Responding to Digital Identity Theft: A Guide for Financial Advisors

Notify your compliance department

Your first step should be to notify your compliance department immediately, as they have established processes for handling identity theft and may have resources to assist with reporting. These processes should be outlined in your firm’s Incident Response Plan, and it should include the contact information for local law enforcement and the Federal Bureau of Investigation (FBI).

I’ve written in the past about the importance of an Incidence Response (IR) Plan. It is essential in today’s cybersecurity environment to have one, and it is not the same thing as your Disaster Recovery (DR) Plan. DR plans cover computer outages. IR plans cover cybersecurity incidents.

Reporting impersonation to local law enforcement

You should document and report the impersonation to your local police department. This starts with a paper trail that outlines when you were made aware of the issue and the specific steps you took to resolve the issue. This can be critical should the SEC, FINRA – another regulatory body – or law enforcement examine your response.

The following sections outline how to report the alleged crime. You will note I use the phrase “alleged” in all cases because the establishment of a crime is best left to law enforcement professionals.

Take the following steps to provide your local police department with the information they need:

1. Gather evidence: Before reporting, collect screenshots of the fake profile, any communications you've received about it, and documentation from clients who may have encountered the impersonator. Include dates, times, and detailed notes about how you discovered the impersonation.
2. Contact your local police department: Visit your local police station in person or call its nonemergency number to file a report. Ask specifically to file a report about identity theft and potential financial fraud.
3. Be prepared with specific information:
   • Your complete identification details
   • All evidence of the impersonation
   • Names and contact information of any alleged victims who have reported interactions with the impostor
   • Information about the stocks being promoted in the scheme
   • Any financial losses reported by the alleged victims
4. Request documentation: Ask for a copy of the police report and a case number. These will be essential for other reporting steps and may be necessary for communications with your firm's compliance department and law enforcement.
5. Follow up: Establish a point of contact at the police department and follow up regularly on the status of the investigation.

While local law enforcement might not have jurisdiction over international cybercrime, this report establishes an official record of the crime and may be essential for insurance purposes or regulatory requirements.

Filing an IC3 complaint with the FBI

When alleged victims report potential financial losses due to your impersonation, the FBI's Internet Crime Complaint Center (IC3) becomes a critical reporting venue. Your chief compliance officer should take the following steps to notify the FBI:

1. Navigate to the IC3 website: Visit www.ic3.gov and click on the "File a Complaint" button.
2. Create an account or log in: Follow the prompts to establish your credentials in the system.
3. Complete the complaint form thoroughly:
   • Provide your complete contact information
   • Include detailed information about the impersonation
   • Specify that the alleged crime involves securities fraud and identity theft
   • List all known alleged victims who have allegedly lost money
   • Provide exact details of alleged financial losses, if known
   • Upload evidence including screenshots and correspondence
4. Be specific about the scheme: Detail how the criminals operated, which stocks they promoted, and the specific techniques they used.
5. Note your professional status: Clearly indicate that you are a licensed financial advisor and that your professional identity was stolen to lend credibility to the alleged crime.
6. Submit and record your complaint number: After submission, you'll receive a complaint ID number. Your chief compliance officer must keep this for your firm’s records.

The FBI may contact you for additional information. While it doesn’t investigate every complaint individually, your report contributes to its intelligence gathering and may help identify patterns that lead to larger investigations.

Reporting the fake account to WhatsApp and Meta

Removing the fraudulent profile is crucial to preventing further alleged victims. WhatsApp is owned by Meta, the parent company of Facebook. It can be incredibly difficult to remove the fraudulent account with WhatsApp and Meta. Unrelenting persistence and patience are your allies in this effort. Take the following steps to remove the account:

1. Report directly within WhatsApp:
   • Your IT team should open WhatsApp and navigate to the fake profile
   • Screen-capture all the profile information for evidence
   • Tap on the profile name to view profile information
   • Scroll to the bottom and select "Report contact"
   • Select "They're pretending to be me or someone I know"
   • Complete the reporting process by following the prompts
2. Escalate to Meta (Facebook):
   • Visit Facebook's Help Center to access the dedicated form for reporting impersonation accounts across Meta platforms
   • Complete all required fields, specifying that this is a professional impersonation related to financial fraud
   • Provide links to your legitimate professional profiles or website
   • Upload your identification documents when prompted to verify your identity
3. Follow up persistently:
   • Document all report reference numbers
   • If the initial report doesn't result in account removal within 48 hours, submit a follow-up
   • Consider having your firm's legal department send a formal notice
4. Request urgent handling: Emphasize that the impersonation is actively being used to commit financial fraud, which may expedite review.

Being impersonated in a financial fraud scheme can feel like a personal violation, and the knowledge that investors may have been harmed using your professional identity adds a layer of distress that shouldn't be minimized. Remember that you are a victim in this situation, even as you take steps to remedy it.

By taking decisive action, you not only protect your professional reputation but also contribute to the broader fight against financial fraud. Remember that swift action can help minimize damage to both your practice and potential victims of these sophisticated schemes.

The financial services industry is built on trust relationships. While cybercriminals may attempt to exploit that trust, your authentic commitment to your clients' financial security remains your most powerful asset – one that no impersonator can truly replicate.

John O’Connell, founder and CEO of The Oasis Group, specializes in helping wealth management and technology firms solve their most complex challenges. His newest online training courses serve as a leading source of education for financial professionals at all levels in their careers. With modules ranging from cybersecurity to custodian markets and more, The Oasis Group enables firms and enterprises to upskill, learn at their own pace, and rewatch lessons to reinforce specific learning objectives. Get an additional 20% off any course with coupon code ADVISORPERSPECTIVES.

A message from Advisor Perspectives and VettaFi: To learn more about this and other topics, check out some of our webcasts.

Read more articles by John O’Connell