WHEN RACHEL WILSON WAS A KID, gripping tales of wartime code-breaking were her dad’s idea of bedtime stories – and the little girl was fascinated. “I became very interested in code making and code breaking, and also in serving my country,” says the Northern California native.
Following her passion, Wilson would grow up to lead first the National Security Agency’s counter-terrorism mission, and later its cyber-exploitation mission. Currently Morgan Stanley Wealth Management’s cybersecurity chief, Wilson talks with Barron’s Advisor about how fraudsters are trying to gain an edge in data theft and how advisors can stay a step ahead. And she reveals how a bunch of cyber criminals “in a basement somewhere in Tehran” drew her to Wall Street.
Q: What is your job description?
A: My job is to make sure every system, every network, every application we field across 600 branches, 15,550 financial advisors and 3.2 million client relationships is as safe and secure as we can make it.
My team was formed at the beginning of 2017 out of recognition that the nature of our business model was changing. We wanted our advisors to be able to safely access the totality of Morgan Stanley’s intellectual property from anywhere, and we wanted our clients to do and see much more through Morgan Stanley online. Enabling these things meant we needed cybersecurity controls.
Q: What kinds of schemes are you protecting against these days?
A: Think about where we were with phishing campaigns years ago, when we got emails designed to make you open an attachment or go to a website and share personal information.
Well now we see a trend of spear-phishing email, which is designed specifically for you. These fraudsters will do an exorbitant amount of research into the person they are targeting. They are co-opting email accounts of real people and mining social media. Think of everything in your email. If someone can get into your email, read all your emails you have ever sent and received, then they know a lot about you. They’d have a good sense of who your financial service firms are, who your advisor is, how you communicate and your communication style. So what we see happen is, if you’re a financial advisor, you start receiving emails from someone who may sound just like your client, when in fact the account has been co-opted by the fraudster.
This is why financial service firms are so militant about not accepting instruction over email. They have low confidence that the email is truly from the person it says it is.
Q: So how are fraudsters getting ahead of the game, if advisors aren’t accepting instructions from clients electronically?
A: It is still possible. The hacker injects himself into a legitimate transaction. For example, the hacker gets into an email and gets ready for a significant transaction—maybe it’s a purchase or transfer of assets—and at the right moment sends instructions for assets to be transferred somewhere else. We see a ton of this with title companies and escrow accounts.
Q: And so how is this prevented?
A: If the financial advisor asks if a client sent instructions, and the client says yes, it still has to be a digit-by-digit verification of the transaction numbers.
Q: In those types of scams, the victim inadvertently reveals sensitive personal information to a criminal. If you’re super-careful not to do that, and do the digit-by-digit verifications, are there other ways you can still be vulnerable?
A: We see clients with malware infections. The malware sits in the background and harvests their keystrokes. It takes screenshots of wherever someone’s going, using all of that to harvest the logins and passwords for credit card logins, banking and investment accounts. Then the hacker locks the individual out of their digital existence in one fell swoop. They go in at 1 a.m. and change all of the logins and passwords, and then that individual can’t get into their accounts.
In some examples, we also see hackers go after the mobile [phone] account, and they make it very difficult for you to be reached by anyone. The longer the window of time where they’re able to operate with freedom, [the greater the] margin for fraud opportunity.
Q: Who are the criminals?
A: Ten years ago, most of the activity going on online was by nation states’ intelligence agencies. What we’ve seen over the last five years is a proliferation of pretty advanced cyber-capabilities; things that once would have been the purview of nation states are available to traditional fraudsters.
Two things have happened: A lot of these high-end capabilities have been disclosed in various forms, in many cases by security researchers as they discover things that nation states are doing. They publish those tactics and they become known to those who would use them for ill. Also, there’s been a proliferation in the ability to learn about these capabilities. My son, how does he learn to do something? He watches a YouTube video.
Q: Where do these scams originate?
A: They are coming from all over the place, but it’s difficult to assess—they work hard to obfuscate where they are coming from. Many of these cyber actors are operating from areas where U.S. law enforcement doesn’t have a lot of jurisdiction or influence, where we don’t have extradition agreements. And even if we determine where they are and where they are trying to send money, in a lot of cases they use what we call mule accounts. The owner of the account is an innocent bystander.
Q: That sounds like a hopeless situation. Is it?
A: It is a cat-and-mouse game. I don’t think all is lost. In financial services we recognize we are such a prominent target that we’ve done a great job shoring up control. The cyber teams across financial services are constantly putting our heads together to hear about the latest activity and what can we do as a sector to guard against it. It’s a very collaborative space.
Q: Do the bad guys only go after really big accounts? Are the smaller ones safer?
A: It’s a bit of both. If you’re a prominent ultra-high-net-worth individual, publicly known and your wealth is apparent, certainly we see those folks targeted. They’re big fish and the payout has the potential to be very large. At the same time, those people are savvy and cognizant, so maybe they invest in more protection.
