How a Hacked Financial Adviser in a Data Breach Could Get You Scammed Too!

Last year, IFA Magazine reported that over 42million people in the UK had their financial data compromised in a data breach in 2021 alone, and financial services and insurance firms accounted for over a quarter (28%) of all cyber-attacks in the UK in the last 12 months.

Two significant financial services data breaches reported in 2022 include:

• Mainspring – The custodian and fund administrator firm suffered a ransomware attack in July 2022 which allegedly targeted adviser and client personal information. The firm, with over £8m in assets under its management, could not clarify how much personal information was accessed by hackers.
• Sarasin & Partners – Clients of the fund management firm, Sarasin & Partners, were contacted in June 2022 and informed of a data breach relating to personal details (but not financial information). The firm did not release details of how the breach occurred.

In both breaches it was reported by the targeted firms that client financial information was not compromised, however, personal information was – this included email addresses, phone numbers and other identifying data. Coupled with adviser or firm details, this is the type of information shrewd scammers might be able to use to target individual clients by impersonating firm advisers.

Impersonation scams are a type of fraud where the scammer poses as a trusted adviser or individual with authority, such as a financial adviser, in order to convince a victim to hand over money or personal details.

Whether your financial services firm has been targeted by cyber-criminals or not, it is important to stay vigilant and be aware of the red flags when it comes to conversations about your finances.

Some things to consider to protect yourself from impersonation scams include:

• Fraudsters can make a phone number or email address appear genuine using number spoofing or adding extra letters to email addresses – always double-check the details of the person you are speaking to with the real firm or person in question.
• Never feel pressured into sending money from your bank account, if your ‘adviser’ calls out of the blue, ensure that you have done your due diligence before transferring any money.
• Never give anyone remote access to your computer, especially if they have called you unexpectedly.
• Reputable firms would never send a courier to collect money, bank cards, login details or valuable items in person.
•  ‘Safe accounts’ are never used by banks, and you should never be asked to transfer your money into one.

If a caller asks you to transfer money to another account, this is likely a case of Authorised Push Payment (APP) fraud in which victims are tricked into sending instantaneous money to scammers directly from their own bank account.

In the UK, banks have a duty to protect customers from APP fraud by monitoring accounts and identifying, blocking, or delaying unusual transactions as they happen. If your bank has not carried out its responsibilities with regard to APP fraud, resulting in you losing money, you may be able to escalate your complaint with an independent investigation.

Sarah Spruce, Head of TLW Solicitors’ specialist fraud claims team, said:

“Unfortunately, when IFAs or financial services firms are hacked, it is not just their information that becomes vulnerable, but that of every client they hold the details of. These hackers are getting hold of significant amounts of data that can be used to potentially scam unsuspecting individuals out of their life savings and retirement pots.

We would advise these clients to regularly update passwords and security features and ensure that they stay vigilant if ever their advisers appear to be contacting them out of the blue. However, if you do fall victim to an impersonation scam as a result of a data breach, and your bank is refusing to reimburse, we may be able to help you claim a refund.”