Your IndustryApr 6 2021

How advisers can become targets of cyber crime

twitter-iconfacebook-iconlinkedin-iconmail-iconprint-icon
Search supported by
How advisers can become targets of cyber crime

For one adviser, who wished to remain anonymous, the problem came in the form of an innocuous looking email.

The result was a hacking attack that penetrated the Microsoft 365 system he uses, and was then able to email all of the contacts in his system. However, no harm was done and the adviser was able to end the issue.

He says: "The danger is that clients and other people get an email that looks like it came from me, and I think some people might have done, but they contacted me directly about it as well." 

David Fleming, chief technology officer at Mitigo, a cyber security company that has many clients in the financial services sector, says an attempt to access an adviser's client and business data via the Microsoft 365 system is “one of the most common forms” of cyber attack.

You might get someone who posts something on their personal social media account, and that can be enough to get a cyber criminal into the phone, and to access the work contacts David Fleming, Mitigo

He explains: “The issue is advisers and financial services professionals tend to use that system, which is fine, but [they] plug it into off-the-shelf products which may not be very secure.

"The system itself has got the tools, but people don’t have them, because they use free plug-ins or off-the-shelf products alongside the system." 

He adds: "The other issue is with mobile phones. Obviously they are increasingly indispensable to people’s working lives, and the barrier between a phone for work and one for personal use is breaking down.

"So you might get someone who posts something on their personal social media account, and that can be enough to get a cyber criminal into the phone, and to access the work contacts.”

Covid's impact

The pandemic has also had a profound impact on the data security of many businesses.

Paul Holland, chief executive of cyber security company Beyond Encryption, says: “Decades worth of change happened in days,” as companies endeavoured to work remotely. 

He says a major issue for advice companies is that individuals may have enabled remote access to company facilities to allow people to work from home better, but this has also created the challenge of ensuring they can access the systems they need securely.

Fleming says many company's IT departments “focused on productivity in the early days of the pandemic, they focused on making sure staff were set up to work from home, but perhaps they didn’t focus on doing it safely.”

He says this has led to an increase in “ransomware” attacks, whereby data is stolen from workplaces, with the hackers then trying to sell it back to the company concerned. 

There have also been incidents where hackers threaten to publicly release data that could embarrass the clients of the company, and in this way, attempt to extort money twice for the same hacking activity. 

Fleming says the single most important thing an adviser can do to protect the data under their control is to implement “multi-factor authentication.”

This means that, in order to login to a system or programme, a user is asked for more than just a username and password. By asking for more than this, it becomes very difficult for a hacker to get in. 

The aforementioned anonymous adviser says this is the policy he has adopted since his own company was hacked, and his experience so far has been positive. 

He says: "The experience has made me a subject matter expert on cyber security after what happened, and having become aware that accessing the data through the Microsoft 365 system is the most common form of attack, I have started to use multi-factor authentication."

Size doesn't matter

Fleming says a major obstacle his business encounters among many advisers is they believe their company to be “too small” for a cyber criminal to attack.

But he adds: “The important thing to realise is these attacks are randomised, the attackers use technology to try to pierce the defences of multiple companies and then see which ones they get into.”

Holland, whose clients include platform and asset management company Aegon, says a particular challenge for those in his profession who deal with financial services companies is that many such businesses often have “very old and paper-based systems, and as such technology has not kept up with the threat from hackers.

"One of the things we do is employ ethical hackers who can test systems and find where the weaknesses are. But we have to do it in a way that is intuitive for people who are not technologists to be able to use.”

He says the biggest threat faced by financial services companies is that of mis-directed email, that is, emails which appear to come from an adviser's account, and impersonate the adviser, and are used to then request information from clients, or to read previous client emails to access sensitive information.

Fleming says lots of companies already have the capacity to implement multi-factor authentication, but “see it as a hassle” to turn it on.

Fleming says: “Among our clients, some people call us in and say they didn’t fall for an email scam. They are quite savvy people. But when we look at the email logs, we can see they did fall for something. These types of email scams are far more sophisticated now than they [used to be].”

Holland says advisers should move away from the practice of emailing sensitive information as an attachment to an email, and instead use a system such as Unipass or Last Pass to transmit the data. 

A report carried out by the Department for Digital, Culture, Media and Sport, shows that around 82 per cent of cyber attacks were email-related, and of that total, 13 per cent were related to ransomware. 

Fleming adds there is not a “silver bullet” solution to preventing such attacks, but the key is to be hyper aware of what could happen, and have staff policies in place to govern how data and security are handled. 

David Thorpe is special projects editor of FTAdviser