Responding to Digital Identity Theft: A Guide for Financial Advisors

18Mar

Responding to Digital Identity Theft: A Guide for Financial Advisors

By Peaks Perspective , , ,

The Oasis Group is seeing a rise in financial advisor impersonations on WhatsApp. Cybercriminals use the picture, name, and even some biographical details from the financial advisor’s website. They combine this information with data from the advisor’s Broker Check or LinkedIn profiles, such as employment history. The cybercriminal uses this information to create a fake WhatsApp account that impersonates the financial advisor.

The cybercriminal uses the fake account to promote an investment to get unsuspecting investors to buy shares. Then the cybercriminal sells a large position of that investment at the pumped-up price. This is called a pump and dump scheme, and it is on the rise on WhatsApp.

As a financial advisor, discovering that cybercriminals have impersonated you to perpetrate investment fraud can be both professionally damaging and personally distressing. Beyond the immediate concern of having your reputation exploited, there’s the troubling reality that innocent investors may have lost money because they trusted what they believed was your expertise and guidance.

When you discover your identity has been used in a pump and dump scheme on WhatsApp or other platforms, taking swift, decisive action is essential. This guide outlines the specific steps you should take to report the crime, protect your clients, and help authorities bring the perpetrators to justice.

Notify your compliance department

Your first step should be to notify your compliance department immediately, as they have established processes for handling identity theft and may have resources to assist with reporting. These processes should be outlined in your firm’s Incident Response Plan, and it should include the contact information for local law enforcement and the Federal Bureau of Investigation (“FBI”).

I’ve written in the past about the importance of an Incidence Response Plan. It is essential in today’s cybersecurity environment to have one and it is not your Disaster Recovery Plan. DR plans cover computer outages. IR plans cover cybersecurity incidents.

Reporting Impersonation to Local Law Enforcement

You should document and report the impersonation to your local police department. This starts with a paper trail that outlines when you were made aware of the issue and the specific steps that you took to resolve the issue. This can be critical should the SEC, FINRA, another regulatory body, or law enforcement examine your response.

The following sections will outline how to report the alleged crime. You will note that I use the phrase ‘alleged’ in all cases because the establishment of a crime is best left to law enforcement professionals.

Take the following steps to provide your local police department with the information that they need:

  1. Gather evidence: Before reporting, collect screenshots of the fake profile, any communications you’ve received about it, and documentation from clients who may have encountered the impersonator. Include dates, times, and detailed notes about how you discovered the impersonation.
  2. Contact your local police department: Visit your local police station in person or call their non-emergency number to file a report. Ask specifically to file a report about identity theft and potential financial fraud.
  3. Be prepared with specific information:
    • Your complete identification details
    • All evidence of the impersonation
    • Names and contact information of any alleged victims who have reported interactions with the impostor
    • Information about the stocks being promoted in the scheme
    • Any financial losses reported by the alleged victims
  4. Request documentation: Ask for a copy of the police report and a case number. These will be essential for other reporting steps and may be necessary for communications with your firm’s compliance department and law enforcement.
  5. Follow up: Establish a point of contact at the police department and follow up regularly on the status of the investigation.

While local law enforcement might not have jurisdiction over international cybercrime, this report establishes an official record of the crime and may be essential for insurance purposes or regulatory requirements.

Filing an IC3 Complaint with the FBI

When alleged victims report potential financial losses due to your impersonation, the Federal Bureau of Investigation’s Internet Crime Complaint Center (IC3) becomes a critical reporting venue. Your Chief Compliance Officer should take the following steps to notify the FBI:

  1. Navigate to the IC3 website: Visit www.ic3.gov and click on the “File a Complaint” button.
  2. Create an account or log in: Follow the prompts to establish your credentials in the system.
  3. Complete the complaint form thoroughly:
    • Provide your complete contact information
    • Include detailed information about the impersonation
    • Specify that the alleged crime involves securities fraud and identity theft
    • List all known alleged victims who have allegedly lost money
    • Provide exact details of alleged financial losses if known
    • Upload evidence including screenshots and correspondence
  4. Be specific about the scheme: Detail how the criminals operated, which stocks they promoted, and the specific techniques they used.
  5. Note your professional status: Clearly indicate that you are a licensed financial advisor and that your professional identity was stolen to lend credibility to the alleged crime.
  6. Submit and record your complaint number: After submission, you’ll receive a complaint ID number. Your Chief Compliance Officer must keep this for your firm’s records.

