Beware of email account attacks

For financial professionals only

Since the pandemic began, we’ve received reports of over 20 adviser firms falling victim to business email account takeovers, where an attacker gains access to an adviser’s business email account. This most typically happens because the adviser unknowingly handed over their credentials in an earlier phishing attack, often through a personal account that uses the same password and security details as the business one, or because their details have been sold on the dark web. Prior to the pandemic, we only saw a couple of reports over a 5-year period.

Cybercrime on the rise

Given the rapid shift to remote working, it isn’t surprising that cyber-crime has risen, with the NCSC confirming that cyber-attacks on the UK have hit a new record high [1]. A recent report identified financial services as one of the hackers’ favourite targets, with reported attacks on the industry jumping from 44% in 2020 to 55% in 2021 [2].

Once the attacker has access to your email account, they can send phishing emails to your contacts on your behalf, which are difficult for the recipient to spot. In fact, a recent report described how a hacker gained control of an FBI email address and sent spam emails from it [3]. These emails appear genuine because they come from a legitimate account, but they often seek to continue the attack by pointing to malicious links that direct the recipient to enter their personal information or that deliver malware. Fortunately, in the cases where our staff recognised these attacks and reported them to the advisers, their cyber / IT teams were already working on a fix, and no Parmenion customers were affected.

A scattergun approach

Criminals often adopt a scattergun approach using automated bots, aiming at businesses that may not understand the vulnerabilities they have. Companies that have suffered a cyber-attack before are more likely to be targeted again, with a recent report showing that over a quarter (28%) of firms were targeted five times in the same year [2]. It’s worth remembering that if an attacker controls your email account, they can also reset the passwords of any accounts tied to that email address. If you experience a targeted attack, your platform provider account passwords may be changed, giving the attacker access to your and your clients’ data.

Protecting your data

Our systems, processes and infrastructure monitoring are designed to protect you and your clients.

If we receive phishing emails suggesting that your email account has been compromised, we’ll always contact you to let you know, and we’ll check your Parmenion account logs for any password reset requests or unusual account activity. We also have supplementary controls in place for high-risk actions such as changing bank account details or making withdrawals, as well as systemic monitoring, log tracking and physical protections, so that together we protect your clients’ wealth and their data.

Turn on multi-factor authentication (MFA)

We’ve recently introduced MFA, a new security feature that makes it almost impossible for your access or identity to be hacked. MFA is widely recognised as the best way to protect your company from these kinds of attacks. It requires you to provide at least two pieces of evidence to prove your identity, for example something you have (an app on your phone or tablet) as well as something you know (your username and password), to log in to an account. This makes a compromise of your account far less likely than with single-factor authentication, where something you know (a username and password) is all that’s needed for access. With MFA enabled, a password alone is not enough to access your account or reset your password, adding an additional layer of protection for your business and your customers. MFA underpins most banking apps, and because it has been evolving for over 10 years in parallel industries, we’ve been able to learn from their experience to shape our own implementation.

Preventing attacks on your business

As well as enabling MFA wherever possible:

  • Urge employees to avoid using the same passwords for multiple services.
  • Promote the use of password managers.
  • Never share accounts / logins – if advisers and paraplanners share a single login, it is difficult to identify anomalies and potential attacks.
  • If sharing is unavoidable, change any shared passwords when staff leave.
  • If you suspect you’ve been breached or your passwords have been leaked, change them immediately, using sites such as haveibeenpwned.com to check.
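As an added illustration of the last point (example code, not part of the original article), this is how a leaked-password check against haveibeenpwned.com’s Pwned Passwords range API works: only the first five hex characters of the password’s SHA-1 are sent, and the rest is matched locally, so the password itself never leaves your machine. The sample password, the breach count and the stand-in server response are constructed here so the demo runs offline.

```python
import hashlib
from typing import Callable, Dict, List

# Real endpoint: https://api.pwnedpasswords.com/range/<first 5 hex chars>
# Only those five characters of the password's SHA-1 ever leave the machine.

def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1, the form the range API uses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()

def parse_range(body: str) -> Dict[str, int]:
    """Turn a range response ('SUFFIX:COUNT' per line) into a dict."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if line:
            suffix, _, count = line.partition(":")
            counts[suffix.upper()] = int(count)
    return counts

def pwned_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """How many breach records contain the password (0 = not found)."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    # Only the prefix is sent; the 35-char suffix is matched locally.
    return parse_range(fetch_range(prefix)).get(suffix, 0)

# Constructed offline stand-in for the API so the demo needs no network.
# The leaked sample password and its count of 3,730,471 are invented.
_LEAKED = sha1_hex("Summer2021!")
FAKE_RANGE_BODY = "\n".join([
    "0018A45C4D1DEF81644B54AB7F969B88D65:1",  # constructed filler line
    f"{_LEAKED[5:]}:3730471",
    "011053FD0102E94D6AE2F8B83D76FAF94F6:2",  # constructed filler line
])
SENT_PREFIXES: List[str] = []  # records what would have been transmitted

def fake_fetch_range(prefix: str) -> str:
    """Return the constructed body and log the prefix that was 'sent'."""
    SENT_PREFIXES.append(prefix)
    return FAKE_RANGE_BODY

if __name__ == "__main__":
    for pw in ("Summer2021!", "correct-horse-battery-staple-7"):
        n = pwned_count(pw, fake_fetch_range)
        status = f"seen {n} times, change it" if n else "not found"
        print(f"{pw!r}: {status}")
```

To query the live service, pass a `fetch_range` that performs an HTTPS GET against the real endpoint with the five-character prefix and returns the response body.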

Talk to us today about switching on MFA

We offer MFA for our platform, and it only takes 2 minutes to set up. Take a look at our quick guide, and speak to your Regional Sales Manager once you’re ready to switch it on.

[1] Sky News, “Cyber attacks on the UK hit new record – with COVID vaccine research prime target”, Nov 2021

[2] Hiscox, “Cyber Readiness Report 2021”

[3] NBC News, “Hacker sends spam to 100,000 from FBI email address”, Nov 2021