Not only has technology dramatically transformed the brokerage business, but it has also revolutionized the fraud game. Now, hackers are finding new ways to play an age-old scam — the venerable “pump and dump.”

In the classic version of the pump and dump scheme, shady brokers and promoters would aggressively talk up a stock — usually in a thinly traded small- or micro-cap stock that was easy to move — to boost its share price. Then they would sell their own shares into this artificially created strength. The pumping was often carried out by cold-calling from old-fashioned boiler rooms; sometimes, the price run-up would be helped along by “wash” trading and other tactics designed to stimulate some artificial price momentum.

The advent of the Internet makes pump and dump schemes even easier to carry out. Using “spam” e-mail tactics, shady operators can reach vast numbers of potential investors with their bogus stock tips at virtually no cost. But the latest version of the ruse goes even further. Computer hackers are gaining access to investors’ online trading accounts and using the money to finance manipulative trading.

In late October, the North American Securities Admin-istrators Association, an umbrella group of state and provincial securities regulators in the U.S. and Canada, issued a warning to investors about “hack attacks.” They have been occurring on both sides of the border recently, resulting in millions of dollars in unauthorized trades.

“The number of these attacks on investors continues to rise as identity thieves increasingly target the securities industry,” says Joseph Borg, NASAA president and director of the Alabama Securities Commission. The NASAA went on to warn investors about the potential of falling victim to identity theft.

The NASAA warning follows an investor alert published in August by the Investment Dealers Association of Canada. The IDA reported then that it had received information about successful hack attacks on investors’ online accounts, although it wasn’t certain just how the accounts had been breached.

Alex Popovic, the IDA’s vice president of enforcement in Toronto, says the IDA is aware of 10 cases of online accounts being compromised, and that the breaches involve hundreds of thousands of dollars.

The hackers have used a couple of methods to gain access to accounts. All the account intrusions appear to have been the result of the hackers obtaining clients’ log-in information.

“We do know that — at least, in one instance — a ‘keystroke logging virus’ was installed on a client’s home computer,” Popovic says. “How or when it was installed is an open question.”

Other clients may have fallen victim to “phishing” — the practice of soliciting personal information through e-mails that purport to be from legitimate sources. Popovic says some affected investors may have inadvertently provided their account access information in response to e-mails requesting that they visit an attached Web site address and log into their accounts. Instead of their actual brokerage’s site, however, they are directed to a pirated site that looks much like the real thing but is a means of gaining access to personal data.

There doesn’t appear to be an enforcement role for the IDA in these cases. The attacks have apparently been carried out by people outside of IDA firms, which puts the perpetrators beyond IDA jurisdiction. Popovic declines to confirm whether there are investigations underway by other regulators or police agencies. “We have been working with a number of other organizations,” he says, “assisting them with regard to the intrusions online.”

BREACHES FROM OUTSIDE

The fact that the breaches appear to have come from outside brokerage firms themselves doesn’t mean there is nothing for firms to worry about. It appears that breaches of this kind aren’t covered by the standard insurance policies that firms are required to carry.

In a notice published in late October, the IDA said its insurance subcommittee had discussed the issue of hack attacks with an insurer and concluded such forms of fraud are not covered by the standard financial institution bond policy, which typically protects against only dishonest conduct by employees.

To protect against hacker fraud, firms have to get separate coverage. The IDA’s insurance subcommittee is looking at whether it should make such insurance mandatory for firms that provide online trading.

“We are in the process of conducting a member survey to see what the membership exposure is to this type of fraud,” says Maysar Al-Samadi, the IDA’s vice president of professional standards. “Once we have the facts, we will further discuss the issue internally and with our insurance subcommittee, to see whether we should make it a regulatory requirement for members to carry this additional coverage.”

@page_break@At this point, Popovic says, hack attacks appear to be more prevalent in the U.S. “We don’t know if that is merely a function of relative size of populations, or if the persons conducting these activities are more familiar with U.S. sites,” he says.

Nevertheless, he notes, the IDA will continue to work with its members to identify the various methods hackers are using to carry out the schemes “and how we might be able to harden online accounts against these types of activities,” he says.

The pump and dump, meanwhile, remains a classic securities industry scam. And even in the age of ever more technically sophisticated schemers, the classics never go out of style. IE