When most people think about cyber-attacks, they think of attacks on huge companies, like the breach of Facebook or the ransomware attempt on Apple. For obvious reasons these are the ones that grab headlines; however, they are not the only type of company under attack.
Asset and Wealth Management (AWM) companies have recently found themselves in the crosshairs of cybercriminals, but what makes them such appealing targets? We can summarise everything they hold into a few categories – Data, Wealth, or Intellectual Property (IP). Banking institutions hold very similar data, normally on a much larger scale. So, what makes AWM companies unique? It’s widely viewed that they don’t traditionally have resilient cyber security when compared to the banking institutions, and are therefore deemed easier targets for hacking.
What types of attacks should we be on the lookout for?
In short, all of them, but I have listed a couple of the most popular attacks seen in AWM companies in 2020:
- Payroll Scams – These can happen in a company of any size. However, they are most successful in small to medium-sized companies, where out-of-the-box HR systems are more common. The scam involves an email being sent to the HR/Payroll department (or person) asking to change the account into which an employee’s wages are paid.
This is normally done using a spoofed email address – spoofing being the process of making an email address appear under a different name. There have also been cases where the email was sent directly from the employee’s own mailbox, after the employee’s username and password had been harvested and used to send these payroll requests.
- Spearphishing attacks – These are a lot like ‘phishing’ attacks – phishing being the process of faking the source of an email in an attempt to have the user interact with links and attachments. Spearphishing is just more targeted and can look a lot more convincing if done correctly.
This is normally an email that looks to be sent from an Executive of the company requesting a transfer of money or some sort of payment to be made. Cybercriminals will research who the Executives are within the company, then target those most likely to make a payment on behalf of the Executive. Most of the time this can be done without any access to internal systems, using publicly available information on LinkedIn, Companies House and other platforms.
Simplify, as a rapidly growing AWM consultancy, recently had a minor attack of this nature – an email was sent, appearing to be from one of our Directors, requesting that a payment be made by an employee. The cybercriminal had managed to research the person in our team most likely to receive this type of request from our Director. Thankfully, the employee who received this email had been diligently trained on spotting suspicious emails and immediately reported it. This quickly revealed it as a Spearphishing attempt. The email was quarantined, and the sender blocked from sending any further emails to our business. So, it just shows it can happen to any business of any size!
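The executive-impersonation pattern described above can also be checked automatically when mail arrives. The following Python check is an added example, not code from Simplify: it flags a message whose display name matches a protected executive while the address is external, and a Reply-To that points at a different domain. The domain `example-awm.test`, the executive names and the sample messages are constructed assumptions.

```python
import email
import re
from email.utils import parseaddr

# Assumed values for illustration: replace with your own domains and executives.
INTERNAL_DOMAINS = {"example-awm.test"}
PROTECTED_NAMES = {"jane director", "sam partner"}

def _norm(name):
    """Lower-case a display name and collapse punctuation and whitespace."""
    return " ".join(re.sub(r"[^a-z ]", " ", name.lower()).split())

def _domain(addr):
    """Return the lower-cased domain part of an address ('' if none)."""
    return addr.rpartition("@")[2].lower()

def impersonation_findings(raw_message):
    """Return the reasons a message looks like executive impersonation."""
    msg = email.message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    findings = []
    # An executive's name shown on an address outside the organisation.
    if _domain(addr) not in INTERNAL_DOMAINS and _norm(name) in PROTECTED_NAMES:
        findings.append("executive display name on external address")
    # Replies silently routed to a different domain than the visible sender.
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and _domain(reply_addr) != _domain(addr):
        findings.append("Reply-To domain differs from From domain")
    return findings

# Constructed sample messages (not real traffic).
SPOOFED = ('From: "Jane Director" <jane.director@freemail.test>\n'
           "Reply-To: accounts@payments-desk.test\n"
           "To: finance@example-awm.test\nSubject: Urgent payment\n\nPlease pay today.\n")
GENUINE = ("From: Jane Director <jane.director@example-awm.test>\n"
           "To: finance@example-awm.test\nSubject: Board pack\n\nAttached.\n")
SUPPLIER = ("From: Alex Supplier <alex@supplier.test>\n"
            "To: finance@example-awm.test\nSubject: Invoice\n\nAttached.\n")

if __name__ == "__main__":
    for label, raw in [("spoofed", SPOOFED), ("genuine", GENUINE), ("supplier", SUPPLIER)]:
        print(label, impersonation_findings(raw))
```

This check only covers look-alike external senders; it does not catch a request sent from a genuinely compromised internal mailbox, and forged use of your own domain in the From header is what SPF, DKIM and DMARC enforcement addresses.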
What else can you do?
The importance of Cybersecurity will only ever grow – for as fast as we as businesses put measures in place to stop attacks, there are cybercriminals working to find ways around our safeguards. It is not all doom and gloom, though! There are basic steps that AWM companies can take to help reduce the risk of successful attacks.
The single thing believed to have the biggest impact is introducing two-factor authentication. Two-factor authentication is a sign-in process that requires two different authorisation methods when a new sign-in is attempted. Most commonly, it is a normal password followed by a one-time unique code that is sent to the user at the time of sign-in. Microsoft estimates this one fix would stop 99.9% of all direct attacks on accounts, so it really is worth looking into properly for your business.
My advice here is simple – if you offer an online platform to clients or to your adviser network, have and enforce two-factor authentication. It can save you from reputational damage and the cost associated with compensating customers too, particularly if it is a wider, more publicised scam!