Security for Wealth Management: the anatomy of a BEC fraud and how to contain it
Wealth management firms concentrate exactly what financial crime wants most: ultra-high-net-worth clients and the precise map of their money. See how Decripte detects email fraud, contains the transaction, and designs the anti-fraud controls that stop the next investment from turning into a loss.
Direct answer
Protecting a wealth management firm starts with recognizing that the most targeted asset is not the custody system, but the trust-based email relationship between the private client and the advisor. The right defense stacks four layers: (1) an anti-fraud process with mandatory out-of-band verification for any payment instruction or change of banking details; (2) identity hardening with phishing-resistant MFA (FIDO2) and account takeover detection; (3) continuous email monitoring by a 24x7 SOC that hunts for malicious forwarding rules, anomalous logins, and lookalike domains; and (4) an Incident Response plan with a containment SLA of up to 1 hour, capable of triggering a bank freeze and recall within the window in which the money is still recoverable. Decripte offers a free exposure assessment at decripte.com.br/intelligence-center and structures all of these controls at decripte.io/start.
24/7
SOC monitoring email and accounts
<=1h
Decripte containment SLA
LGPD
Wealth data = personal data made sensitive by context
FIDO2
Phishing-resistant MFA for advisors and clients
In summary
- ›The dominant attack against wealth is not a system breach, it is email hijacking (BEC): the fraudster takes over the conversation between the private client and the advisor and reroutes the investment to a mule account.
- ›Out-of-band verification is the control that reduces losses the most: no payment instruction or change of banking details is executed without voice confirmation on a previously registered number.
- ›The financial recovery window is short — a bank freeze and recall must be triggered within minutes, which is why Decripte's containment SLA of up to 1 hour is decisive.
- ›Forwarding rules and hidden filters in the mailbox are the silent signature of an account takeover; Decripte's 24x7 SOC monitors exactly these signals.
- ›Compliance with the LGPD is not bureaucracy: the wealth data of a high-net-worth client is raw material for blackmail and fraud, and the ANPD requires notification of incidents posing relevant risk.
Cibersegurança para Wealth Management and Private Banking
Wealth management firms concentrate exactly what financial crime wants most: ultra-high-net-worth clients and the precise map of their money. See how Decripte detects email fraud, contains the transaction, and designs the anti-fraud controls that stop the next investment from turning into a loss.
Why wealth management is a priority target for financial crime
A wealth management firm occupies a peculiar position on the risk map of the financial system: it does not necessarily hold custody of the assets — they are frequently held at brokerages, banks, and partner fiduciary administrators — but it concentrates something equally valuable, namely complete knowledge of who the clients are, how much each one has, where it is allocated, when liquidity is available, and through which channels the money moves. For an attacker, this knowledge is worth as much as direct access to the account, because it makes it possible to pick the right victim, at the right moment, with the right pretext.
The client profile amplifies the problem. Ultra-high-net-worth individuals, business-owning families, executives, and investors with significant assets are individual targets for spear phishing — tailored social engineering attacks based on public and private information collected patiently. Unlike mass phishing, spear phishing against a private client is written with the advisor's name, the firm's jargon, the transaction history, and, in many cases, the exact context of an investment or redemption that is about to happen.
The most targeted asset is not the system, it is the conversation
In most frauds against wealth, the attacker never touches the custody system. They compromise a mailbox — the advisor's or the client's — and start operating from within a legitimate conversation. The fraud happens in text, with senders that appear genuine, about transactions that were in fact under way.
Add to this the asymmetry of incentive. The average ticket of a successful fraud in this sector is extremely high: a single diverted investment can represent hundreds of thousands or millions of reais. From the criminal's economic standpoint, this justifies investing weeks in reconnaissance, buying access to compromised mailboxes on underground forums, and building lookalike domain infrastructure. The wealth attacker is patient, funded, and specific — and the defense must match that profile.
