Catriona Carter

7 tips to avoid email hacking

Posted 20 May 2024 by Catriona Carter

Email and social media accounts are still popular platforms for hackers who are looking to access personal information in order to gain control of financial assets.

Data from Action Fraud confirms that 22,530 people had their social media or email accounts hacked in 2023. This resulted in victims losing a total of £1.3 million.

From phishing scams to social engineering, the methods being used to hack these accounts are becoming increasingly sophisticated. This is not a far-off, distant future that we need to watch out for; it is happening now.

The aim is to get money out of the victim. Potentially, they may be blackmailed into sending funds to the criminal. Or the information within their accounts could be used to impersonate them.

Consider a client that you’ve known for a number of years. Imagine her name is Lindsey and she has both an ISA and a Pension account. It’s almost time for her annual review, so you send an email asking to set up a meeting. A week or so goes by and you receive the following email:

Hi,

Thanks for the email. I’ve actually just changed my bank. Do you need my details or can I do this online? I’ll look at my diary and get back to you with a date to discuss the annual review.

Thanks,

Lindsay

Anything untoward? Firstly, I mentioned the client’s name is Lindsey, but the email received is from ‘Lindsay’. We’ve seen cases where someone sets up a fake email account with a similar spelling to the client’s real name and uses that to try and impersonate the client. Although people can have different writing styles and spelling mistakes, typically they would spell their own name correctly.

Secondly, the misspelled name alongside a request to change bank details is another red flag. If a fraudster has hacked into the client’s email, but doesn’t have access to their bank account, they may try to redirect funds to an account that they’re able to access.
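The two red flags above, written as a simple screening check. This is an added example, not part of the original article; the client record, the sender address, the keyword lists and the 0.8 similarity threshold are all assumptions, and a flag means "verify by another channel", not proof of fraud.

```python
import re
from difflib import SequenceMatcher

# Constructed client record: name and email address held on file (assumed values).
CLIENTS_ON_FILE = {"Lindsey": "lindsey@example.com"}

CHANGE = re.compile(r"\b(chang\w*|new|updat\w*|switch\w*)\b", re.I)
BANK = re.compile(r"\b(bank|account|sort code|iban)\b", re.I)

def sign_off(body):
    """Last non-empty line of the message, treated as the sender's sign-off name."""
    lines = [ln.strip() for ln in body.splitlines() if ln.strip()]
    return lines[-1] if lines else ""

def similarity(a, b):
    return SequenceMatcher(None, a.lower(), b.lower()).ratio()

def mentions_bank_change(body):
    """True if any single sentence pairs a 'change' word with a banking word."""
    return any(CHANGE.search(s) and BANK.search(s) for s in re.split(r"[.?!]\s+", body))

def review_email(sender, body, threshold=0.8):
    """Return the list of red flags; any flag means verify by phone before acting."""
    flags = []
    name = sign_off(body)
    client = max(CLIENTS_ON_FILE, key=lambda c: similarity(c, name))
    score = similarity(client, name)
    # Close to a known client's name but not identical: possible lookalike identity.
    if score >= threshold and name.lower() != client.lower():
        flags.append(f"sign-off '{name}' is a near miss for client '{client}'")
    if score >= threshold and sender.lower() != CLIENTS_ON_FILE[client].lower():
        flags.append(f"sender {sender} is not the address on file for {client}")
    # Raised even when name and address match, since a hacked account looks genuine.
    if mentions_bank_change(body):
        flags.append("message refers to changed bank details")
    return flags

# The email quoted in the article; the sender address used below is constructed.
SUSPECT = """Hi,

Thanks for the email. I’ve actually just changed my bank. Do you need my details or can I do this online? I’ll look at my diary and get back to you with a date to discuss the annual review.

Thanks,

Lindsay"""

if __name__ == "__main__":
    for flag in review_email("lindsay@example.com", SUSPECT):
        print("RED FLAG:", flag)
```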

What can we do to limit the chances of falling for this type of scam?

1. Consider using encrypted email services or secure client portals instead of standard email communications.

2. Before acting on any requests by email, verify the identity of the sender through alternative means. This could be a phone call or an in-person meeting. This is particularly important when implementing any changes to bank details or address.

3. It’s important to talk to your clients so that they’re aware of the risks of email hacking and encourage them to be vigilant against any suspicious emails or requests that they may receive too. Consider including helpful articles on this on your blog or company newsletters.

There are other best practices you can adopt too:

4. Implement multi-factor authentication on all email accounts and any systems that contain sensitive client information. This adds an extra layer of security by requiring more than just a password to access accounts.

5. Organise regular training sessions for team members on the latest cybersecurity practices and phishing attack prevention. Let them know how to recognise suspicious emails and the importance of reporting them.

6. Enforce a strong password policy that requires complex passwords that are changed regularly. Avoid using the same password across multiple sites and encourage the use of password managers.

7. Stay up to date on trends and news, particularly any regulatory guidelines and best practice announcements. Take a look at the FCA’s review of fraud controls and complaint handling.

While high-profile cyber security incidents often affect large corporations, smaller businesses aren’t immune to these threats. Alarmingly, statistics reveal that 81% of UK businesses affected by cyber security attacks are small to medium-sized enterprises. This underscores the critical need for robust cyber defences across all sectors of business.
