How to Avoid Phishing Scams in Investment Management

Phishing scams are a growing threat to investment firms, but with extra awareness and proactive measures, you can stay a step ahead of the fraudsters.

Financial services is one of the top 3 most affected industries when it comes to data breaches.

And according to Statista, 18% of phishing attacks worldwide were directed towards financial institutions.

Scammers love to target investment managers because of the valuable data they hold, as well as the perceived lack of security around that data.

They bank on your gullibility and lapses in judgment, so that you fall into their trap.

You don't have to fall for their dirty tricks. With a bit of knowledge and awareness, you can avoid being their next victim.

What is a Phishing Scam?

A phishing scam is a type of fraudulent activity, where the person reaching out to you looks like someone you know or appears to be from a reputable organization.

They will call or email you, and through their deceptive communication, they establish a sense of familiarity and credibility. They might pretend to be a client or say they work at a bank or for the credit card company.

They might call and say you missed a payment, or they'll send you a link to view a document.

They may ask you to share sensitive information, like passwords, credit card numbers, bank account details, Social Security numbers, etc.

If you click their links or download their attachments, malware could be installed on your devices that obtains the files on your device and tracks your keystrokes.

Once they get what they want, the security around your various accounts and electronic devices has been compromised.

How to Avoid Phishing Scams

Check the Sender's Email Address

Some scammers will send an email that appears as if someone called you.

For their contact name, they will use one that appears reputable, like Speakeasy, as shown above.

Speakeasy is a reputable organization and a commonly used service provider for business communication.

The scammers will assume at least a few of the people they target are using those services. In that case, the recipient is more likely to believe the email is trustworthy, knowing they use that service.

However, the sender is not who you think it is.

Look at the sender's email address. You may discover their email address domain doesn't match who they said they are.

If they sent a link or attachment, do not open it.

Check The Email Domain in Google

Sometimes the email domains look legitimate, but you can never be too careful.

Go into Google and type in the web domain and/or email domain. Put your search in quotations for a more specific result. Does it appear legitimate?

You might see results from other sites reporting that the domain is scammy or spammy.

Call the Sender and Confirm They Emailed You

So you've checked the sender's email address, and you have confirmed it is from a person or organization you know.

You noticed they sent an attachment or a link. They made a request for you to sign something or click a link to fill out a form.

If you were not expecting such a request and/or you think it is unusual, do not open either.

If you know the sender, call them. Confirm they know they sent an email to you with a request.

It is possible the sender's email was hacked, and now the hacker is emailing every one of their contacts.

Without you calling, they might not have known their email was hacked, and the ball is in the sender's court to fix the issue. If they say they didn't email you, now you know not to open the links or attachments.

Pay Attention To Writing Skills

The scammers will try to appear legitimate. They will use well-known organization logos and create a signature with a real name and real addresses of that organization.

However, their writing skills may expose their cover.

Pay attention to blatant grammar mistakes, spelling and punctuation errors and inconsistencies, poor word choice, and bad formatting (i.e. lack of appropriate spacing between paragraphs).

These are mistakes that can't be explained by a mere typo. They are mistakes that the person the scammers are impersonating wouldn't be making.

And there are two plausible reasons for these mistakes:

One is that English may not be the scammer's first language. Writing skills will vary, and some are better at their impersonations than others.

The second reason is that the "mistakes" are done on purpose. Cybersecurity expert Joseph Steinberg makes the case that scammers intentionally place mistakes to avoid email spam filters. After that, all they need is one or two people to fall into their trap.

In any case, check their email domain whenever you have doubts.

Notify Your IT Department

Whenever you see a suspicious email, report it. If you have an IT department, let them know about it so that they can alert others to be aware of such emails. Plus, they can block incoming mail from that domain.

Another thing IT can do is set up your email so that it warns you when there is an email outside your known network.

They can also require multi-factor authentication for logging in, as well as mandatory password changes every x number of days.
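As an added example (not part of the original article), here is one way IT could automate the sender check from "Check the Sender's Email Address" together with the outside-the-network warning described above. The brand-to-domain map, the internal domain and the sample headers are constructed placeholders; substitute the real domains your vendors send from.

```python
from email.utils import parseaddr

# Assumed configuration (placeholder values, not from the article):
# brands your firm deals with, mapped to the domains they really send from.
KNOWN_BRANDS = {"speakeasy": {"speakeasy.example"}}
INTERNAL_DOMAINS = {"firm.example"}


def domain_matches(domain, allowed):
    """True if domain equals an allowed domain or is a subdomain of one."""
    return any(domain == a or domain.endswith("." + a) for a in allowed)


def check_sender(from_header):
    """Return a list of warnings for one From: header value."""
    display, address = parseaddr(from_header)
    if "@" not in address:
        return ["unparseable sender address"]
    domain = address.rsplit("@", 1)[1].lower()
    warnings = []
    # Warning IT can add: the mail comes from outside the known network.
    if not domain_matches(domain, INTERNAL_DOMAINS):
        warnings.append("external sender")
    # Display name borrows a trusted brand, but the address domain is not theirs.
    for brand, allowed in KNOWN_BRANDS.items():
        if brand in display.lower() and not domain_matches(domain, allowed):
            warnings.append(f"display name claims '{brand}' but domain is {domain}")
    return warnings


# Constructed sample From: headers for illustration.
SAMPLES = [
    "Jane Doe <jane.doe@firm.example>",
    "Speakeasy <notify@mail.speakeasy.example>",
    "Speakeasy Voicemail <noreply@voicemail-alerts.example>",
    "Speakeasy <notify@speakeasy.example.billing-portal.example>",
]

if __name__ == "__main__":
    for header in SAMPLES:
        print(header, "->", check_sender(header) or "no warnings")
```

The last sample shows why the comparison is made against the end of the domain: a trusted name placed at the start of a longer domain still belongs to whoever owns the rightmost part.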

Educate Staff and Clients

The more sophisticated scammers will find people within an organization and send emails pretending to be a colleague.

They could successfully hack into one's email or a company database and send emails to your clients pretending to be part of your organization.

Vice versa, clients' emails could be hacked, and the scammers target you.

Cybersecurity isn't just a concern for IT. Individuals themselves must take responsibility. Educate your staff and clients on these possible scenarios. Show them examples of phishing scams to look out for.

Encourage clients to set up multi-factor authentication for their emails and to change passwords regularly.

Show them how to check the site domain. Also, have them call colleagues or clients to confirm emails sent.

Prevent Against Phishing Threats

Phishing scams are increasingly common, and they pose an ever-growing risk to investment managers.

Fortunately, with awareness of the threat and knowing how to stop it, you can render the scammer's efforts worthless.

Check the email sender's domain. Call the email sender to confirm they emailed you. Pay attention to blatant writing mistakes. Notify IT. Educate your staff and clients.

By taking these measures, investment managers and their clients do everything to stop the bad guys.
