The digital transformation of financial services brings convenience to our clients and enhances the way we do business. However, it also provides cyber criminals with the opportunity to defraud online users and steal valuable information and/or financial assets. Users who are less equipped with cybersecurity knowledge are more vulnerable to becoming victims of cyber threats and online fraud.
Cyber criminals may impersonate or claim affiliation with Morgan Stanley and create fraudulent websites, email domains, mobile applications, social media accounts and e-commerce accounts; send emails or text messages; and make phone calls in order to, among other things, solicit business or monetary payments from users.
Online Investment Scams involve fake and misleading investment opportunities that often appear to be low risk with an unreasonably high return. Bad actors often leverage social media platforms, such as online chat groups, fake investment comparison sites, gaming or gambling websites, or even dating applications—as well as texts and email—to find potential victims and execute their scams.
Bad actors may also create spoofed domains or fake mobile applications to impersonate trusted contacts or brands that appear to be affiliated with legitimate organizations in order to pull off scams. High-yield bonds and cryptocurrency investments are two of the most common types of online investment scams.
Generally, investment decisions should not be made based purely on information promoted through a social media platform or via text or email, especially if investment opportunities seem too good to be true. Seek professional advice if in doubt about any investment opportunity, and always authenticate the details of an investment before making a transfer of funds.
Important Notice – Morgan Stanley does not send unsolicited investment offers via email and does not conduct business over social media. If you receive information regarding an investment opportunity offered by or affiliated with Morgan Stanley from anyone other than your existing Morgan Stanley financial advisor/sales representative, you should treat that investment opportunity with suspicion. If you are uncertain or have reason to believe that it is fraudulent, contact your Morgan Stanley Client Representative immediately.
Business Email Compromise (BEC) is online fraud committed through spoofed or compromised email accounts. A user may receive an email that appears to be from a known source or trusted sender requesting information or a fund transfer. Typically, there is an unexplained urgency and/or a request for a change of payment instructions.
Generally, payment instructions should be authenticated using a separate, more secure channel. For example, in addition to email verification, details may be confirmed verbally by calling a trusted phone number (i.e., a call-back verification). Experts in fraud protection advise that you be sure to check for anomalies in payment instructions and compare emails such as banking information update requests against legitimate emails you have received in the past.
Important Notice – Give special attention to the email domains of incoming emails. Emails from Morgan Stanley will always be from one of our official email domains, not from public domains (e.g., @gmail.com, @icloud.com). If you are uncertain or have reason to believe that an email is fraudulent, contact your Morgan Stanley Client Representative immediately.
Social Media Impersonations occur when a bad actor creates an account on a social media platform for the purpose of impersonating an individual or an organization. The bad actor then uses the fake account to gather sensitive information from users or to solicit business and/or monetary payments from users.
Important Notice – Verify the identity of anyone you encounter in online communications before providing them with any personal or financial information. If you are uncertain or have reason to believe that a person or organization claiming to represent Morgan Stanley is fraudulent, contact your Morgan Stanley Client Representative immediately.
Recruitment Scams take place when a bad actor advertises fake job openings, job application coaching and/or interview training online. A fee is usually charged with the promise of an interview or internship/job opportunity. The bad actor may also pose as a career consultant and contact victims through social media platforms (e.g., Telegram, WeChat). They may even impersonate staff of the targeted organization in order to issue fake employment records or reference letters.
Important Notice – Morgan Stanley does not offer interviews, internships, jobs, job application coaching, interview trainings or any form of career consultancy through third parties, nor do we offer “pay-to-work” internship arrangements. If you are uncertain or have reason to believe that an offer of employment or employment-related services is fraudulent, contact Morgan Stanley immediately.
Phishing starts with an email that often looks like it’s from a trusted or legitimate source. The email will ask you to take an action—usually click on a link or download an attachment. The link typically takes you to a website that seeks to steal your personal information or attempts to entice you to download malicious software (or “malware”) onto your computer. Opening the attachment may infect your computer with malware.
Once the malware infects your computer, a hacker can use it to look at personal documents and information saved on your computer, such as a tax return. They can also capture the keystrokes on your computer (or take screenshots of sites you visit) in order to harvest your logins, passwords and other sensitive information. After hackers steal your information, they’ll often try to access your bank accounts or contacts, or sell your data to other cyber criminals.
Never click on a link or open an attachment from an unsolicited source, and don’t provide personal information when responding to an email request from an unknown party.
Ransomware is an increasingly prevalent type of malware that accesses, locks and encrypts a user’s files. The bad actor then demands that the user pay a ransom to retrieve the encrypted files.
Credential Stuffing Attacks occur when a bad actor uses stolen account credentials to gain unauthorized access to a user’s online account. A user is more vulnerable to this attack if they recycle usernames and passwords across different online platforms.
Identity Theft occurs when a bad actor uses stolen personal information to commit fraud—for example, applying online for a bank loan or credit card in someone else's name. The personal information is often obtained through phishing or other online scams.
Additional Tips for Fraud Prevention
- Create and save bookmarks of important and/or often-visited banking and brokerage websites in your internet browser to avoid inadvertently entering login credentials on a fraudulent website (e.g., one with a misspelled domain).
- Enable multi-factor authentication (MFA) for logging in to any websites or applications that are used for financial transactions or that have access to your personal information. MFA is an additional layer of protection, beyond username and password, meant to verify your identity.
- Keep your software, operating system and internet browser up to date. Software companies continuously improve security and offer new bug fixes with every update released. Installing updates as soon as they are available can help you better protect your devices against malware.
- Run a reputable antivirus product on all of your devices regularly, including your desktop, laptop, tablet and mobile device. This will help prevent your devices from becoming infected with malware and may identify and address any existing infections.
- Only download applications from legitimate app stores and never from a third-party app store, website or QR code. Third-party app stores or pop-up applications are more likely to contain malware.
- Do not use identical or similar passwords across multiple websites and applications. If a bad actor compromises one of your accounts, all of your other accounts using that same password could be at risk.
- Do not click on links or open attachments in unsolicited emails or text messages. Doing so may install malware on your device.
- Avoid using public Wi-Fi hotspots in unsecured locations, such as coffee shops, airports and hotels. Instead, use a private mobile network and create a personal Wi-Fi hotspot with your phone if possible. If you do use public Wi-Fi, rely on a virtual private network (VPN) to prevent your internet activities from being intercepted by bad actors.
- Limit the sharing of personal information on social media platforms and prioritize safeguarding your accounts. Make sure your security settings are as secure as possible. Never share your personal information or login credentials with anyone.
If you come across any websites, mobile applications, e-commerce accounts or social media accounts in the name of or affiliated with Morgan Stanley, or receive emails, text messages or phone calls from Morgan Stanley, that you are uncertain about or believe to be fraudulent, please contact your Morgan Stanley Client Representative immediately.