Mark Hopcroft examines the rise of identity fraud and outlines some measures advisory firms can take to keep their businesses and clients safe
For most of us, receiving yet another spam email warning us our bank account is about to be shut down or that we urgently need to verify our email password has become an irksome, if now unremarkable, fact of online life. But what you or I may receive unsolicited in our inboxes is the tip of the iceberg in a global crime wave.
Identity fraud, where criminals assume someone else's identity or concoct a fake one to open accounts or make unauthorised transactions and purchases, now accounts for two-fifths (41%) of all fraud in the UK.
As UK fraud prevention body Cifas points out, ID crimes are rarely committed by individuals working in isolation but rather by cyber-criminals operating on an industrial scale to set up spoof websites, conduct phishing attacks, resell data on criminal forums and intercept mail to obtain goods or bank cards. Even so, one person working alone can still wreak damage.
People aged between 40 and 60 may remain the most commonly targeted group for identity fraud, according to Cifas, but the group that has seen the most consistent year-on-year rise is young adults aged 21 to 30 - a fact that reflects their high online usage.
Conducting finances on mobile devices is making consumers particularly vulnerable to attack. According to Equifax research from 2012, one-third of people fail to log out of online banking on their mobile phone and 42% fail to clear their browser history, making personal information easy to access if a device is stolen.
Incredibly, one in five people store passwords, pin numbers, credit card and bank account details on their phone, and 45% of people fail to password-protect their phone, making phones the perfect target for capturing personal information. Wi-fi hotspots have equally become notorious as a means to harvest log-in information.
Developments in biometric security, including not only facial recognition but voice prints and finger vein patterns - which are harder to fake than finger prints, apparently - should make life harder for fraudsters in the future. Cifas reports that cases of hacking into bank accounts have fallen in recent years, thanks to banks stepping up their security procedures.
That said, this also means scammers are swiftly turning their attention to other means of securing personal information in order to impersonate and gain access to individuals' financial arrangements.
Phishing involves attempting to extract personal details and/or providing a malicious link that will install malware on the victim's computer. In the year to November 2015, 95,556 phishing scams were reported to Action Fraud, the UK's national fraud and cyber-crime reporting centre - a 21% rise over the same period in 2014.
According to Action Fraud, the 10 most popular ways to disguise attacks are:
* BT account update
* iTunes invoice
* HMRC tax refund offer
* Tesco vouchers and Apple ID
* Document attachment
* False invoice
* Itinerary attachment
* Suspended credit card account alert
* Suspended bank account alert
* Sky services upgrade
Concern for advisory firms
While identity fraud may be largely associated with banks and other loan and credit card providers, it is an increasing concern for wealth management and advisory firms. Given that the balances held in pensions and investment portfolios may be substantially higher than in the average bank account, pension and investment account data is highly saleable. The pension freedoms introduced last year have also triggered a sharp rise in criminals encouraging investors to hand over their pension funds.
So how can advisory firms keep themselves and their clients safe? First up, you need to be prepared to invest in the right resources. Fraudsters are interested in picking off the low-hanging fruit first. By taking the time to make your processes and procedures that bit more robust than your peers, you can deter scammers from focusing on your firm first.
So regularly update firewall, anti-spyware, anti-virus and browser security - doing this can remove up to 80% of cyber threats right away, according to Cifas - and seek advice on the best verification procedures for clients. Hold data security training for employees. Make your tough security procedures a selling point to your clients. Other important measures include:
* Encourage good password hygiene: The most common form of attack comes from extracting a client's log-in details. Urge clients and employees to use unique passwords that combine letters, numbers and symbols, aiming for a minimum of 10 characters. Update passwords regularly. Make it clear to clients you will never ask for their full password by email or phone. Introducing two-step online verification procedures will immediately make your website less appealing to scammers than sites that use a single password.
* Encourage clients to verify who you are: Regularly remind clients never to provide confidential information over the phone to your firm unless they are certain who the caller is. Where possible, provide them with named contacts at your firm and a means by which they can verify the caller's identity. If a client calls the firm, have a system to confirm their identity. Be particularly mindful of who is answering client calls in the summer months, as scammers know that temporary staff may be covering holiday leave. Make clear to clients you will never ask for personal information by text.
* Don't use a webmail domain for firm email: Webmail such as gmail.com and btconnect.com are more vulnerable as clients may not notice when someone with the same domain claims to be from your firm. The ease of email interceptions has led many experts to advise against sending any information that could be used for identity fraud, including client fact-finds and portfolio reports.
* Have a document disposal protocol: Shred all old documents that contain personal client details or hire a reputable document disposal firm to do it for you.
* Conduct regular malware searches: Breaches rarely come to light immediately. Hackers may use software that sits inside a system for months or even years to capture data that can then be used or sold on. Where systems are linked to other companies, hackers may use these third parties to find a route into yours, so regularly sweep IT systems for anything suspicious.
Rules on reporting data breaches are to be tightened up in 2017 under the European Union's new Data Protection Regulation. But currently it is suspected that hacking within wealth management and asset management is heavily under-reported - not simply because of firms seeking to protect their reputation but also because breaches, and their impact, can sometimes be so hard to detect if a genuine log-in has been used.
The big challenge of identity fraud is how persistent and adaptable scammers can be - for example, as consumers have got used to receiving phishing emails, so cyber-criminals have turned to social media links and app provider messages to be more plausible to their victims.
This is one reason why fighting identity fraud has to be seen as an ongoing business procedure not a one-off task. So long as there are rich pickings, this is a battle that is not going to go away anytime soon. But with a robust process, and by keeping both your employees and clients alert to potential pitfalls, you can sharply reduce your firm's chances of being a victim.
Mark Hopcroft is head of institutional distribution and business partnerships at Cofunds
The chairman worries about finance getting in touch with its feelings
Cost of acquisition: £31m
Greg Camm temporary replacement
Plan ahead … do not rush
Adviser use of social media on the up