Earlier this week, Morgan Stanley Wealth Management said cybercriminals broke into accounts using social engineering attacks, according to reports.
Using voice-based phishing, or “vishing,” attackers impersonated the trusted financial firm during phone calls to customers, where they encouraged customers to reveal sensitive personal and financial information including banking or login credentials. The fraud attacks, which largely took place in February, resulted in fraudsters electronically transferring money to their own bank accounts by initiating payments using the Zelle payment service. The small number of clients impacted by the attack were reimbursed, according to a statement from Morgan Stanley Wealth Management.
“Unfortunately, the scam that affected some Morgan Stanley Wealth Management customers is not new,” said TAG Cyber Senior Analyst Gary McAlum. He pointed out that this was not so much a breach of Morgan Stanley’s IT systems as it was an account takeover scam that targets individual customers and uses social engineering techniques to circumvent normal authentication controls.
“Many other bank customers have been hit with this type of scam in the past,” said McAlum. “What makes this a particularly effective fraud technique is the impersonation of a bank employee, typically representing themselves as a fraud analyst.”
In attacks such as these, the fraudster will often spoof caller ID to reflect the customer’s financial institution and start the call by “needing to authenticate” the customer first, said McAlum. In some cases, there may be another fraudster involved who is actually on a call with a bank customer service representative or online at a credential recovery screen.
“Even if an authentication code is involved, the fraudster will ask the customer to read back the code allowing them, or a partner, to re-use that code to gain access to the account,” he added. “Unauthorized money movement is usually the result. This is a difficult situation for consumers to deal with and the main defense is to be very skeptical of an unexpected call from your financial institution, hang up, and immediately call the institution back on a known valid number, either from a bank statement, online account, or as listed on the back of a credit card.”
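The code read-back McAlum describes works because many one-time-code checks accept the digits from whatever session presents them. The following Python is an added example, not code from Morgan Stanley, TAG Cyber or any vendor named in this article: a toy one-time-code service with the weak, unbound check beside a session-bound one. The account name and session ids are constructed. The reason strings the bound check returns are the kind of signal a fraud team would log and alert on; a correct code arriving from a session other than the one that requested it is the signature of the relay.

```python
import hmac
import secrets
import time

# Added example: a minimal one-time-code service. Each issued code is recorded
# together with the session (browser or app instance) that triggered it, so the
# hardened check can refuse a correct code presented from anywhere else.


class OtpService:
    """Keeps one active code per account, bound to the requesting session."""

    def __init__(self, ttl_seconds=300):
        self.ttl = ttl_seconds
        self._active = {}  # account -> {"code", "session", "expires", "used"}

    def issue(self, account, session_id, now=None):
        now = time.time() if now is None else now
        code = f"{secrets.randbelow(10**6):06d}"  # six digits, as SMS/voice codes usually are
        self._active[account] = {
            "code": code,
            "session": session_id,  # the session that started the login or payment
            "expires": now + self.ttl,
            "used": False,
        }
        return code

    def verify_unbound(self, account, code, now=None):
        """Weak check: whoever presents the right digits passes.
        This is the property the read-back scam relies on: the victim reads the
        code aloud and the caller enters it into a session of their own."""
        now = time.time() if now is None else now
        rec = self._active.get(account)
        if rec is None or now > rec["expires"]:
            return False, "no_active_code"
        if not hmac.compare_digest(rec["code"].encode(), code.encode()):
            return False, "bad_code"
        rec["used"] = True
        return True, "ok"

    def verify_bound(self, account, code, session_id, now=None):
        """Hardened check: the code must be correct, unexpired, unused, and
        presented from the same session that requested it. The reason string
        is what a fraud team would log; session_mismatch is the relay signal."""
        now = time.time() if now is None else now
        rec = self._active.get(account)
        if rec is None or now > rec["expires"]:
            return False, "no_active_code"
        if rec["used"]:
            return False, "already_used"
        if not hmac.compare_digest(rec["code"].encode(), code.encode()):
            return False, "bad_code"
        if rec["session"] != session_id:
            # Right digits, wrong session: exactly what a read-back looks like.
            return False, "session_mismatch"
        rec["used"] = True
        return True, "ok"


def demo():
    """Constructed scenario: the customer's own session requests a code, then
    a different session tries to spend the digits the customer read out."""
    weak = OtpService()
    code = weak.issue("acct-1234", session_id="customer-browser")
    relayed_unbound = weak.verify_unbound("acct-1234", code)

    hardened = OtpService()
    code2 = hardened.issue("acct-1234", session_id="customer-browser")
    relayed_bound = hardened.verify_bound("acct-1234", code2, "other-session")
    legit = hardened.verify_bound("acct-1234", code2, "customer-browser")
    replay = hardened.verify_bound("acct-1234", code2, "customer-browser")
    return relayed_unbound, relayed_bound, legit, replay


if __name__ == "__main__":
    for label, result in zip(("relayed/unbound", "relayed/bound", "legit", "replay"), demo()):
        print(f"{label:16} -> {result}")
```

The binding can be a server-side session id, a device token, or a cookie set when the code was requested; what matters is that the verification path compares it, and that a mismatch is surfaced to fraud monitoring rather than silently rejected.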
Morgan Stanley maintains that its own systems were not compromised in this attack. “This compromise was not a result of any action of Morgan Stanley Wealth Management and our systems remain secure,” the company explained in a public release. “Your Morgan Stanley Wealth Management account has been flagged to our Customer Call Center so that any callers into the Call Center will be prompted with additional verification. Your previous Morgan Stanley Online account was also disabled.”
Tessa Mishoe, senior threat analyst with cybersecurity specialist firm LogicHub, said, “Emails, social media messages, text messages, and even phone calls are all well-known avenues for phishing attacks.”
In this case, Mishoe said, a phone call phishing attack was used to breach unknowing users' account data. “The attackers impersonate a trusted group or person to gain a user's trust, then use that relationship to coax a password or similar sensitive information from their target,” Mishoe said.
“Users should not trust the phone number a call originates from, as phone numbers can easily be spoofed,” Mishoe said. “Most legitimate organizations will not call you first and request sensitive information from you. If you aren’t sure, hang up and call the number on the service's card or website.”
Morgan Stanley also experienced a significant data breach in July 2021, where a ransomware gang stole personal information from the company’s customers, using access through a third-party vendor.