8 tips for keeping your email secure: A guide for financial advisers (CPD accredited)
Your email is the single most important digital key to your professional life – and the first thing an attacker will try to compromise. As a financial adviser, your email account can be a vault of confidential client communications and the link to other sensitive sites and services. Cybercriminals know this, which is why email remains one of the most common attack targets in the financial sector. The FCA have recently urged advisers to remain vigilant and report any scam emails impersonating the regulator. This guide outlines 8 key things you can do to protect yourself, your clients, and your business from email-related cyber threats.
1. Don’t rely on just a password
Your password is like the lock on your front door – it’s helpful, but not enough on its own. If a hacker gets past it, they have full access to all your confidential information. Hackers can get hold of your password through phishing emails, through credential leaks from other sites that expose reused passwords, and through brute-force attacks that guess weak passwords.
How to protect yourself
· Use Multifactor Authentication (MFA) – this adds an extra security step, like a code sent to your phone or authenticator app, making it harder for attackers to break in. Use an authenticator app (like Microsoft Authenticator or Google Authenticator) rather than SMS-based codes.
· Enable passkeys – passkeys are a new, safer way to log in without using passwords. They’re stored securely on your device and can only be used with your fingerprint, face recognition, or device PIN. They can’t be stolen through fake websites and are much harder for hackers to crack.
· Never reuse passwords – if one gets leaked, hackers can try it on all your accounts.
· Use a password manager – to create and store complex passwords securely.
2. Watch out for phishing from trusted contacts
Phishing emails are crafted to trick even smart, tech-savvy users. But it’s not just your email that’s at risk – your clients, suppliers, and trusted contacts can also be targeted. If an attacker hacks your supplier’s email, they could use it to send you fake invoices or ask for a fraudulent bank transfer, with a much higher success rate.
How to protect yourself:
· Always verify unusual requests by calling the sender directly using a known phone number – especially requests involving money.
· Always check and verify sender addresses (look for subtle typos in email addresses).
· Hover over links before clicking to check if they are legitimate URLs. If anything looks suspicious, don’t click it!
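Checking a sender address for subtle typos is easier to automate than to do by eye for every message. The following is an added example, not code from the article or from Parmenion: it compares the domain of a From header against a constructed list of domains the adviser normally corresponds with (the domain names here are assumptions) and flags addresses that only differ by look-alike characters such as “rn” for “m”, or by a transposed letter.

```python
import re
from difflib import SequenceMatcher

# Constructed list of domains this adviser legitimately corresponds with.
# (Assumption for the example; the article names no specific domains.)
TRUSTED_DOMAINS = {"parmenion.co.uk", "fca.org.uk", "clientbank.co.uk"}

# Character swaps that make a fake domain read like the real one at a glance.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"),
               ("3", "e"), ("5", "s"), ("-", "")]


def normalise(domain):
    """Lower-case a domain and undo common look-alike substitutions."""
    d = domain.lower()
    for fake, real in CONFUSABLES:
        d = d.replace(fake, real)
    return d


def sender_domain(header_value):
    """Extract the domain from a From header such as 'Jo Smith <jo@firm.co.uk>'."""
    m = re.search(r"<([^>]+)>", header_value)
    address = m.group(1) if m else header_value.strip()
    if address.count("@") != 1:
        raise ValueError(f"not a single e-mail address: {header_value!r}")
    return address.rsplit("@", 1)[1].lower()


def classify_sender(header_value, trusted=TRUSTED_DOMAINS, threshold=0.85):
    """Return ('trusted' | 'lookalike' | 'unknown', matched-or-actual domain)."""
    domain = sender_domain(header_value)
    if domain in trusted:
        return "trusted", domain
    norm = normalise(domain)
    for known in sorted(trusted):
        known_norm = normalise(known)
        # Identical once confusables are undone, e.g. parrnenion -> parmenion.
        if norm == known_norm:
            return "lookalike", known
        # A character or two away: transpositions and single-letter typos.
        if SequenceMatcher(None, norm, known_norm).ratio() >= threshold:
            return "lookalike", known
    return "unknown", domain


if __name__ == "__main__":
    samples = ("Jo Smith <jo.smith@parmenion.co.uk>",   # genuine
               "jo.smith@parrnenion.co.uk",             # rn for m
               "alerts@parmenoin.co.uk",                # transposed letters
               "news@bbc.co.uk")                        # simply not on the list
    for sample in samples:
        print(sample, "->", classify_sender(sample))
```

A “lookalike” result is the one that deserves the phone call the article recommends: the address is close enough to a known contact to be deceiving, but is not that contact. An “unknown” result is merely a sender you have no history with.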
3. Be careful what you send by email
Email is not always completely secure, so be careful when communicating sensitive client data. It can be intercepted in transit or accessed by unauthorised parties if either sender or recipient accounts are compromised.
How to protect yourself:
· Avoid sending sensitive data (like full account numbers, personal or financial information) in the body of an email.
· Use secure document-sharing platforms or encrypted portals for sensitive data (e.g. Microsoft 365’s encrypted message feature or OneDrive links only accessible with permission).
· If you must send sensitive files via email, always:
o Password-protect the files
o Share the password via a separate channel (e.g. phone or SMS).
4. Monitor and review account activity
A common trick hackers use is setting up auto-forwarding rules in your email. This allows them to silently receive copies of your messages without logging in again. Attackers access your email once (perhaps through phishing) and set up auto-forwarding to their own address. Because the rule lives in your mailbox rather than on the attacker’s device, changing your password does not remove it – they still receive sensitive information.
How to protect yourself:
Check your email settings for auto-forwarding rules, and also regularly review:
· Login history and unusual account activity
· Access granted to third-party apps
· Recovery email and phone number accuracy
· MFA settings and authenticator backup options
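For a firm with more than a handful of mailboxes, the forwarding-rule check above is better run as a script over an export of each mailbox’s settings than clicked through by hand. The following is an added example, not code from the article or from Parmenion. It works on a constructed snapshot of one mailbox whose field names are loosely modelled on an Exchange Online rule export (that structure, the firm’s domain and every address in it are assumptions), and it flags mailbox-level forwarding and any rule that forwards or redirects outside the firm, raising the severity when the rule also hides its tracks by deleting or marking messages read or by using a near-empty name.

```python
# Constructed domain(s) that belong to the firm; anything else counts as external.
ORG_DOMAINS = {"adviserfirm.example"}

# Constructed snapshot of one mailbox. Field names are loosely modelled on an
# Exchange Online inbox-rule export; this is an assumption for the example only.
SAMPLE_MAILBOX = {
    "owner": "jo.smith@adviserfirm.example",
    # Mailbox-level forwarding, which needs no inbox rule at all.
    "forwarding_smtp_address": "backup-jo@personalmail.example",
    "rules": [
        {"name": "File client statements", "enabled": True,
         "forward_to": [], "redirect_to": [], "forward_as_attachment_to": [],
         "delete_message": False, "mark_as_read": False},
        # The classic post-phishing rule: one-character name, external copy,
        # original deleted and marked read so the owner notices nothing.
        {"name": ".", "enabled": True,
         "forward_to": ["collector@mail-drop.example"], "redirect_to": [],
         "forward_as_attachment_to": [],
         "delete_message": True, "mark_as_read": True},
        {"name": "Copy to compliance", "enabled": True,
         "forward_to": ["compliance@adviserfirm.example"], "redirect_to": [],
         "forward_as_attachment_to": [],
         "delete_message": False, "mark_as_read": False},
        {"name": "Old home forward", "enabled": False,
         "forward_to": [], "redirect_to": ["jo@personalmail.example"],
         "forward_as_attachment_to": [],
         "delete_message": False, "mark_as_read": False},
    ],
}


def is_external(address, org_domains):
    """True when the address's domain is not one the firm owns."""
    return address.rsplit("@", 1)[-1].lower() not in org_domains


def audit_mailbox(mailbox, org_domains=ORG_DOMAINS):
    """Return a list of findings for forwarding that leaves the organisation."""
    findings = []

    target = mailbox.get("forwarding_smtp_address")
    if target and is_external(target, org_domains):
        findings.append({"item": "mailbox forwarding", "severity": "high",
                         "reasons": [f"all mail is forwarded to external address {target}"]})

    for rule in mailbox.get("rules", []):
        targets = (rule.get("forward_to", []) + rule.get("redirect_to", [])
                   + rule.get("forward_as_attachment_to", []))
        external = [t for t in targets if is_external(t, org_domains)]
        if not external:
            continue  # internal copies (e.g. to compliance) are not a finding
        reasons = ["forwards or redirects to external address(es): " + ", ".join(external)]
        if rule.get("delete_message"):
            reasons.append("deletes the original, so the owner never sees the message")
        if rule.get("mark_as_read"):
            reasons.append("marks the message read, so the copy goes unnoticed")
        if len(rule.get("name", "").strip()) <= 2:
            reasons.append("near-empty rule name, easy to overlook in the rules list")
        if not rule.get("enabled"):
            severity = "low"        # disabled, but still worth removing
        elif len(reasons) > 1:
            severity = "high"       # external forwarding plus concealment
        else:
            severity = "medium"     # external forwarding on its own
        findings.append({"item": f"rule {rule.get('name')!r}",
                         "severity": severity, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in audit_mailbox(SAMPLE_MAILBOX):
        print(f"[{finding['severity'].upper()}] {finding['item']}")
        for reason in finding["reasons"]:
            print("   -", reason)
```

On the sample mailbox the script reports the mailbox-level forward and the “.” rule as high severity and the disabled home forward as low, while the copy to compliance is left alone because it stays inside the firm. Running the same check on a schedule turns the article’s “regularly review” into something that actually happens.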
5. Secure the devices you use
Your email is only as secure as the device you access it from, so it’s important to practise good security habits.
How to protect yourself:
· Use a PIN, password, or biometric lock on phones, laptops, and tablets.
· Enable automatic updates on operating systems and apps.
· Use disk encryption (technology that scrambles your information so it’s unreadable) to prevent data recovery if your device is lost or stolen.
· Avoid public Wi-Fi or use a Virtual Private Network (VPN) for added security.
· Be cautious about what you install / download and use an antivirus tool.
6. Stay informed and train your team
Staying informed about cyber threats, new scams and online tricks will help you spot early warning signs. You can then take fast, proactive steps to help keep yourself protected online.
How to protect yourself:
· Keep yourself and any staff up to date with the latest phishing and security threats.
· Report and share phishing emails you receive, so colleagues are aware of the scams currently in circulation and can avoid falling for them.
· Consider running phishing tests or short awareness sessions for anyone who has access to sensitive email content.
7. Set up recovery options
Setting up recovery options will ensure you can quickly regain access and secure your account if it’s ever compromised.
How to protect yourself:
· Use a trusted phone number and backup email for account recovery. Make sure you use a unique password for your backup email account.
· Regularly check and update your recovery details to make sure they haven’t been tampered with.
8. Be careful with out-of-office (OOO) replies
An OOO message might seem harmless, but it can give attackers valuable insights into when you’re unavailable, how to impersonate you and who they might want to target.
How to protect yourself:
· Use separate internal and external OOO messages. Internal messages can include more details for colleagues.
· Keep external OOO messages vague. Instead of sharing dates, say: “I’m currently unavailable and will respond as soon as possible.”
Conclusion: 8 steps to secure emails
Your email account is a gateway to your business. Treat it like a vault – lock it down, keep it monitored, and use multiple lines of defence to reduce the risk of a breach, including:
1. Enabling MFA or passkeys.
2. Watching out for phishing from trusted contacts
3. Using strong, unique passwords.
4. Being cautious with what you send.
5. Staying informed of new scams.
6. Securing your devices and settings.
7. Setting up recovery options.
8. Keeping OOO replies vague.
For more information on how to stay safe online and learnings from recent cyber-attacks in the news, take a look at our ‘Lessons from Zoom scams and the M&S hack’ article.
Take the CPD-accredited keeping your emails safe test here
Test your understanding with these multiple-choice questions and receive a CPD certificate worth 30 minutes of CPD.
Never miss an update
The cyber landscape is constantly evolving; staying informed and proactive can help businesses mitigate risks.
Sign up to our fortnightly 'Adviser Insight' newsletter for expert insights - use the 'Sign up' button on the left-hand side to receive our updates.
This article is for financial professionals only. Any information contained within is of a general nature and should not be construed as a form of personal recommendation or financial advice. Nor is the information to be considered an offer or solicitation to deal in any financial instrument or to engage in any investment service or activity.
Parmenion accepts no duty of care or liability for loss arising from any person acting, or refraining from acting, as a result of any information contained within this article. All investment carries risk. The value of investments, and the income from them, can go down as well as up and investors may get back less than they put in. Past performance is not a reliable indicator of future returns.