A sweeping phishing campaign masquerading as a shared Google Docs invitation compromised a large number of Google accounts on Wednesday, then used each victim's contacts list to spread the attack further.
On Wednesday afternoon, the Internet lit up with reports of phishing emails disguised as invites to a shared document in Google Docs. In many cases, the email appeared to be sent from someone the recipient actually knew — another victim of the attack who had already had their account compromised.
Otherwise they were near-perfect copies of a real Google Docs invitation; the one visible giveaway was an unfamiliar extra recipient, “hhhhhhhhhhhhhhhh@mailinator.com.”
After clicking “Open in Docs,” however, victims landed on a genuine Google authorization screen asking them to grant account access to a third-party app that called itself “Google Docs.” Once the OAuth grant was approved, the app used it to read the victim’s contacts and send the same phishing email to every one of them, replicating the attack.
Google reacted swiftly to the attack by shutting down the rogue app and adding warnings to suspected phishing emails. But with an untold number of accounts already compromised, the fallout from this attack could be far from over.
What to do:
- Tell your users not to click on any Google Docs invitations they received on Wednesday.
- If they suspect their Google account may have been compromised: Tell them to go to https://myaccount.google.com/u/0/permissions to check which apps have authorized access. If they see a “Google Docs” app authorized on Wednesday, they should remove it, along with any other app they don’t recognize. Removing the app is what actually revokes its access; a password change alone should not be relied on.
- Make sure you’re prepared for additional phishing emails from compromised accounts by reminding users to be on high alert. Note that this attack installed no malware: access was granted through a legitimate Google authorization dialog, so user awareness and a review of authorized apps matter more here than endpoint protection, though you should still ensure the right malware protection is in place for the follow-on attacks that usually ride a campaign like this.
Get the full details on the phishing campaign in our latest blog post (Barkly’s
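For administrators of a Google Workspace (G Suite) domain, the per-user permissions page above does not scale; the same grant shows up for every affected user in the admin audit log for OAuth tokens. The following is an added example, not code from the original post or from Barkly or Google, that triages such records for a self-propagating consent-phishing app. It assumes the record shape of the Admin SDK Reports API “token” activity log (an “authorize” event carrying app_name, client_id and a multi-valued scope parameter); the sample records, user names and client IDs are constructed placeholders, so verify the field names against your own export before relying on it.

```python
"""Triage Google Workspace OAuth grants for a consent-phishing app like the fake "Google Docs".

Added example, not code from the original post or from Barkly/Google. It assumes the
record shape of the Admin SDK Reports API "token" activity log (applicationName="token",
event name "authorize", parameters app_name, client_id and a multi-valued scope);
verify the field names against your own export.
"""
from collections import defaultdict

# Scopes that let an app read mail or the address book, which is all the
# rogue app needed to harvest contacts and mail out the next wave of invites.
SENSITIVE_SCOPES = {
    "https://mail.google.com/",
    "https://www.googleapis.com/auth/gmail.readonly",
    "https://www.googleapis.com/auth/gmail.send",
    "https://www.googleapis.com/auth/contacts",
    "https://www.googleapis.com/auth/contacts.readonly",
}

# Display names a third-party OAuth client has no business using.
GOOGLE_PRODUCT_NAMES = {"google docs", "google drive", "google sheets", "gmail"}

# Client IDs you have reviewed and accept; fill this from your own allow list.
KNOWN_GOOD_CLIENT_IDS = set()


def _params(event):
    """Flatten the Reports API parameter list into a dict (multiValue -> list)."""
    out = {}
    for p in event.get("parameters", []):
        out[p["name"]] = p["multiValue"] if "multiValue" in p else p.get("value")
    return out


def triage_token_events(records):
    """Return findings for 'authorize' events by clients that are not on the
    allow list and either impersonate a Google product or ask for mail/contacts."""
    findings = []
    for rec in records:
        user = rec["actor"]["email"]
        when = rec["id"]["time"]
        for ev in rec.get("events", []):
            if ev.get("name") != "authorize":  # skip revoke/activity events
                continue
            p = _params(ev)
            client_id = p.get("client_id", "")
            if client_id in KNOWN_GOOD_CLIENT_IDS:
                continue
            app_name = (p.get("app_name") or "").strip()
            risky = sorted(set(p.get("scope") or []) & SENSITIVE_SCOPES)
            reasons = []
            if app_name.lower() in GOOGLE_PRODUCT_NAMES:
                reasons.append("third-party client named after a Google product")
            if risky:
                reasons.append("mail/contacts scope: " + ", ".join(risky))
            if reasons:
                findings.append({"user": user, "time": when, "client_id": client_id,
                                 "app_name": app_name, "reasons": reasons})
    return findings


def spreading_clients(findings, min_users=2):
    """Client IDs granted by several distinct users in the window you pulled:
    the signature of a self-propagating consent-phishing app."""
    users = defaultdict(set)
    for f in findings:
        users[f["client_id"]].add(f["user"])
    return {cid: sorted(u) for cid, u in users.items() if len(u) >= min_users}


def _authorize(user, when, client_id, app_name, scopes):
    """Build one constructed token-log record in the assumed Reports API shape."""
    return {
        "id": {"time": when, "applicationName": "token"},
        "actor": {"email": user},
        "events": [{"type": "auth", "name": "authorize", "parameters": [
            {"name": "client_id", "value": client_id},
            {"name": "app_name", "value": app_name},
            {"name": "client_type", "value": "WEB"},
            {"name": "scope", "multiValue": scopes},
        ]}],
    }


# Constructed sample log, not real data; client IDs are placeholders.
ROGUE = "000000000000-rogue.apps.googleusercontent.com"
SAMPLE_RECORDS = [
    _authorize("alice@example.com", "2017-05-03T18:02:11.000Z", ROGUE, "Google Docs",
               ["https://mail.google.com/", "https://www.googleapis.com/auth/contacts"]),
    _authorize("bob@example.com", "2017-05-03T18:09:45.000Z", ROGUE, "Google Docs",
               ["https://mail.google.com/", "https://www.googleapis.com/auth/contacts"]),
    _authorize("carol@example.com", "2017-05-03T18:20:00.000Z",
               "111111111111-legit.apps.googleusercontent.com", "Calendar Sync Tool",
               ["https://www.googleapis.com/auth/calendar.readonly"]),
]

if __name__ == "__main__":
    hits = triage_token_events(SAMPLE_RECORDS)
    for h in hits:
        print(f"{h['time']} {h['user']} granted {h['app_name']!r} ({h['client_id']}): "
              + "; ".join(h["reasons"]))
    for cid, users in spreading_clients(hits).items():
        print(f"REVOKE {cid}: granted by {len(users)} users -> {', '.join(users)}")
```

The two signals are deliberately separate: a client whose display name mimics a Google product is suspicious on its own, and a mail-plus-contacts grant is what gives such an app the ability to propagate. The client ID, not the display name, is what you revoke and block; the display name is attacker-controlled and will change in the next campaign.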
SEC Explores Ways To Strengthen Compliance Of Independent Advisers (Mark Schoeff, Investment News) – At a recent compliance conference, the acting director of the SEC’s Office of Compliance Inspections and Examinations (OCIE) noted that the SEC has increasing concern about the rise of independent advisers affiliating with RIA platforms as “1099” advisers, as opposed to investment adviser representatives who are salaried employees of the RIA. The problem is that SEC examiners are finding a different level of compliance amongst employee representatives versus independents, who almost by definition are more independent and less tied to the parent RIA, and therefore may be less tied to the firm’s compliance oversight and processes, not unlike the challenge of overseeing independent 1099 brokers at an independent broker-dealer. As a result, acting director Peter Driscoll suggested that the SEC may soon publish a Risk Alert about the issue, implying that RIAs with independent 1099 advisers may soon get more scrutiny about how they exercise compliance oversight of those advisers in their upcoming SEC exams (which, although infrequent, are trending higher as OCIE tries to increase its exam cycle frequency). Notably, though, the top SEC concern for advisors at this point is still cybersecurity, and there will likely be more guidance forthcoming on that issue soon as well.
From True North Networks
WARNING – There is currently an aggressive attack campaign underway against a previously undisclosed vulnerability in Microsoft Word, which can be used to quietly install different kinds of malware, even on fully patched computers. The bug can be exploited on all versions of Microsoft Office, including the latest Office 2016 running on Windows 10.
The exploit does not work while the document is open in Office Protected View, which is turned on by default, so make sure nobody has switched it off. You can verify the settings using the following steps:
Step 1: Start Word, click File and then choose Options
Step 2: Click Trust Center and then Trust Center Settings
Step 3: Click Protected View; all three of the options listed there should be checked
Step 4: Click OK and you’re done!
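Clicking through the Options dialog works for one PC; for a whole office you will want to read the same three checkboxes from the registry. The following is an added example, not code from the original notice or from Microsoft. It assumes the registry layout used by Office 2010, 2013 and 2016: the three Protected View checkboxes are stored under HKCU\Software\Microsoft\Office\<version>\Word\Security\ProtectedView as Disable*InPV DWORD values (1 means that trigger is turned OFF; absent or 0 means ON), and Group Policy mirrors the same value names under HKCU\Software\Policies\Microsoft\Office\<version>\... and takes precedence. Those value names are from memory, so confirm them on a reference machine before rolling the check out.

```python
r"""Check Word's Protected View triggers from the registry rather than clicking through Options.

Added example, not code from the original notice or from Microsoft. Assumed registry layout
(Office 2010/2013/2016): the three Protected View checkboxes live under
HKCU\Software\Microsoft\Office\<ver>\Word\Security\ProtectedView as Disable*InPV DWORDs
(1 = that trigger turned OFF, absent or 0 = ON); Group Policy mirrors the same names under
HKCU\Software\Policies\Microsoft\Office\<ver>\... and wins.  Confirm on a reference machine.
"""
import sys

# Registry value name -> the checkbox it corresponds to in Trust Center > Protected View.
PV_VALUES = {
    "DisableInternetFilesInPV": "files originating from the Internet",
    "DisableAttachementsInPV": "Outlook attachments",   # the misspelling is Microsoft's
    "DisableUnsafeLocationsInPV": "files in potentially unsafe locations",
}
OFFICE_VERSIONS = {"16.0": "Office 2016", "15.0": "Office 2013", "14.0": "Office 2010"}


def evaluate_protected_view(user_values, policy_values=None):
    """Map each trigger to True (Protected View on) or False (off).

    user_values/policy_values: {value name: DWORD} as read from the registry;
    a missing name means the default, which is on.  A policy value overrides
    the user's own setting.
    """
    policy_values = policy_values or {}
    status = {}
    for name in PV_VALUES:
        raw = policy_values.get(name, user_values.get(name, 0))
        status[name] = int(raw) != 1
    return status


def disabled_triggers(status):
    """Human-readable list of the checkboxes that are unticked."""
    return [PV_VALUES[name] for name, on in status.items() if not on]


def _read_key(root, path):
    """Read the three Disable*InPV values from one key; None if the key does not exist."""
    import winreg  # Windows only
    try:
        key = winreg.OpenKey(root, path)
    except FileNotFoundError:
        return None
    values = {}
    with key:
        for name in PV_VALUES:
            try:
                values[name] = winreg.QueryValueEx(key, name)[0]
            except FileNotFoundError:
                pass  # value not set: the default (on) applies
    return values


def read_protected_view(version):
    """Status for one Office version on this machine.

    Returns None when neither key exists (that version is not installed, or Word
    has never been run for this user), which is not the same as Protected View
    being off."""
    import winreg
    base = rf"Software\Microsoft\Office\{version}\Word\Security\ProtectedView"
    policy = rf"Software\Policies\Microsoft\Office\{version}\Word\Security\ProtectedView"
    user_values = _read_key(winreg.HKEY_CURRENT_USER, base)
    policy_values = _read_key(winreg.HKEY_CURRENT_USER, policy)
    if user_values is None and policy_values is None:
        return None
    return evaluate_protected_view(user_values or {}, policy_values)


if __name__ == "__main__":
    if sys.platform != "win32":
        sys.exit("run this on the Windows machine you want to check")
    found = False
    for ver, label in OFFICE_VERSIONS.items():
        status = read_protected_view(ver)
        if status is None:
            continue
        found = True
        off = disabled_triggers(status)
        print(f"{label}: " + ("Protected View fully enabled" if not off
                              else "Protected View OFF for " + ", ".join(off)))
    if not found:
        print("no Word Protected View settings found for this user")
```

Run it as the logged-in user (the settings are per-user, under HKCU), for example from a logon script that writes the output somewhere central. Because a policy value overrides the user's choice, the quickest fleet-wide fix when the check fails is to set the policy values to 0 rather than chasing individual Options dialogs.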
Unlike most document-based attacks, this zero-day does not rely on macros (embedded scripts that Office warns about before it will run them in a macro-enabled file), so there is no “enable content” prompt for a cautious user to refuse. There is currently no patch for this bug, but Microsoft is expected to release a fix with its next round of security updates. Once released, you will receive the patch within your regularly scheduled patch window. In the meantime, be extra cautious when opening Microsoft Word attachments, and do not click “Enable Editing” to leave Protected View on a document you were not expecting.
The Department of Labor (“DOL”) published its final rule delaying the applicability dates of its rule changing the definition of the term “fiduciary” (the “Fiduciary Rule”) by 60 days, as proposed. The new timeline for compliance with the Fiduciary Rule is as follows:
- June 9, 2017 – The Fiduciary Rule becomes applicable.
- June 9, 2017 – Firms relying upon the BIC Exemption must comply with Impartial Conduct Standards but no additional conditions.
- June 9, 2017 through December 31, 2017 – the Transition Period (discussed below). During the Transition Period, DOL will review the Fiduciary Rule and report on the factors outlined in the Presidential Memorandum.
- January 1, 2018 – Firms relying upon the BIC Exemption must come into full compliance.
As noted above, the final rule adopted a 60-day delay of the applicability date of the Fiduciary Rule from April 10, 2017 to June 9, 2017. The applicability dates of the Best Interest Contract Exemption (the “BIC Exemption”) were also extended to June 9, 2017.
The BIC Exemption already provided for a “Transition Period” between the original applicability date of the Fiduciary Rule and January 1, 2018, the date when fiduciaries relying on such exemptions are expected to be in full compliance. The final rule does not change the full compliance date for those exemptions.
The final rule does simplify compliance with the BIC Exemption during the Transition Period. During the Transition Period, fiduciaries will only be required to comply with the “Impartial Conduct Standards” and not the other conditions of such exemptions, such as the affirmative disclosure requirements. The Impartial Conduct Standards require that fiduciary advisers make recommendations that are in the customer’s best interest (subject to a prudence and loyalty standard), receive no more than reasonable compensation, and not make materially misleading statements.
The final rule also delays the applicability date for the streamlined “Level Fee Fiduciary” exemption within the BIC Exemption until June 9; however, during the Transition Period, Level Fee Fiduciaries that are eligible for the Transition Period relief under the full BIC Exemption may comply with those conditions (i.e., only the Impartial Conduct Standards) instead.
The future of the Fiduciary Rule continues to be uncertain. DOL has requested comments from interested stakeholders on the issues raised by the Presidential Memorandum by April 17. Next steps will remain unclear until senior DOL officials are confirmed. Further delays are possible, followed by modifications or rescission of the rule.
Some things to consider when you receive a request for a wire transfer or check from a client:
- Confirm the request with the client via phone BEFORE you send them anything to sign, using a phone number you already have on file rather than one taken from the email. If a hacker is controlling their email, they will see the request and have the client’s account number and any other information included in the request.
- Confirm all information regarding the wiring bank with the receiving party BEFORE completing the wire request paperwork. Scenario – hacker obtains control of real estate agent’s email, changes the wiring instructions that are sent to your client for that transfer to escrow for the new home they are buying. You receive the instructions and confirm with the client. You, the real estate agent and the client are unaware that you are about to send all that money to someone other than the escrow company. My recommendation is that all such instructions should be confirmed directly with the escrow or receiving agency.
A few minutes of work up front can save a nightmare and a lot of time down the road. Do the due diligence.
The Department of Labor released a proposed rule to extend the applicability date of its fiduciary rule under ERISA. The proposal includes a 15-day comment period and would extend the rule’s April 10 compliance date to June 9.
Fred Reish, partner in Drinker Biddle & Reath’s employee benefits and executive compensation practice group in Los Angeles, notes that a 6-month delay had been widely expected.
“During the shortened period, the DOL will take comments for 15 days on whether the proposed rule should be finalized and will take comments for 45 days on a list of questions about the impact of the fiduciary regulation and the exemptions,” Reish explains.
After the comments are received and reviewed, Labor will then issue a final rule extending the applicability date to June 9, Reish adds. “Once drafted, it will be sent to the Office of Management and Budget for another review. The goal is obviously to get the final rule on the extension of the applicability date approved and published by April 10. We expect that to happen at the end of March or early April.”
My take on this – once again another unclear message from the Department of Labor regarding the April 10th applicability date.
The No-Action Letter discussed in yesterday’s blog contains seven conditions that, if met, would allow an adviser to escape the need for a surprise exam:
1. The client provides an instruction to the qualified custodian, in writing, that includes the client’s signature, the third party’s name, and either the third party’s address or the third party’s account number at a custodian to which the transfer should be directed.
2. The client authorizes the investment adviser, in writing, either on the qualified custodian’s form or separately, to direct transfers to the third party either on a specified schedule or from time to time.
3. The client’s qualified custodian performs appropriate verification of the instruction, such as a signature review or other method to verify the client’s authorization, and provides a transfer of funds notice to the client promptly after each transfer.
4. The client has the ability to terminate or change the instruction to the client’s qualified custodian.
5. The investment adviser has no authority or ability to designate or change the identity of the third party, the address, or any other information about the third party contained in the client’s instruction.
6. The investment adviser maintains records showing that the third party is not a related party of the investment adviser or located at the same address as the investment adviser.
7. The client’s qualified custodian sends the client, in writing, an initial notice confirming the instruction and an annual notice reconfirming the instruction.