Morgan Stanley's wealth and asset management division, Morgan Stanley Wealth Management, says that social engineering attacks have compromised some of its customers' accounts.
Vishing (also known as voice phishing) is a social engineering attack in which scammers impersonate a reputable business (in this case Morgan Stanley) over the phone to persuade their targets to expose or pass over sensitive information such as banking or login credentials.
According to a notice sent to impacted clients, a threat actor portraying Morgan Stanley acquired access to their accounts "on or around February 11, 2022" after deceiving them into submitting their Morgan Stanley Online account information.
The attacker also electronically transferred money to their accounts after successfully compromising their own accounts.
The alert reads, "As you are aware, on or around February 11, 2022, you were contacted by a bad actor claiming to be with Morgan Stanley. The bad actor was able to obtain information relating to your Morgan Stanley Online account, subsequently accessing this account and initiating unauthorized Zelle payments."
A Morgan Stanley spokesperson told BleepingComputer that "there was no data breach or information leak from Morgan Stanley."
The Morgan Stanley division also stated that all affected customers' accounts had been disabled, adding that its systems "remain secure."
The company explained, "This compromise was not a result of any action of Morgan Stanley Wealth Management and our systems remain secure. Your Morgan Stanley Wealth Management account has been flagged to our Customer Call Center so that any callers into the Call Center will be prompted with additional verification. Your previous Morgan Stanley Online account was also disabled."
Morgan Stanley advises customers not to answer calls from numbers they don't recognise as a way to protect themselves from vishing attacks and other sorts of social engineering frauds.
"Also, be guarded when providing your personal data by phone. Make sure the person asking for the information is from a legitimate organization and is who they claim to be. You can always hang up and call the organization back using a phone number found through a trusted source – such as the company’s official website or perhaps a financial statement," the company further recommended.
Morgan Stanley announced a data breach in July 2021 when the Clop ransomware group hacked into the Accellion FTA server of Guidehouse, one of Morgan Stanley's third-party providers, and stole personal information belonging to its clients.
Morgan Stanley is a significant investment banking and global financial services corporation based in the United States that offers investment banking, securities, wealth management, and investment management services around the world.
