A few weeks ago I had an absolute nightmare of a day when my work email account got hacked.
The hacker sent out a message to around 500 of my email contacts saying: “Good morning, I hope this email finds you well. Please see attached for your records. Alternatively, you can also access by copying the highlighted link and pasting in browser: [with a link that I’m obviously not going to post here]. It would be greatly appreciated if you could review at your earliest opportunity. Many thanks, Lois”.
They even used my email signature, and I found out from a few people who had replied to “me” that the hacker had replied to them assuring them that the email was definitely from me and the link was fine to click.
They also created an Outlook “rule”, which meant that all emails with an @ sign in the address would be immediately deleted. This meant I did not receive any emails from about 11am when the attack happened, until the wonderful IT team retrieved all of my lost emails. It also meant I assumed I’d lost access to my emails.
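A defender-side check for the kind of rule described above, as an added example that is not from the original post: it scans an inbox-rule export for enabled rules that delete or forward mail on near-universal conditions such as a lone "@". It assumes the rules were exported as JSON using the field names of Exchange Online's Get-InboxRule (an assumption about the export shape); the sample rules are constructed.

```python
import json

# Constructed sample export (assumed shape: Get-InboxRule | ConvertTo-Json).
# The second rule mirrors the incident: delete anything whose sender contains "@".
SAMPLE_EXPORT = json.dumps([
    {"Name": "Newsletters", "Enabled": True, "DeleteMessage": False,
     "FromAddressContainsWords": ["news@example.com"],
     "SubjectOrBodyContainsWords": [], "ForwardTo": []},
    {"Name": ".", "Enabled": True, "DeleteMessage": True,
     "FromAddressContainsWords": ["@"],
     "SubjectOrBodyContainsWords": [], "ForwardTo": []},
])

# Tokens present in practically every message; a rule keyed on one of these
# is effectively unconditional.
BROAD_TOKENS = {"@", ".", "a", "e", "i", "o", " "}


def is_broad(words):
    """True if any condition word would match almost all incoming mail."""
    return any(len(w.strip()) <= 1 or w.strip().lower() in BROAD_TOKENS
               for w in words)


def suspicious_rules(export_json):
    """Return [(rule name, [reasons])] for enabled rules worth a closer look."""
    findings = []
    for rule in json.loads(export_json):
        if not rule.get("Enabled", True):
            continue
        conds = ((rule.get("FromAddressContainsWords") or [])
                 + (rule.get("SubjectOrBodyContainsWords") or []))
        reasons = []
        # Deleting with no condition, or a near-universal one, silences the mailbox.
        if rule.get("DeleteMessage") and (not conds or is_broad(conds)):
            reasons.append("deletes nearly all incoming mail")
        # Persistence rules are often named with a single character or a space.
        if len((rule.get("Name") or "").strip()) <= 1:
            reasons.append("near-empty rule name")
        # Auto-forwarding is the other common sign of a compromised mailbox.
        if rule.get("ForwardTo"):
            reasons.append("forwards mail to " + ", ".join(rule["ForwardTo"]))
        if reasons:
            findings.append((rule.get("Name"), reasons))
    return findings


if __name__ == "__main__":
    for name, reasons in suspicious_rules(SAMPLE_EXPORT):
        print(f"Rule {name!r}: {'; '.join(reasons)}")
```

Run it against a real export after an incident and review every flagged rule by hand; a clean result does not prove the mailbox is untouched.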
I felt pretty helpless. All I could do was post on LinkedIn telling people to delete the email and not click the link and hope the majority would see it.
Most people, thankfully, realised it was a scam. Anyone who knows me knows I do not use ‘email language’ like “I hope this finds you well”. And I certainly never request things at another person’s “earliest opportunity”. But I know some people clicked the link and I have no idea what the hacker was after. Money, I presume.
Our company IT team sorted it all out pretty quickly and got me back access to my email account. But there was a big chunk taken out of my working day where I didn’t have access even to my laptop while they investigated and changed my passwords.
I’m still not sure how this happened. I’m generally pretty good at sniffing out a scam, so I don’t think it was due to anything I clicked on.
I have noticed a marked increase in phishing emails coming into my inbox recently, and they often trick even my email spam filter.
They are easy to avoid if you’re cynical and paying attention, but I fear for older people or anyone in vulnerable circumstances, who are much more likely to fall for these kinds of scams.
And things are getting worse. An article by the International Monetary Fund back in April noted that cyber-attacks have more than doubled since the Covid-19 pandemic.
This is largely because hackers are constantly evolving. A report by security software company Egress – published in 2021 – pointed out that cybercriminals are constantly devising new ways to bypass traditional anti-phishing technologies.
In fact, it said, 98% of all phishing cases rely on social engineering, where victims are manipulated into supplying confidential information to a supposedly legitimate sender.
Financial advice firms may be wondering what all of this has to do with them.
Fraser Jack, founder of Australian firm The Cyber Collective, used to run a financial planning practice before he became a consultant. He says that, back then, he thought cybercrime was a “vague concept” that was not relevant to him or his business. But a 2019 report by Boston Consulting Group found that financial services organisations are 300 times more likely to be the victim of a cyber-attack than other types of companies.
And, in September last year, international law firm RPC revealed that UK financial services firms had reported a more than threefold increase in the number of cyber-security breaches to the Information Commissioner's Office (ICO) in 2023 compared to the previous year.
It said that during the year to June 2023, 640 cyber-security breaches were reported to the ICO, up from 187 in the year to June 2022. The pensions sector saw the biggest rise, from six in 2021/22 to 246 in 2022/23.
The IMF article said attacks on financial firms account for nearly one-fifth of the total. Banks are the most exposed but advice firms, which hold a huge amount of client data, are certainly not immune.
“In the wild west of cybercrime, someone trying to steal your client data is less of a case of ‘if’ and more of a case of ‘when’,” Fraser Jack wrote, in an article on The Cyber Collective’s website.
It makes sense. I know if I were a cybercriminal I’d target financial advice businesses, with all their minted clients. If you have no morals, why wouldn’t you go for them?
We know it goes on. Back in February last year, Aviva-owned Succession Wealth, which has around 200 advisers and 20,000 clients, suffered a cyber-attack, off the back of which it said it had launched an investigation and “notified the appropriate authorities”. It also introduced “further security measures”.
At the time the company would not elaborate on the nature of the attack, or give details about the security measures it had brought in.
This was a high-profile attack that was widely reported on in the media. But it is by no means the only attack of this nature on a financial advice firm.
Compliance consultancy B-Compliant said in December last year that an advice firm had contacted it to report that it had been targeted by a phishing email purporting to be from the Financial Conduct Authority. The recipient had noticed a spelling mistake and reached out to see if it was genuine. It was not.
This, B-Compliant warned, goes to show that hackers aren’t just targeting big firms. Everyone within the sector is fair game and SMEs in particular can be seen as low-hanging fruit, as they are thought to have less infrastructure and controls in place.
Cybersecurity is a key priority for the Bank of England and the financial regulators.
Late last year, the BoE insisted that all financial firms should be testing their resilience to cyber-attacks through CBEST – a targeted assessment that allows regulators and firms to better understand weaknesses and vulnerabilities and take “remedial actions”.
“True and meaningful cyber resilience cannot be delivered or achieved without a whole-organisational, continuous effort,” it said.
“We strongly encourage firms/FMIs to build and reinforce resilience through a strong foundation of cyber hygiene practices.”
As technology becomes more advanced and the world becomes more connected, cybercriminals are becoming more sophisticated. Financial advice firms of all sizes must be ready.