Malicious fraudsters are breaking into email accounts to transfer funds from online brokerage accounts and other forms of stock fraud.
An independent regulator for securities
firms has warned investors of a growing number of financially motivated attacks
targeting email accounts.
Malicious attackers are compromising
user email accounts and sending trading instructions, the Financial Industry
Regulatory Authority said in an investor alert issued Jan. 27. Similar warnings
have been issued by the FBI and the Financial Services Information Sharing and
The incidents highlight "some of
the risks" associated with being able to transmit or withdraw funds via
email, the notice said. After compromising an email account, the attackers
obtain the information needed to request wire transfers to accounts overseas,
FINRA said. The accounts are also used to send authorization letters to the
brokerage firms approving the transfer of funds without the investors'
"FINRA has received an increasing
number of reports of incidents of customer funds stolen as a result of
instructions emailed to firms from customer email accounts that have been
compromised," according to the investor alert.
Some firms released the funds despite failed
attempts to verify the instructions by phone, FINRA said. In at least one case,
the fraudsters sent an email stressing the urgency of the requested transfer,
forcing the brokerage firm to release the funds before verifying the
instructions, FINRA said.
Investors should monitor their accounts
for signs of being compromised, for such things as reports of spam, bounced
email messages or unexplained password changes, according to the alert.
Investors should also monitor their accounts for unauthorized transactions.
This kind of financial fraud totals
approximately $23 million, according to figures provided by the FBI. Actual
victim losses are approximately $6 million.
The FINRA warning was issued a day
after the U.S. Securities and Exchange Commission charged a trader with hacking
into user accounts and manipulating stock prices. Four brokerage firms were
also charged in the case for being unregistered and still allowing the trader
to make trades in the U.S. securities market, according to a complaint filed by
the SEC in a federal court in San Francisco.
A trader in Latvia was charged with breaking
into online brokerage accounts 159 times between 2009 and August 2010, the SEC
said Jan. 26. Igors Nagaicevs allegedly manipulated prices for more than 100
securities listed with the New York Stock Exchange and NASDAQ exchanges by
making unauthorized purchases and sales, making $874,896. His stock fraud
scheme may have cost investors more than $2 million, according to the SEC
Nagaicevs is accused of setting up
accounts with eight unregistered brokerage firms, four of which are based in
the United States to trade in the U.S. securities market. He then hacked into online
accounts at other broker dealer companies and used their client investors' cash
funds to make unauthorized trades of stock and securities, the SEC said in a
complaint filed in a federal court in San Francisco. The unregistered brokerage
accounts made the trades in accounts using the company names, allowing
Nagaicevs to make the trades anonymously.
"Nagaicevs engaged in a brazen and
systematic securities fraud, repeatedly raiding brokerage accounts and causing
massive damages to innocent investors and their brokerage firms," said
Marc J. Fagel, director of the SEC's San Francisco regional office.
Nagaicevs allegedly generated profits
of $14,000 in 32 minutes by driving up the stock price of a NYSE-listed company
using the hacked accounts, and then buying and selling securities at those
artificial prices through the anonymous brokerage accounts. The broker-dealer
companies were forced to reimburse the investors who had been hacked.
Four firms-Alchemy Ventures, KM Capital
Management, Zanshin Enterprises and Mercury Capital-face charges for giving
Nagaicevs access to the markets despite not being registered. Associates at
Mercury and Zanshin have agreed to settle for $35,000 each in fines. If these
firms had been registered brokerage firms, they would have been required to
implement safeguards, which would have flagged Nagaicevs' malicious activity