In the financial services industry, email has become an essential means for communicating. A lot of sensitive information is shared through email when clients are onboarded, documents are shared, and accounts are updated. While email as a tool is convenient, it has also introduced a major vulnerability; one that is often overlooked.
An example of this vulnerability exists in the data breach which occurred at Cetera Financial Group. This breach exemplifies the risk associated with the use of just one compromised email account. Financial and personal data are shared between multiple entities (advisors, clients, institutions) constantly, and therefore email is a prime target for attackers.
The method used in most email access breaches is quite subtle. Attackers generally gain access to email accounts through phishing, weak passwords, credential leaks, and similar means. Once attackers have access to a mailbox, they can monitor conversations, download attachments and collect data over an extended period of time without immediately raising any red flags.
Email security depends heavily on the behavior of users. Employee awareness and training are as important as the technical safeguards offered by the financial institution. Even when security measures are in place, a user merely clicking on a malicious link or entering credentials into a fraudulent login page can expose the financial institution to unauthorized access.
The type of information that financial institutions handle makes them an especially attractive target.
While financial institutions routinely use email to communicate with each other and with their customers, those emails often contain SSNs, account data, identity verification documents, and other confidential or sensitive information, all of which, if viewed by an unauthorized person or group, can be used for identity theft, fraud or other targeted scams.
As a result, many organizations have strengthened their security measures to mitigate these risks. Multi-factor authentication (MFA), email encryption and advanced threat detection solutions are among the most widely used security best practices today. However, in addition to the use of technology, regular training sessions will help to ensure that employees know how to identify phishing scams and have a good understanding of proper email etiquette.
Individually, customers also need to be aware of the kinds of information they share via email. There are several key factors that can help to reduce risks, including verifying the authenticity of any request, refraining from clicking on links that seem suspicious, and minimizing the distribution of sensitive information through unsecured email.
Another important area to consider is the type of communication that occurs within an organization. If a financial advisor or financial institution requests urgent or unexpected information through email, the customer should follow up with the advisor or institution through another channel to verify the request before responding.
As cyber security threats keep evolving, email remains the most frequently exploited entry point for attackers. With the growing number of attacks and attempts, it’s apparent that we need to be much more cautious and informed about how we communicate digitally.
Improving the overall security of email is everyone’s responsibility, both as individuals and as an organization. Strengthening your organization’s security rules and policies is essential, but individuals also need to be aware of the risks and act responsibly to help prevent attacks. Taking simple precautions can help reduce the number of serious security incidents.