Five vectors that concentrate the sector's risk
- ›Spear phishing against private clients and advisors, with tailored pretexts
- ›Wire transfer fraud (BEC) hijacking legitimate investment and redemption conversations
- ›Leakage of wealth data used for blackmail, extortion, and target selection
- ›Account takeover of email and portals, with the installation of hidden forwarding rules
- ›Insider threat — improper access or exfiltration by someone inside the operation
BEC: the scam that defines the threat in wealth management
BEC is the acronym for Business Email Compromise. It is the category of fraud that moves the most money in digital financial crime and the one that best describes the concrete risk facing a wealth management firm. The mechanics are deceptively simple, which is why they are so effective: the attacker gains visibility into an email conversation — by compromising the client's, the advisor's, or a third party's mailbox in the chain — and, at the moment a financial transaction is being negotiated, injects a fraudulent instruction that reroutes the money.
There are important variations. In direct compromise, the attacker has access to the real mailbox and replies from within the legitimate thread — this is the most dangerous scenario, because the fraudulent email comes from the genuine address. In spoofing and lookalike, they do not have access to the mailbox, but they create a near-identical domain (swapping a letter, using .com instead of .com.br, or visually similar characters) and impersonate the advisor or the client. In CEO fraud, they impersonate a figure of authority — the founding partner, the head of the desk — to pressure a subordinate into executing an urgent, confidential transfer outside the standard procedure.
Urgency and secrecy are the fingerprint of the scam
Almost every BEC carries two ingredients: time pressure ("I need this to go out today") and a request for confidentiality ("don't mention this to anyone, it's a sensitive operation"). These two elements exist precisely to switch off the controls that would protect the victim — checking with another person and out-of-band verification. Training advisors and clients to distrust urgency combined with secrecy is one of the cheapest and most effective defenses there is.
What makes BEC so lethal in wealth is that it exploits the very nature of the service. The relationship between a private client and an advisor is built on trust and speed — the client expects an email instruction to be handled promptly, and the advisor is trained to serve. The scam turns that virtue into an attack surface. That is why the central countermeasure is not technological, it is procedural: instituting, without exception, out-of-band verification for any transaction or change of banking details.
Signs that a financial instruction email may be fraud
- ✓A change of banking details for an already-known beneficiary, with any justification
- ✓Unusual urgency combined with a request for secrecy or to not involve other people
- ✓A sender address with a subtle difference (a swapped letter, .com vs .com.br domain, an odd subdomain)
- ✓A break in the pattern of tone, timing, language, or the correspondent's signature
- ✓A request to change the channel of the conversation ("reply only to this email", "don't call me right now")
- ✓An instruction to an account whose holder differs from the expected beneficiary
Is wealth management and private banking data already exposed or up for sale? Find out now — for free.
Sem cartão, sem compromisso. Descubra em minutos o que já vazou da sua empresa e qual é o seu risco real.
Account takeover and the forwarding rule no one sees
Before a wire transfer fraud exists, there is almost always an account takeover — the seizure of control of an email account. The attacker obtains the credential through phishing, through a leaked reused password, or through brute force against accounts without MFA. But the step that defines a mature attack is what they do after getting in: they install silent persistence to keep visibility even if the victim changes the password.
The classic technique is the hidden forwarding rule. Inside the compromised mailbox itself, the attacker creates a rule that forwards copies of messages — usually filtering by words such as "transfer", "TED", "investment", "PIX", "contract", "banking details" — to an external address, and simultaneously moves those messages to a folder the victim does not check, or marks them as read. The result is that the advisor or client keeps using email normally, unaware that every financial conversation is being mirrored to the criminal in real time.
The forwarding rule is the signature of a mature ATO
When a SOC finds a newly created auto-forwarding rule to an external domain in an advisor's mailbox, it is rarely a coincidence. It is the most reliable indicator of compromise that the adversary is already inside and building the stage for a BEC. Early detection of this rule is the difference between stopping the scam during preparation or discovering it only after the loss.
Other signs of account takeover that continuous monitoring should capture include: logins from geographies incompatible with the user's routine (impossible travel — two accesses in distant locations within a physically impossible interval), the use of legacy email protocols that bypass MFA, the creation of new application tokens, changes to password recovery methods, and anomalous spikes in the volume of sent or deleted items. In isolation each may be noise; correlated, they draw the attack.
