Security Centre for Advisers

LOOKING AFTER YOU AND YOUR CLIENTS' MONEY

The service and security we provide are equally important. Looking after our mutual clients’ investments is of paramount importance to us and the business process decisions we make are made with client security in mind.

Here's some of what we do

Firstly, the way we hold client data is secure. We engage in many security forums and also adhere to National Cyber Security Centre protocols.
Our websites are secure, carry the padlock and use HTTPS (originally Secure Sockets Layer, now Transport Layer Security), which encrypts data moving between browsers and our servers so that it cannot be read if intercepted.

We have robust processes in place to ensure that money going off the platform is paid to the right person. To provide added security:

  • We undertake regular security penetration testing.
  • We have a dedicated Financial Crime team and all staff are trained to be on the alert for scams and fraudster activity.
  • All clients have secure access to their own online account.

Here's some of what you can do when managing your clients' online security

Security has never been more important than in today’s digitally connected age. We all send and receive instructions and notifications at great speed – something that fraudsters try to manipulate and benefit from.

It’s therefore important to reflect on and follow some best business practice guidelines to keep everyone’s hard-earned investments safe. Be sure to:

  • Verify that instructions are from your client and have been actioned as intended. You know your clients and therefore provide a further level of checking and security in the event that a client’s security is compromised.
  • When checking communications from clients ask yourself “Is this activity uncharacteristic, written badly or simply odd?”
  • Be especially alert to requests for changes to your clients’ portfolios – that could be a change in bank account or, as importantly, a simple change to a mobile phone number or email address.
  • Perform processes on Transact Online where possible, logging in using two-step verification. If you wish to send an email, please always log in to Transact Online and send a secure email.
  • Keep yourself informed of the latest scams and threats, for example, by using: https://www.actionfraud.police.uk/news.
  • Keep your email permissions and data up to date – actively manage the access of staff, segregate duties and remove access of leavers.
  • Cancel log in credentials for all leavers by sending a secure email – our Sales Support team will then remove their access.
  • Apply security protocols to prevent data theft when data is being sent from your business and when data is being stored on your systems.

Fraud awareness update

According to the Office for National Statistics and UK Finance, from July 2020 to July 2021, reported losses caused by fraud and cybercrime were £2.7 billion.

Below are some practices and advice which can help reduce the risk of fraud:

  • Proceed with caution when considering a request received from what looks like a client’s email, particularly if it is for a large withdrawal and if it also refers to a change of bank details. Verbally confirming the request with the client is often the most secure method to validate an instruction.
  • Encourage clients to send money electronically and avoid posting cheques if possible. Transact’s bank details can be found via our website or on portfolio opening documents. Using the “expected deposits” functionality will enable us to apply the deposit more quickly.
  • If you are required to send a cheque or other important documents via post, send these by recorded delivery to ensure they reach the intended recipient.
  • Do not include Transact’s bank account details in the body of emails to clients (as these can be changed by a fraudster who has unauthorised access to the client’s email account).
  • Take note of warning messages prior to making payments via online banking. The majority of large banks have now implemented the confirmation of payee service which helps to make sure payments aren’t sent to the wrong bank account.

Making deposits
Please advise clients to avoid sending cheques or banker's drafts because they can be intercepted in the post. The safest ways they can make deposits into their Transact portfolio are through Transact-Online, if they have an active direct debit linked to the wrapper they are making the deposit into, or via bank transfer.

To make a deposit via Direct Debit, they will need to log into Transact-Online and go to Transactions->Deposit and select the “Direct Debit” option. Remember, the wrapper you are making the deposit into needs to be selected.

If they wish to send money via bank transfer, our bank details are below:

Account Name: Transact Client Account
Name of Bank: NatWest
Account Number: 36298921
Sort Code: 60-00-01

Their portfolio number will be needed as the payment reference, so we can match the deposit to the portfolio. Please inform us that they have sent a deposit by logging into Transact-Online, going to Transactions->Deposit and following the “Bank Transfer” instructions.


You can find out more about some of the scams you should be aware of in our Fraudulent Contact and Scam Awareness document below. These include:

Scams
  • Pension scams - pension scammers continuously design new and more sophisticated ways to gain access to pension savings.
  • Investment scams - fraudsters can be effective in persuading victims to transfer money to them to invest in unusual/high risk investments or to simply steal it outright.
  • Romance fraud - this involves people being duped into sending money to criminals who go to great lengths to gain their trust and convince them that they are in a genuine relationship.
  • Social engineering and safe account scams - fraudsters have a variety of methods to convince people to release personal information such as date of birth, address, bank account details and one-time passwords.


Video guides

Below is a suite of videos giving you an introduction plus information covering common scams, some top tips and the security Transact Online provides. These videos introduce you to George Quigley. George is a certified security and data privacy professional with extensive experience gained across consulting, advisory and audit roles. He is also the director at Foulkon Ltd, specialists in cyber security, and provides some very useful insights to help you feel safe and secure online.

