An independent regulator for securities firms has warned investors of a growing number of financially motivated attacks targeting email accounts.
Malicious attackers are compromising user email accounts and sending trading instructions, the Financial Industry Regulatory Authority said in an investor alert issued Jan. 27. Similar warnings have been issued by the FBI and the Financial Services Information Sharing and Analysis Center.
The incidents highlight “some of the risks” associated with being able to transmit or withdraw funds via email, the notice said. After compromising an email account, the attackers obtain the information needed to request wire transfers to accounts overseas, FINRA said. The accounts are also used to send authorization letters to the brokerage firms approving the transfer of funds without the investors’ knowledge.
“FINRA has received an increasing number of reports of incidents of customer funds stolen as a result of instructions emailed to firms from customer email accounts that have been compromised,” according to the investor alert.
Some firms released the funds despite failed attempts to verify the instructions by phone, FINRA said. In at least one case, the fraudsters sent an email stressing the urgency of the requested transfer, forcing the brokerage firm to release the funds before verifying the instructions, FINRA said.
Investors should monitor their accounts for signs of being compromised, for such things as reports of spam, bounced email messages or unexplained password changes, according to the alert. Investors should also monitor their accounts for unauthorized transactions.
This kind of financial fraud totals approximately $23 million, according to figures provided by the FBI. Actual victim losses are approximately $6 million.
The FINRA warning was issued a day after the U.S. Securities and Exchange Commission charged a trader with hacking into user accounts and manipulating stock prices. Four brokerage firms were also charged in the case for being unregistered and still allowing the trader to make trades in the U.S. securities market, according to a complaint filed by the SEC in a federal court in San Francisco.
A trader in Latvia was charged with breaking into online brokerage accounts 159 times between 2009 and August 2010, the SEC said Jan. 26. Igors Nagaicevs allegedly manipulated prices for more than 100 securities listed with the New York Stock Exchange and NASDAQ exchanges by making unauthorized purchases and sales, making $874,896. His stock fraud scheme may have cost investors more than $2 million, according to the SEC complaint.
Nagaicevs is accused of setting up accounts with eight unregistered brokerage firms, four of which are based in the United States to trade in the U.S. securities market. He then hacked into online accounts at other broker dealer companies and used their client investors’ cash funds to make unauthorized trades of stock and securities, the SEC said in a complaint filed in a federal court in San Francisco. The unregistered brokerage accounts made the trades in accounts using the company names, allowing Nagaicevs to make the trades anonymously.
“Nagaicevs engaged in a brazen and systematic securities fraud, repeatedly raiding brokerage accounts and causing massive damages to innocent investors and their brokerage firms,” said Marc J. Fagel, director of the SEC’s San Francisco regional office.
Nagaicevs allegedly generated profits of $14,000 in 32 minutes by driving up the stock price of a NYSE-listed company using the hacked accounts, and then buying and selling securities at those artificial prices through the anonymous brokerage accounts. The broker-dealer companies were forced to reimburse the investors who had been hacked.
Four firms-Alchemy Ventures, KM Capital Management, Zanshin Enterprises and Mercury Capital-face charges for giving Nagaicevs access to the markets despite not being registered. Associates at Mercury and Zanshin have agreed to settle for $35,000 each in fines. If these firms had been registered brokerage firms, they would have been required to implement safeguards, which would have flagged Nagaicevs’ malicious activity much sooner.