A guide to email security for financial services firms

The most vulnerable part of your firm’s IT infrastructure is not the servers and databases but your email platform. It can be used to gain access to the resources that ransomware attacks and other cybercrimes seek, and most financial services firms leave their email accounts surprisingly poorly defended.

Before you harden your email system against malicious actors, you need to understand the nature of the threats posed to you, and your options for addressing your system’s weaknesses. This overview will help you anticipate the most common types of cybercrime, understand the specific ways that malicious hackers attack your email system, and take practical action to shore up your firm’s defences.

Three ways that cybercriminals can harm your firm

Once they gain access to your network, criminals look for ways to make their work pay off. Here are the three most common ways they monetise their work.

Ransom
When criminals know that they have gained control over crucial data or functionality within a system, they can demand ransom fees capable of bankrupting a business or ruining its reputation. Ransomware attacks first encrypt data and applications, rendering them unusable. The attackers then demand a ransom to decrypt the data, often threatening to release it publicly if their demands are not met. Ransomware attacks are on the rise, and for good reason: in 2021, the average ransom paid for such attacks was more than £625,000.

Diversion of payments
Taking a more direct approach, some criminals simply divert payments to their own accounts. Whether your firm or a client falls prey to this sort of misdirection, you will bear substantial responsibility for the error, and your bank may not provide you the same recourse you would expect in the aftermath of other payment irregularities. Your relationship with the client in question will certainly be damaged, as will your broader reputation.

Spam attacks
Some computer viruses seek to steal money or data; others are designed to broaden or deepen a wider cyberattack. Spam attacks send contaminated emails to everyone in a user’s contact list, seeking to lure them into phishing schemes or to send more spam in turn, setting the stage for the next phase of an orchestrated cyberattack. Either way, spam sent from an email address in your network can seriously damage your relationship with clients.

How criminals attack the email platform of financial services firms

With preparation, none of these attacks need succeed in compromising your system’s security. But these four styles of cyberattack are so common that your firm will almost certainly be exposed to each. Here is what you can expect:

Phishing
Phishing refers to online fraud based on impersonation. It is the most effective form of cyberattack: in our tests, one in five employees were duped by simulated phishing attacks. A typical phishing attack starts with a phony login page or request for email credentials mimicking a legitimate vendor, supplier, or other business partner—or even the victim’s own company. Attackers then send emails or text messages to large groups of people in the hope that just a few will provide their credentials by attempting to log in to the phony site.

Hijacking
Phishing can give criminals the credentials they need to log into your account. Weak passwords can do the same. Once attackers have access to your email account, they can gain valuable information from your email history and impersonate you in highly authentic phishing campaigns.

Spoofing
Spoofing is a less sophisticated take on email hijacking. Where hijacking gives criminals full control over your email account, spoofing uses an external email account to send messages purportedly from you. A careless recipient might reveal authentication information or other valuable information that attackers can use later on.

Phony attachments
Files attached to email messages can contain malicious code that gathers information from the victim’s computer and accounts, typically as part of a wider effort to gain increasingly deeper access to the network. The emails to which they are attached typically urge recipients into quick action (“Missed your message” or “Overdue invoice” are common subject lines).

Ten ways for finance firms to guard against email-based cyberattacks

The threat of cybercrime is real, but you can take some practical and relatively easy steps to guard against it. Here are ten proven ways to increase your firm’s resilience to cybersecurity threats.

  • Invest in an enterprise-level email platform. Free email platforms are fine for personal use, but they do little to guard against the sorts of attacks faced by businesses. It may be time to invest in a more secure email provider.
  • Train your staff regularly. Human error is behind most security breaches endured by financial services firms. Be sure that your staff are up to date on the latest threats and what they can do to resist them.
  • Insist on good digital hygiene. When employees use their business email addresses for personal purposes, they expose the entire firm to risk. Public websites like Amazon and eBay are far less secure than your firm’s network, and we tend not to be as security-conscious when we use the web on our own time. These factors make it easy for criminals to steal email addresses, passwords, and other critical information.
  • Limit email access points. It may be convenient for some of your employees to access their work email accounts from home or on their personal phones, but these points of access should be authorised only as needed. By default, you should limit access to email to your firm’s own equipment, over which your IT staff has greater control.
  • Use strong passwords and multi-factor authentication. A password that can be easily memorised is likely not strong enough. Force employees to use strong, complex passwords and insist that they not reuse passwords from any of their other accounts. Multi-factor authentication, which confirms each login with a separate method such as a code sent to an employee’s phone, is an essential feature as well, especially for remote employees.
  • Configure strong email filters. Your email provider’s default settings are not enough to deliver the protection your firm needs. A security expert can configure your email filters to better ensure that harmful messages never reach your employees’ inboxes.
  • Integrate your antivirus, email, and browser products. Too many firms invest in antivirus solutions without considering how they interact with the browsers and email clients their employees use. These products can form a strong backstop for any problems your employees allow through, but only if you take the time to configure them to work together.
  • Stop spoofing at the domain level. By default, most email systems do not verify that a message claiming to come from your domain was actually sent by one of your authorised servers. Adding SPF, DMARC, or another email verification protocol to your domain’s configuration can shut the door on spoofing attacks.
  • Stop payment diversion by protecting payee details. Some information on your network is made to be changed frequently. Payee details are not. Any change to the information describing your payees should be subject to a multi-layered verification process.
  • Tighten up your security and alerting systems. A well-configured security system denies permissions and authorisations by default and grants them only as needed. It also provides detailed alerts to your firm’s IT personnel when suspicious activity occurs.
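The domain-level anti-spoofing point above in practice. The following is an added example, not code from the original article: DMARC builds on SPF and DKIM, so the script takes the TXT records a domain would publish at its root and at `_dmarc.<domain>` and reports the weaknesses that leave the domain open to simple spoofing (permissive `~all`/`+all`, a monitoring-only `p=none` policy, no reporting address, too many DNS lookups). The domain names `example-firm.test` and `weak.test`, the records and the function names are constructed for illustration; in practice you would fetch the records with a DNS TXT lookup and pass the strings to `assess_domain()`. DKIM selectors vary per sender and are not checked here.

```python
"""Offline SPF / DMARC checker (added example, not from the original article)."""
import re

# Constructed sample: strict SPF record and an enforcing DMARC policy.
GOOD_RECORDS = {
    "example-firm.test": [
        "v=spf1 include:_spf.example-mailhost.test ip4:203.0.113.10 -all",
    ],
    "_dmarc.example-firm.test": [
        "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example-firm.test; adkim=s; aspf=s",
    ],
}

# Constructed sample: what a domain typically looks like when a provider's
# defaults are accepted without review (softfail SPF, monitor-only DMARC).
WEAK_RECORDS = {
    "weak.test": ["v=spf1 include:_spf.example-mailhost.test ~all"],
    "_dmarc.weak.test": ["v=DMARC1; p=none"],
}

# SPF terms that cost a DNS lookup; RFC 7208 allows at most 10 per evaluation.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def parse_spf(record):
    """Return the list of mechanisms/modifiers in an SPF record, or None if not SPF."""
    parts = record.split()
    if not parts or parts[0].lower() != "v=spf1":
        return None
    return parts[1:]


def spf_all_qualifier(mechanisms):
    """Return the qualifier ('+', '-', '~' or '?') on the 'all' mechanism, or None if absent."""
    for mech in mechanisms:
        qualifier, name = (mech[0], mech[1:]) if mech[0] in "+-~?" else ("+", mech)
        if name.lower() == "all":
            return qualifier
    return None


def spf_lookup_count(mechanisms):
    """Count lookup-costing terms in this record only (included records are not followed)."""
    count = 0
    for mech in mechanisms:
        term = re.split(r"[:/=]", mech.lstrip("+-~?").lower(), 1)[0]
        if term in LOOKUP_TERMS:
            count += 1
    return count


def parse_dmarc(record):
    """Parse 'tag=value' pairs from a DMARC record into a dict, or None if not DMARC."""
    tags = {}
    for chunk in record.split(";"):
        if "=" in chunk:
            key, value = chunk.strip().split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        return None
    return tags


def assess_domain(domain, records):
    """Return a list of human-readable findings; an empty list means no issues found."""
    findings = []
    spf_records = [r for r in records.get(domain, []) if parse_spf(r) is not None]
    if not spf_records:
        findings.append("no SPF record: any server may claim to send mail for this domain")
    elif len(spf_records) > 1:
        findings.append("multiple SPF records: receivers treat this as a permanent error")
    else:
        mechanisms = parse_spf(spf_records[0])
        qualifier = spf_all_qualifier(mechanisms)
        if qualifier is None:
            findings.append("SPF has no 'all' mechanism: unlisted senders get a neutral result")
        elif qualifier != "-":
            findings.append(f"SPF 'all' mechanism is '{qualifier}all': unlisted senders are not rejected")
        if spf_lookup_count(mechanisms) > 10:
            findings.append("SPF exceeds 10 DNS lookups: receivers will return a permanent error")

    dmarc_records = [r for r in records.get(f"_dmarc.{domain}", []) if parse_dmarc(r)]
    if not dmarc_records:
        findings.append("no DMARC policy: receivers get no instruction when SPF/DKIM checks fail")
    else:
        tags = parse_dmarc(dmarc_records[0])
        policy = tags.get("p", "").lower()
        if policy not in ("quarantine", "reject"):
            findings.append(f"DMARC policy is 'p={policy or '(missing)'}': spoofed mail is monitored, not blocked")
        if "rua" not in tags:
            findings.append("DMARC has no 'rua' address: no aggregate reports will be received")
    return findings


if __name__ == "__main__":
    for name, recs in (("example-firm.test", GOOD_RECORDS), ("weak.test", WEAK_RECORDS)):
        print(name, "->", assess_domain(name, recs) or ["no issues found"])
```

Running the script prints no findings for `example-firm.test` and three for `weak.test`. The usual rollout order is to publish `p=none` with a `rua` address first, review the aggregate reports to confirm every legitimate sender passes SPF or DKIM, and only then move to `p=quarantine` and `p=reject`.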

This guide is just a starting point: your firm’s staffing levels, IT investments, and other business-specific factors also affect its vulnerability to cybercrime. Invest a bit of time in the steps described here, though, and you will give your firm its best chance of avoiding disaster.
