About to press send: email security risks to the financial services sector

5 min read

Financial services companies rely on email to keep their clients informed and share highly confidential information every day. However, silly mistakes that reveal personal information or poor email encryption can spell disaster for businesses in the finance sector, whether they are banks, investors, insurers, asset managers, accounting firms or otherwise.

Imagine an employee in financial services is about to email a colleague with the latest accounting info for a major corporation. They’ve CC’d a few colleagues, perhaps attached a document or two for good measure. Their finger is hovering over the send button. What could happen next?

Their email is directed to the wrong recipient

What is a mis-directed email?

A mis-directed email (also called a misaddressed or mis-delivered email) is an email that reaches someone other than its intended recipient, whether through a typo, an autofill suggestion accepted without checking, or a deliberate act.

Email is an incredibly transparent and flexible tool, but the flipside of this is that it's easy to make mistakes. All it takes is one mis-directed or mis-delivered email: at best, that employee is looking at an embarrassing exchange; at worst, a data leak occurs, putting financial services organisations, their employees and their customers at risk and leading to hefty GDPR fines, lost clients, reputational damage and a significant drop in revenue.

A mis-delivered email tells your employees, employer and/or clients that you aren’t properly managing and protecting their information. And when you consider how easy it is to accept an email platform's autofill suggestion without actually checking the address, the likelihood of a mis-directed email is a lot greater than you might think. In fact, over the course of Q2 2020/21, 46 finance, insurance and credit businesses in the UK reported personal data breaches to the ICO as a result of emails sent to an incorrect recipient.

Mis-directed emails are an inevitable occurrence for any business, but the issue is far worse for businesses in financial services, for whom a data leak can cause irreparable damage to their reputation and finances. An IBM report shows that the financial industry consistently has higher average data breach costs than less regulated industries such as hospitality, media and research.

They’ve CC’d instead of BCC’d

There are all manner of reasons why financial services employees should be using BCC (blind carbon copy). Perhaps they’re notifying clients of a change of contact details, or sending company-wide communications to customers, prospects, service providers, government bodies and various other stakeholders. Put those addresses in the carbon copy (CC) field by accident and every recipient can see every other recipient’s address: a personal data breach under GDPR, for which the highest fines can reach 4% of a company’s global annual turnover.

For a sector like financial services, which has seen its cybersecurity practices change more than any other sector as a result of GDPR, it’s more important than ever to ensure that every aspect of its communications is accounted for, and email needs to be at the top of the list.
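Both of the mistakes above (a recipient who is almost, but not quite, the intended one, and a CC field full of addresses that should have been BCC’d) can be caught with a pre-send check on the draft. The Python below is an added example written for this article, not Zivver’s product or code, and every name in it is an assumption: the internal domain, the known client domains, the distribution-list alias and the two constructed drafts. It flags three things: an address that expands to a distribution list, a recipient domain within two keystrokes of a trusted domain, and a CC field exposing addresses across more than one external organisation.

```python
from email import message_from_string
from email.utils import getaddresses

# All names and thresholds below are assumptions for this example, not a
# real firm's configuration.
INTERNAL_DOMAIN = "example-capital.com"
KNOWN_CLIENT_DOMAINS = {"northbank.example", "acme-holdings.example"}
# Constructed distribution-list alias and the addresses it expands to.
DISTRIBUTION_LISTS = {
    "all-clients@example-capital.com": [
        "cfo@northbank.example",
        "treasury@acme-holdings.example",
    ],
}


def _domain(addr):
    return addr.rsplit("@", 1)[-1].lower()


def _edit_distance(a, b):
    """Levenshtein distance, used to spot one- or two-keystroke domain typos."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_draft(raw):
    """Return a list of (code, detail) findings for a draft in RFC 5322 form."""
    msg = message_from_string(raw)
    findings = []
    to = [a.lower() for _, a in getaddresses(msg.get_all("To", []))]
    cc = [a.lower() for _, a in getaddresses(msg.get_all("Cc", []))]

    # 1. Distribution lists: the sender may not know who is behind the alias.
    recipients = []
    for addr in to + cc:
        if addr in DISTRIBUTION_LISTS:
            members = DISTRIBUTION_LISTS[addr]
            findings.append(("DISTRIBUTION_LIST",
                             f"{addr} expands to {len(members)} recipients"))
            recipients.extend(members)
        else:
            recipients.append(addr)

    # 2. Lookalike domains: a typo or a bad autofill pick that is one or two
    #    edits away from the firm's own domain or a known client domain.
    trusted = KNOWN_CLIENT_DOMAINS | {INTERNAL_DOMAIN}
    for addr in recipients:
        dom = _domain(addr)
        if dom in trusted:
            continue
        for known in trusted:
            if _edit_distance(dom, known) <= 2:
                findings.append(("LOOKALIKE_DOMAIN",
                                 f"{addr} looks like a mistyped {known}"))

    # 3. CC instead of BCC: external recipients from more than one
    #    organisation can all see each other's addresses.
    external_orgs = {_domain(a) for a in cc if _domain(a) != INTERNAL_DOMAIN}
    if len(external_orgs) > 1:
        findings.append(("CC_MULTIPLE_ORGS",
                         f"Cc exposes addresses across {len(external_orgs)} "
                         "external organisations; use Bcc"))
    return findings


# Constructed drafts for a stand-alone run: one with all three problems,
# one written the way it should have been.
RISKY_DRAFT = """\
From: analyst@example-capital.com
To: cfo@northbamk.example
Cc: treasury@acme-holdings.example, ir@northbank.example, all-clients@example-capital.com
Subject: Q2 accounts

Latest figures attached.
"""

CLEAN_DRAFT = """\
From: analyst@example-capital.com
To: cfo@northbank.example
Bcc: treasury@acme-holdings.example, ir@northbank.example
Subject: Q2 accounts

Latest figures attached.
"""

if __name__ == "__main__":
    for code, detail in check_draft(RISKY_DRAFT):
        print(f"{code}: {detail}")
    print("clean draft findings:", check_draft(CLEAN_DRAFT))
```

The lookalike check deliberately compares only against domains the firm already trusts; comparing every recipient against every other would drown users in warnings. In a real deployment the trusted set would come from the CRM or address book, and the thresholds would be tuned against a few weeks of real drafts before the check is allowed to block anything.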

They’ve revealed personal information with no email encryption

Depending on the context of your email, this one could have dire consequences for a financial services provider. For businesses in this sector the exchange of highly confidential information is a day-to-day occurrence. If, for example, a bank employee has included someone’s personal details in an email that hasn’t been encrypted (i.e. made unreadable to anyone other than the intended recipient), they could be playing right into cybercriminals’ hands.

If emails aren’t encrypted, they can be read by anyone who intercepts them in transit or gains access to a mailbox or relay along the way, not just the intended recipient. Note that encryption between mail servers (TLS) only protects a message on the wire; keeping confidential content away from a compromised account or server means encrypting the message itself. Organisations globally spend £2.9 million on average recovering from a security breach, so it’s a fool’s game for financial services to use email systems without solid, robust encryption.
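A practical way to enforce the point above is a gate that refuses to send a message in cleartext when its body contains the kind of identifiers a bank handles every day. The Python below is an added example written for this article, not Zivver’s product or code. The patterns (UK sort code, eight-digit account number, IBAN, National Insurance number) and the three constructed drafts are assumptions for illustration; a real deployment would tune them to the firm’s own data classification and add validation such as IBAN checksums. The gate lets a message through untouched if its body is already encrypted end to end (S/MIME enveloped data or PGP/MIME), and otherwise blocks it when any identifier is found.

```python
import re
from email import message_from_string

# Constructed patterns for identifiers a UK financial firm would not want
# travelling in cleartext. Assumptions for this example, not a vendor's rules.
PII_PATTERNS = {
    "uk_sort_code": re.compile(r"\b\d{2}-\d{2}-\d{2}\b"),
    "uk_account_number": re.compile(
        r"\b(?:account|a/c)\s*(?:no\.?|number)?\s*:?\s*(\d{8})\b", re.IGNORECASE),
    "iban": re.compile(r"\b[A-Z]{2}\d{2}[A-Z0-9]{11,30}\b"),
    "ni_number": re.compile(r"\b[A-CEGHJ-PR-TW-Z]{2}\d{6}[A-D]\b"),
}

# Content types that show the body itself is encrypted (S/MIME enveloped
# data, PGP/MIME), as opposed to relying on TLS between mail servers.
ENCRYPTED_CONTENT_TYPES = {"application/pkcs7-mime", "multipart/encrypted"}


def is_encrypted(msg):
    return msg.get_content_type() in ENCRYPTED_CONTENT_TYPES


def _plain_text(msg):
    """Collect the text/plain content of a single-part or multipart message."""
    if not msg.is_multipart():
        return msg.get_payload()
    return "\n".join(part.get_payload() for part in msg.walk()
                     if part.get_content_type() == "text/plain")


def find_identifiers(text):
    """Names of the PII patterns that match somewhere in the text, sorted."""
    return sorted(name for name, pat in PII_PATTERNS.items() if pat.search(text))


def encryption_gate(raw):
    """Decide whether a draft may leave unencrypted.

    Returns (allow, found): allow is True when the body is already encrypted
    or contains no identifiers; found lists the pattern names that matched.
    """
    msg = message_from_string(raw)
    if is_encrypted(msg):
        return True, []
    found = find_identifiers(_plain_text(msg))
    return (len(found) == 0), found


# Constructed drafts for a stand-alone run. The identifiers are made up.
PLAINTEXT_DRAFT = """\
From: adviser@example-bank.com
To: client@example.org
Subject: Transfer details
Content-Type: text/plain; charset="utf-8"

Please move the balance from sort code 40-12-34, account number 12345678
(IBAN GB29NWBK60161331926819) before month end. NI number on file: AB123456C.
"""

# The base64 body is a placeholder, not a real S/MIME blob; the gate only
# looks at the declared content type.
SMIME_DRAFT = """\
From: adviser@example-bank.com
To: client@example.org
Subject: Transfer details
Content-Type: application/pkcs7-mime; smime-type=enveloped-data; name="smime.p7m"
Content-Transfer-Encoding: base64

MIAGCSqGSIb3DQEHA6CAMIACAQAxggE=
"""

HARMLESS_DRAFT = """\
From: adviser@example-bank.com
To: client@example.org
Subject: Lunch

Still on for Friday?
"""

if __name__ == "__main__":
    for label, draft in [("plaintext", PLAINTEXT_DRAFT),
                         ("smime", SMIME_DRAFT),
                         ("harmless", HARMLESS_DRAFT)]:
        allow, found = encryption_gate(draft)
        print(f"{label}: allow={allow} found={found}")
```

Two caveats a practitioner will want. First, the gate checks the declared content type, so it trusts that whatever produced an S/MIME or PGP/MIME structure actually encrypted the payload; in production the check sits after the encryption step, not before it. Second, pattern matching on the body misses identifiers inside attachments, so the same scan has to run over extracted attachment text, or attachments have to be forced through the encrypted path regardless.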

They’ve clicked ‘Reply all’

Many workplaces rely on distribution lists for communication chains, with one email address acting as an alias for a number of others, and the sender often has no idea who is behind that alias. One click on ‘Reply all’ and your employee may have just forwarded an entire email chain to an unintended or unauthorised recipient.

They’re replying to a scam/phishing email

Is the employee certain that the person on the other end of the email is a colleague? Or could they be behind one of the thousands of phishing attacks sent every single month in the UK?

The recent pandemic and a move to hybrid working have made phishing even more of a risk to financial services companies, which are the target of around 41% of all phishing attacks, according to the Anti-Phishing Working Group.

Overall, the UK’s HMRC recorded a whopping 73% rise in email phishing attacks in the six months after the Covid-19 pandemic hit the country. It’s good to keep staff abreast of the latest phishing trends – but with phishers and cyber attackers growing more convincing and using more devious strategies every day, this won’t always be enough.

Giving financial services organisations a birds-eye view of email security

All of these outcomes are possible, just from one employee sending one email. But financial services companies aren’t just one person. They can be 100, 250 or even 1000 employees, sending emails every single moment of every day.

Financial services security professionals don’t have the time to check that every email going out complies with data protection guidelines. They need a solution that gives them a birds-eye view of their email security and extends a safety net across their entire operation.

Zivver’s highly encrypted secure email solution catches many of the mistakes above before financial services employees hit send, ensuring they comply with data protection policies. Even when a mistake is made, our smart technology allows employees to recall email messages after they are sent. All user activity is logged to give security leaders better insights and allow them to easily report data leaks and minimise their spread should they occur.

Our solution offers asymmetric zero-knowledge encryption, ensuring that only authorised recipients can access emails. Even better, it can integrate seamlessly with Outlook and Gmail, plus CRM systems like Salesforce, allowing teams to stay on track with an added layer of security. Best of all, it offers security leaders a birds-eye view of their email security, allowing them to mitigate risk, minimise human error and stop data leaks in their tracks.

Our solution gives employees the confidence they need to hit send on their emails, ensuring financial service companies run smoothly while keeping confidential information safe. To find out more, download Zivver’s guide to email security in the financial services industry, contact Zivver’s UK office on +44 20 3285 6300, or email contact@zivver.com.


Written by

Kate O'Neill

Originally published on May 10, 2021

Last update on May 10, 2021