In a new twist, cyber-robbers are using ginned-up e-mail messages in attempts to con financial advisers into wiring cash out of their clients' online investment accounts.
If the adviser falls for it, a wire transfer gets legitimately executed, and cash flows into a bank account controlled by the thieves - leaving the victim in a dispute with the financial adviser over getting made whole.
Anecdotal evidence of this ruse - directed at financial planners, estate lawyers and other advisers who rely on e-mail and online banking to work with clients - has just begun to surface, say tech security and online banking experts.
"It's the Willie Sutton principle at work," said Adam Dolby, an independent banking security consultant. "Robbers go where the money is."
IDentity Theft 911, a theft-recovery service, is working on a case where a faked email led to a $35,000 transfer into a thief's account.
"That victim may be looking at a complete loss," investigator Mark Fullbright said.
In another recent caper, a veteran financial planner was fooled by a Gmail message appearing to arrive from an insurance company executive, said Adam Levin, IDentity Theft 911's chairman. The email carried instructions to wire $15,850 into an account at PNC Bank, worded in a casual style similar to past emails the financial adviser had received from the executive, Levin said.
Luckily, the financial planner phoned his client to clarify which account to pull the money from. "They determined it was a fraudulent email," Levin said.
Cybercriminals have discovered that investors now routinely rely on email to authorize personal advisers to execute financial transactions. Search engines and social networks have made finding and profiling potential victims, and their advisers, easy.
Taking over or impersonating someone's email account likewise isn't hard to do. "It's low-tech," said John Zurawski, a vice president at Authentify, supplier of single-use PIN codes delivered by cellphone text messages. "Instead of managing layers of malicious software, all the bad guys need is e-mail and phone skills."
This new scam is the latest strain of a long-running crime wave that preys mainly on small and midsize organizations. The banking industry has steadily been making it tougher for hackers to use computer infections to carry out wire transfer fraud against small organizations, said Jon Callas, chief technology officer at authentication firm Entrust.
"The shift to personal advisers and individual wire transfers is an indication that the well is running dry for them with small businesses and small government," he said.
Explore further: Caller ID spoofing scams aim for bank accounts