Controls that cut off account takeover at the root
- ✓Phishing-resistant MFA (FIDO2 / security keys) on all advisor accounts and across the operation
- ✓Blocking of legacy protocols (basic IMAP/POP/SMTP) that bypass multi-factor authentication
- ✓Automatic alerting for any new forwarding or external redirection rule
- ✓Detection of impossible travel and of logins outside the geographic and device pattern
- ✓Periodic review of application tokens, active sessions, and registered recovery methods
- ✓A policy of unique, strong passwords, checked against leaked credential databases
Leakage of wealth data: the fuel for blackmail
The second major risk axis, alongside wire transfer fraud, is the leakage of wealth data. A wealth client base is a dossier of extremely high value: names, tax IDs, asset composition, corporate and family structures, offshore accounts, relationships with offshore entities and holding companies, spending and liquidity patterns. This body of information has its own market. It is not sold only for direct fraud — it feeds blackmail, extortion, express kidnapping, and the fine selection of the next BEC victims.
From a regulatory standpoint, this data is personal data protected by the General Data Protection Law (LGPD). Although the LGPD treats specific categories as "sensitive" (racial origin, religious conviction, health, biometrics, among others), the financial data of a private client, given the context and the magnitude of the risk its leakage represents, demands the highest level of protection and justifies being handled as critical information. An incident that leaks this base generally constitutes a situation of relevant risk or harm to the data subjects, triggering the duty to notify the ANPD and those affected.
What the LGPD requires in the face of a wealth data leak
The LGPD requires that security incidents that may entail relevant risk or harm to data subjects be reported to the National Data Protection Authority (ANPD) and to the affected data subjects within a reasonable time frame. Decripte conducts the forensic investigation, scopes what was leaked, supports the preparation of the incident report, and guides the controller in the decision and the content of the notification, within the parameters of the ANPD's regulations.
The leak is rarely an isolated event. In many investigations, the database is exfiltrated months before any visible fraud, and used surgically: the attacker knows that client X has a redemption scheduled, knows the name of the advisor who handles them, knows the approximate amount. When the BEC arrives, it already comes calibrated with real data. That is why protection against leakage — access control, encryption, exfiltration prevention, and monitoring — is not a front separate from fraud: it is the same war, played earlier.
Insider threat: the risk that lives inside
Not every threat comes from outside. In wealth management, legitimate access to ultra-sensitive information is distributed among advisors, desk operators, back-office areas, compliance, and technology. The insider threat can be malicious (an employee who decides to exfiltrate the client base to sell it, or who collaborates with external fraudsters) or unintentional (someone who falls for phishing, shares credentials, or handles data negligently).
Internal risk is especially delicate in this sector because trust is part of the product. The controls, therefore, must be designed to reduce opportunity and increase traceability without turning the operation into an environment of permanent distrust. The principle of least privilege — each person accesses only what their role requires — is the foundation. On top of it are built segregation of duties (whoever initiates an operation is not the one who approves it) and the immutable audit trail of who accessed which data and when.
Controls against the insider threat
- ✓Least privilege: access to client data restricted to what is strictly necessary per role
- ✓Segregation of duties in the payment chain — initiating, approving, and releasing are distinct roles
- ✓An immutable audit trail of access to and exports of wealth data
- ✓Alerting for bulk exports, anomalous downloads, and access outside of hours/context
- ✓A structured offboarding process that revokes access immediately upon termination
- ✓A no-blame reporting culture for honest mistakes, separating error from bad faith
Decripte's 24x7 SOC treats the insider threat with the same behavioral lens used for the external attacker: what matters is the deviation from the pattern. An advisor who always accesses five accounts a day and suddenly exports the entire base in the early hours of a Friday triggers the same alert as a login from a foreign IP. The defense does not presume guilt — it observes anomaly and investigates.
What would an incident in wealth management and private banking cost? See your real risk before it happens.
Sem cartão, sem compromisso. Descubra em minutos o que já vazou da sua empresa e qual é o seu risco real.
How Decripte detects and contains a fraud in progress
The difference between a scare and a loss, in a wire transfer fraud, is measured in minutes and hours. Once the fraudulent instruction is executed and the money leaves, the recovery window closes quickly: the attacker moves the funds through a chain of mule accounts, often scatters it across withdrawals and PIX, and within a few hours the trail becomes hard to reverse. That is why containment must be immediate — and why Decripte's containment SLA of up to 1 hour is a core capability, not a contractual detail.