Q: How do scammers target potential victims?
A: They do scans of a broad swath of the internet to see who is vulnerable. They work to monetize that. There’s been a focus recently on some of the local and regional banks, brokers and advisors. Hackers know they don’t have the same investment pool and they haven’t hired the same level of cybersecurity experts as many of the larger firms. I’m spending more and more time in this job working at the local level.
Q: Ransomware attacks have been in the news lately, crippling cities such as Baltimore and Atlanta. Are financial companies vulnerable?
A: Fraudsters are entirely opportunistic; everything from local government to school districts has been targeted, but lots of companies experience this too—from large global companies to smaller companies, law firms, accounting firms, any place fraudsters can get where there is significant data that they can hold for ransom. Even individuals on their personal computers.
I never recommend paying a ransom. We recommend having data appropriately backed up. We see a lot of people paying, and what happens is you pay the first $50,000 in bitcoin equivalent and they give you a little bit of data back, then they ask you for more for the rest of the data and at that point, there’s no going back.
Ransomware attacks have been more lucrative this year than ever. There’s actually some talk now about making it illegal to pay ransoms, because the more people pay, the more it incentivizes the criminals.
Q: Should all advisors be concerned?
A: Yes, given that they are responsible for and have access to client information and can move assets between accounts, they should absolutely be concerned and talking to clients.
Q: What can they do?
A: Talking to your clients about cybersecurity well in advance of anything happening is critical. An ounce of prevention is worth a pound of cure. Be skeptical of email, cautious about downloading anything. Aside from advisors having the conversations, financial service firms are trying to make strong authentication technologies available to clients. Multi-factor authentication is the best we can do; it can go a long way to preventing this fraud. This goes beyond a login and password. We give clients different options for how they want to authenticate their accounts.
Even simple behavioral things are important, like not using the same password for a banking or brokerage account that you use anywhere else on the internet. Use a unique password for a high-consequence account.
Q: Do clients generally understand the importance of following procedure? Are they cooperative?
A: We survey our clients every year and ask them what they’re most concerned about. For the last two years the answer is not volatility or natural disasters; it is data protection. The wealthier the individual, the more likely they answer cybersecurity and data protection.
Q: Can you quantify the cybercrime problem?
A: The numbers are staggering. Cybercrime damages are expected to be at $6 trillion by 2021.
Q: Any other newer types of fraud to keep an eye out for?
A: What we’re seeing is counterintuitive, somewhat. It’s around paper. Firms recognize cyber fraud is so big, so they’re introducing controls like multi-factor authentication, call-back verification. But it’s like squeezing a balloon. This has forced fraudsters back to traditional frauds circa 1986: check washing. If they can get a hold of a name and address on a check, they take the name, account number and routing number and just print new checks. That’s a huge issue, because there are no digital forensics for the signatures on checks.
When an advisor puts you in investments, you look at basis points of return. We look at fraud the same way: How many basis points of fraud did we experience against a payment channel? Things like checks, even debit cards, have higher basis points of fraud than many of the digital transaction methods. If a client uses electronic bill payment, you reduce the exposure of the routing number and account number and when moving through the online process, they use strong authentication and we have the digital forensics to give us a higher degree of assurance that the activity is legitimate.
Q: What does the future for cybersecurity look like for U.S. financial service companies?
A: We aren’t breeding new cybersecurity specialists fast enough. We don’t have enough people to fill these jobs. This leaves me concerned. We need to get more people, men and women, involved in STEM early on to think about cybersecurity as an option. I spend a lot of my giveback time talking at schools about cybersecurity, telling young people that it is a hugely rewarding field.
Q: After years at the NSA, was there a single event that prompted you to think about getting into the financial world?
A: It was never my plan. I thought I was going to be a lifer in government. But there was a moment that changed my mind. It was back in the 2012 to 2014 timeframe, a crazy time where essentially the Iranian government had made it part of its strategy to retaliate against economic sanctions around their nuclear program, and they started conducting distributed denial of service attacks. This means they throw a whole bunch of packets (units of data) against websites so customers can’t log in. They’re never going to sail an aircraft carrier into New York harbor, but they put a bunch of guys in a basement in Tehran and they wreak some disruption. It’s a way to hit back.
This was frustrating because the relationship between the financial sector and government entities was not as robust. Now, we work together to better secure ourselves. But before, it was difficult to sit by and watch these attacks happen and not be in a position to help defend Wall Street, which is a critical piece of the U.S. infrastructure.
I thought if I ever leave government, I would come to the financial service sector. We’re protecting Wall Street, but it’s really protecting main street. It’s people’s life legacy. This is the next step in my patriotic journey.
Q: Thanks, Rachel.