For financial professionals only
Throughout 2022, Parmenion’s Information Security Manager Sarah Coles will be bringing you her top tips on information security for you and your clients. This month, she warns of the rise in ‘social engineering’ and what you can do about it.
Social engineering is the manipulation of people into handing over personal information or taking actions that benefit an attacker, most commonly through phishing emails, calls or texts. It’s a threat that is growing fast, with a 270% increase in attacks in 2021*.
If your customers fall for a social engineering attack such as phishing, the chances are you will also be targeted. Attackers routinely use the email accounts they have compromised to launch further attacks on that account’s contacts.
For example, you may have received an email from a known supplier asking you to pay an invoice you weren’t expecting, only for the supplier to contact you later asking you to ignore it because they believe their email account has been compromised.
If their warning arrives too late, you may already have handed over your own details, and your contacts could now be receiving malicious emails from your account. Worse, the email might instruct you to download a file that turns out to be malicious and deploys ransomware on your device and on company systems. And so the scam continues. That is how easily your customers’ security habits can affect your own.
Attackers can also use a customer’s compromised email account to request password resets for the platforms that customer uses, since the reset links are delivered to the inbox the attacker now controls. This locks the customer out and can give the attacker enough detailed knowledge to get through standard security checks and begin making fraudulent requests, such as changing bank account details or submitting withdrawals.
Prevention is better than cure – actions to help avoid the initial attack
Most cyberattacks are unsophisticated attempts to obtain information, so a few basic principles go a long way towards protecting you and your customers.
- Remind your customers to set a unique password when they onboard. If they have reused a password for convenience, make sure they know how to change it once they are set up, ideally with the help of a password manager.
- Encourage them to use Multi-Factor Authentication (MFA) wherever it is offered. Then even if a customer’s password is leaked, an attacker cannot get into the account without also having the device linked to their MFA.
- Be clear on the types of communication your customers can expect from you to help them identify suspicious calls, emails or texts – eg tell them “we will never call you and ask for your password”.
- Let them know where they can find your trusted contact information and encourage them to seek a second opinion when receiving unexpected communication or urgent requests.
- Remind customers to log out of their account once they’ve finished whatever they are doing. This helps prevent unauthorised access, especially on shared devices.
If you’d like to keep up to date with threats, the Government’s National Cyber Security Centre website is a great resource, providing a weekly roundup of the high-profile threats that may impact your business.
Another fantastic free resource is the HaveIBeenPwned site, which lets you check whether your (personal or business) email address or phone number has appeared in a data breach whose contents are now circulating publicly on the internet.
This article is for financial professionals only. Any information contained within is of a general nature and should not be construed as a form of personal recommendation or financial advice. Nor is the information to be considered an offer or solicitation to deal in any financial instrument or to engage in any investment service or activity. Parmenion accepts no duty of care or liability for loss arising from any person acting, or refraining from acting, as a result of any information contained within this article. All investment carries risk. The value of investments, and the income from them, can go down as well as up and investors may get back less than they put in. Past performance is not a reliable indicator of future returns.