Containment within 1 hour because money has an expiration date
In a BEC fraud, each hour that passes after the transfer drastically reduces the chance of a bank recall. Decripte's Incident Response operates with a containment SLA of up to 1 hour precisely because, in this sector, the speed of the response converts directly into money recovered or lost. Triggering a freeze, notifying the financial institution, and freezing the destination account are actions that are worth more the earlier they happen.
Detection, ideally, happens before the transfer. The 24x7 SOC monitors the signals that precede the scam — the newly created forwarding rule, the impossible login, the recently registered lookalike domain resembling the firm's, the spike in emails about payment. When these signals correlate, the team acts on the preparation of the attack, closing the door before the fraudulent instruction reaches the client or the back office.
When the fraud is already under way, the response combines three simultaneous fronts: technical (revoking sessions, ejecting the attacker from the mailbox, removing malicious rules, resetting credentials with MFA), financial (engaging the financial institution for a freeze and recall, guiding the client, filing a police report), and narrative containment (establishing which conversation is legitimate and which is fraudulent, re-establishing a trusted communication channel outside the compromised email). Coordinating these fronts under pressure is exactly what a mature Incident Response plan delivers.
Compliance as trust infrastructure
In wealth management, compliance is not merely an obligation — it is part of the value proposition. The private client entrusts their wealth to whoever demonstrates governance. Decripte structures the firm's compliance so that it is, at the same time, real defense and a commercial asset.
The LGPD is the central axis: mapping the personal data processed, the legal basis for each processing activity, retention and disposal policies, access controls and encryption, and an incident response plan that addresses the duty to notify the ANPD. For firms regulated by the CVM and related to the Central Bank, sector-specific cybersecurity and continuity requirements are added. Where there is card processing, PCI-DSS applies. And ISO 27001 certification provides the information security management system framework that organizes all of this in an auditable way.
The typical regulatory map of a wealth management firm
- ›LGPD — protection of clients' personal data and the duty to notify incidents to the ANPD
- ›CVM and Central Bank regulation — cybersecurity, continuity, and operational risk management requirements
- ›ISO 27001 — an auditable information security management system, frequently required by institutional clients
- ›PCI-DSS — when there is processing of payment card data in the operation
- ›SOC 2 — a controls report increasingly requested by corporate clients and international partners
Decripte treats compliance as a consequence of good controls, not as documentary theater. Real security is implemented first — MFA, monitoring, out-of-band verification, segregation of duties — and then what actually exists is documented and audited. This path produces certifications that withstand the scrutiny of a sophisticated client and a regulator, rather than paperwork that collapses at the first incident.
Pentest and offensive validation: discover before the criminal does
Controls are only worth something if they work under attack. Decripte's Pentest simulates, in an authorized and controlled way, exactly what a real adversary would do against the firm: spear phishing campaigns against advisors and staff, account takeover attempts, exploitation of lookalike domains, testing of client portals and partner integrations, and assessment of the anti-fraud process's resistance to a BEC scenario.
The value of a pentest in this sector is not only in finding a technical flaw in a portal — it is in testing the human and procedural link, which is where the fraud actually happens. A well-designed exercise answers concrete questions: if an attacker sends an email changing banking details to the back office, does the out-of-band verification procedure hold the operation? If an advisor's mailbox is compromised in a lab, does the monitoring detect the forwarding rule? Does the trained private client identify the lookalike?
What a wealth pentest should cover
- ✓Targeted social engineering (spear phishing) against advisors and the operations team
- ✓Resistance of the anti-fraud process to an end-to-end simulated BEC scenario
- ✓Security of client portals, logged-in areas, and integrations with partners and custody
- ✓Identity hygiene: MFA coverage, legacy protocols, exposure of leaked credentials
- ✓External surface reconnaissance: lookalike domains, exposed data, public leaks
- ✓Effectiveness of SOC detection against real account takeover techniques
The pentest findings feed directly back into the design of controls and the training roadmap, closing the cycle of discover, fix, and validate again. Security in wealth is not a project with an end — it is a continuous regime of testing and adjustment, because the adversary does not stop either.
