Earlier this year, financial advisors across the country opened emails from the CIO at the Securities and Exchange Commission. Written in a professional tone and bearing the regulator’s official seal, the electronic missives asked advisors to confirm their “best email address” for secure communications going forward.

But there was a catch: Although the emails convincingly mimicked the tone, layout and authority of an SEC communication, they weren’t from the agency at all. Instead, they were part of a sophisticated phishing campaign aimed squarely at advisors.

Although online scams are as old as the internet, poor grammar, odd phrasing and spelling mistakes used to be common giveaways. But with artificial intelligence fueling the work of malicious actors, spotting fake communications across platforms is harder than ever. Today’s attackers can mimic a colleague’s tone, reference real transactions and produce polished messages that look completely legitimate. A fraudulent invoice or payment request can blend seamlessly into normal workflows. Even experienced professionals who spend their careers evaluating risk can be fooled.

For financial advisors the stakes couldn’t be higher. Client trust, reputations and billions of dollars in assets are all at risk. Here are new phishing trends every financial advisor should have on their radar along with practical ways to deal with them.

Spear phishing. Spear phishing is a highly targeted type of phishing with a personal touch. Instead of casting a wide net, attackers tailor their emails to a specific individual or firm. The SEC describes it as the use of “fraudulent emails and copycat websites” that trick someone into handing over valuable information.

The tactic isn’t new, but AI has changed the game and extended the reach of these emails. Spear phishing messages are now faster to produce, smarter in how they mimic real communications, and much more difficult to spot. The online space is a candy shop of information publicly available to scammers: just think of what is shared in profiles, company bios, and posts on LinkedIn alone. It isn’t an onerous task for a scammer to craft a phishing email from this data that looks authentic and relevant.

AI tools also give scammers the ability to generate countless versions of these customized emails. This volume helps them slip past traditional spam filters and land directly in an advisor’s inbox.

What advisors should do: Slow down and verify. If an email purportedly from a client asks for money to be moved or requests sensitive details, confirm it through a separate, preapproved channel such as a known phone number or secure video call. Train your team to build this pause-and-check habit into daily practice.
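The spoofed SEC message at the top of this piece carries several signals a mail filter can test for before a human ever sees it: a display name that claims a regulator while the sending domain is not that regulator’s, a lookalike domain built from the regulator’s name, a Reply-To that points somewhere else, and wording that asks the reader to confirm or move something. The following check is an added illustration written for this commentary, not code from the article or from Topsec; the trusted-domain list, phrase list and both sample messages are constructed for the example.

```python
import re
import email
from email import policy
from email.utils import parseaddr

# Constructed allowlist: the regulator domains an advisor actually expects mail from.
# A firm would extend this with its custodians' and its own domains.
TRUSTED_DOMAINS = {"sec.gov", "finra.org"}
BRAND_WORDS = {"sec", "finra"}  # names attackers put in display names and subjects
RISKY_PHRASES = ("confirm your", "best email", "wire", "urgent", "verify your account")

def domain_of(address_header):
    """Lower-cased domain of an address header such as From or Reply-To."""
    _, addr = parseaddr(address_header or "")
    return addr.rpartition("@")[2].lower()

def labels(domain):
    """Split a domain into its labels: 'sec-gov.com' -> {'sec', 'gov', 'com'}."""
    return set(re.split(r"[.-]", domain)) - {""}

def assess(raw_message):
    """Return the list of phishing signals that fired; an empty list means none did."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    reasons = []
    sender = domain_of(msg.get("From"))
    if sender not in TRUSTED_DOMAINS:
        # Display name or subject names a regulator, but the mail does not come from one.
        header_text = (msg.get("From", "") + " " + msg.get("Subject", "")).lower()
        if set(re.findall(r"[a-z]+", header_text)) & BRAND_WORDS:
            reasons.append("brand-impersonation")
        # Sender domain reuses a trusted domain's name label (sec-gov.com vs sec.gov).
        trusted_labels = set().union(*(labels(d) for d in TRUSTED_DOMAINS)) - {"gov", "org", "com"}
        if labels(sender) & trusted_labels:
            reasons.append("lookalike-domain")
    reply_to = domain_of(msg.get("Reply-To"))
    if reply_to and reply_to != sender:
        reasons.append("reply-to-mismatch")  # replies go to a domain the sender does not control
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content().lower() if body_part else ""
    if any(phrase in body for phrase in RISKY_PHRASES):
        reasons.append("risky-request")
    return reasons

# Constructed sample modelled on the "confirm your best email address" lure.
SAMPLE_PHISH = (
    'From: "SEC Office of the CIO" <cio@sec-gov.com>\n'
    "Reply-To: <replies@mailconfirm.example>\n"
    "Subject: Action required\n"
    "To: advisor@firm.example\n\n"
    "Please confirm your best email address for secure communications going forward.\n"
)
# Constructed benign message from the real domain with no request in it.
SAMPLE_LEGIT = (
    "From: SEC Investor Education <noreply@sec.gov>\n"
    "Subject: Quarterly investor bulletin\n"
    "To: advisor@firm.example\n\n"
    "The latest bulletin is available on the website.\n"
)

if __name__ == "__main__":
    print(assess(SAMPLE_PHISH))  # all four signals fire
    print(assess(SAMPLE_LEGIT))  # no signal fires
```

Any non-empty result is a reason to route the message to the pause-and-check step described above rather than to the advisor’s inbox; the check is deliberately cheap and false positives cost only a phone call.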

Vishing (voice phishing). A quick call from a client urging you to wire funds or approve an urgent transfer can feel authentic in the moment, especially under pressure. Yet a client’s or colleague’s familiar voice over the phone is no longer a guarantee of authenticity. Criminals now use AI-generated voice clones that can sound uncannily like someone you know, a tactic known as vishing, or voice phishing.

A swindler only needs a few seconds of recorded audio, perhaps from a webinar or online clip, to generate a convincing voice model. The result is a scam that can feel far more personal than a suspicious email.

What advisors should do: Always verify. Set clear callback protocols and only process financial requests after confirming them through a preapproved number or secure video call. This applies whether the advisor is working from home or in the office and whether the device is personal or company-issued.

Quishing (QR phishing). QR codes have become so common that most people scan them, whether on restaurant menus, event brochures or compliance notices, without thinking. Cyber hacks are as much about psychology as they are about technology, and QR phishing exploits user trust in the ubiquitous icons. By embedding malicious links in a QR code, criminals can bypass the suspicion an email link might raise.

For advisors, the danger often appears in professional settings. A QR code on a brochure or digital PDF at a conference or attached to what looks like a regulatory update might seem legitimate, but it can be just as deceptive as a phishing email. One quick scan can redirect you to a spoofed login page designed to steal your credentials.

What advisors should do: Treat QR codes with the same caution as links. If you didn’t expect it, don’t scan it. Instead, type the official web address into your browser or navigate through known, trusted portals.

Smishing (SMS phishing). With more advisors working remotely, cyber attackers are turning increasingly to text messages. Messages about account issues or urgent compliance verification might look like they come from a custodian or regulator when they are, in reality, just another form of phishing.

What advisors should do: The urgency factor can feel ramped up on texts, so it’s important to treat all unsolicited texts with suspicion. Only log in to work systems and platforms through trusted apps or bookmarked sites, not links received by SMS. Be aware that regulators such as Finra and the SEC don’t communicate about account or compliance matters via text, so any message of this kind should be treated as suspicious.

In conclusion. The broad takeaway is that financial advisors can no longer rely on instinct alone to spot and stop cyberscams. Verification must be built in at every step: Use multifactor authentication, clear approval workflows, and escalation protocols for any request, especially those that fall outside routine patterns.

Using technology solutions to build a strong security posture and maintain hyper awareness around every email, phone call and text message remains one of the most effective ways to protect your organization. But cybersecurity cannot be left solely to the IT department; it belongs to everyone in the organization. Awareness and vigilance must become part of daily routines firmwide.

Niall Mackey is the commercial director of Topsec Cloud Solutions. His team helps organizations strengthen their email security and build resilience against advanced phishing threats.

Editor’s note: Guest commentaries like this one are written by authors outside the Barron’s Advisor newsroom. They reflect the perspective and opinions of the authors. Submit feedback and commentary pitches to advisor.editors@barrons.com.