How to combat bogus investment sites 13/12/2004
High pressure emails and fake Internet addresses that try to sell false mutual funds are a constant danger for the active investor, wherever you happen to live.
Pax World Funds, one of the leading managers of socially and environmentally friendly investment strategies in the US, recently worked with the Securities and Exchange Commission, the American financial regulator, to shut down an unauthorised version of its website that had been offering outlandish promises of returns, as well as attempting to charge customers excessive fees for investment into phantom funds.
"Our eye-opening experience led us to conclude that mutual fund investors and investment companies need to know more about the dangers posed by 'phishing'," says Thomas Grant, president of Pax World Funds.
A typical 'phishing' scheme will use a seemingly legitimate email to deceive the recipient into thinking it is a message from a trusted company or government agency, rather than the con artist who is actually behind the communication. The purpose of a phishing scheme is simple: get the potential victim to disclose his or her account information, wire transfer details, credit card numbers, social security details, passwords, and other sensitive financial information.
This is just as common a strategy for fraudsters targeting bank account holders. They will frequently contact you via email, asking you to re-verify your account details. The reason given might be a security or website upgrade, but such approaches should be ignored at all costs. In the case of mutual funds, phishing scams can lure victims into making phony transactions on a web site that looks exactly the same as that used by a legitimate company. Recent scams have even included cloned emails and bogus web pages ostensibly put forward in the name of government agencies, including in the US the likes of the Federal Deposit Insurance Corporation, the Office of the Comptroller of the Currency, and even the Securities Investor Protection Corporation.
Pax World Funds has suggested the following tips that active fund investors should consider in order to avoid being defrauded by phishers.
Keep a sharp eye out for high-pressure emails urging you to divulge your personal information or to start making transactions at a new website. Phishers rely on urgent, even upsetting, statements in their emails in order to goad people into taking immediate action, before they think things through. You may be asked to provide or verify user names, passwords, credit card numbers, checking account withdrawal codes, social security numbers, and so forth. If you receive an email that warns you, with little or no notice, that your mutual fund account will be shut down unless you reconfirm your information related to that account, do not reply or click on the link in the email. Instead, contact the provider via phone to verify any requests independently. Do not use phone numbers suggested in the suspect email; use one from a non-electronic source, like a paper statement.
Only conduct web-based transactions on a secure page. If an email asks you to click through to what is supposedly the web page for your fund, ensure that it is really secure. Among the positive signs are a URL (web address) starting with "https" rather than simply "http". A padlock icon in your browser frame is additional evidence of a secure site. This should not be considered fool-proof, however, as phishers can always build a secure site of their own to fool you. The best approach is to use the legitimate site of your fund management firm every time you access your transaction site, if dealing online.
Be aware of the website addresses you're accessing. Is the site you are sending information to different from one you have used before for accessing your fund account? Does the URL address include the name of the fund management company along with additional words or numbers? These are possible signs of cloned or bogus sites. Phishers can even steal logos and artwork from the original site, along with using a similar address, to make you believe you're dealing with the legitimate company. Only use mutual fund addresses you have used before (e.g. by bookmarking them using your Internet browser). If in doubt, contact your fund manager by phone for confirmation.
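The address checks described in the last two tips can be written down as a small routine. The following is an added example, not part of the original article: it compares a link against a list of bookmarked fund domains and flags hosts that carry the company name plus extra words or numbers, and it treats "https" on such a host as no reassurance. The domain `examplefund.example` and all sample URLs are constructed placeholders.

```python
from urllib.parse import urlsplit

# Assumption: domains the investor has bookmarked from a trusted source
# such as a paper statement. "examplefund.example" is a constructed
# placeholder, not a real fund manager's site.
BOOKMARKED = {"examplefund.example"}


def classify_link(url):
    """Return 'trusted', 'insecure', 'lookalike' or 'unknown' for a link."""
    parts = urlsplit(url)
    host = (parts.hostname or "").rstrip(".").lower()
    if not host:
        return "unknown"
    for domain in BOOKMARKED:
        # Exact match, or a genuine subdomain of the bookmarked domain.
        if host == domain or host.endswith("." + domain):
            # The right host over plain http is still unsafe for transactions.
            return "trusted" if parts.scheme == "https" else "insecure"
    # Compare on the whole authority part (including any "user@" prefix)
    # with separators removed, so "example-fund" and a company name placed
    # before an "@" are caught as well.
    squashed = parts.netloc.lower().replace("-", "").replace(".", "")
    for domain in BOOKMARKED:
        brand = domain.split(".")[0]  # e.g. "examplefund"
        if brand in squashed:
            # Company name plus additional words or numbers on a different
            # host. https does not change the verdict: a phisher can build
            # a secure site on a domain they control.
            return "lookalike"
    return "unknown"


if __name__ == "__main__":
    # Constructed sample links, as they might appear in an email.
    for link in (
        "https://www.examplefund.example/account",
        "http://examplefund.example/login",
        "https://examplefund-secure-login.example/",
        "https://examplefund.example.verify-account.example/",
        "https://example-fund2004.example/",
    ):
        print(f"{classify_link(link):10} {link}")
```

A "lookalike" or "unknown" verdict means the link should not be followed; the bookmarked address or a phone call to the fund manager remains the way in.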
Always keep a close eye on your fund statement. Are there missing trades? Are there trades there you didn't authorise? Is the statement late, or missing altogether (possibly because the phisher has already changed the delivery address, and effectively stolen your identity at some level)? Seek independent verification with the fund manager if you suspect any of the above.
There is now plenty of security available to combat phishing schemes. Using the most up-to-date version of your Internet browser helps. Providers of major Internet software packages like Microsoft include patches on their websites that can be downloaded to specifically combat phishing. EarthLink offers a free browser toolbar that alerts you before opening a web page if it is on a known list of phishing sites. Since some phishing emails can contain software that harms your computer or tracks your activities on the internet without your knowledge, it is worth maintaining a firewall and up-to-date anti-virus software.
Finally, it is always important that you report suspect sites or emails. Send a copy of suspect emails to your fund manager or bank. When doing so, make sure you include the entire original email with its original header information intact. It is also worth filing a complaint with law enforcement authorities, ideally in the jurisdiction in which your fund manager or bank is based.
Part of the problem with phishing schemes is that such rogue websites are difficult to shut down, particularly if the Internet Service Provider (ISP) providing them with access is outside the jurisdiction of the principal law enforcement authorities. While the vast bulk of such sites are eventually shut down, it is easy for fraudulent schemes of this nature to migrate to new service providers and Internet addresses. The only fool-proof way of stopping them is to convict the perpetrators, but even these can be the scapegoats of larger organised crime networks that can simply shift the scheme onto the shoulders of new footsoldiers.
Fund investors must remain vigilant, and keep their Internet security software updated to its latest versions in order to foil phishing attempts. Scrutinise, and if necessary independently verify, any emails you are suspicious of, and you will go a long way towards foiling these schemes.