Advisers are exposing their clients to the risks of fraud and theft, experts warn as research reveals hundreds of firms are using non-secure email addresses.
Data from Matrix Solutions compiled for Money Marketing shows 9 per cent of advice firms use a webmail domain name as their company email address.
Of a sample of 4,945 firms, 427 use a webmail address. The most popular domains are btconnect.com, aol.com and gmail.com.
Protectmydata.co.uk director Gary Williams says: “Webmail is about as bad as it can get in terms of security.
“It bumps up against some of the fundamental security questions firms should be asking themselves: who can see my data, where is it and how long is it retained for? If Yahoo deletes your account, for instance, can you recover it?”
SimplyBiz joint managing director Matt Timmins adds: “Using webmail to transmit important data and client details is extremely risky. These accounts do not always have the security and controls in place that are needed to safely send and receive client data. They are prone to hacking, identity fraud, cloning and extracting data through robots.”
The Lang Cat principal Mark Polson says webmail has more “vulnerabilities” than other systems and advisers need to identify and mitigate those risks.
He says: “The majority of advisers use some form of webmail system. Even those who look like they have their own domain address can still be using webmail, because if you are using Microsoft Outlook there is a very good chance you have Outlook web access which is a form of webmail.
“If you have staff using their own devices like iPads then there are almost always potential issues with webmail. Certainly anything that is not run from a hyper secure environment is not secure: an environment where everything is checked on the way in and out, with additional authentication checks.”
Experts say using a webmail address could also make clients more likely to be taken in by scams.
IT security firm NCC Group director Sherief Hammad says: “If you use a webmail domain and one of your clients is approached by someone using another aol.com address, they would not immediately think that was strange.
“Their ability to understand when something is amiss is diminished. That in itself increases the risk of a security breach because a lot of the new scam techniques play on psychology and the way people interact.”
Regardless of the system being used, experts warn advisers against sending client information via email.
“Email is intrinsically insecure,” says Williams. “You need to work off the basis that if you are putting something in an email, someone else could see it. Protecting that information could be as simple as putting it in a zip file with password protection.”
Intelliflo executive chairman Nick Eatock says: “Advisers regularly send fact finds and portfolio reports via email. They contain a huge amount of detail about the client so if somebody is able to intercept that information it is a perfect source for identity fraud.”
Polson says advisers must be especially alert to these issues due to the sensitive nature of the information they hold.
He says: “Financial planners in particular hold really personal details about clients.
“There is a level of sensitivity that goes beyond numbers. For instance, you may have recorded that a client’s cashflow forecast says they can afford to get divorced in three years’ time.
“Sending any sensitive client information via email is a mug’s game. Even if it is secure when it leaves you, all kinds of things can happen to it on the way through.”
So what risks could advisers be exposing themselves to?
Standard Life warned earlier this month that it is seeing increasingly sophisticated scams where fraudsters hack into clients’ email accounts.
The hackers contact the client’s adviser, initially asking for information such as plan values, before asking them to encash investments to a new account. The provider warned advisers could be liable for any losses if they act on the instructions.
Hammad says advisers should not take client orders through email without carrying out additional verification checks.
He says: “A client could lose their phone or have their email compromised through a phishing exercise.
“Some advisers have processes in place where they either require a wet signature or phone the client on a known number and carry out a verification exercise similar to online banking.”
Towry head of private client Andy Cowan says: “We are seeing an increase in fraudulent emails sent from compromised client webmail accounts, as well as more sophisticated phishing scams.
“Typically these emails request that we provide personal information and cash from client portfolios. Some even piggyback on previous, genuine, client email correspondence.
“All email requests received from clients asking for personal information or a withdrawal are treated with a degree of scepticism and verified prior to the request being processed.”
Williams says potential scams fall into three major categories: phishing exercises, which attempt to extract money or information from users; account takeover, where an email account is hacked and messages sent to targeted contacts to extract information; and using email to deliver viruses to a user’s contact list.
He says: “If your account was hacked and a virus sent to your clients, that would plant seeds of doubt in their mind about how professional you are. The problems with webmail are made even worse by the fact the vast majority of people access emails on their smartphone without installing anti-virus software on their device.”
Hammad says advice firms themselves could be subject to a phishing attack.
He explains: “A full-blown attack would involve an email to someone in the company coaxing them into sharing confidential information or information around their email account. It could impersonate their email provider or IT help desk, and include a link to what looks like their email provider.
“They type in their password and, completely unaware they have been hacked, the attacker has access to all their email traffic. They could use that to email administrators to get access to different systems and data. Once they have got one person they will use that to access the rest of the organisation.”
What do advisers need to do to ensure they and their clients are protected against online security risks?
Williams says the first step advisers should take is to get a business email address and get it hosted with a reputable provider.
He says: “Advisers should then put an additional layer of security on their email. You can buy simple products costing a few pounds per month which put a filter between your email and the outside world.”
Another option is email encryption, which prevents the content of an email from being read by anyone but the intended recipient, who unlocks it by answering a security question, although Hammad says clients may find this difficult to use.
Other experts recommend using a secure client portal to communicate with clients and send documents or sensitive information.
Polson says: “Client information gets uploaded into the portal, and the client is sent a vanilla email saying you need to log into the portal to receive an update. That is a lot more secure than email.”
But some argue that having to sign into a portal takes away the ease of use of email.
And EY cyber team partner Cheryl Martin says while technology can help reduce risks, it will not be a “silver bullet”.
She says: “You have to balance the risk against the cost. What is the cost of installing and maintaining a secure client portal, and what happens if it is compromised?”
Eatock, however, says communicating with clients via a portal is no more complicated than using regular email.
He says: “We introduced secure mail to our portal a few years ago. We combine it with our mobile app so clients get a notification when they receive a secure message. To be able to say to your clients that every message you send to us is completely secure is very reassuring.”
Experts say advisers should have authentication processes in place before acting on client requests sent via email.
Threesixty managing director Phil Young says advisers first need to understand the type of information fraudsters are likely to ask for, such as requests for policy numbers, change of address and instructions to encash.
He says: “A simpler and more intuitive option than email encryption or a client portal is to call the client on a telephone number known to you on receipt of an instruction. To verify the request has come from them, you could ask them for a client PIN number or a security question with the answer stored as part of your fact find.
“The questions would need to be sophisticated enough to cover some information a fraudster might not already have such as a memorable date. Also bear in mind that if you store this information electronically you need to protect this very securely as well.”
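Young's point about protecting stored verification data applies whether the firm keeps a client PIN or a security-question answer. The following is an added illustration, not code from the article or from any firm quoted in it: the answer is stored only as a salted PBKDF2 hash (standard-library Python, a constructed record layout), answers are normalised so trivial spelling differences on the phone do not cause false rejections, comparison is constant-time, and repeated failures lock the record so staff fall back to another check.

```python
import hashlib
import hmac
import os
import unicodedata

# Assumptions for this example: PBKDF2-HMAC-SHA256 from the standard library,
# a fixed iteration count, and a simple dict as the stored client record.
PBKDF2_ROUNDS = 200_000
MAX_FAILURES = 3  # after this many wrong answers the record is locked


def normalise(answer: str) -> str:
    """Fold case and whitespace so 'Dublin ' and 'dublin' verify identically."""
    return " ".join(unicodedata.normalize("NFKC", answer).casefold().split())


def enrol_answer(answer: str) -> dict:
    """Create the stored record: salt and hash only, never the answer itself."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", normalise(answer).encode("utf-8"), salt, PBKDF2_ROUNDS
    )
    return {"salt": salt.hex(), "hash": digest.hex(),
            "rounds": PBKDF2_ROUNDS, "failures": 0}


def verify_answer(record: dict, supplied: str) -> bool:
    """Return True only if the answer matches and the record is not locked.

    The record's failure counter is updated in place; a locked record always
    returns False so the adviser must use a wet signature or in-person check.
    """
    if record["failures"] >= MAX_FAILURES:
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", normalise(supplied).encode("utf-8"),
        bytes.fromhex(record["salt"]), record["rounds"]
    )
    # Constant-time comparison avoids leaking how much of the hash matched.
    ok = hmac.compare_digest(candidate, bytes.fromhex(record["hash"]))
    record["failures"] = 0 if ok else record["failures"] + 1
    return ok
```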
Experts say advisers need to ensure all their staff and clients are aware of the risks.
Martin says firms should have internal policies covering issues such as what information staff can send via email and who they should contact if they have been subject to an attack.
Williams says: “Don’t assume that staff know what they are doing, because scammers are very creative and are always trying to come up with something new.
“If you are a firm with a number of advisers, particularly self-employed advisers where the controls tend to be looser, you need to educate, educate, educate.”
And Finance & Technology Research Centre director Ian McKenna says: “Advisers need to make sure all communications with their client are totally secure, including those which come from the client. If a client sends you sensitive information via email, you need to politely explain they are putting themselves at risk.”
Tim Page, director, Page Russell
This is a growing issue and what worries me most is the increasing sophistication of the scams. Email scams are becoming regular occurrences and advisers need to be absolutely on top of this.
Justin King, managing director, MFP Wealth Management
I do not view email as a secure medium at all, regardless of the type of account. We only discuss client details over the phone with the client, or through our server which clients have login details for. But we have to expect the providers to have greater security than we do because they are the gatekeepers to the money.
Email is like putting client details on a postcard
Webmail is really dangerous because it is not designed for business communications. If you are using a webmail account, how are you going to archive everything, and can you readily access information? You are entirely beholden to the email provider, which could decide to no longer provide the service.
In addition to that, what does it say about your business if you are using a gmail account?
Regardless of the email system you use, sending an email is like putting a postcard in a letterbox: anyone can read it. You need to either be using a secure email system, or email encryption.
There are serious criminals out there using programmes designed to sniff out financial information. These people monitor information over months and years, taking little snippets at a time until they build up a picture which is enough for them to commit serious fraud.
It is a breach of the Data Protection Act to send confidential information via unencrypted email.
The information that advisers hold about their clients is incredibly valuable to financial criminals and advisers cannot be too vigilant.
This has been on the agenda for many years, but it has never been treated with the gravity it deserves. The fact a firm would even consider using a webmail address suggests they need to think a lot more carefully about their email security.
Up until now the industry has thought about this as an issue about communications between them and providers but this is very much a client communication issue too. It is not just about how you send information to your clients but how they send information to you. Every time you receive an email from a client with sensitive information, you should say to them politely that they are putting themselves at risk.
I have no doubt we are going to hear some horror stories about this in the coming months; the potential rewards for financial criminals are just too great.
Ian McKenna is director of Finance & Technology Research Centre