Information security never ceases to be a hot topic. Here, Sarah Coles looks at three recent cyber security updates and shares her takeaways on how you can stay protected.
Are you really speaking to your client? The rise of phone-based social engineering
Attackers are increasingly picking up the phone and calling their targets to persuade them to share sensitive information or make account changes that can lead to a breach.
What’s changed is the level of sophistication. These aren’t random scam calls anymore — they’re often well-organised operations run like real businesses. Recent reporting highlights how criminal groups now operate “caller-as-a-service” models, with defined roles, training, scripts, and even performance metrics — much like a legitimate sales team. Some are even recruiting fluent English speakers, and in some cases, preferring female callers to sound more credible and build trust quickly on calls.
Attackers are also expanding beyond traditional phone calls. Platforms like Microsoft Teams are now being used to impersonate internal IT or support teams, contacting employees directly and guiding them through fake “security checks” or login processes. Combined with personal information gathered from previous data breaches, these calls can feel highly convincing, making it much harder to distinguish a scam from a legitimate request.
For financial advisers, the risk is particularly high because attackers may impersonate clients and contact your firm directly. Without consistent verification processes, it only takes one conversation for a scammer to request password resets, update contact details, or bypass security controls. The danger isn’t just individual awareness — it’s whether everyone across the business applies the same level of scrutiny when handling calls.
Key takeaways:
- Treat phone calls with the same caution as emails.
- Always verify requests using known contact details, never rely on how convincing a caller sounds, and ensure consistent security checks are followed across the business.
- Attackers are now exploiting conversations, not just systems, and a strong, consistent approach is the best way to stop them.
When trusted software turns against you – supply chain compromises
We’ve seen several widely used software component compromises recently (Axios, Trivy, and LiteLLM), showing how cybercriminals are increasingly targeting trusted tools rather than individual firms. In these cases, attackers gain access to developer credentials and use them to publish malicious updates to legitimate software packages. Because the updates come from a trusted source, organisations that relied on them unknowingly installed the compromised versions into their systems. This type of attack, known as a supply chain attack, is particularly dangerous because it bypasses traditional security checks. Instead of tricking users directly, it exploits the trust placed in established software providers.
The same tactic is being seen elsewhere, including with browser extensions. Attackers are purchasing legitimate extensions or taking over developer accounts, then pushing malicious updates to users who already have the extension installed. From the user’s perspective, nothing appears unusual — and the tool they’ve always trusted simply updates in the background. But behind the scenes, it may begin capturing login credentials, monitoring activity, or accessing sensitive data.
Key takeaways:
- Cyber risk can come from the tools and providers you rely on every day.
- To mitigate risk and help protect client data, ensure supplier due diligence and ongoing monitoring, limit the number of applications and extensions in use, and ensure proper controls are in place, such as restricting unapproved software and monitoring unusual behaviour.
- Strong password practices and multi-factor authentication are critical, as compromised credentials are often the starting point for these attacks.
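The control that catches a malicious republish of a trusted package is to pin not only the version but the cryptographic hash of the approved artifact, so that a package with the same name and version but different bytes is refused before it is installed. The script below is an added example written for this article, not code from any of the projects named above: it parses a small lockfile in the pip requirements style, with exact version pins and sha256 digests, and classifies fetched artifacts as approved, tampered, silently updated, or not on the allowlist. The package names, lockfile lines and artifact bytes are all constructed for the example.

```python
"""Verify fetched package artifacts against a hash-pinned lockfile (added example)."""
import hashlib
import re
from typing import Dict, List, Set, Tuple

# Constructed sample artifacts. The bytes stand in for the package archive; in
# practice you would hash the .whl / .tar.gz file that the installer fetched.
GOOD_HTTP = b"example-http 1.2.3 genuine release"
TAMPERED_HTTP = b"example-http 1.2.3 genuine release + injected credential stealer"
GOOD_YAML = b"example-yaml 0.9.0 genuine release"


def sha256_hex(data: bytes) -> str:
    """Digest of an artifact, the value a lockfile pins."""
    return hashlib.sha256(data).hexdigest()


# Constructed lockfile: each line pins an exact version and one or more sha256
# digests of the artifact that was reviewed and approved.
LOCKFILE = "\n".join([
    "# approved dependencies (constructed for this example)",
    f"example-http==1.2.3 --hash=sha256:{sha256_hex(GOOD_HTTP)}",
    f"example-yaml==0.9.0 --hash=sha256:{sha256_hex(GOOD_YAML)}",
])

# A valid line is NAME==VERSION followed by at least one --hash=sha256:<hex>.
LINE_RE = re.compile(
    r"^\s*([A-Za-z0-9_.-]+)==(\S+)((?:\s+--hash=sha256:[0-9a-f]{64})+)\s*$"
)


def parse_lockfile(text: str) -> Dict[str, Tuple[str, Set[str]]]:
    """Return {package: (pinned_version, {allowed sha256 digests})}.

    Any line without an exact pin and a hash is rejected outright: a loose
    range such as 'pkg>=1.0' would let an unreviewed update through.
    """
    pins: Dict[str, Tuple[str, Set[str]]] = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        match = LINE_RE.match(line)
        if not match:
            raise ValueError(f"unpinned or malformed lockfile line: {line!r}")
        name, version, hash_part = match.group(1).lower(), match.group(2), match.group(3)
        digests = set(re.findall(r"sha256:([0-9a-f]{64})", hash_part))
        pins[name] = (version, digests)
    return pins


def verify_artifact(pins: Dict[str, Tuple[str, Set[str]]],
                    name: str, version: str, data: bytes) -> str:
    """Classify a fetched artifact before it is installed."""
    entry = pins.get(name.lower())
    if entry is None:
        return "not-pinned"        # not on the allowlist: unapproved software
    pinned_version, digests = entry
    if version != pinned_version:
        return "version-drift"     # an update arrived that nobody reviewed
    if sha256_hex(data) not in digests:
        return "hash-mismatch"     # same version string, different bytes
    return "ok"


def verify_all(pins: Dict[str, Tuple[str, Set[str]]],
               fetched: List[Tuple[str, str, bytes]]) -> List[Tuple[str, str]]:
    """Run the check over every fetched artifact; only 'ok' items may install."""
    return [(name, verify_artifact(pins, name, version, data))
            for name, version, data in fetched]


if __name__ == "__main__":
    pins = parse_lockfile(LOCKFILE)
    fetched = [
        ("example-http", "1.2.3", GOOD_HTTP),
        ("example-http", "1.2.3", TAMPERED_HTTP),   # republished with extra code
        ("example-http", "1.2.4", GOOD_HTTP),       # unreviewed version bump
        ("example-extra", "1.0.0", b"unknown"),     # never approved
    ]
    for name, status in verify_all(pins, fetched):
        print(f"{name:14} {status}")
```

The useful property is that all three failure modes the article describes are caught by different checks: a republished artifact with the same version fails the hash, a pushed new version fails the pin, and a package nobody approved is absent from the lockfile entirely. Real installers offer the same behaviour (pip's `--require-hashes` mode reads lines in exactly this format), so the script is a model of the control rather than a replacement for it.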
When legitimate emails become the scam – call-back phishing
Recent campaigns have shown attackers manipulating legitimate website alerting features to send phishing emails generated from genuine and trusted company platforms, with attacker-controlled content embedded inside. This means the email passes the usual security checks and spam filters and appears completely authentic to the recipient.
In one example, emails were sent from the email.apple.com domain, notifying people of an iPhone purchase via PayPal. The emails look real because they are generated by a trusted platform — in this case, Apple’s email notification system.
In another example, cybercriminals exploited Microsoft’s Azure alerting service to send emails that looked like genuine security or billing notifications warning of unauthorised changes.
These emails rely on the victim calling the number provided to investigate the issue. Once the victim is through to the scammer, the scammer will attempt to steal payment information or gain remote access to the victim’s device.
Key takeaways:
- Treat emails that push urgency with scepticism, even if they come from a trusted sender.
- Even emails from well-known brands can be part of a scam if the underlying feature has been abused.
- Slow down when you see urgent messages about payments, invoices, or account activity, especially those prompting you to call a number or act quickly.
- Always verify requests by going directly to the official website or using a known contact method, rather than relying on the information provided in the message.
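Because a call-back phishing email genuinely originates from the brand’s own notification platform, sender checks such as SPF and DKIM pass and cannot be the deciding signal; the attacker-controlled part is the text inside the notification. A triage rule therefore has to look at content: a phone number, a prompt to call it, urgency, and a payment or billing theme. The script below is an added illustration written for this article, not a filter from Apple, Microsoft, PayPal or any vendor; the sample emails and the keyword lists are constructed, and the scoring thresholds are assumptions chosen for the example.

```python
"""Content-based triage for call-back phishing emails (added example)."""
import re
from typing import Dict, List, Tuple

# Heuristic vocab, constructed for the example; tune to your own mail traffic.
URGENCY_TERMS = ("immediately", "within 24 hours", "urgent", "suspended",
                 "unauthorised", "unauthorized", "will be charged")
MONEY_TERMS = ("purchase", "invoice", "payment", "billing", "charged", "refund")
# Loose phone-number shape: a digit, 8+ digits/separators, a closing digit.
PHONE_RE = re.compile(r"\+?\d[\d\s().-]{8,}\d")
CALL_RE = re.compile(r"\b(call|phone|dial|ring)\b")


def triage_email(sender: str, subject: str, body: str) -> Dict[str, object]:
    """Score one email on call-back phishing signals, ignoring sender trust.

    The sender is reported for context only. Lowering the score because the
    domain is reputable would reproduce exactly the blind spot being abused.
    """
    text = f"{subject}\n{body}".lower()
    reasons: List[str] = []
    phones = [p.strip() for p in PHONE_RE.findall(body)]
    if phones:
        reasons.append(f"phone number in message body: {phones[0]}")
    if any(term in text for term in URGENCY_TERMS):
        reasons.append("urgency language")
    if any(term in text for term in MONEY_TERMS):
        reasons.append("payment or billing theme")
    if phones and CALL_RE.search(text):
        reasons.append("asks the recipient to call a number")
    score = len(reasons)
    # Assumed threshold: three or more signals routes the mail to verification.
    verdict = "verify-via-known-contact" if score >= 3 else "low-risk"
    return {"sender": sender, "score": score, "reasons": reasons, "verdict": verdict}


# Constructed samples modelled on the themes described above (not real emails).
SAMPLES: List[Tuple[str, str, str]] = [
    ("notifications@example-store.test", "Your order confirmation",
     "Thank you for your purchase of a smartphone for $1,199.00 via an online "
     "wallet. If you did not authorise this transaction, call +1 (555) 010-0199 "
     "within 24 hours to cancel."),
    ("alerts@example-cloud.test", "Security alert",
     "Unauthorised changes were detected on your subscription. Call "
     "0800 555 0199 immediately to secure your account."),
    ("statements@example-adviser.test", "Your March statement",
     "Your statement for March is now available in the secure client portal. "
     "No action is required."),
]


def triage_all(samples: List[Tuple[str, str, str]]) -> List[Dict[str, object]]:
    return [triage_email(*s) for s in samples]


if __name__ == "__main__":
    for result in triage_all(SAMPLES):
        print(f"{result['verdict']:26} score={result['score']} "
              f"from={result['sender']}")
        for reason in result["reasons"]:
            print(f"    - {reason}")
```

Legitimate billing emails do carry phone numbers, so this rule will flag some genuine messages; that is acceptable because the action it triggers is the one the takeaways already recommend, contacting the company through a number or website you already know rather than the one in the message, not blocking the mail.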
This article is for financial professionals only. Any information contained within is of a general nature and should not be construed as a form of personal recommendation or financial advice. Nor is the information to be considered an offer or solicitation to deal in any financial instrument or to engage in any investment service or activity.
Parmenion accepts no duty of care or liability for loss arising from any person acting, or refraining from acting, as a result of any information contained within this article. All investment carries risk. The value of investments, and the income from them, can go down as well as up and investors may get back less than they put in. Past performance is not a reliable indicator of future returns.