The FBI may contact you for additional information. While they don’t investigate every complaint individually, your report contributes to their intelligence gathering and may help identify patterns that lead to larger investigations.

Reporting the Fake Account to WhatsApp and Meta

Removing the fraudulent profile is crucial to preventing further alleged victims. WhatsApp is owned by Meta, the parent company of Facebook. It can be incredibly difficult to remove the fraudulent account with WhatsApp and Meta. Unrelenting persistence and patience are your allies in this effort. Take the following steps to remove the account:

  1. Report directly within WhatsApp:
    • Your IT team should open WhatsApp and navigate to the fake profile
    • Screen capture all the profile information for evidence
    • Tap on the profile name to view profile information
    • Scroll to the bottom and select “Report contact”
    • Select “They’re pretending to be me or someone I know”
    • Complete the reporting process by following the prompts
  2. Escalate to Meta (Facebook):
    • Visit Facebook’s Help Center to access the dedicated form for reporting impersonation accounts across Meta platforms
    • Complete all required fields, specifying that this is a professional impersonation related to financial fraud
    • Provide links to your legitimate professional profiles or website
    • Upload your identification documents when prompted to verify your identity
  3. Follow up persistently:
    • Document all report reference numbers
    • If the initial report doesn’t result in account removal within 48 hours, submit a follow-up
    • Consider having your firm’s legal department send a formal notice
  4. Request urgent handling: Emphasize that the impersonation is actively being used to commit financial fraud, which may expedite review.

Being impersonated in a financial fraud scheme can feel like a personal violation, and the knowledge that investors may have been harmed using your professional identity adds a layer of distress that shouldn’t be minimized. Remember that you are a victim in this situation, even as you take steps to remedy it.

By taking decisive action, you not only protect your professional reputation but also contribute to the broader fight against financial fraud. Remember that swift action can help minimize damage to both your practice and potential victims of these sophisticated schemes.

The financial services industry is built on trust relationships. While cybercriminals may attempt to exploit that trust, your authentic commitment to your clients’ financial security remains your most powerful asset—one that no impersonator can truly replicate.

Subscribe to The Peaks Perspective Newsletter.

Join our newsletter to get topics like this delivered straight to your inbox every month!
Subscribe Now

 

Share this post

Author

Related Posts

24Feb

Financial Advisor’s Role as Lifelong Financial Coach

Financial advisors have one of the most important jobs out there -... read more

01Apr

Achieving Focus Through Diagnostic Interviewing

Financial advisors have one of the most important jobs out there -... read more

19Jun

Where Does AI Fit in Your Firm’s Future?

This article provides a brief guide to the AI technologies available today,... read more

21Jul

Preparing for the Changing Landscape in Cybersecurity

This article examines the challenges associated with the SEC’s proposed rule, the... read more

17Sep

Secure Your Digital Life by Using Multiple Email Accounts

In today's fast-paced digital world, where cyber threats are always lurking, safeguarding... read more

13Feb

Ransomware Group BlackCat/ALPHV Weaponizes SEC Disclosure Rules

The digital era has brought with it an increase in cyber threats... read more

16Jan

Why You Should Start Your Year With a Technology Assessment

Wealth management firms are grappling with an increasing demand for transparency, personalization,... read more

16Nov

Unlocking Success: Key Considerations for Selecting the Perfect Technologies for your Wealth Management Firm

Wealth management firms are grappling with an increasing demand for transparency, personalization,... read more

17Dec

The Limitations of SOC2 Audits in Preventing Cybersecurity Breaches: A Critical Analysis

SOC2 audits have become the de facto standard for demonstrating security compliance... read more

19May

Why You Should Not Use Your Company Email for Personal Purposes

Do you use your company email for personal purposes? If so, you... read more