By Les Abromovitz, Senior Director
On March 12, 2022, in South Florida, the computer screen of a seemingly sharp Ph.D. in her early seventies went crazy. A phone number appeared on her screen, purportedly for Microsoft. The supposed Microsoft customer service representative told the woman that her computer contained a trojan horse inserted there by an international gaming company. The representative lied that the gaming company had already received preapproval to take $4,500 from her Bank of America checking account and would soon be accessing the remaining $3,300.
He transferred the woman to another scammer who supposedly worked for the FDIC and was conducting an undercover investigation of a Bank of America employee. The scammer instructed the woman to take all of the cash from her Bank of America account and told her to deposit the money in a cryptocurrency ATM. The scammer kept her on the line and explained how to open the account in order to make the deposit. He also warned her that she should not tell anyone about the “investigation.” Soon thereafter, the woman’s new cryptocurrency account was emptied by the scammers.
Although Bank of America gives customers the opportunity to designate a trusted contact, this woman did not have one. The trusted contact undoubtedly would have seen the obvious red flags of fraud and stopped the woman from flushing her money into a cryptocurrency ATM.
RIAs should encourage clients to designate a trusted contact
Registered Investment Advisors (“RIAs”) should consider encouraging their clients to designate a trusted contact to protect their clients and fulfill their fiduciary obligations. On March 4, 2020, the SEC’s Office of Investor Education and Advocacy (“SEC OIEA”) and FINRA issued an Investor Bulletin that urged broker-dealer customers to add a trusted contact person to their brokerage account. On September 28, 2021, FINRA, and the North American Securities Administrators Association (“NASAA”) announced a new campaign designed to encourage investors to provide their financial firms with a trusted contact. The OIEA joined in the initiative.
FINRA Rule 4512 requires FINRA member firms to ask an investor for the name and contact information of a trusted contact person when they open or update a non-institutional customer’s account. Designation of a trusted contact person authorizes a broker-dealer to communicate with that individual in limited circumstances if the firm has a reasonable belief that the customer’s account may be exposed to possible financial exploitation.
Ohio’s Division of Securities strongly encourages investment advisors registered in that state to obtain clients’ trusted contact authorizations as a best practice. This trusted contact authorization can be similar to the trusted contact authorization executed between clients and custodians. According to The Ohio Investment Adviser and Investment Adviser Representative Handbook 3.0, the trusted contact authorization should be updated when necessary. There is no prescribed format for the authorization.
As part of their fiduciary duty, investment advisors should implement policies and procedures to protect senior investors. SEC examiners often request information about an RIA’s policies and procedures governing the firm’s efforts to obtain a client’s trusted contact.
Aside from encouraging clients to execute a trusted contact authorization, RIAs should consider educating them regarding scams and cyber-threats in their newsletters and during client meetings. It may also benefit RIAs if they alert clients to FBI Public Service Announcements (“PSAs”) describing fraudulent schemes that might ensnare their clients.
On November 4, 2021, the FBI warned the public of fraudulent schemes that leverage cryptocurrency ATMs and utilize Quick Response (“QR”) codes to facilitate payment. The FBI’s PSA reported that it has seen an increase in scammers who direct victims to use physical cryptocurrency ATMs and digital QR codes to complete payment transactions. The FBI observed that the scammer directs the victim to a physical cryptocurrency ATM to insert their money, purchase cryptocurrency, and use the provided QR code to auto-populate the recipient address. As was the case with this individual, the scammer communicates continually with the victim and provides step-by-step instructions until the payment is completed.
On March 16, 2022, four days after this woman was scammed, the FBI issued another warning:
Tech and Customer Support Fraud involves a criminal posing as technical or customer support/service to defraud unwitting individuals. Criminals may offer support to resolve such issues as a compromised email or bank account, a virus on a computer, or a software license renewal. Recent complaints involve criminals posing as customer support for financial institutions, utility companies, or cryptocurrency exchanges.
According to the FBI’s PSA, the use of cryptocurrency and cryptocurrency ATMs is an emerging method of payment that is integrated into the scheme.
Another lesson learned from this woman’s experience is that even the brightest client might be victimized by a scheme that most of us would recognize right away to be fraudulent. Having a trusted contact authorization in place might be a best practice, even when clients appear to be sharp and seasoned investors.
“Investor Bulletin: Please Consider Adding a Trusted Contact to Your Account,” March 4, 2020, https://www.sec.gov/oiea/investor-alerts-and-bulletins/ib_trustedcontact.
“FINRA, NASAA, and SEC OIEA Urge Investors to Establish a Trusted Contact to Increase Investor Protection,” September 28, 2021, https://www.nasaa.org/industry-resources/senior-issues/.
The Ohio Investment Adviser and Investment Adviser Representative Handbook 3.0, https://com.ohio.gov/static/documents/secu_OhioAdvisoryPackage.pdf.