Morgan Stanley Wealth Management, the wealth and asset management division of Morgan Stanley, says some of its customers had their accounts compromised in social engineering attacks. The account breaches were the result of vishing, also known as voice phishing, a social engineering attack where scammers impersonate a trusted entity (in this case Morgan Stanley) during a voice call to convince their targets into revealing or handing over sensitive information such as banking or login credentials. In a notice sent to affected clients, the company said that on or around February 11, 2022, a threat actor impersonating Morgan Stanley gained access to their accounts after tricking them into providing their Morgan Stanley Online account info. After successfully breaching their accounts, the attacker also electronically transferred money to their own bank account by initiating payments using the Zelle payment service.
“As you are aware, on or around February 11, 2022, you were contacted by a bad actor claiming to be with Morgan Stanley,” the alert reads. “The bad actor was able to obtain information relating to your Morgan Stanley Online account, subsequently accessing this account and initiating unauthorized Zelle payments.” A Morgan Stanley spokesperson told reporters that “there was no data breach or information leak from Morgan Stanley.” The Morgan Stanley division added that it disabled the accounts of all customers affected by these attacks and that its systems remain secure. “This compromise was not a result of any action of Morgan Stanley Wealth Management and our systems remain secure,” the company explained. “Your Morgan Stanley Wealth Management account has been flagged to our Customer Call Center so that any callers into the Call Center will be prompted with additional verification. Your previous Morgan Stanley Online account was also disabled.”
Morgan Stanley provided recommendations on how to defend against vishing attacks and other types of social engineering scams, advising customers not to answer calls from phone numbers they don’t recognize. “Also, be guarded when providing your data by phone. Ensure the person asking for the information is from a legitimate organization and is whom they claim to be,” the company says. “You can always hang up and call the organization back using a phone number found through a trusted source – such as the company’s official website or perhaps a financial statement.”