  • Online Security – Introduction
  • Online Security – Common scams
  • Online Security – Top tips
  • Online Security – Transact Online

“It’s great to see the progress in these areas and to work with a provider who treats data security as highly as we do.” – Anonymous Transact User

What you can do to improve online security

The COVID-19 pandemic has seen criminals swiftly adapt and evolve their methods to take advantage of the increase in remote working, with people spending more time online and communicating more by email. Fraudsters continue to target individuals’ email accounts either to obtain personal information for further social engineering or to impersonate that individual.

Impersonation scams saw the biggest increase of any scam type, almost doubling in 2020 compared to 2019. Typically, such deception and impersonation scams involve the criminal posing as a genuine individual or organisation and contacting the victim.

Follow the simple steps below to make your personal data and investments more secure. Visit: ncsc.gov.uk/cyberaware/home for more guidance on improving your personal cyber security.

Security tips
  • Never share your full password or your access details with anyone.
  • Ensure you use unique, strong passwords for all your online accounts such as emails and banking. Use a combination of uppercase and lowercase letters, numbers and special symbols.
  • Add two-step verification to your Transact Online account.
  • Add two-step verification to your personal email accounts such as Gmail or Hotmail.
  • Check the email address of the sender before you reply – it may be very close but not correct.
  • Only open email attachments that you are expecting and never click on links that look suspicious – if you hover your cursor over the link you will see the URL of the website it will take you to so you can check if the details are correct.
  • Do not provide personal details unless you have checked out whoever is asking.
  • Beware of phishing scams trying to gain snippets of your personal data in order to build a “bigger picture” of you.
  • Keep your anti-virus software up to date.
  • Check the content of your email account regularly – fraudsters may create hidden folders to hide fraudulent activity. Check and clear your spam folder regularly.
  • Be wary of your environment when accessing your account. Make sure no one can see your screen and limit use in public places, or anywhere that Wi-Fi is not secure.
  • Log out and close down sessions securely.

Scams originating from emails

We have seen an increase in the number of fraudulent attempts that originate from clients’ personal email accounts and computers being compromised. Over the last year we have identified that there has been an increase in the following types of fraud:

  • A client’s email is compromised. The fraudster impersonates the client by contacting the client’s adviser about withdrawals and attempts to divert the money to the fraudster’s own bank account.
  • An adviser’s email is compromised. The fraudster impersonates the adviser by sending the client the fraudster’s own bank account details but presenting them as the Transact bank account details.

Since Omicron, a new variant of the COVID-19 virus, became prevalent, cybercriminals have been creating Omicron-themed phishing scams.

In one phishing email, cybercriminals impersonate the United Kingdom’s National Health Service (NHS). The email appears to be an offer for a new COVID-19 Omicron PCR test. If you click the link within the email, you’re sent to an NHS look-alike website where you are asked to provide your personal details and payment information. Any information you enter on this fake webpage is delivered straight to the cybercriminals.

Follow these tips to avoid similar phishing attacks:

  • Although this scam impersonates the NHS, you may also see hackers from other countries using a similar scam. Watch out for suspicious emails from both local and global health organisations.
  • Never click on a link within an email that you weren’t expecting, even if the email appears to come from an organisation you recognise.
  • Stay informed about the Omicron variant by following local news and other trusted sources.

More tips to help clients avoid email scams

Please ensure that you:

  • Proceed with caution when considering a request received from what looks like a client’s email, particularly if it is for a large withdrawal and if it also refers to a change of bank details. Verbally confirming the request with the client is often the most secure method to validate an instruction.
  • When checking communications from clients ask yourself “Is this activity uncharacteristic, written badly or simply odd?”
  • Check email trails. Fraudsters tend to use old emails and change the subject in order to obtain information.
  • Always check the email address; fraudsters will often set up fake accounts with very similar email addresses.
  • Be cautious of any links or documents sent via email.
  • Ensure that you have seen original copies of documents before using the document upload function via TOL.
  • Always check signatures on signed instructions, “Is this consistent with previous instructions?”
  • Report any fake or suspicious websites to the FCA.
  • Redirect clients to Transact Online if they want to instruct us directly.
  • Do not send Transact’s client bank account details or other similar information in the body of emails (as these can be redirected and modified if the fraudster has hacked into the client’s email account).

We share only a small level of detail of the security measures we have in place. That way, you can be confident that your clients’ investments are safe, and fraudsters can’t use what we share to their advantage. However, if you would like to know more or have any specific questions, please do call and we will address your queries.

If at any time you have any suspicions or concerns about any transactions or activity on your clients’ portfolios, act immediately and get in touch.

Additional resources