Anatomy of a BEC diverting a private client's investment (anonymized real example)
Real, de-identified example
This is an anonymized real example, built from real fraud patterns in the sector, and does not identify a Decripte client. A wealth management firm serves ultra-high-net-worth clients. One of them, a businessman with significant assets, is negotiating with his advisor the allocation of a substantial investment into a new product. The conversation, as usual, happens by email. Weeks earlier, without anyone noticing, the client's personal mailbox had been compromised via phishing, and the attacker installed a hidden forwarding rule that mirrored to an external address every message containing words such as 'investment', 'transfer', and 'banking details'. The criminal followed the investment negotiation in real time, waiting for the moment of the payment instruction.
Reconnaissance and compromise (weeks earlier)
The attacker compromises the client's mailbox through targeted phishing, captures the credential and, since there was no phishing-resistant MFA, maintains persistent access. They install a forwarding rule that silently filters and mirrors every financial conversation to an address under their control, moving the copies to a folder the client does not check. They begin observing the investment negotiation without interfering.
Fraud injection (day of the scam)
At the exact moment the advisor sends the details for the payment of the investment, the attacker springs into action. Using a lookalike domain nearly identical to the firm's, they send the client an email impersonating the advisor, stating that 'due to an internal update' the destination banking details have changed, and requesting urgency and secrecy so as not to delay the allocation window. The email comes with the correct tone, signature, and context, because the attacker read the entire real conversation.
Detection
Decripte's 24x7 SOC, which was monitoring the firm's email environment, fires two correlated alerts: the recent registration of a lookalike domain resembling the firm's, and an anomalous message pattern involving a change of banking details combined with urgency and secrecy. The SOC analyst escalates the case immediately, before the payment was released, and triggers Incident Response.
Containment (within the SLA of up to 1 hour)
Decripte establishes contact with the firm through a secure channel outside email and instructs the immediate suspension of any payment related to that investment. The advisor confirms, by phone call to the client's previously registered number, that the banking details were never changed — out-of-band verification breaks the fraud. The transaction is blocked before release. The lookalike domain is reported for takedown.
Eradication
The investigation identifies the client's compromised mailbox, removes the malicious forwarding rule, revokes all active sessions, resets credentials, and deploys phishing-resistant MFA. The team maps everything the attacker had visibility into while inside and scopes the extent of exposed data to assess notification duties.
Recovery
The investment flow is resumed through a verified channel and with the correct banking details confirmed out of band. The firm re-establishes trusted communication with the client, who is advised on the hygiene of their personal mailbox. The operation returns to normal with no financial loss.
Lessons and new controls
Decripte institutes, as firm policy, mandatory out-of-band verification for any payment instruction or change of banking details, with a callback to a previously registered number. It deploys continuous monitoring of forwarding rules and lookalike domains, expands FIDO2 MFA to clients and staff, and conducts spear phishing training focused on the urgency-plus-secrecy pattern.
Outcome with Decripte
The fraud was stopped before the money left because early detection by the 24x7 SOC combined with containment within the SLA of up to 1 hour and a simple, decisive procedural control — out-of-band verification. The financial loss was zero. More important than the avoided incident, the firm came away with a structured anti-fraud regime: no transaction again depends on blind trust in an email. This is the security standard Decripte designs for wealth management — starting with a free assessment at decripte.com.br/intelligence-center and structuring the controls at decripte.io/start.
Don’t wait for the incident. Start hardening wealth management and private banking today.
Comece pelo diagnóstico gratuito agora e veja em minutos o que já vazou. SOC 24x7 e contenção em até 1h nos planos pagos.
How Decripte responds to a fraud incident in wealth management
Incident response in the wealth management sector is a race against the financial clock: the goal is to stop the fraud before the money leaves, or recover it while it is still traceable. Decripte executes this response in coordinated steps, with a containment SLA of up to 1 hour.
- Triage and immediate activation: upon receiving the alert — from the SOC, the client, or the firm — Decripte classifies the severity and activates the Incident Response team, establishing a secure communication channel outside the potentially compromised email.
