The Private Office, a Leeds-based IFA, experienced an email hack just 24 hours before the City watchdog told firms to prioritise cyber resilience.
An “illegitimate” email sent from the address of one of the firm’s chartered financial planners, Roger Clarke, on March 23 told recipients to click on a document link regarding an ‘agreement’ with the firm.
The subject line of the email, which was sent from the IFA’s server domain ‘theprivateoffice.com’, read: ‘Complete today (23/03/22) agreement from The Private Office’.
It is unclear how many people received the email. Mark Taber, an accountant and campaigner against fraud, shared a copy of the email on Twitter after it was sent to someone who is not a client of The Private Office. They shared it with Taber to understand “whether it was a scam”.
An email sent out in response by The Private Office’s cyber security team said: “Yesterday afternoon at around 12:10 you may have received an email from Roger Clarke at The Private Finance Office regarding an agreement, with a link to a portal.
“Unfortunately, this email was not legitimate and seems to be an attempt at gathering credentials by an external, unconnected third party.”
The firm said upon discovering the issue and “within a few minutes of the email being sent”, Clarke’s email account was “immediately disabled” and credentials changed.
“A full security review is currently being undertaken by our third party cyber security partner, however there is no indication that any data has been compromised.”
The Private Office “strongly recommend[ed]” recipients to delete the email and “immediately change the password for all accounts” which use the same credentials as the ones people may have entered when trying to log in to the fraudulent portal.
FTAdviser has approached The Private Office for comment.
FCA warns firms on cyber resilience
A day after The Private Office’s email server was hacked, the Financial Conduct Authority published a warning to firms recommending they follow their actionable guidance “as a priority” to reduce their risk of “cyber compromise”.
The regulator linked to guidance laid out by the National Cyber Security Centre, designed to help firms increase their cyber security vigilance in response to Russia’s invasion of Ukraine.
The FCA told firms: “You should consider your ability, and that of your third-party providers, to withstand a cyber attack. You should take all appropriate steps to shore up your controls, including raising staff awareness: that may, for example, include re-running staff ethical phishing campaigns. Consider if your staffing levels are appropriate to deal with an elevated cyber risk.”
Anthony Rafferty, the chief executive of fintech Origo, said a core element of cyber security for providers, platforms and financial advice firms has to be securing their email communications.
“Email is vulnerable to hacking and attack, yet personal and confidential information is still being sent within open emails, which if obtained by malicious or criminal organisations can be used against individuals and companies,” he explained.