The Financial Industry Regulatory Authority, Inc. (FINRA) fined and suspended a financial advisor after he fell for a business email compromise (BEC) scam.
The U.S. self-regulatory organization found that William Darby, a former UBS Financial Services Inc. (“UBS”) financial advisor, had violated FINRA Rules 4511 and 2010. Darby agreed to a $7,500 fine and a 45-calendar-day suspension from associating with any FINRA member firm in any capacity. He consented to these sanctions without admitting or denying FINRA’s findings regarding the email security incident.
Darby and the BEC Email Scam
According to a Letter of Acceptance, Waiver and Consent (AWC) received by FINRA, digital fraudsters compromised the email account of a UBS customer in October 2018. They then abused that access to contact Darby, who was still employed by UBS at the time, and to request that he authorize three wire transfers totaling $511,870 from the customer’s account to third-party bank accounts under their control. Darby was unaware that the emails had originated from imposters, so he authorized the wire transfers.
FINRA found that Darby violated several rules in the way he authorized the wire transfers. First, he had not obtained verbal confirmation from the customer before authorizing the transfers from the customer’s accounts. As the AWC notes:
On two separate occasions Respondent falsely advised his sales assistant that he had received verbal confirmation for the wires from the customer. The sales assistant entered that false information into the Firm's wire request attestation forms, thereby causing the Firm to have inaccurate books and records. By virtue of the foregoing, Respondent violated FINRA Rules 4511 and 2010.
Second, FINRA found that Darby had sold securities in the customer’s account totaling $525,896 to fund the wire transfers, without first obtaining the customer’s authorization. In so doing, he violated FINRA Rule 2010.
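The control that failed here is the out-of-band callback before a disbursement is released. The following is an added illustration, not UBS’s system or anything described in the AWC: a release check in which the attestation’s “verbal confirmation obtained” field can only be produced from a logged callback to the phone number on the customer’s profile, placed by the authorizing advisor after the instruction arrived. The customer id, phone numbers, amounts and timestamps are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass(frozen=True)
class WireRequest:
    request_id: str
    customer_id: str
    amount_usd: int
    received_at: datetime      # when the emailed instruction arrived

@dataclass(frozen=True)
class CallbackRecord:
    request_id: str
    dialed_number: str         # number actually dialed for the callback
    placed_by: str             # who placed the call
    placed_at: datetime
    customer_confirmed: bool

# Constructed profile: the callback number is the one on file, never a number quoted in the email.
PHONE_ON_FILE = {"CUST-1001": "+1-555-0100"}
CALLBACK_WINDOW = timedelta(days=2)
class ReleaseBlocked(Exception):
    """The wire is held and no attestation form is written."""
def attest_release(req, callback, advisor):
    """Return the attestation record for the firm's books, or raise ReleaseBlocked. 'Verbal
    confirmation obtained' is derived only from a matching callback record, never typed in."""
    if callback is None or callback.request_id != req.request_id:
        raise ReleaseBlocked("no callback on record for this request")
    if callback.dialed_number != PHONE_ON_FILE.get(req.customer_id):
        raise ReleaseBlocked("callback went to a number not on file")
    if callback.placed_by != advisor:
        raise ReleaseBlocked("callback must be placed by the authorizing advisor")
    if not (req.received_at <= callback.placed_at <= req.received_at + CALLBACK_WINDOW):
        raise ReleaseBlocked("callback must follow the request within the confirmation window")
    if not callback.customer_confirmed:
        raise ReleaseBlocked("customer did not confirm the disbursement")
    return {"request_id": req.request_id, "amount_usd": req.amount_usd, "verbal_confirmation": True,
            "confirmed_via": callback.dialed_number, "confirmed_by": advisor,
            "confirmed_at": callback.placed_at.isoformat()}
def release_outcome(req, callback, advisor):
    # 'released', or the reason the wire was held; the audit trail keeps this string
    try:
        attest_release(req, callback, advisor)
        return "released"
    except ReleaseBlocked as e:
        return f"blocked: {e}"
# Constructed scenario: an emailed instruction, a genuine callback, and one to a number from the email body.
SAMPLE_REQUEST = WireRequest("WR-1", "CUST-1001", 200_000, datetime(2018, 10, 3, 9, 0))
GOOD_CALLBACK = CallbackRecord("WR-1", "+1-555-0100", "advisor", datetime(2018, 10, 3, 10, 0), True)
EMAIL_NUMBER_CALLBACK = CallbackRecord("WR-1", "+1-555-0199", "advisor", datetime(2018, 10, 3, 10, 0), True)
```

Because the attestation record is built only from the callback record, a sales assistant cannot be told to write “verbal confirmation obtained” for a call that was never placed, which is the books-and-records failure the AWC describes.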
UBS terminated Darby’s employment in November 2018 on the grounds that he had violated the “firm disbursements policy by failing to call client to confirm disbursement requests yet instructed support staff to process the disbursements.” A month later, Darby secured employment with another FINRA member firm. He was still employed there as of December 10, 2019.
Per the disciplinary agreement with Darby, FINRA will not pursue any additional actions against the financial advisor relating to this particular email attack if the AWC is accepted.
Terminations Following Security Incidents
What happened following the email security incident at UBS isn’t typical in most industries. John LaCour, founder and CTO of PhishLabs, made this point to KrebsOnSecurity:
We’ve heard from some of our clients in the financial industry that have similar programs where there are real consequences when people fail the tests, but it’s pretty rare across all types of businesses to have a policy that extreme.
Nevertheless, UBS isn’t the only organization that has taken this route. Here are two other cases in which an organization fired someone after a successful email attack:
- The Government of Lake City, Florida: In the summer of 2019, Lake City Manager Joe Helfenberg confirmed to WCJB that the municipality had fired Brian Hawkins, its IT Director, shortly after Lake City had suffered a digital attack. The security incident consisted of a “triple threat” infection chain in which an Emotet infection loaded Trickbot, malware which in turn downloaded Ryuk ransomware. Lake City ultimately paid $460,000 in ransom to regain access to its servers.
- FACC AG: In January 2019, officials at Austrian aerospace manufacturer FACC said that the company had suffered a business email compromise scam. FACC estimated that it lost upwards of EUR 50 million in the attack. Several months later, the company announced that it had fired its CEO, Walter Stephan, stating that he had “severely violated his duties” in relation to the email scam.
Defending Against Email Attacks
The fact that a successful email attack sometimes results in the termination of an employee should serve as a reminder for organizations to bolster their email security. They should invest not only in security awareness training for their entire workforce, but also in a security solution like ZixProtect that can analyze incoming email messages for malicious URLs, campaign patterns and suspicious IP addresses.
Learn how ZixProtect can strengthen your organization’s email security.