Protecting client data from identity fraud and cyber crime

Jason Brown, Head of Platforms Distribution, BT

Here are five key themes that can help small and large practices protect important information.

1. Train advice teams to be vigilant about risks, especially fraudulent activity

Advice practices should conduct a regular review of their risks and controls, and keep up to date with cyber trends. The Australian Cyber Security Centre's Exercise in a Box is a handy reference and includes tutorials and simulation exercises.

Fraudulent activities online come in varying levels of complexity, and can include phishing emails and texts, as well as hacking of websites and the publication of fake websites that replicate banking and payment sites.

Training advice staff on IT security and fraud awareness is strongly recommended by BT. Simulations on phishing can help advice teams become familiar with what to look out for, such as whether an email that appears to be from a client is in fact from a slightly different email address, fredflintstone@gmail.com vs fredflintstone1@gmail.com

2. Have robust processes in place for checking identification documents

The Commonwealth Attorney-General's Department estimates that identity crime costs Australia upwards of $1.6 billion per year, with the majority lost by individuals through credit card fraud, identity theft and scams.

In the superannuation sector, identity fraud is the most common type of fraud, according to AUSTRAC.

Even if only a small amount of personal information is obtained, for example, from stolen mail such as a superannuation fund statement, perpetrators often use 'open source' information to piece together other information such as date of birth and contact details. Social media is often targeted by criminals for this additional data, so they can impersonate their victim and access accounts.

When verifying clients' identification, advisers should ensure they are capturing accurate customer details - for example, their name should match the ID document exactly, including middle names.

Red flags include multiple changes to a client's profile within a short period. Advisers should watch out for irregularities in ID documents such as different fonts and font sizes, spelling errors, and borders or lines where there should be none.

Photos should also be checked diligently; for example, ensure that the photo in the ID document lines up correctly and does not look out of place.

3. Use biometrics to log into apps on your mobile and other devices

BT's cyber experts encourage the use of biometrics across all devices, where available, especially mobile phones. On the BT Panorama mobile app, advisers and clients can log in by using face ID or fingerprint verification or a passcode.

Two-factor authentication (2FA) is another measure implemented by businesses to increase security. 2FA requires users to provide two factors, such as biometrics plus a password.

BT Panorama requires 2FA for important steps such as to register to use the platform, use the forgotten password process view, update personal details, add billers, link bank accounts and pay anyone.

In addition, adviser notifications, behavioural pattern analysis and robust bank-grade security measures help to protect advisers and their clients, and BT continues to focus and invest in this space.

Advisers may also wish to consider talking to customers about cyber security and keeping their systems or devices protected. It may help to explain that biometrics and/or 2FA can keep their account and identity more secure, compared to using a password alone.

4. Do not postpone system security updates

Advisers are encouraged to keep security programs up-to-date. Every time new malware or a trojan is discovered, security firms put out a patch that users need to download and install. It's incumbent upon users to update their programs.

5. Avoid connecting to public Wi-Fi, but if you must use a VPN

BT's experts warn that using public Wi-Fi is a cyber security breach waiting to happen. Using a Virtual Private Network (VPN) while on a public Wi-Fi connection allows you to access the internet through a private network, so that your browsing is protected and that nobody can see what you're doing.

6. A password manager is not a panacea

Password managers are targets for hackers, and a few have suffered from data breaches in recent years. It's best to remember your passwords - one way to do this is by writing down clues. In regard to the password itself, don't share it, don't write it down, and don't capture it anywhere in your system.