There has been much discussion about whether or not the cold-calling ban is worthwhile. My view is that it is a positive step in the right direction, but we have a long way to go to ensure clients are protected against the scams and cyber attacks that threaten their finances.
The problem, of course, is that the bad guys will not abide by the rules and will carry on trying to catch out the vulnerable.
Education is key to keeping clients protected. Every firm has a duty to share tips and advice about safe interactions online and the importance of validating anyone who comes along with an “unmissable” offer.
However, it is not just about the clients. Advice firms need to be especially vigilant, with robust procedures in place to make sure we do not fall prey to cyber-criminals either and put our clients in jeopardy as a result.
One of the biggest threats clients face is the possibility of hacked email accounts. We carry out much of our correspondence via email these days and it is normal to receive a request to move money around or to put together financial information. But hackers are an intelligent bunch. A quick review of email exchanges could well reveal the existence of certain investments and potentially give the hacker access to the amounts involved.
The hackers are convincing: they write in good English and can mimic the tone of earlier exchanges, such as the way the client signs off.
Knowing the client well is fundamental to protecting them from malicious attacks of this sort. If something is unexpected and out of character, alarm bells will ring. But that only goes so far. If the request has a ring of normality about it, it may not be easy to spot as a fraud.
Many of the clients who email us regularly are on first-name terms with their adviser team. The relaxed, friendly relationship with the client is something we encourage and promote, but it creates its own risks. The informality can lead to a false sense of security. Would you question a message that asks after your family or mentions your holiday before throwing in a request for a withdrawal?
So how can we protect ourselves and our clients from this happening? Quite simply, by having the very strictest of procedures to control how we operate and by instilling into our staff the importance of adherence to these controls at all times.
We have put together some straightforward rules about how we respond to clients’ emailed or written requests for changes to their portfolio. We always require original signed documents for withdrawals and will never take action with clients’ investments without confirming their identity, including speaking with them using a phone number we already hold on file, where there is any doubt.
We use passwords, agreed verbally with the client, to secure sensitive documents such as valuations. Where possible, we encourage clients to use our online client portal to view documents and communicate with us. Even with that, we will take additional steps to validate identity when transfers of money are involved.
We cannot afford to take anything for granted. It is our responsibility and we cannot shirk it.
Carl Lamb is managing director of Almary Green