We're sending this update to you because a few of our clients have been subject to a scam that is simple in concept yet sophisticated in execution, with one client losing in excess of $600,000. As we share the story with more people, one-on-one, in compliance committees, at compliance forums, via our regulatory update subscription service and elsewhere, we are hearing more variations of the same scam. People are often unwilling to talk about it, because being caught is, well, embarrassing.

Here's how it works, as described in our October regulatory update (for subscribers to our T-REX service):

We have recently been involved in advising clients caught by a scam targeting financial advisers and their clients. Scammers are hacking into client email accounts, posing as those clients and emailing financial advisers to request large withdrawals from the client's portfolio and payment into a third party bank account. The scam is sophisticated: the scammers read through the client's emails, refer to previous conversations between the financial adviser and the client, and imitate the client's conversational style. Tip: Ensure you confirm any withdrawal request with your client in person or by telephone, using a telephone number you already hold on file rather than one supplied in the email, particularly if you receive an email requesting payment into a third party bank account. Ensure these procedures are followed, especially when a client travels overseas.

Following that release, and after conducting more research, we've seen more iterations of the scam:

  1. An overseas advisory firm, as reported in the Wall Street Journal, was caught by the same tricks; because of the impression of urgency, the adviser "skipped" the internal telephone verification protocol.
  2. Simple telephone verification is not a cure-all. A financial planning dealer group colleague reported that one scammer pre-empted telephone verification: the scammer called in, successfully impersonated the spouse of her planner's client, and knew enough about the client to carry on a conversation, effectively removing the perceived need for further telephone verification before a third party transfer.
  3. One of our adviser clients required the scammer, still masquerading as the adviser's client, to complete a third party account opening form so that money could be moved from the client's platform-managed bank account to the third party account. The form was emailed to the client's email address (the very account the scammer controlled), fraudulently signed, returned, and the account was opened and the money transferred. A check that runs through the compromised channel adds no protection.
  4. Scammers are reading the scope of advice and goals described in advice documents and telling advisers things like "in line with my goals, I'd like to help my daughter buy her next house." Tight payment deadlines are then imposed to create a sense of urgency, coinciding with excuses such as "global roaming not working" to avoid telephone confirmation.

We're often told about the scams because our clients want to do the right thing and, if necessary, notify ASIC of a breach of the financial services laws. As you know, both ASIC and AUSTRAC have breach or notification reporting mechanisms. If you and your client are subject to fraud, this does not automatically mean you have breached your Australian Financial Services Licence (AFSL) obligations. However, the steps leading up to the fraud need to be carefully assessed to ensure that normal disclosure and conduct rules have been complied with. Nor does it automatically mean you must lodge a suspicious matter report with AUSTRAC. Despite this, in a number of instances you may decide to notify regulators so that they have market intelligence on current scams and can provide further guidance to industry to help avoid them in the future.

Of course, your disgruntled client is also likely to come to you seeking compensation on the grounds that you acted negligently or in breach of contract by not detecting and preventing the fraud.

So, what should you do now?

  1. Ensure that your procedures regarding dealing and suspicious matter reporting are up to scratch.
  2. Ensure that staff are trained on the red flags associated with the scam: a request for a new third party money transfer (always), the client being on holidays or overseas (sometimes), urgency (sometimes), and a reason offered for why the client cannot be reached by telephone (sometimes). Search for the terms "wire transfer fraud" or "business email compromise" if you'd like plenty more case studies of this scam.
  3. Ensure that all third party transfer requests are orally confirmed in a way that is unique to the client, by calling a telephone number already held on file and not one supplied in the request. Because a caller can be impersonated (see point 2 above), set up a code word or test question when you first deal with the client, and never refer to it in an email.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.