- Transaction containment: the number one priority is to prevent the money from leaving. Decripte instructs the suspension of any suspicious payment and, if the transfer has already occurred, immediately engages the financial institution for a freeze and recall attempt, within the SLA of up to 1 hour.
- Out-of-band verification: confirmation by voice, on a previously registered number, of whether the instruction and the banking details are legitimate. It is the step that definitively separates the real operation from the fraud.
- Ejecting the attacker: active sessions are revoked, credentials are reset with phishing-resistant MFA, and forwarding rules and any persistence mechanisms installed in the compromised mailbox are removed.
- Forensic investigation and scoping: Decripte reconstructs the attack timeline — when the attacker got in, what they saw, what they exfiltrated — to scope the extent of exposed data and the impact.
- Assessment of regulatory duties: with the scope defined, the controller is advised on the obligation and the content of the notification to the ANPD and the affected data subjects, in accordance with the LGPD and applicable regulations.
- Recovery and secure resumption: the legitimate financial flow is resumed through a verified channel, with details confirmed out of band, and trusted communication with the client is re-established.
- Lessons learned and hardening: the incident report is produced and the controls that prevent recurrence are deployed — mandatory out-of-band verification, email monitoring, and expanded FIDO2 MFA.
How Decripte structures a wealth management firm's security
Incident response puts out the fire; structure prevents the next one. Decripte organizes wealth management security around pillars that attack the root cause of fraud — the dependence on blind trust in email — and build lasting resilience.
Anti-fraud process with out-of-band verification
The most decisive control in the sector is not technological, it is procedural. Decripte institutes the inviolable rule that no payment instruction or change of banking details is executed without voice confirmation, on a previously registered number, independent of email. This breaks BEC at the root, because it moves the decision to a channel the email attacker does not control.
Identity and email hardening
Phishing-resistant MFA (FIDO2) for advisors, staff, and, where possible, clients; blocking of legacy protocols that bypass MFA; a policy of unique passwords verified against leaks; and continuous account takeover monitoring, with alerting for malicious forwarding rules, impossible logins, and anomalous token creation.
24x7 SOC and early detection
Uninterrupted monitoring of the email and identity environment, correlating signals that precede fraud — newly registered lookalike domains, spikes in messages about payment, anomalous user behavior. The goal is to detect the preparation of the scam, not merely react to the loss.
Wealth data protection and least privilege
Least-privilege access control, segregation of duties in the payment chain, encryption of sensitive data, an immutable audit trail, and exfiltration prevention. It simultaneously mitigates external leakage and the insider threat.
Auditable compliance
Structuring of the LGPD, alignment with CVM and Central Bank requirements, and the ISO 27001 framework (and PCI-DSS / SOC 2 where applicable), so that compliance reflects real controls and functions as a commercial asset before sophisticated clients and regulators.
Offensive validation and continuous training
Periodic pentest that simulates the real adversary — spear phishing, account takeover, end-to-end BEC — and training of advisors and staff focused on the urgency-plus-secrecy pattern. The findings feed back into the controls, closing the cycle of discover, fix, and revalidate.
Recommended plans for Wealth Management and Private Banking
Incident Response
When a wire transfer fraud is under way, every minute is worth money. Decripte's containment SLA of up to 1 hour makes it possible to block the transaction and trigger the bank recall within the window in which the funds are still recoverable, in addition to conducting the forensic investigation and fulfilling the LGPD notification duties.
See plan →24x7 SOC
BEC and account takeover have signals that precede the loss — hidden forwarding rules, impossible logins, lookalike domains. Uninterrupted monitoring detects the preparation of the scam and acts before the fraudulent instruction reaches the client or the back office.
See plan →Pentest
In wealth, fraud happens at the human and procedural link. The pentest validates, in an authorized way, whether the anti-fraud process withstands a simulated BEC, whether advisors recognize spear phishing, and whether the monitoring detects the account takeover — before the real criminal tests it for you.
See plan →Compliance
The wealth data of private clients demands real governance under the LGPD, and the CVM/Central Bank and ISO 27001 framework is frequently a prerequisite for institutional clients. Decripte turns compliance into an effective control and an asset of commercial trust.
See plan →Frequently asked questions
What is a BEC fraud and why is it the greatest risk for a wealth management firm?
