Cyber Security: Being aware and staying vigilant

Chay Fox, Operations Director
15/02/2024
Over recent years, we have seen how clients now manage their finances in a way that best fits their lifestyle thanks to the move to online financial services.

However, while trying to make our lives easier, these technological developments have made us all more susceptible to fraud and have given rise to new opportunities for cybercriminals.

These individuals and groups have successfully evolved their tactics to keep up with emerging financial technology. In a Saltus Wealth Index survey of 2,000 people with assets of £250k+, 41% of respondents were found to have been victims of financial crime in the past year alone.

While Crowe Financial Planning (FPUK) have implemented measures to protect client finances from this risk, cyber attackers will take the opportunity to exploit even minor gaps in security systems and protocols.

Impact on client wellbeing

The frequency of sophisticated phishing schemes and malware attacks is one reason why there are more and more threats to the wellbeing of clients. In fact, research by Saltus recently discovered that the most common method for cyber criminals to infiltrate accounts was online shopping scams, with 24% of victims being targeted in this way.

This is followed by investment scams (20%), and pension scams (15%). By falling victim to cyber criminals, individuals lost almost £13,000 on average.

Beyond the immediate financial losses incurred, the process of retrieving lost funds can be costly, time-consuming and stressful. Funds also remain uninvested until such time that they are retrieved. Especially in volatile markets, clients' inability to capitalise on these investment opportunities could increase their portfolio risk and chance of potential losses.

Practical tips 

To minimise this risk, below are three key pieces of guidance we feel are best practice for our clients to be aware of.

  1. Secure connections

    Many of the hacking attempts we witness today are aimed at gaining access and control of a client's email account. If successful, criminals can read the entirety of clients' correspondence and imitate them, and they could gain access to other websites, including those where clients' banking or investments are held.

    To tackle the relatively low level of security offered by email interactions, Crowe FPUK will be sending a separate communication to all clients later this month to outline our plans to reduce cyber security risk in how we share key information with you. For additional protection, we would also recommend not using public WiFi, and instead waiting for access to a secure WiFi network or using your mobile data.

  2. How to spot email phishing

    The first step in how to spot email phishing comes with understanding what a phishing email is.

    The most accurate definition of a phishing email is an email sent to a recipient with the objective of making the recipient perform a specific task. The attacker may use social engineering techniques to make their email look genuine and include a request to click on a link, open an attachment, or provide other sensitive information, such as login credentials.

    Socially engineered phishing emails are the most dangerous. They are constructed to be relevant and appear genuine to their targets. The recipient is more trusting of the email and performs the specific task requested in the email. The results can be devastating. If the recipient clicks on a link to a malware-infected website, opens an attachment with a malicious payload, or divulges their login credentials, an attacker can access a network undetected.

    Emails demanding urgent action

    Emails threatening a negative consequence, or a loss of opportunity unless urgent action is taken, are often phishing emails. Attackers often use this approach to rush recipients into action before they have had the opportunity to study the email for potential flaws or inconsistencies.

    Emails with bad grammar and spelling mistakes

    Another way to spot email phishing is bad grammar and spelling mistakes. Many companies apply spell-checking tools to outgoing emails by default to ensure their emails are grammatically correct. Those who use browser-based email clients apply autocorrect or highlight features on web browsers. An email that claims to come from an established organisation but contains such errors therefore deserves closer scrutiny.

    Inconsistencies in email addresses, links and domain names

    Another way to spot phishing is by finding inconsistencies in email addresses, links and domain names. Does the email originate from an organisation that you correspond with often? If so, check the sender’s address against previous emails from the same organisation. Look to see if a link is legitimate by hovering the mouse pointer over the link to see what pops up. If an email allegedly originates from (say) Google, but the domain name reads something else, this is likely to be a phishing attack.

    Emails requesting login credentials, payment information or sensitive data

    Emails originating from an unexpected or unfamiliar sender that request login credentials, payment information or other sensitive data should always be treated with caution. Spear phishers can forge login pages to look similar to the real thing and send an email containing a link that directs the recipient to the fake page. Whenever a recipient is redirected to a login page or told a payment is due, they should refrain from inputting information unless they are 100% certain the email is legitimate.

    Too good to be true emails

    Too good to be true emails are those which incentivise the recipient to click on a link or open an attachment by claiming there will be a reward of some nature. If the sender of the email is unfamiliar or the recipient did not initiate the contact, the likelihood is this is a phishing email.

  3. Introduce strong software controls

    Crowe FPUK would recommend that you only use strong passwords that are at least 12 characters long, and include upper and lowercase letters, numbers, and symbols. This password should not be repeated across different accounts and should be stored within password management software. Where possible, you should enable two-factor authentication to add another layer of protection.

    Please also remember to regularly update your operating systems, browsers, apps, and security solutions whenever an upgrade becomes available. Downloading antivirus software and firewalls also minimises the occurrence of successful hacking and malware.

Disclaimers

The information set out in our publications is for information purposes only and does not constitute advice to undertake a particular transaction. Appropriate professional advice should be taken on specific issues before any course of action is pursued. Any advice provided by a Crowe Consultant will follow only after consideration of all aspects of our internal advice guidance.

Past performance is not a guide to future performance, nor a reliable indicator of future results or performance. The value of investments, and the income or capital entitlement which may derive from them, if any, may go down as well as up and is not guaranteed; therefore investors may not get back the amount originally invested. 

The Financial Conduct Authority does not regulate Trusts, Tax or Estate Planning. 
