Wealth Management Account Takeover – An old scheme with a new twist

Brokerages and financial institutions that offer wealth management services need to be on the lookout for a fraud scheme that hinges on taking over wealth management accounts.
Put simply, a criminal buys a stock, manipulates the stock price higher, and then sells his position, making a profit. It’s a classic “pump & dump” scheme (i.e. pump up the price, then dump the stock). But this time it has a new, modern twist.
Fraud Incident Details
1. Criminals identify target stocks they’ll use for this scheme, typically thinly traded securities where even modest volume can have an impact on price. They buy shares to hold in their own account.
2. They compromise a brokerage or wealth management account, or more likely many accounts, and begin reconnaissance, monitoring frequency of activity and account balances.
3. When the time is right, they sell holdings in the compromised accounts and use the proceeds to buy shares in their target stock. They will do this across all of the accounts they’ve compromised, pushing the price higher. They will often also send emails, posing as an analyst or advisor, encouraging others to buy the stock, further inflating the price. The initial buy action can demonstrate market interest in the stock to the readers of the email, validating the prediction for a nice run-up.
4. Once the stock price has risen sufficiently, the criminal will sell his position, reaping a nice gain relative to his purchase price, and leaving his victims’ accounts in tatters.
What’s New About this Scheme?
Pump & dump schemes have been around for a long time, historically relying on email to get others to bid the price up. In this new version, the criminal is taking an active role in inflating the price by compromising brokerage and wealth management accounts and using other people’s money to force the price up.
Who’s Hurt?
Even though the criminal is manipulating the stock price, which is illegal, he is not actually stealing money from anyone, so one might wonder who really is hurt by this scheme.
The victims whose accounts have been compromised are hurt because their portfolios have been completely rearranged. The criminal may have sold stocks that the victim didn’t want to sell, realizing a gain with tax implications. The victim also ends up with holdings they never wanted, whose value may fall below the purchase price once the criminal dumps his holding, resulting in a loss for the victim.
The other victims are the financial institutions with whom the victimized investors have placed their money and their trust. They will have some unhappy account holders wondering how the FI could allow the trades to go through, and they may have to provide restitution to the victims to avoid losing the business. They also risk damage to their brand and reputation.
Prevention Tips
To execute this scheme, criminals need to log into their victims’ brokerage or wealth management accounts. By modeling account access behavior, financial institutions could detect anomalies that indicate the account has been compromised. Specific signals could include:

  • The account was accessed from a device with a different operating system, browser, or other characteristics
  • The account was accessed through a different network or Internet service provider using a different IP address
  • Timing of the account access was inconsistent with when (time of day, day of the week) the victim typically accesses their account
  • The frequency of access was inconsistent with previously established patterns. For example, the victim typically only accesses his account once a month, and then there’s a flurry of multiple logins over just a couple of days.
  • A combination of all of the above, especially when the variation of any one factor seems minor all by itself.
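
One way to combine these signals into a single per-account score, as an added example that is not from the original article or from Guardian Analytics. The field names, the sample logins, the equal signal weights and the alert threshold are all assumptions made for illustration.

```python
from collections import Counter
from datetime import datetime, timedelta

ALERT_THRESHOLD = 2.0  # assumed: one signal (max 1.0) can never alert by itself

def build_baseline(history):
    """Summarise past logins (time-ordered dicts with ts, device, isp)."""
    n = len(history)
    span_days = max((history[-1]["ts"] - history[0]["ts"]).days, 1)
    return {
        "n": n,
        "per_day": n / span_days,
        "device": Counter(h["device"] for h in history),
        "isp": Counter(h["isp"] for h in history),
        "daypart": Counter(h["ts"].hour // 6 for h in history),
        "weekday": Counter(h["ts"].weekday() for h in history),
    }

def score_login(baseline, login, recent):
    """Return (total, alert, signals); `recent` = logins since the baseline."""
    n = baseline["n"]
    def rarity(key, value):  # 0.0 = the usual value, 1.0 = never seen before
        return 1.0 - baseline[key][value] / n
    # Frequency: logins in the trailing two days versus what the baseline predicts.
    since = login["ts"] - timedelta(days=2)
    burst = 1 + sum(1 for r in recent if since <= r["ts"] < login["ts"])
    expected = max(2 * baseline["per_day"], 1.0)
    signals = {
        "device": rarity("device", login["device"]),
        "isp": rarity("isp", login["isp"]),
        "daypart": rarity("daypart", login["ts"].hour // 6),
        "weekday": rarity("weekday", login["ts"].weekday()),
        "frequency": min(max(burst / expected - 1.0, 0.0), 1.0),
    }
    total = sum(signals.values())
    return total, total >= ALERT_THRESHOLD, signals

# Constructed data: a login every four weeks, Saturday evening, same device and ISP.
HISTORY = [{"ts": datetime(2023, 1, 7, 19, 30) + timedelta(days=28 * i),
            "device": "Windows/Chrome", "isp": "ExampleNet Cable"} for i in range(12)]
BASELINE = build_baseline(HISTORY)
# Account holder travelling: only the network differs from the baseline.
TRAVEL = {"ts": datetime(2023, 12, 9, 20, 0), "device": "Windows/Chrome", "isp": "ExampleHotel WiFi"}
# Third login in two days: unseen device and network, unusual hour and weekday.
VPS = {"device": "Linux/Firefox", "isp": "ExampleHost VPS"}
FLURRY = [dict(VPS, ts=datetime(2023, 12, 12, 3, 10)), dict(VPS, ts=datetime(2023, 12, 13, 2, 45))]
ODD = dict(VPS, ts=datetime(2023, 12, 13, 3, 20))

if __name__ == "__main__":
    for name, login, recent in (("travel", TRAVEL, []), ("odd", ODD, FLURRY)):
        print(name, score_login(BASELINE, login, recent))
```

The travelling login scores 1.0 and stays below the threshold, while the flurry login scores on all five signals and alerts.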

Guardian Analytics Fraud Detection Analytics automatically models the login activity of every account holder to detect unusual or suspicious characteristics of all subsequent account accesses.