BEC (Business Email Compromise) is the fraud in which the attacker hijacks or imitates an email conversation to reroute a financial transfer. It is the greatest risk in wealth because it exploits the relationship of trust and speed between the private client and the advisor: the fraudster does not breach the custody system, they insert themselves into a real investment or redemption negotiation and divert the money to a mule account. The central defense is mandatory out-of-band verification.
What is out-of-band verification and why is it so important?
It is confirming a financial instruction through a channel different from the one it arrived on — typically a voice call to a previously registered number, when the instruction came by email. It is the most effective control against BEC because the attacker who controls the email does not control the client's phone. No transaction or change of banking details should be executed without this confirmation.
How do I know if an advisor's or client's mailbox has been compromised?
The signs include forwarding rules you did not create, messages that disappear or appear as read without having been opened, logins from locations incompatible with the routine, and clients reporting emails the advisor did not send. The hidden forwarding rule to an external domain is the most reliable indicator of account takeover. Decripte's 24x7 SOC monitors exactly these signals.
If the money has already left in a fraud, is it still possible to recover it?
It depends fundamentally on speed. The sooner the financial institution is engaged for a freeze and recall, the greater the chance of reversal, because the attacker takes time to scatter the funds across mule accounts. That is why Decripte operates with a containment SLA of up to 1 hour — in this sector, the speed of the response converts directly into money recovered.
Does a leak of client data require notifying the ANPD?
As a rule, yes. The LGPD requires notification of the ANPD and the data subjects when the incident may entail relevant risk or harm. A leak of wealth data of high-net-worth clients usually falls under this hypothesis, given the potential for blackmail and fraud. Decripte scopes the extent, supports the incident report, and guides the notification decision within the ANPD's regulations.
Does ordinary MFA solve the account takeover problem?
It reduces it, but does not eliminate it. MFA via SMS or code can be bypassed by sophisticated phishing and notification fatigue attacks. That is why Decripte recommends phishing-resistant MFA (FIDO2 / security keys) for advisors and staff, in addition to blocking legacy email protocols that bypass multi-factor authentication entirely.
How to address the risk of an internal employee leaking the client base?
With least privilege (each person accesses only what is necessary), segregation of duties in the payment chain, an immutable audit trail, and alerts for bulk exports or anomalous access. The SOC treats the insider threat through the lens of behavioral deviation — without presuming guilt, but investigating anomaly. Decripte structures these controls so as to protect without eroding the operation's trust.
Where should a firm start structuring its security?
With the assessment. Decripte offers a free exposure evaluation at decripte.com.br/intelligence-center, which identifies lookalike domains, leaked data, and blind spots in the environment. From the assessment, the priority controls are structured — out-of-band verification, FIDO2 MFA, and monitoring — at decripte.io/start. To speak directly with Decripte, use /contato.
Sector terms
- BEC (Business Email Compromise)
- Fraud in which the attacker compromises or imitates an email account to insert themselves into a legitimate financial conversation and reroute a transfer to an account under their control. It is the main financial threat against wealth management firms.
- Out-of-band verification
- Confirmation of an instruction through a channel independent of the one on which it was received — for example, calling a previously registered number to validate a payment order that arrived by email. It is the most effective control against BEC.
- Account takeover (ATO)
- Seizure of control of a legitimate account (email, portal) by an attacker, usually followed by silent persistence, such as the installation of hidden forwarding rules to mirror financial conversations.
- Spear phishing
- A highly targeted social engineering attack, tailored to a specific victim based on information collected about them, in contrast to mass phishing. Common against private clients and advisors.
- Insider threat
- A threat originating from within the organization, whether malicious (an employee who exfiltrates or collaborates with fraud) or unintentional (negligence, falling for phishing). Critical in wealth due to the distributed access to ultra-sensitive data.
- Lookalike domain
- A domain created to resemble that of a legitimate organization, with subtle differences (a swapped letter, a different extension, similar characters), used to deceive victims in phishing and BEC attacks.
Decripte protects and responds to incidents in wealth management and private banking.
Pentest, 24x7 SOC, incident response with a 1-hour containment SLA and compliance — without building an internal team. Or start free by seeing what has already leaked from your company.
