Failing to heed a warning from his firm, the man processed redemptions based on bogus email requests
Given the growing role of technology in financial advice, advisors have to be cautious and ensure that they’re doing everything possible to protect their clients’ information and assets. And while the industry at large should know the importance of cybersecurity by now, a recently approved settlement agreement provides a cautionary tale.
According to the notice from the MFDA, Paul Michael Halloran, a dealing representative with Quadrus Investment Services, allowed more than $170,000 to be withdrawn from a client's account after he failed to realize that the client's email account had been hacked.
The fraud began on September 21, 2016, when Halloran received an email requesting a summary of the client's accounts. The email came from an account that the client (identified as "EY") had previously used to communicate with Halloran. Without checking whether the email actually came from EY, he replied to the fraudulent email with EY's investment statement.
The fraudster then asked Halloran to facilitate a withdrawal from EY’s investment account, ostensibly to fund a short-term investment domiciled in the UK. EY had executed a Limited Authorization Form (LAF) earlier that year, allowing Halloran to execute specific trading instructions without having to obtain her signature.
After Halloran explained that Quadrus could not send funds to another country, the fraudster asked that the funds be transferred to a third-party account in Canada, which they said belonged to a "business associate" who could then convey the money to the UK. Halloran replied that he could not send funds to a third party, but that if he could get a void cheque by email, the redemption funds could be deposited directly into a bank account.
Around seven months earlier, Quadrus had sent an email to all its approved persons saying that third parties had hacked two clients' email accounts and made fraudulent redemption requests. The email contained various warnings, including descriptions of red flags and best practices to avoid cyber risks. In spite of this, and in spite of policies and procedures stating that transaction requests must be verified with the client, Halloran followed the subsequent instructions from the scammer.
The hacker emailed Halloran a void cheque on October 4, 2016, which included EY’s name and address. The cheque specified a bank account at a TD Bank branch in Toronto; EY’s home address was in Kingston. Between October 11 and November 4, Halloran processed redemptions amounting to $171,270.80 from EY’s accounts at Quadrus, following email requests sent by the fraudster.
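The controls the firm's policies called for, and the red flags this case exhibited, can be expressed as a simple pre-processing check on a redemption request. The following is an added example written for this article, not code from Quadrus or the MFDA; the request fields, the `red_flags` and `decide` functions, and the sample requests (modelled on the sequence of asks described above) are all constructed for illustration. It flags an email-only instruction that has not been verified with the client of record, a third-party payee, a destination outside Canada, and a deposit account whose branch city does not match the client's home address on file.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class RedemptionRequest:
    """A redemption instruction as received by a dealing representative.

    Field names are constructed for this example, not a real system's schema.
    """
    client_id: str
    client_home_city: str            # city on the client's file
    amount: float
    channel: str                     # "email", "phone" or "in_person"
    payee: str                       # "client" or "third_party"
    destination_country: str         # ISO country code of the receiving account
    deposit_branch_city: Optional[str]  # branch city on the void cheque, if one was supplied
    verified_with_client: bool       # confirmed by phone or in person with the client of record


def red_flags(req: RedemptionRequest) -> List[str]:
    """Return the red flags present on a request; an empty list means none."""
    flags: List[str] = []
    if req.channel == "email" and not req.verified_with_client:
        flags.append("email-only instruction not verified with the client out of band")
    if req.payee != "client":
        flags.append("funds directed to a third party")
    if req.destination_country != "CA":
        flags.append("funds directed outside Canada")
    if req.deposit_branch_city and req.deposit_branch_city.lower() != req.client_home_city.lower():
        flags.append(
            f"deposit account branch city ({req.deposit_branch_city}) "
            f"does not match client's home city ({req.client_home_city})"
        )
    return flags


def decide(req: RedemptionRequest) -> Tuple[str, List[str]]:
    """Hold any flagged request until it is verified with the client by phone or in person."""
    flags = red_flags(req)
    return ("HOLD_PENDING_VERIFICATION" if flags else "PROCESS", flags)


# Constructed sample requests following the sequence of asks in the case.
UK_REQUEST = RedemptionRequest("EY", "Kingston", 60000.0, "email", "client", "GB", None, False)
THIRD_PARTY_REQUEST = RedemptionRequest("EY", "Kingston", 60000.0, "email", "third_party", "CA", None, False)
VOID_CHEQUE_REQUEST = RedemptionRequest("EY", "Kingston", 60000.0, "email", "client", "CA", "Toronto", False)
VERIFIED_REQUEST = RedemptionRequest("EY", "Kingston", 60000.0, "email", "client", "CA", "Kingston", True)


if __name__ == "__main__":
    for name, req in [("uk", UK_REQUEST), ("third_party", THIRD_PARTY_REQUEST),
                      ("void_cheque", VOID_CHEQUE_REQUEST), ("verified", VERIFIED_REQUEST)]:
        outcome, flags = decide(req)
        print(f"{name}: {outcome}")
        for f in flags:
            print(f"  - {f}")
```

The void-cheque request, the one that was actually processed in the case, is held on two grounds: it arrived by email without a call to the client, and the branch city on the cheque does not match the client's address on file. Only the request that was confirmed with the client out of band passes.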
In one exchange, the hacker asked that a $60,000 withdrawal be made from EY’s account. Halloran warned that a redemption from EY’s RRSP would result in DSC fees; the scammer acknowledged the warning, and Halloran sold units from EY’s non-registered account, TFSA, and RRSP to fulfil the total $60,000 requested after DSC fees and taxes.
It was only after November 21, when the fraudster asked for another $30,000 redemption, that Halloran contacted EY by phone. Upon discovering the fraud, EY and Halloran contacted TD Bank and submitted a report to the police. In March 2017, Quadrus fully compensated EY for her losses.
Under the settlement agreement, Halloran was required to pay a fine of $15,000 in certified funds, as well as costs amounting to $5,000 in certified funds. The agreement also stated that he shall “in the future comply with MFDA Rules 2.1.1, 2.3.1(b), and 2.5.1 and 1.1.2.”