Email-based phishing attacks have skyrocketed since the global pandemic was declared.
Dominic Villeneuve, security and infrastructures director at UV Insurance, says he has seen a 677% increase in phishing campaigns worldwide since early 2020. “Phishing emails at UV Insurance skyrocketed by 300% during the same period. A huge increase in such a short time.”
Teleworking can lead to lax behaviours that hackers are quick to take advantage of. “The home is a more comfortable environment. People sometimes become less careful with the emails they receive,” Villeneuve says. Phishing emails are deliberately designed to deceive the recipients, he adds.
Hackers attempt to imitate the corporate emails they intercept, and use them to transmit malware to employees or customers via a link, he explains. Customers who click on the link unknowingly download a virus, and employees inadvertently let the hacker access the company’s IT system. Fraudsters can also insert links in PDF documents attached to an email, he explains.
Open air office
Diversico Finances humaines follows a decentralized business model. It switched to remote work five years ago. The company’s CEO, Daniel Guillemette, mistrusts emails.
“Once it’s sent out on the Internet, an email becomes accessible to the whole planet,” Guillemette says. “Its path is strewn with unsecured stations.” Before reaching its destination, it passes through more than one server and can be intercepted by a hacker, he says.
A password is not necessarily enough to limit access to an email or the PDF document it contains. Alan Hoffman, CEO of the online training platform CE-Credits.ca, recommends that advisors make sure that every password is robust.
Echoing tips from IT specialists, Hoffman shuns weak passwords. He points out that a hacker can decode an eight-character password in three seconds, and a 12-character password in one hour. “In contrast, it would take a hacker years to crack a 16-character password that includes uppercase letters, lowercase letters and special characters,” he explained in a recent webinar.
People nervous about having to remember a plethora of passwords can use password manager programs such as LastPass. McAfee, among other antivirus vendors, also offers such solutions.
Securing transit
With or without a password, an email is safe only if it passes from a sender to a recipient whose workstations are secure. Also, each of the parties must use the services of a supplier that provides email encryption, Dominic Villeneuve says. “When I send an email there are four actors involved in the transmission: my workstation, my email server, your email server and your workstation,” he explains.
Most of the large suppliers, such as Microsoft and Google, offer acceptable security systems. “Small suppliers do not all offer secure email,” he adds.
All the same, encryption is the best way to prevent clients’ confidential data from falling into the wrong hands. Transmission of an email to the Microsoft email server and its transfer to Google, for example, are encrypted by a secure Internet exchange protocol called Transport Layer Security (TLS), Villeneuve explains. If the email sender and recipient both use the most recent version of Microsoft Outlook 365, the two workstations are secure, and so is the exchange, he adds.
Customer relationship management (CRM) software like Equisoft/connect offers a messaging module that lets advisors send secure email, rather than letting the message float around in cyberspace, says François Levasseur, Senior Vice-President Canada at Equisoft. Levasseur is one of the founders of CRM Kronos Finance, which became Equisoft/connect after Equisoft acquired Kronos in 2018. “Advisors can insert a password and the email is encrypted,” Levasseur says. “Advisors who don’t have CRM can use other products like Dropbox or Google Drive, where clients can deposit documents. But it’s all a bit uneven in the sales process. It’s not smooth.”
Diversico has a secure exchange strategy. “Internally, we do not authorize our clients to send us confidential documents by email. We use the system of our subsidiary iGeny to send them a link. They receive an email with preprogrammed text, and click on the link that takes them to a webpage of a secure vault,” Diversico CEO Daniel Guillemette explains.
The large Internet suppliers that Dominic Villeneuve mentions exchange encrypted email on hard-to-access networks. “Hacking is not impossible, but it is difficult: hackers would need to obtain security certificates to get in.”
Villeneuve adds that you can find out the degree of security of an email server that a company uses. “When you deal with a business, you can check whether it uses secure email servers by accessing the site CheckTLS.com.”
UV Insurance uses this process to review the security level of the servers of its 400 group insurance clients. “We advised those that were less secure to switch to TLS mode. This validation is easier to do in group insurance than in individual insurance because exchanges happen business to business,” the cybersecurity director explains.
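As an added example, not code from the article or from CheckTLS.com, the script below does in miniature what the check Villeneuve describes does: it parses a mail server's EHLO reply for the STARTTLS extension and, in live_check(), attempts the TLS upgrade against an MX host name you supply, validating the server certificate the way a strict client would. The MX host, the constructed sample reply and the verdict wording are assumptions.

```python
import re
import smtplib
import ssl

# TLS versions a "less secure" mail server (in the article's terms) might still offer.
DEPRECATED_VERSIONS = {"SSLv3", "TLSv1", "TLSv1.1"}

def parse_ehlo(reply: bytes) -> dict:
    """Parse an SMTP EHLO reply (raw wire lines such as '250-STARTTLS', or the
    code-stripped text smtplib returns) and report whether STARTTLS is offered."""
    extensions = set()
    lines = reply.decode("ascii", "replace").splitlines()
    for line in lines[1:]:  # line 0 is the server greeting, not an extension
        line = re.sub(r"^\d{3}[ -]", "", line)  # drop '250-' / '250 ' if present
        tokens = line.split()
        if tokens:
            extensions.add(tokens[0].upper())
    return {"starttls": "STARTTLS" in extensions, "extensions": sorted(extensions)}

def rate_tls(version: str, cert_verified: bool) -> str:
    """Map the negotiated TLS version and certificate status to a plain verdict."""
    if not cert_verified:
        return "weak: certificate could not be validated"
    if version in DEPRECATED_VERSIONS:
        return f"weak: {version} is deprecated"
    return f"ok: {version} with a validated certificate"

def live_check(mx_host: str, timeout: float = 10.0) -> dict:
    """Connect to an MX host (assumed input) on port 25 and try to upgrade to TLS.
    Needs network access to the counterparty's server, so it is not run offline."""
    ctx = ssl.create_default_context()  # validates the chain and the host name
    result = {"host": mx_host, "starttls": False, "tls_version": None,
              "verdict": "weak: server does not advertise STARTTLS"}
    with smtplib.SMTP(mx_host, 25, timeout=timeout) as smtp:
        _code, reply = smtp.ehlo()
        result.update(parse_ehlo(reply))
        if result["starttls"]:
            try:
                smtp.starttls(context=ctx)  # raises ssl.SSLError on a bad certificate
                result["tls_version"] = smtp.sock.version()
                result["verdict"] = rate_tls(result["tls_version"], True)
            except ssl.SSLError as exc:
                result["verdict"] = f"weak: TLS handshake failed ({exc.reason})"
    return result

# Constructed EHLO reply (not from a real server) to exercise the parser offline.
SAMPLE_EHLO = (b"250-mail.example.com Hello [192.0.2.10]\r\n"
               b"250-SIZE 52428800\r\n250-STARTTLS\r\n250 SMTPUTF8")

if __name__ == "__main__":
    print(parse_ehlo(SAMPLE_EHLO))
```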
Dominic Villeneuve adds that individual life insurance advisors can make exchanges with clients more secure by using a transfer platform for documents. He endorses MFT (managed file transfer) solutions, particularly those of GlobalSCAPE and GoAnywhere. On its site, GoAnywhere explains that its secure solution GoAnywhere MFT provides a safe, audited method for automatically transferring information within and outside of your company.
“For example, I can send a client an email to tell him to retrieve a document on my secure platform, and the client can submit a document or retrieve one that I uploaded there. Never put the link in the email,” Villeneuve explains. A hacker could intercept the email, imitate it and insert a phishing link that resembles an authentic link.
Secure vault
To avoid the perils of errant emails, Diversico insists that all its exchanges with partners be secure. It sets common parameters with each entity with which it wishes to secure exchanges. The channel is thus scrambled, Guillemette explains. “I send you a link to a document that I’m sharing with you from my Google account, for example.”
Generally, emails are not secure; anyone can intercept an email by clicking on the link, Guillemette admits. However, fraudsters would only get as far as your secure vault, which can only be opened by someone with a key. iGeny sends the client a key in a text message. The company then asks clients to authenticate their identity via a credit card or driver’s license. The clients show these pieces of identification during a videoconference integrated in iGeny. This part of the teleconference is recorded as proof in the advisors’ files.
A password on a PDF document does not make an exchange more secure either, Guillemette adds. “It takes four minutes for a hacker to find it,” he says. He worries that this seemingly secure practice might jeopardize the reputation of all independent advisors should identity theft occur.
He gave another example of when email is not a secure exchange mode: when it is not protected by a secure VPN (virtual private network) channel, of the kind often used between a remote workstation and office servers.
Reservations about VPN
Dominic Villeneuve is dubious about some secure email systems. “Email secured by the portal of a business or a system like Secure Mail may seem secure but the link in the email is problematic,” he says, because it can be a phishing ploy. A hacker can intercept an email sent by a CRM system, imitate it and create a false link.
VPN can also be vulnerable despite the secure channel it creates between two remote workstations, Villeneuve adds. In this case, the vulnerability lies in the remote worker’s wireless network.
“If my neighbour is a hacker who manages to penetrate my wireless network, he can enter my computer and escalate to the company. Also, some people stay connected to the VPN all day, and perform personal tasks like shopping for online groceries or other things.”
To minimize these risks, he recommends that remote workers use their personal browser for non-work tasks. He also frowns on connecting a workstation to a personal station. “Someone who shares information on a VPN from their workstation and who uses Microsoft tools is secure. In the hundreds of companies that I validated thus far, I didn’t see any that used dubious email servers,” Villeneuve says.