If Morgan Stanley’s CEO Can Be Duped, So Can You
When it comes to cybersecurity, even the heads of major brokerages could probably use some training. The latest victim of an email hoax is none other than Morgan Stanley CEO James Gorman, the New York Post writes.
Gorman, who headed Merrill Lynch’s private client business prior to joining Morgan Stanley in 2006, fell for an email hoax earlier this month from a known prankster who goes by the Twitter handle @SINON_REBORN, according to the paper. In a series of emails, Gorman believed he was replying to Morgan Stanley director and former U.K. chancellor Alistair Darling, according to the Post.
The prankster used a classic phishing scam approach: he emailed a photo of Darling and apologized for sending it to Gorman instead of a journalist working on a feature, the paper writes. The prankster then sent a “rambling, ornately written story,” according to the Post, that connected a fishing trip to risk management, to which Gorman replied, “Great personal story to make a critical point!” Morgan Stanley reps confirm the exchange to the paper.
Gorman isn’t the only CEO of a major financial firm to fall for an email hoax, the Post writes: the same prankster previously duped Lloyd Blankfein, CEO of Goldman Sachs, Citi CEO Michael Corbat and Barclays chief Jes Staley, according to the paper.
The goal of the pranks appears to be to shine light on cybersecurity gaps. On June 7, @SINON_REBORN tweeted that he hasn’t made any money from the pranks, according to the Post.
“Those with responsibilities to others need to seriously consider how they handle email correspondence,” he wrote, according to the paper. “Anyone could do what I did.”
Financial regulators, meanwhile, have been increasingly focused on cybersecurity – particularly in light of the WannaCry ransomware attack earlier this year that affected companies and institutions in more than 100 countries.
Earlier this week, the SEC warned financial advice firms that they could be doing far more to ramp up their cyberdefenses. The regulator’s latest stage of cybersecurity exams revealed that more than half of U.S. investment advice firms fail to perform vulnerability and penetration tests, while about a quarter don’t even conduct risk assessments.