Extreme caution must always be exercised when dealing with incoming client or third-party requests. In a recent incident Blair Williams of Beaufort Financial St Helens found herself the target of a fraudulent attempt to acquire £150,000 from a client’s pension funds – however, her vigilance and quick thinking ensured that both the client and the business were protected from any losses.

Following a bona fide withdrawal from the client a few months previously, Blair received an email from his verified email address requesting a change of bank account details for his platform provider and a further withdrawal. The email had an attached letter giving a signed declaration for the platform to change the bank details, which on initial inspection appeared genuine. Blair followed procedure and emailed the client back asking for a wet ink signature to be sent by post confirming the changes. After several email exchanges with the client becoming increasingly demanding, Blair’s suspicions were raised, and a phone call was made to the client’s contact number on file in order to further authenticate the request. At this stage the genuine client was able to inform Beaufort Financial St Helens that he had made no such requests during the dates in question, and that whilst the emails were from his email account, they were not from him. Further investigation uncovered the fact that the client’s home computer had been compromised.

Blair immediately alerted the authorities via the Police Action Fraud website and sought further guidance from Compliance. An ICO personal data breach self-assessment form was completed, with the ICO confirming that the business was not at fault for the incident, as the breach of the client’s details had originated from his own computer equipment. All relevant product providers connected to the client and the Operations Team were also notified of the incident so that increased security could be applied to the client’s accounts.

Without Blair’s cautious approach the outcome of this event could have been very different for all parties involved, with the client and business being unwitting victims of cybercrime, as well as financial losses and reputational damage to the Company.