Keeping your business safe

When you receive a call from a client, you should always check they are who they say they are (even if you think you recognise their voice). In addition to asking them to confirm personal information such as their full address and date of birth, it’s also a good idea to ask the client a question that only they will know the answer to.

Fraudsters are known to impersonate clients through email. This may be by gaining control of the client’s email account through hacking. Fake emails can instruct firms to sell client holdings and pay the proceeds into bogus bank accounts. We strongly recommend that firms do not act solely upon an instruction received by email, even if the email address is familiar. Always call the customer using a registered contact number and verify their identity before confirming the instruction.

Paying close attention to all the content within a client email or letter is a very good way to spot fraud (such as reviewing the whole email chain). Criminals often make mistakes, have limited understanding of an account or make requests which are uncharacteristic of the client. Please consider:

• Whether the instruction is in keeping with your client’s usual behaviour. For example, a withdrawal may be out of line with their long-term goals and objectives
• Poor spelling and grammar, language and the tone of any email or letter
• Consider whether the email or letter is your client’s usual method of communication
• Any inaccuracies, mistakes or inconsistencies
• Overly persistent requests or the setting of unrealistic timescales.

You should only use original documents to check a client’s bank account details. You should never, for instance, rely upon documentation supplied electronically (e.g. an online bank statement sent by email).

Particular vigilance is required if a client notifies you of a change to their bank account details through an email. Fraudsters may control a client’s email account and often provide fake documentation to back up such a request – like a bank statement or a paying in slip. It’s always wise to double check the details with the client personally (and not by responding to the email).

You should also confirm any changes of personal information with the client, such as addresses, phone numbers and email accounts using established contact details (for example, a change in phone number should be confirmed in writing to the client’s registered address).

We strongly advise against sending pre-populated withdrawal forms and other documentation by email. You should aim to strike the right balance between providing good customer service and protecting your clients from fraud.

Cyber-attacks and hacking are commonly directed at advice firms. Typically, they will target personal computers and laptops containing customer data. Their goal is to commit fraud and exploit vulnerabilities where anti-virus and firewall software has not been kept up to date. Data should also be regularly backed up to a secure location.

Your firm’s computer systems and PCs will typically include client and other important data which is very valuable to fraudsters and other criminals. Passwords are a standard way of protecting this information but unfortunately hackers use a number of common techniques to break these safeguards. Many use easily available software, for example, to crack security passwords.

Maintaining strong passwords is therefore vital if criminals are to be thwarted. They may sound obvious, but adhering to the following rules can help enormously:

• Use at least ten characters of mixed lower case and upper case letters, numbers and special characters for your passwords. You should mix the numbers up with the other characters, avoiding stringing them all out together at the beginning or end of a password
• Use different passwords for each different online account
• Never tell anyone your own personal passwords or leave them written on a post-it note or slip of paper
• Never leave your device unattended and logged-in
• Never enter a password when using an unsecured public Wi-Fi connection or into a public or shared computer (like those in internet cafés or at the library)
• Change passwords regularly and don’t ever reuse a password or base a new password closely on an old one.

If you suspect fraudulent activity is taking place on an account, you should alert all associated parties as soon as possible to protect the client’s investments. If you believe a FundsNetwork account has been compromised or may be at risk, please call us as soon as possible on 0800 358 7717.

You should also report suspicious activity to Action Fraud, the UK’s national fraud and cybercrime reporting centre: actionfraud.police.uk ^†

Criminals are coming up with new ways to target you and your clients all the time. Forewarned is forearmed and so it’s important to regularly check the latest information published by a range of anti-fraud organisations (the details of some helpful websites are shown in the guide below).

In a busy office environment, security can often be overlooked or appear to be the responsibility of someone else. This can be particularly so if you work in a relatively small firm or if fraud has not impacted your company before. Appointing someone to be responsible for fraud prevention within your firm can be a great way to ensure your processes and procedures are fit for purpose. They can also ensure that all staff are aware of their responsibilities for protecting clients from fraud and are familiar with common threats and risks.

New bank details may be provided with a request to send funds to this account. In many cases, the new bank is nowhere near where the client lives – it may be in Manchester, for instance, while the client lives in Kent. You should always confirm the details of a bank account change with the client personally (and not by responding to an email).

A withdrawal request may be out of line with the client’s long-term goals and objectives or exceeds the value of funds within the client’s account.

The choice of wrapper for a withdrawal seems odd: fraudsters often seem to favour a partial withdrawal from only one wrapper, typically selecting the largest by value.

Funds are requested in a hurry or within an unrealistic timeframe. The demand may be persistent.

A request is made for a form to be emailed out pre-populated with sensitive data (for example, a withdrawal form containing the client’s bank details).

There is a reluctance to communicate other than by email, and there will always be some reason why the client cannot be contacted by phone.

The communication from the client may be unusually short or blunt even when there is a longstanding relationship.

The email or letter may contain terms not usually used by the client

Spelling may be poor, there may be a mix of lowercase letters where uppercase should be used, or there may be other grammatical errors within the body of the email or letter.

The client ignores questions sent with a view to clarifying or verifying a request.

The stated time of the email may be different to GMT, suggesting the sender is not in the UK. These settings can be altered and so should not be relied upon, but apparent time differences are certainly a red flag to look out for.

Supporting documentation contains suspicious entries or just doesn’t look right. For example, transactions on a bank statement are not in keeping with your knowledge of the client. Statements may also be presented where the colours or type face are incorrect.