Experts from both the compliance and IT industries have expressed their concern after it was revealed that 9% of financial advisory firms in the UK were using a webmail account as their main company email address.
Research by business intelligence agency Matrix Solutions found that 427 of the 4,945 firms surveyed were using an account from a web-based provider such as Googlemail, BT Connect, Yahoo or AOL. These accounts are generally thought to be much less secure than specialist business email accounts.
Even if the main firm email account is not a webmail account, some firms may have individual advisers who are using webmail for business purposes, especially if the advisers operate remotely and/or on a self-employed basis.
Firms are advised to seek assistance from their IT services provider to put in place email systems that are as secure as possible. Staff should be trained in data security issues and warned about ways in which the firm could be targeted by fraudsters and scammers.
Gary Williams, director of data protection and data security consultants Protectmydata.co.uk, commented:
“Webmail is about as bad as it can get in terms of security. It bumps up against some of the fundamental security questions firms should be asking themselves: who can see my data, where is it and how long is it retained for? If Yahoo deletes your account, for instance, can you recover it?”
Matt Timmins, joint managing director of compliance consultancy SimplyBiz, said:
“Using webmail to transmit important data and client details is extremely risky. These accounts do not always have the security and controls in place that are needed to safely send and receive client data. They are prone to hacking, identity fraud, cloning and extracting data through robots.”
As well as the central issue of data security, another concern raised by the experts is that clients could be more likely to be duped by a scam if their adviser uses webmail. Scam emails often come from webmail accounts, so if their adviser also uses one, spotting the fake communications becomes all the more difficult.
Sherief Hammad, director of IT consultancy NCC Group, said on this issue:
“If you use a webmail domain and one of your clients is approached by someone using another aol.com address, they would not immediately think that was strange. Their ability to understand when something is amiss is diminished. That in itself increases the risk of a security breach because a lot of the new scam techniques play on psychology and the way people interact.”
Mr Williams also advised firms against sending client details via any form of email system.
Firms should also be wary of requests for client data that appear to come from providers. Before replying, firms need to be satisfied that the communication really has come from the provider. They should also ask themselves – should the provider realistically already have this information, and why do they need to ask me for it?
The data security pages on the Financial Conduct Authority’s website give examples of inappropriate use of customers’ data. The regulator cites the following examples:
• Listing answers to clients’ security questions – the questions they must answer when calling the firm – on their monthly statements
• Stating a client’s national insurance number, age, date of birth, and salary on an annual statement
• Sending out promotions which include application forms partially completed with some of the client’s personal information
All of these practices could lead to a data security breach if the communication is intercepted.