Morgan Stanley client accounts breached in social engineering attacks

Image: Morgan Stanley/BleepingComputer

Morgan Stanley Wealth Management, the wealth and asset management division of Morgan Stanley, says some of its customers had their accounts compromised in social engineering attacks.

The account breaches were the result of vishing (aka voice phishing), a social engineering attack where scammers impersonate a trusted entity (in this case Morgan Stanley) during a voice call to convince their targets into revealing or handing over sensitive information such as banking or login credentials.

The company said in a notice sent to affected clients that, "on or around February 11, 2022," a threat actor impersonating Morgan Stanley gained access to their accounts after tricking them into providing their Morgan Stanley Online account info.

After successfully breaching their accounts, the attacker also electronically transferred money to their own bank account by initiating payments using the Zelle payment service.

"As you are aware, on or around February 11, 2022, you were contacted by a bad actor claiming to be with Morgan Stanley," the alert reads.

"The bad actor was able to obtain information relating to your Morgan Stanley Online account, subsequently accessing this account and initiating unauthorized Zelle payments."

A Morgan Stanley spokesperson told BleepingComputer that "there was no data breach or information leak from Morgan Stanley."

Morgan Stanley systems "remain secure"

The Morgan Stanley division added that it disabled the accounts of all customers affected by these attacks and that its systems "remain secure."

"This compromise was not a result of any action of Morgan Stanley Wealth Management and our systems remain secure," the company explained.

"Your Morgan Stanley Wealth Management account has been flagged to our Customer Call Center so that any callers into the Call Center will be prompted with additional verification. Your previous Morgan Stanley Online account was also disabled."

Morgan Stanley provides recommendations on how to defend against vishing attacks and other types of social engineering scams, advising customers not to answer calls from phone numbers they don't recognize.

"Also, be guarded when providing your personal data by phone. Make sure the person asking for the information is from a legitimate organization, and is who they claim to be," the company says.

"You can always hang up and call the organization back using a phone number found through a trusted source – such as the company’s official web site or perhaps a financial statement."

Morgan Stanley disclosed a data breach in July 2021 after the Clop ransomware gang stole personal information belonging to its customers by hacking into the Accellion FTA server of Guidehouse, one of Morgan Stanley's third-party vendors.

Morgan Stanley is an American leading investment banking and global financial services firm providing investment banking, securities, wealth, and investment management services worldwide.

Its customer list includes corporations, governments, institutions, and individuals from across the globe, from over 41 countries.