Under attack: Advisers warned of cyber risks of ‘insecure’ email

Advisers are exposing their clients to the risks of fraud and theft, experts warn as research reveals hundreds of firms are using non-secure email addresses.

Data from Matrix Solutions compiled for Money Marketing shows 9 per cent of advice firms use a webmail domain name as their company email address.

Of a sample of 4,945 firms, 427 use a webmail address. The most popular domains are btconnect.com, aol.com and gmail.com.

Protectmydata.co.uk director Gary Williams says: “Webmail is about as bad as it can get in terms of security.

“It bumps up against some of the fundamental security questions firms should be asking themselves: who can see my data, where is it and how long is it retained for? If Yahoo deletes your account, for instance, can you recover it?”

SimplyBiz joint managing director Matt Timmins adds: “Using webmail to transmit important data and client details is extremely risky. These accounts do not always have the security and controls in place that are needed to safely send and receive client data. They are prone to hacking, identity fraud, cloning and extracting data through robots.”

The Lang Cat principal Mark Polson says webmail has more “vulnerabilities” than other systems and advisers need to identify and mitigate those risks.

He says: “The majority of advisers use some form of webmail system. Even those who look like they have their own domain address can still be using webmail, because if you are using Microsoft Outlook there is a very good chance you have Outlook web access which is a form of webmail.

“If you have staff using their own devices like iPads then there are almost always potential issues with webmail. Certainly anything that is not run from a hyper secure environment is not secure: an environment where everything is checked on the way in and out, with additional authentication checks.”

Experts say using a webmail address could also make clients more likely to be taken in by scams.

IT security firm NCC Group director Sherief Hammad says: “If you use a webmail domain and one of your clients is approached by someone using another aol.com address, they would not immediately think that was strange.

“Their ability to understand when something is amiss is diminished. That in itself increases the risk of a security breach because a lot of the new scam techniques play on psychology and the way people interact.”

Intrinsically insecure

Regardless of the system being used, experts warn advisers against sending client information via email.

“Email is intrinsically insecure,” says Williams. “You need to work off the basis that if you are putting something in an email, someone else could see it. Protecting that information could be as simple as putting it in a zip file and password protection.”

Intelliflo executive chairman Nick Eatock says: “Advisers regularly send fact finds and portfolio reports via email. They contain a huge amount of detail about the client so if somebody is able to intercept that information it is a perfect source for identity fraud.”

Polson says advisers must be especially alert to these issues due to the sensitive nature of the information they hold.

He says: “Financial planners in particular hold really personal details about clients.

“There is a level of sensitivity that goes beyond numbers. For instance, you may have recorded that a client’s cashflow forecast says they can afford to get divorced in three years’ time.

“Sending any sensitive client information via email is a mug’s game. Even if it is secure when it leaves you, all kinds of things can happen to it on the way through.”

Scams

So what risks could advisers be exposing themselves to?

Standard Life warned earlier this month that it is seeing increasingly sophisticated scams where fraudsters hack into clients’ email accounts.

The hackers contact the client’s adviser, initially asking for information such as plan values, before asking them to encash investments to a new account. The provider warned advisers could be liable for any losses if they act on the instructions.

Hammad says advisers should not take client orders through email without carrying out additional verification checks.

He says: “A client could lose their phone or have their email compromised through a phishing exercise.

“Some advisers have processes in place where they either require a wet signature or phone the client on a known number and carry out a verification exercise similar to online banking.”

Towry head of private client Andy Cowan says: “We are seeing an increase in fraudulent emails sent from compromised client webmail accounts, as well as more sophisticated phishing scams.

“Typically these emails request that we provide personal information and cash from client portfolios. Some even piggyback on previous, genuine, client email correspondence.

“All email requests received from clients asking for personal information or a withdrawal are treated with a degree of scepticism and verified prior to the request being processed.”

Williams says potential scams fall into three major categories: phishing exercises, which attempt to extract money or information from users; account takeover, where an email account is hacked and messages sent to targeted contacts to extract information; and using email to deliver viruses to a user’s contact list.

He says: “If your account was hacked and a virus sent to your clients, that would plant seeds of doubt in their mind about how professional you are. The problems with webmail are made even worse by the fact the vast majority of people access emails on their smartphone without installing anti-virus software on their device.”

Hammad says advice firms themselves could be subject to a phishing attack.

He explains: “A full-blown attack would involve an email to someone in the company coaxing them into sharing confidential information or information around their email account. It could impersonate their email provider or IT help desk, and include a link to what looks like their email provider.

“They type in their password and, completely unaware they have been hacked, the attacker has access to all their email traffic. They could use that to email administrators to get access to different systems and data. Once they have got one person they will use that to access the rest of the organisation.”
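The credential-harvest message Hammad describes (a sender posing as the email provider or IT help desk, a link that looks like the firm's own login page) leaves indicators in the message itself. The following is an added example, not code from the article or from NCC Group, of checks a mail filter or triage script can run over a raw message: a display name claiming an IT or provider role from an outside domain, a Reply-To that diverts replies, a link whose visible text shows one domain while its href points at another, and "verify your password" wording. The two sample messages and every domain in them are constructed for the example; the domain comparison ignores public-suffix rules (an assumption noted in the code).

```python
"""Phishing indicator checks over raw RFC 5322 messages (added example).

Flags the patterns described above: a sender whose display name claims
to be an IT help desk or mail provider while the address is outside the
firm's own domain, a Reply-To that diverts replies elsewhere, a link
whose visible text shows one domain while the href points at another,
and credential-harvest wording. The sample messages are constructed for
this example; all domains are fictional.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

HREF_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
URL_RE = re.compile(r'https?://[^\s<"]+', re.I)
IT_NAME_RE = re.compile(r'\b(it|help ?desk|support|mail|admin)\b', re.I)
HARVEST_RE = re.compile(r'\b(verify|confirm|re-?enter)\b.{0,40}\b(password|account|credentials)\b',
                        re.I | re.S)


def registrable(host: str) -> str:
    """Last two labels of a hostname. Assumption: no public-suffix handling,
    so 'firm.co.uk' would compare as 'co.uk'; a real deployment should use
    the public suffix list."""
    labels = host.lower().rstrip('.').split('.')
    return '.'.join(labels[-2:])


def domain_of(address: str) -> str:
    return address.rpartition('@')[2].lower()


def body_text(msg) -> str:
    """Concatenate the decoded text/plain and text/html parts."""
    chunks = []
    for part in msg.walk():
        if part.get_content_type() in ('text/plain', 'text/html'):
            payload = part.get_payload(decode=True) or b''
            chunks.append(payload.decode(part.get_content_charset() or 'utf-8', errors='replace'))
    return '\n'.join(chunks)


def link_mismatches(html: str) -> list:
    """(visible_url, href) pairs whose registrable domains differ."""
    out = []
    for href, inner in HREF_RE.findall(html):
        shown = URL_RE.search(re.sub(r'<[^>]+>', '', inner))
        if shown is None:
            continue  # visible text is not a URL; nothing to compare
        shown_host = urlparse(shown.group(0)).hostname or ''
        href_host = urlparse(href).hostname or ''
        if registrable(shown_host) != registrable(href_host):
            out.append((shown.group(0), href))
    return out


def analyse(raw: str, own_domain: str) -> list:
    """Return human-readable findings; an empty list means no indicator fired."""
    msg = message_from_string(raw)
    findings = []
    display, addr = parseaddr(msg.get('From', ''))
    from_domain = domain_of(addr)

    # 1. "IT Help Desk" / "Mail Admin" in the display name, but the address is external
    if display and IT_NAME_RE.search(display) and from_domain != own_domain.lower():
        findings.append(f"display name '{display}' claims IT/provider role but address is @{from_domain}")

    # 2. Replies silently routed to a different domain than the apparent sender
    _, reply_addr = parseaddr(msg.get('Reply-To', ''))
    if reply_addr and domain_of(reply_addr) != from_domain:
        findings.append(f"Reply-To diverts replies to @{domain_of(reply_addr)}")

    # 3. Lookalike login link and 4. password/account verification bait
    body = body_text(msg)
    for shown, href in link_mismatches(body):
        findings.append(f"link text shows {shown} but points at {href}")
    if HARVEST_RE.search(body):
        findings.append("credential-harvest wording (asks to verify/confirm a password or account)")
    return findings


# Constructed sample messages (fictional domains and people)
PHISH = """\
From: IT Help Desk <alerts@mailbox-notice.example>
Reply-To: recover@account-recovery.example
To: adviser@advicefirm.example
Subject: Action required: mailbox suspension
Content-Type: text/html

<p>Your mailbox is over quota. Please verify your password within 24 hours.</p>
<p><a href="http://owa.mailbox-notice.example/login">https://mail.advicefirm.example/owa</a></p>
"""

LEGIT = """\
From: Jane Client <jane.client@gmail.com>
To: adviser@advicefirm.example
Subject: Meeting next week
Content-Type: text/plain

Can we move Tuesday's review to 3pm? Thanks, Jane
"""

if __name__ == '__main__':
    for name, raw in (('phish', PHISH), ('legit', LEGIT)):
        print(name, analyse(raw, 'advicefirm.example'))
```

None of these checks is proof on its own; a genuine provider notice can trip the wording rule. Their value is in flagging a message for a second look before anyone clicks the link, which is the moment Hammad says the compromise happens.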

Solutions

What do advisers need to do to ensure they and their clients are protected against online security risks?

Williams says the first step advisers should take is to get a business email address and get it hosted with a reputable provider.

He says: “Advisers should then put an additional layer of security on their email. You can buy simple products costing a few pounds per month which put a filter between your email and the outside world.”

Another option is email encryption, which stops the content being read by anyone but the intended recipient, who typically has to answer a security question to unlock the message, although Hammad says clients may find this difficult to use.

Other experts recommend using a secure client portal to communicate with clients and send documents or sensitive information.

Polson says: “Client information gets uploaded into the portal, and the client is sent a vanilla email saying you need to log into the portal to receive an update. That is a lot more secure than email.”

But some argue that having to sign into a portal takes away the ease of use of email.

And EY cyber team partner Cheryl Martin says while technology can help reduce risks, it will not be a “silver bullet”.

She says: “You have to balance the risk against the cost. What is the cost of installing and maintaining a secure client portal, and what happens if it is compromised?”

Eatock, however, says communicating with clients via a portal is no more complicated than using regular email.

He says: “We introduced secure mail to our portal a few years ago. We combine it with our mobile app so clients get a notification when they receive a secure message. To be able to say to your clients that every message you send to us is completely secure is very reassuring.”

Experts say advisers should have authentication processes in place before acting on client requests sent via email.

Threesixty managing director Phil Young says advisers first need to understand the type of information fraudsters are likely to ask for, such as requests for policy numbers, change of address and instructions to encash.

He says: “A simpler and more intuitive option than email encryption or a client portal is to call the client on a telephone number known to you on receipt of an instruction. To verify the request has come from them, you could ask them for a client PIN number or a security question with the answer stored as part of your fact find.

“The questions would need to be sophisticated enough to cover some information a fraudster might not already have such as a memorable date. Also bear in mind that if you store this information electronically you need to protect this very securely as well.”
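The callback procedure Young describes above, together with his warning that the stored answers must themselves be protected, is a small piece of logic worth writing down. The following is an added example, not code from the article, Threesixty or any vendor: an emailed instruction is classified by the request types the experts single out (encashment, change of details, requests for policy numbers or values); anything high-risk is held until the adviser calls the client on the number already on file and the client gives the memorable answer; and the answers are stored as salted scrypt hashes compared in constant time, so a copy of the fact-find database does not hand a fraudster the answers. The client record, phone numbers, memorable answer and keyword patterns are all constructed assumptions.

```python
"""Out-of-band verification of emailed client instructions (added example).

An instruction that touches money or identity data is held until the
adviser calls the client on the number already on file and the client
answers a memorable question. Stored answers are salted scrypt hashes
compared in constant time, so a copy of the fact-find database does not
hand a fraudster the answers. Client data and the keyword lists are
constructed for this example.
"""
import hashlib
import hmac
import os
import re
import unicodedata
from dataclasses import dataclass
from typing import Optional

# Request types singled out above as fraudster favourites; the wording
# patterns are an assumption and would need tuning against real traffic.
HIGH_RISK = {
    'encashment': re.compile(r'\b(encash|withdraw|sell|transfer|redeem)\w*', re.I),
    'change of details': re.compile(r'\b(change|update)\w*.{0,30}\b(address|bank|account details)',
                                    re.I | re.S),
    'data request': re.compile(r'\b(policy|plan|account)\s+(number|value)s?\b', re.I),
}


def classify(body: str) -> list:
    """Names of the high-risk request types present in an emailed instruction."""
    return [name for name, rx in HIGH_RISK.items() if rx.search(body)]


def normalise(answer: str) -> str:
    """Case, whitespace and accent insensitive, so a spoken answer verifies."""
    folded = unicodedata.normalize('NFKD', answer).encode('ascii', 'ignore').decode()
    return ' '.join(folded.lower().split())


def hash_answer(answer: str, salt: Optional[bytes] = None) -> tuple:
    """Salted scrypt of the normalised answer; store both salt and digest."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.scrypt(normalise(answer).encode(), salt=salt, n=2 ** 14, r=8, p=1)
    return salt, digest


def check_answer(answer: str, salt: bytes, stored: bytes) -> bool:
    _, digest = hash_answer(answer, salt)
    return hmac.compare_digest(digest, stored)  # constant-time compare


@dataclass
class ClientRecord:
    known_phone: str        # captured at onboarding, never taken from an email
    salt: bytes
    answer_hash: bytes


@dataclass
class Decision:
    action: str   # 'process', 'hold' or 'reject'
    reason: str


def decide(record: ClientRecord, body: str,
           callback_number: Optional[str] = None,
           spoken_answer: Optional[str] = None) -> Decision:
    """Gate an emailed instruction. The From address is deliberately not an
    input: on a compromised account it matches the real client and proves nothing."""
    risks = classify(body)
    if not risks:
        return Decision('process', 'no high-risk request in the email')
    if callback_number is None or spoken_answer is None:
        return Decision('hold', f"{', '.join(risks)}: call the client on the number on file before acting")
    if callback_number != record.known_phone:
        return Decision('reject', 'callback must use the number on file, not one supplied in the email')
    if not check_answer(spoken_answer, record.salt, record.answer_hash):
        return Decision('reject', 'memorable answer did not verify')
    return Decision('process', f"{', '.join(risks)} verified by callback")


if __name__ == '__main__':
    salt, digest = hash_answer('Le Havre')          # constructed memorable answer
    rec = ClientRecord('+44 20 7946 0000', salt, digest)
    print(decide(rec, 'Please encash my ISA and send the proceeds to my new account'))
    print(decide(rec, 'Please encash my ISA', rec.known_phone, 'le  havre'))
```

Two design points follow directly from the quotes above. The callback number is read from the client record, never from the email, because a fraudster who controls the mailbox will happily supply "my new number". And the memorable answer is never stored in clear; if the fact-find system is itself breached, an attacker gets a salted hash that has to be brute-forced one guess at a time rather than a list of answers to read out over the phone.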

Education

Experts say advisers need to ensure all their staff and clients are aware of the risks.

Martin says firms should have internal policies covering issues such as what information staff can send via email and who they should contact if they have been subject to an attack.

Williams says: “Don’t assume that staff know what they are doing, because scammers are very creative and are always trying to come up with something new.

“If you are a firm with a number of advisers, particularly self-employed advisers where the controls tend to be looser, you need to educate, educate, educate.”

And Finance & Technology Research Centre director Ian McKenna says: “Advisers need to make sure all communications with their client are totally secure, including those which come from the client. If a client sends you sensitive information via email, you need to politely explain they are putting themselves at risk.”

Adviser views

Tim Page, director, Page Russell

This is a growing issue and what worries me most is the increasing sophistication of the scams. Email scams are becoming regular occurrences and advisers need to be absolutely on top of this.

Justin King, managing director, MFP Wealth Management

I do not view email as a secure medium at all, regardless of the type of account. We only discuss client details over the phone with the client, or through our server which clients have login details for. But we have to expect the providers to have greater security than we do because they are the gatekeepers to the money.

Expert view

Email is like putting client details on a postcard

Webmail is really dangerous because it is not designed for business communications. If you are using a webmail account, how are you going to archive everything, and can you readily access information? You are entirely beholden to the email provider, which could decide to no longer provide the service. In addition to that, what does it say about your business if you are using a gmail account?

Regardless of the email system you use, sending an email is like putting a postcard in a letterbox: anyone can read it. You need to either be using a secure email system, or email encryption.

There are serious criminals out there using programmes designed to sniff out financial information. These people monitor information over months and years, taking little snippets at a time until they build up a picture which is enough for them to commit serious fraud.

It is a breach of the Data Protection Act to send confidential information via unencrypted email.

The information that advisers hold about their clients is incredibly valuable to financial criminals and advisers cannot be too vigilant.

This has been on the agenda for many years, but it has never been treated with the gravity it deserves. The fact a firm would even consider using a webmail address suggests they need to think a lot more carefully about their email security.

Up until now the industry has thought about this as an issue about communications between them and providers but this is very much a client communication issue too. It is not just about how you send information to your clients but how they send information to you. Every time you receive an email from a client with sensitive information, you should say to them politely that they are putting themselves at risk.

I have no doubt we are going to hear some horror stories about this in the coming months; the potential rewards for financial criminals are just too great.

Ian McKenna is director of Finance & Technology Research Centre

Comments

  1. I get rather annoyed by the increasing numbers of experts pushing their own agendas, implying there’s a big scandal happening right now. It’s complete rubbish to say it’s a breach of the DPA to send confidential data by unencrypted email. The Information Commissioner has made no such statement. Sending information by email is not the same as putting it on a postcard. In fact bearing in mind out of 500 million items of post every week, Royal Mail manage to lose 400,000 items, email suffers far less from a theft point of view!

    Whilst the actual transmission of data does pass through countless points where data can in theory be accessed, it doesn’t really happen (at the moment). However, that’s not to say IFAs should be complacent to the potential risks because in the longer period of years rather than months, cyber attacks will get more sophisticated, so it certainly would be prudent to make use of encrypted attachments, as then you’re reducing risk.

  2. We're all doomed!!!! 23rd April 2015 at 12:44 pm

    The Information Commissioner has said this, Adam. In 2012, in fact….

  3. Of course you could put your client’s correspondence in a padlocked box and post it to them, asking them to put their own padlock on it and send it back to you.

    When you get it back, you could then take your padlock off and return it with theirs still on, so that they can remove it, open the box and read the contents.

    That seems a bit of an overkill, though.

  4. I’ve previously spent a lot of time going through their web site, and I certainly couldn’t see any specific reference. There’s various suggestions that portable devices should be encrypted but no actual requirement for example. In respect of email, in their “IT Top Tips” they merely say “Consider whether the content of the email should be encrypted or password protected” and “If you send a sensitive email from a secure server to an insecure recipient, security will be threatened. You may need to check that the recipient’s arrangements are secure enough before sending your message”.

  5. In February this year Panacea Adviser announced their latest partnership with BESecure Mail (BESM) to deal with all the issues highlighted and more. The standard service is FREE.

    With BESecure Mail

    —YOU continue to use your normal email address(es) & preferred system (Outlook 2010+ / Apple Mail)

    — YOU retain full control of your data – message(s) and attachment(s)

    — YOU control who opens them

    — YOU decide how to identify your intended recipient

    — YOU hold your encrypted data in your personal BESM folder

    — YOUR data is always encrypted by us

    — WE never store or see your information or the security parameters you set

    BE Secure Mail affords the sender of a message the ability to host, monitor and control an email in such a way as to enable recipient identity verification and ‘revocation’ rights whilst working within the confines of their existing email address(es) and email systems, which is the ‘key’ to success.

    http://www.panaceaadviser.com/main/st10519.htm

    Simples:)