The quest to find out who stole your clients
Finding paying clients is what usually makes or breaks a retail Forex brokerage company, so many FX companies consist mostly of a marketing/sales department, because acquiring and retaining customers is the most important (and, probably, the most difficult) thing a broker can do to be profitable.
One way to lose your hard-earned clients is if some dishonest competitor gets access to a whole list of your clients — their names, emails, phone numbers, and payment histories — and targets their advertisement campaign at them directly, by emphasizing your shortcomings and their own advantages, even if untrue.
In this article, we will take a look at how MetaTrader 4-based retail brokerages can protect themselves from theft of their clients’ contact details.
Who steals clients, why, and how
Obviously, the beneficiary of your client database theft is your competitor. Nobody would mind extending their mailing list with thousands of emails of fresh traders eager to make a live deposit. Every sales department dreams of an opportunity to get a thick list of leads with full names, phone numbers, and valid addresses.
But how could it happen that your full list of clients that you’ve cultivated carefully with years of honest operations would end up in your competitor’s hands?
First, of course, it could be a server security breach — your website could get hacked, or your trading server’s passwords could be guessed. We will not be discussing this possibility in this article. It is a very broad topic well beyond our interest here. To mitigate such risk, you should hire competent IT personnel.
Secondly, your employees could leak or sell your clients’ personal data to third parties. They say that if you go to a bar in Limassol on Friday night, $1,000 could get you a full client database from an FX company across the street. If your chief dealer or IT guy thinks that they are under-compensated, they might have an easy time making up that difference.
Finally, your technology partners could “borrow” your clients’ information rather easily. If you installed a plugin into your MetaTrader 4 server or logged into some third-party tool with your manager’s login and password, it would take less than 10 seconds for an untrustworthy IT vendor to sneak all traders out without leaving any traces. Some technology providers might even launch their own retail Forex brokerage division eventually.
Certainly, there are other, less common possibilities, but for the sake of brevity, we will concentrate on the second and third cases.
What are brokers’ options to protect their client base?
Protecting your clients’ information is a two-step process:
- Preventing third parties from being able to steal your database
- Making sure that, should the database get stolen, you know exactly who did it
These are some pretty obvious things.
You should make sure that both your employees and technology providers are trustworthy. Ask for references from other brokerages in advance, and make sure you don’t give direct RDP, Radmin, or unsupervised TeamViewer access to your server. Don’t issue MT4 Administrator or unrestricted MT4 Manager credentials to newcomers.
If you ever share passwords with new technology providers, make sure you change them after the job is done — even if their account managers wish you the best, you don’t want to bet your database on the trustworthiness of all their temporary interns or soon-to-be-fired personnel.
Making punishment inevitable
Eventually, no matter how paranoid you get, there’s always a chance that some things might slip beyond your attention. “One of the greatest checks on crime is not the cruelty of punishments, but their inevitability” (“On Crimes and Punishments”, Beccaria). One of the most effective ways to prevent theft is making sure that every time it happens, you can find out who did it.
The problem is that there’s probably no way to pinpoint theft of a client base with 100% certainty, but there are many more or less reliable ways to figure it out indirectly.
Once the database has been stolen and you know the approximate time when it happened, you should, of course, consult your Windows Event Logs for RDP access entries, check the MT4 Journal logs to see who used their MT4 Manager account, and check which plugins were installed in that time frame.
But how do you know whether the theft has indeed been committed, and when? Here’s the trick.
Finding the thief with one curious trick
Let’s say that your competitor gets their hands on your database of numerous clients. What do they do? They probably launch an email campaign to let future customers know about their unique proposition. If you add a new fake email to your database every two weeks, when eventually some of the emails receive a message from one of your competitors, you can be sure that the database was stolen after you generated that particular email address, and probably before you made the next one.
- Make sure that you create those “fake” mailboxes on public email services and not on your company’s domain, as addresses on your own domain are easy to filter out (please note that big email providers like Gmail, Yahoo, and Hotmail all require a phone number for new email registration and don’t allow too many emails to be associated with the same phone number).
- Devise believable names. Mehmet Bilgin with the email address: [email protected] will be less likely to be noticed as fake by thieves than Dummy4 with the email address: [email protected]
- Don’t just put those fake clients at the end of your client list, but try replacing your old inactive clients from years ago with your “traps,” so that your defense pattern is less predictable.
- Don’t bother checking all those fake emails at once. Take 15 minutes to learn how to set up auto-forwarding from those numerous mailboxes to your main account, so that you can catch those newsletters with no extra effort.
- Automate the process in-house or contact your trusted software vendor. Although the steps are rather easy, it could get a bit tedious for one person to manage all these details.
By employing this simple technique, you can easily pinpoint when the database was stolen and recall what happened during that time: was it that extra-cheap agent commission plugin that you installed, or was it that sales intern who resigned after one month of work?
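The bookkeeping behind this trick, as an added example that is not part of the original article: given the date each trap address was inserted and the date competitor mail first reached it, the code narrows the theft window and lists the access records that fall inside it. All addresses, dates, and records below are constructed sample data; the records stand in for what you would collect from Windows Event Logs, the MT4 Journal, and plugin installation notes.

```python
from datetime import date

# Constructed sample data: trap address -> date it was inserted into the client database.
TRAPS = {
    "trap-a@mail.example": date(2024, 1, 1),
    "trap-b@mail.example": date(2024, 1, 15),
    "trap-c@mail.example": date(2024, 1, 29),
    "trap-d@mail.example": date(2024, 2, 12),
}
# Constructed: trap address -> date the first competitor mail reached it.
HITS = {"trap-a@mail.example": date(2024, 2, 20),
        "trap-b@mail.example": date(2024, 2, 21)}
# Constructed access records (date, source, detail).
EVENTS = [
    (date(2024, 1, 10), "RDP logon", "vendor-x"),
    (date(2024, 1, 20), "plugin installed", "agent-commission plugin"),
    (date(2024, 1, 24), "MT4 Manager login", "sales intern"),
    (date(2024, 2, 5), "MT4 Manager login", "dealer-02"),
]

def theft_window(traps, hits):
    """Return (start, end, silent_older), or None if no trap received mail."""
    leaked = [added for addr, added in traps.items() if addr in hits]
    if not leaked:
        return None
    start = max(leaked)          # copy was taken on or after the newest leaked trap was added
    end = min(hits.values())     # and no later than the first competitor mail
    for addr, added in traps.items():
        if addr not in hits and start < added < end:
            end = added          # a newer trap stayed silent, so the copy predates it
    # Older traps that stayed silent weaken the conclusion (filtered mail, partial copy).
    silent_older = sorted(a for a, d in traps.items() if a not in hits and d < start)
    return start, end, silent_older

def events_in_window(events, start, end):
    """Access records that fall inside the theft window, oldest first."""
    return sorted(e for e in events if start <= e[0] <= end)

if __name__ == "__main__":
    start, end, silent = theft_window(TRAPS, HITS)
    print(f"Database copied between {start} and {end}")
    for day, source, detail in events_in_window(EVENTS, start, end):
        print(f"  {day}  {source}: {detail}")
    if silent:
        print("Older traps with no mail (treat the window as less certain):", silent)
```

The window is only as narrow as the interval between trap insertions, which is why the two-week cadence matters.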
From my experience, so many brokers are oblivious to the dangers of their client database getting stolen. They install server plugins from people they’ve never heard of and give eternal unrestricted machine access to everyone who requests it. At the same time, retail Forex brokering is a highly competitive business that employs quite a few people with floating morals who are more than willing to save themselves the effort of extending their client base.
The issue is made worse by the fact that usually it is very easy to make a copy of the whole database, leaving little to no traces, and the victim will almost never figure out when information was compromised. There’s no real way to effectively prevent every chance of stealing because of the way MetaTrader 4 works.
However, by using the easy trick described in this article, a broker can be more proactive in defending its clients’ personal data and finding the wrongdoers.