Why passphrases aren’t enough to keep clients safe

By Jonathan Got | December 11, 2023 | Last updated on December 11, 2023

As artificial intelligence becomes more robust, financial advisors need a method to verify a client’s identity for every transaction that doesn’t happen in person. Advisors can’t rely on recognizing someone’s voice stating their vital information, because scammers can clone voices with AI and steal a client’s identifying information.

But a commonly recommended technique, passphrases, is insufficient for protecting clients from fraudulent transactions. A passphrase is a unique sequence of words that advisors ask their clients to recall to verify their identity during voice or video calls; it functions much like the passwords used to log in to online accounts.

Most people are just as likely to forget a passphrase as they are a password, said Jason Pereira, financial planner and senior partner with Toronto-based Woodgate Financial.

Instead, Preet Banerjee, a wealth management consultant and partner with Toronto-based investment analysis firm Wealthscope, recommended using common two-factor authentication methods for every virtual interaction.

At the beginning of any voice or video call, an advisor or their staff could push a one-time code to a client’s smartphone through text messaging or an authentication app and ask the client to read the code back.

“There are ways to automate this way to verify a client’s identity without having to memorize a passphrase for every person that you deal with on a regular basis,” Banerjee said. “That is much more manageable.”
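As an added illustration (not from the article or from any product the sources mention), here is one way the read-back check could work in Python. The class name, the two-minute expiry and the three-attempt limit are assumptions, and delivery of the code to the client's registered phone or authentication app is left to the caller.

```python
import hmac
import secrets
import time

CODE_TTL_SECONDS = 120  # assumed validity window for a code
MAX_ATTEMPTS = 3        # assumed number of read-back attempts per code


class CallVerifier:
    """Hypothetical helper: one short-lived, single-use code per client call."""

    def __init__(self, clock=time.monotonic):
        self._pending = {}  # client_id -> [code, expires_at, attempts_left]
        self._clock = clock

    def issue(self, client_id):
        """Create a fresh 6-digit code. The caller pushes it to the contact
        method already on file, never to one supplied during the call."""
        code = f"{secrets.randbelow(10**6):06d}"  # CSPRNG, not random.random()
        self._pending[client_id] = [
            code, self._clock() + CODE_TTL_SECONDS, MAX_ATTEMPTS]
        return code

    def check(self, client_id, spoken):
        """Return True only for the current, unexpired, unused code."""
        entry = self._pending.get(client_id)
        if entry is None:
            return False
        code, expires_at, _ = entry
        if self._clock() > expires_at:
            del self._pending[client_id]  # expired codes are discarded
            return False
        # Staff may type the code as heard ("4 8 1 - 5 1 6"): keep digits only.
        digits = "".join(ch for ch in spoken if ch in "0123456789")
        if hmac.compare_digest(digits.encode(), code.encode()):
            del self._pending[client_id]  # single use: a replay fails
            return True
        entry[2] -= 1
        if entry[2] <= 0:
            del self._pending[client_id]  # too many misses: issue a new code
        return False
```

Because a code expires quickly and works once, a recording of an earlier call gives an impersonator nothing to replay, unlike a memorized passphrase.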

For now, automated two-factor authentication for client calls is still “relatively uncharted,” Banerjee said. In the interim, advisors can tell clients they’ll spend a few minutes at the beginning of each call to go over previous interactions and confirm details that they’ve learned about each other over time to make sure they’re speaking to the right person.

Advisors should ask for information that only the client would know and be aware of which transaction types require extra scrutiny, Pereira said. For example, any request to move money out of an account and redirect it to someplace new is a major red flag.

Verification questions could include what they last discussed, recent transactions or where they said they wanted to go on holiday next year. Advisors who have frequent contact with clients will know more about them and be less susceptible to fraud.

Nonetheless, advisors may want to set up face-to-face meetings for large transactions as a surefire way of verifying a client’s identity, Banerjee said.

Advisors who meet with clients less often can still enhance security by mixing standard security questions with intimate knowledge, Pereira said. Staff can ask for the middle three SIN digits instead of the commonly used first or last three, and ask the client when they last met with the advisor and what was discussed. Taking detailed notes during meetings creates more verification material.

“There’s no replacement for knowing your clients when it comes to protecting them from fraud,” Pereira said. “[It’s] a combination of client knowledge and awareness of the situation.”

Scammers don’t just impersonate clients — some impersonate advisors to defraud their clients, Banerjee said. He said his social media profile was cloned by scammers who tried to sell cryptocurrencies and online trading programs to his followers. Advisors need to educate clients to be suspicious of anything requiring urgency and remind clients to call the advisor’s office if they have questions.

As advisors use new ways to detect and deter AI cloning, scammers will try to leapfrog that technology to circumvent it, Banerjee said. “It’s basically going to be a technological arms race.”


Jonathan Got is a reporter with Advisor.ca and its sister publication, Investment Executive. Reach him at jonathan@newcom.ca.