Taking care of how you store your credentials, and of who is granted access to your data, plays a significant role in protecting your own information, your firm's and your clients'.
Rather than attempting to defeat multiple layers of technical security, attackers often use social engineering – tactics designed to trick, pressure, or manipulate individuals into granting access.
These techniques rely on urgency, trust, familiarity, or simple fatigue to bypass security controls that would otherwise be effective.
'You'll never need to work again:' A real-world insider threat.
A recent BBC report highlights just how far these tactics have evolved. In this case, a journalist was contacted and offered a cash payment in exchange for login credentials and security codes that would grant access to the BBC’s internal network. The attackers planned to use that access to extort the organisation for a ransom paid in bitcoin. Read the full story on the BBC site.
Why passwords and credentials matter so much
Your passwords, security codes, and login approvals are the keys to your digital identity. To a cybercriminal, stealing them is just as valuable as breaching a firewall or exploiting a technical vulnerability, and often far easier. With a single set of stolen credentials, an attacker may be able to:
- Access client or firm data
- Move across internal systems undetected
- Authorise fraudulent transactions
- Disrupt business operations or demand ransom
This is why cybercriminals increasingly focus their efforts on people, not just technology. No matter how strong an organisation’s security controls are, access still depends on human decisions – and that makes credentials a high‑value prize and you a target!
How can your credentials be compromised?
Helpdesk imitation scams
Scammers may call you and pretend to be part of your firm's IT helpdesk or support team. They often claim there is an urgent issue with your device, account or access rights and offer to resolve it quickly. Their goal is to trick you into sharing passwords or one-time codes, granting remote access to your device, or disabling security features. A genuine helpdesk does not need your password or your one-time codes to fix an issue.
Impersonation of trusted organisations
Cybercriminals frequently pose as well‑known technology providers or service partners. These messages may look convincing and request action such as approving a sign‑in attempt or verifying your identity. Once approved, attackers can gain immediate access to accounts, often without triggering suspicion.
Phishing attempts
Phishing remains one of the most effective methods attackers use. You may receive an email or text message that appears to come from a legitimate or familiar organisation. It often asks you to click a link to verify your account, but the link leads to a fake website designed to capture the credentials and personal information you enter. The visible text of a link can say anything; only the address it actually points to tells you where you will end up.
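The "hover over the link to see where it really goes" check can be automated for an HTML message. The example below is added here and is not code from the original page: it parses the anchors in a constructed sample email and flags any link whose visible text names a host that the real `href` does not point to (the same host or a subdomain of it). The domains `example.com` and `attacker.test` are placeholders, and the subdomain test is a deliberate simplification that does not consult a public-suffix list or handle look-alike (homoglyph) characters.

```python
"""Flag links in an HTML email whose visible text claims a different site
than the href actually points to.

Added example, not from the original page. SAMPLE_EMAIL is constructed;
example.com and attacker.test are placeholder domains.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message. The first link shows a trustworthy-looking
# address but points at a host under attacker.test; the other two are benign.
SAMPLE_EMAIL = """\
<p>Your account needs verification.</p>
<a href="https://secure.example.com.account-verify.attacker.test/login">https://secure.example.com/login</a>
<p>Or visit our <a href="https://help.example.com/contact">help centre</a>.</p>
<p>Main site: <a href="https://www.example.com">example.com</a></p>
"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def hostname(url_or_domain):
    """Lower-cased hostname of a URL; also accepts a bare domain like 'example.com'."""
    if "://" not in url_or_domain:
        url_or_domain = "http://" + url_or_domain
    return (urlparse(url_or_domain).hostname or "").lower()


# Visible text that looks like a URL or a bare domain (a claim about the host).
DOMAIN_LIKE = re.compile(r"^(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?$", re.IGNORECASE)


def suspicious_links(html):
    """Return (visible_text, href) for each link whose displayed host differs
    from the real destination. Link text that is not domain-like ("help centre")
    makes no claim and is skipped. Simplification (assumption): a destination is
    accepted if it is the shown host or a subdomain of it; no public-suffix list."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        if not DOMAIN_LIKE.match(text):
            continue
        shown, actual = hostname(text), hostname(href)
        if shown and actual and actual != shown and not actual.endswith("." + shown):
            findings.append((text, href))
    return findings


if __name__ == "__main__":
    for text, href in suspicious_links(SAMPLE_EMAIL):
        print(f"MISMATCH: shows {text!r} but goes to {href!r}")
```

Running the block prints one mismatch for the first link and nothing for the other two; `example.com` shown against a `www.example.com` destination is accepted because it is a subdomain of the host the text claims.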
MFA bombing
MFA (multi-factor authentication) is an important security control, but it can be abused. MFA bombing (also called push fatigue) occurs when scammers who have already obtained your password trigger login approval requests again and again, so that prompts arrive repeatedly on your phone, registered device or email. The aim is to wear you down until you approve one just to make the prompts stop, which gives the attacker access to your account. An approval prompt you did not start yourself is the clearest sign that something is wrong, however many times it appears.
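From the defender's side the pattern is visible in authentication logs: a burst of push prompts to one user, several denied or left to time out, and then an approval. The block below is an added example, not code from the original page or from any product: it runs that detection over constructed sample log lines in an assumed format (`<timestamp> <user> <event> <source ip>`) and raises an alert only when an approval follows at least `min_prompts` prompts and at least one rejection within the window, so a user who denies a single prompt and then approves the next one is not flagged.

```python
"""Detect an MFA-bombing (push-fatigue) pattern in authentication logs.

Added example, not from the original page. The log format is an assumption:
'<ISO-8601 timestamp> <user> <event> <source ip>' with events push_sent,
push_denied, push_timeout and push_approved.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real data). alice receives six prompts in three
# minutes, rejects or ignores five, then approves the sixth. bob denies one
# prompt and approves the next, which is normal behaviour.
SAMPLE_LOG = """\
2024-05-01T09:00:01Z alice push_sent 203.0.113.7
2024-05-01T09:00:04Z alice push_denied 203.0.113.7
2024-05-01T09:00:30Z alice push_sent 203.0.113.7
2024-05-01T09:00:35Z alice push_denied 203.0.113.7
2024-05-01T09:01:00Z alice push_sent 203.0.113.7
2024-05-01T09:01:40Z alice push_timeout 203.0.113.7
2024-05-01T09:01:50Z alice push_sent 203.0.113.7
2024-05-01T09:01:55Z alice push_denied 203.0.113.7
2024-05-01T09:02:20Z alice push_sent 203.0.113.7
2024-05-01T09:02:25Z alice push_denied 203.0.113.7
2024-05-01T09:03:00Z alice push_sent 203.0.113.7
2024-05-01T09:03:06Z alice push_approved 203.0.113.7
2024-05-01T09:10:00Z bob push_sent 198.51.100.4
2024-05-01T09:10:02Z bob push_denied 198.51.100.4
2024-05-01T09:10:30Z bob push_sent 198.51.100.4
2024-05-01T09:10:33Z bob push_approved 198.51.100.4
"""


def parse_line(line):
    """Split one log line into (timestamp, user, event, source_ip)."""
    ts, user, event, ip = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, event, ip


def find_mfa_bombing(log_text, window=timedelta(minutes=10), min_prompts=4):
    """Return one alert per approval that follows a burst of prompts.

    An alert fires when, within `window` before a push_approved event, the same
    user was sent at least `min_prompts` prompts and denied or let time out at
    least one of them. Thresholds are assumptions to be tuned per environment.
    """
    by_user = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ts, user, event, ip = parse_line(line)
            by_user[user].append((ts, event, ip))

    alerts = []
    for user, events in by_user.items():
        events.sort()
        for i, (ts, event, ip) in enumerate(events):
            if event != "push_approved":
                continue
            recent = [e for e in events[:i] if e[0] >= ts - window]
            prompts = sum(1 for e in recent if e[1] == "push_sent")
            rejections = sum(1 for e in recent if e[1] in ("push_denied", "push_timeout"))
            if prompts >= min_prompts and rejections >= 1:
                alerts.append({
                    "user": user,
                    "approved_at": ts.isoformat(),
                    "source_ip": ip,
                    "prompts_in_window": prompts,
                    "rejections_in_window": rejections,
                })
    return alerts


if __name__ == "__main__":
    for alert in find_mfa_bombing(SAMPLE_LOG):
        print(alert)
```

On the sample data this yields a single alert for alice (six prompts, five rejections, then an approval from the same source address) and nothing for bob. In practice the alert should be followed by revoking the session that was granted and resetting the password, since the prompts imply the attacker already holds it.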
Your vigilance makes a difference
Technology alone cannot prevent every attack. Human vigilance and your own actions play a big part in protecting your organisation, your clients and your own identity. Recognising unusual requests, slowing down under pressure, and questioning unexpected activity are all simple steps that keep you one step ahead of the criminals. Before responding to anything involving access, credentials, or authentication, pause and ask whether the request actually makes sense, then confirm it is genuine through a channel you already trust, such as calling the helpdesk back on its published number, rather than the contact details given in the message or call.
Fidelity is committed to protecting you and your clients. We keep your data and clients safe with continuous strategic investments in cybersecurity and fraud prevention.
The Do's and Don'ts for protecting access:

| Do | Don't |
|---|---|
| Use a long, strong, and unique password for each account. For more on this, check our guide Do your passwords pass the password test? | Input your credentials into unverified platforms - always check the tool or website is legitimate. |
| Enable Multi-Factor Authentication to add an extra layer of security to your accounts. | Share authentication codes unless you are the one who triggered the request. |
| Report any suspicious activity to your IT support. | Share details over the phone unless you have verified the caller's identity - don't be afraid to challenge a caller and check that they are who they say they are. |
| Use a recognised secure password manager to store your passwords safely. | Click on links in emails without checking where they lead - hover your cursor over the link to identify the true destination. |
Curious to know if your account details have been involved in a breach?
You can check the website haveibeenpwned to see whether your email address or a password has appeared in a known data breach, and subscribe to its notifications so you are alerted if your address turns up in a future breach. Any password that appears there should be changed everywhere it was used.