questions on that initial phone call, there’s no telling how much money they might have successfully stolen.

I encourage my fellow advisers to do two things.

The first is to warn all clients, especially those who are over 60 and/or experiencing diminished capacity, about the phantom hacker scam. Awareness and prevention are priority number one. I recommend sending the previously referenced FBI public service announcement, which also includes several helpful tips for people to stay vigilant and protect themselves.

Second, if a client tells you that their computer has a virus, ask questions.

  1. How did they find out about the virus?
  2. What steps have they taken to resolve the issue?
  3. Have they spoken to anyone else about it?

It shouldn’t take long to determine if something suspicious has taken place.

If the client has fallen prey to the phantom hacker scam, there are a few steps they should take immediately.

  • Report the crime to the FBI Crime Complaint Center (IC3) at www.ic3.gov.
  • Contact all financial institutions and notify them of the issue. If money has already been stolen, inquire about how the financial institution can help recover it. If necessary, have new credit cards and account numbers issued.
  • Name a “trusted contact” at all financial institutions. This will give the institution someone to call if they suspect exploitation or fraud has taken place.
  • Call all three credit bureaus (Transunion, Equifax, and Experian) to request a security freeze and place a fraud alert.
  • Change online passwords for all websites that contain sensitive information.

AI and the Future of Scams

As convincing and effective as the phantom hacker scam is, there is reason to believe that scams will only increase in their sophistication and potential for devastation.

Imagine the following scenario—your client gets a call from someone claiming to be you, their trusted adviser. The person sounds just like you and knows many of the important details about your client. They alert your client about an urgent security issue and provide them with instructions to wire funds to a “safe” third-party account.

What I’m describing is not science fiction. Artificial intelligence (AI) voice cloning technology already has the power to mimic anyone’s voice with chillingly realistic results. CBS News reports that scammers are already using this technology to mimic the voices of victims’ friends and family (Evans and Novak 2023).

According to a June memo from Microsoft (2023), AI will enable professional criminals to implement so-called spear-phishing campaigns with alarming efficiency.

Spear-phishing, a more targeted form of phishing, involves utilizing meticulously gathered details about the specific target to extract sensitive information, often through means like email, text messages, or phone calls. Though more convincing and effective than regular phishing attacks, which is more generic and less targeted, spear-phishing has historically been far more time-intensive as well.

No longer.

According to Microsoft, a scammer can now train AI to execute a spear-phishing campaign for them, vastly increasing the scalability of this kind of attack.

Of course, the news is not all bad. Just as AI has enabled criminals to be more efficient in scamming victims, it has also improved our ability to detect and prevent this kind of illegal activity.

One such solution comes from popular VPN maker NordVPN, which recently launched a tool called Sonar, designed to scan your email inbox for potential phishing emails. Their goal? “To beat cybercriminals in their own game” (https://labs.nordvpn.com/).

One thing is clear—scammers and those trying to thwart them are engaged in an AI arms race. As both the scams themselves and the tools designed to stop them become more sophisticated over time, financial advisers will need to do everything in their power to keep their clients out of harm’s way.

A Happy Ending?

In some ways, my client, Carl, is one of the lucky ones. “Only” a few thousand dollars had been taken from him when we realized that he had been the victim of a scam. There’s no telling how much worse it could have gotten if we hadn’t made this discovery.

Of course, victims like Carl and Rich don’t just lose money. There is an emotional toll as well. Unknowingly sharing sensitive information with someone who intends to do you harm can leave one feeling violated, ashamed, and anxious.

Trusted advisers can help to minimize these feelings through emotional support and a shared commitment to reactive remediation and proactive vigilance. Better yet, we can prepare our clients so they never become victims in the first place

References

Evans, Carter, and Analisa Novak. 2023, July 19. “Scammers Use AI to Mimic Voices of Loved Ones in Distress.” CBS News. www.cbsnews.com/news/scammers-ai-mimic-voices-loved-ones-in-distress/.

Federal Bureau of Investigation. 2023, September 29. “‘Phantom Hacker’ Scams Target Senior Citizens and Result in Victims Losing their Life Savings.” Alert Number I-091223-PSA. www.ic3.gov/Media/Y2023/PSA230929.

Gunther, Jilenne. 2023, June. “The Scope of Elder Financial Exploitation: What It Costs Victims.” AARP Public Policy Institute. www.aarp.org/content/dam/aarp/money/scams-and-fraud/2023/true-cost-elder-financial-exploitation.doi.10.26419-2Fppi.00194.001.pdf.

Legare, Rober, Jeff Pegues, and Andres Triay. 2023, October 6. “FBI Warns of Rising Elder Fraud Crime Rates as Scammers Steal Billions in Savings Each Year.” CBS News. www.cbsnews.com/news/fbi-warns-elder-fraud-crime-rates-rising-scammers-steal-billions-each-year/.

Microsoft. 2023, July 14. “How AI Is Changing Phishing Scams.” www.microsoft.com/en-us/microsoft-365-life-hacks/privacy-and-safety/how-ai-changing-phishing-scams.

 

Topic
Practice Management

Related Events