Why you need to be aware of cybercrime in lockdown
Staying safe under the current pandemic crisis is about more than taking precautions to safeguard our physical health, writes Anthony Rafferty; it is also about protecting against threats to our financial health.
Sadly, while the effects of the crisis have brought out the best in people – key workers in hospitals bravely continuing to work knowing they are coming into contact with Coronavirus, which has taken the lives of colleagues, for example – it has also highlighted the worst in the human race as criminals have significantly increased their attempts to steal cash and savings from people at a time when they are more vulnerable.
At the start of the year, I was asked what I thought would be one of the top concerns for financial services businesses in 2020 and cybercrime was among them, as organisations that manage highly confidential data, such as pension details and personal financial information, are becoming a top target for hackers.
Scamming was already a problem for our industry prior to the coronavirus pandemic, but attempts by criminals to trick people into giving away personal and financial information, or to scam them with fake pension and investment schemes, have reportedly increased significantly in the past two to three months, preying on people who have seen their investments and pension income impacted and who are financially vulnerable.
This threat has been addressed by nationwide awareness-raising campaigns run by the Financial Conduct Authority (FCA) and The Pensions Regulator (TPR) – itself reportedly the target of over 300,000 cyber-attacks in 2019.
With huge numbers of financial services staff now working from home, the vulnerability of companies has increased too. A high-profile example was security weaknesses in the video conferencing system Zoom, which were highlighted by the government's National Cyber Security Centre and the Information Commissioner's Office.
Recent news items highlight the issue consumers face. The first, issued on 6 May, reported that, since 23rd March, HM Revenue & Customs had formally asked Internet Service Providers (ISPs) to remove 292 scam web addresses exploiting the coronavirus outbreak, according to data obtained under a Freedom of Information (FOI) Act request by Griffin Law.
This followed on from a warning two weeks beforehand of a scam email letter purporting to be from Jim Harra, First Permanent Secretary and Chief Executive of HMRC, relating to the government's Coronavirus Job Retention Scheme, which requested business owners to hand over bank account details.
The Investment Association has also warned that investment management firms have seen "a noted increase in this criminal activity", including in particular an increase in phishing emails and smishing texts.
Equally worrying is recent research carried out by AJ Bell, which revealed that one-in-eight (16%) people under 55 with a pension would consider an offer to access their fund early to help get them through the Covid-19 crisis and almost one-in-10 (8%) people would still consider accepting a call from someone they don't know about their retirement pot, despite the Government implementing a ban on pensions cold-calling.
Clearly, as an industry we have an issue. While we cannot control the actions of individual clients, we can and do take every precaution to keep their data safe within our walls.
It is the passing of information, which can be personal and confidential in nature, between a client and their financial adviser, platform or provider – that is, where the information moves outside a company's security systems – that can be the weak point cybercriminals exploit.
Quite often sensitive information – bank details, medical records, authorisations, etc. – is emailed within the body of an email or in an attachment.
Email is the most ubiquitous and most comfortable messaging system that we all use as businesses and individuals, yet sending an email is like sending a postcard through the post – it can be easily read and altered. We hear too many stories about emails being intercepted and data stolen and then used to commit cybercrime.
Personal data accessed in this way can be used to scam payments and commit identity fraud, send false invoices, request passwords and carry out malware attacks, as a few examples.
We recognise that companies and, importantly, their staff are becoming more aware of their regulatory and compliance obligations, particularly under GDPR and MiFID II. In this regulatory environment, an area that needs greater attention is email security, which in any organisation is vital to reduce business risk and build trust with clients.
With firms able to be fined heavily for data breaches, and as cybercriminals become ever more sophisticated in their methods, we believe protecting client data will be an even greater focus for financial services companies in the years ahead, in particular as an issue spotlighted by the current crisis, with businesses of all sizes looking to better protect themselves and their communications.
Anthony Rafferty is managing director at Origo