What are you up against every day?
The key attack vectors criminals use to steal money or data from advice businesses.
After completing this module you will be able to:
List six high-frequency cyber threats that target financial-advice firms.
Match each threat to its typical warning signs.
Map IIP policy controls that break an attacker’s kill-chain.
Apply “stop-and-think” questions before you click, download or approve a payment.
The Threat Landscape for Advisers
# | Threat | How it works | Red flags to watch |
---|---|---|---|
1 | Phishing & BEC | Fake emails/SMS trick you into revealing credentials or approving fund transfers. | Unsolicited links, odd domain spelling, “urgent” tone. |
2 | Malware & Ransomware | Malicious files (e.g. Word macros/ZIPs) encrypt data or capture keystrokes. | “Watch this video” messages, unexpected invoices or ZIP attachments. |
3 | Password Attacks | Bots reuse leaked passwords or brute-force weak ones. | Same password on many accounts, no 2FA enabled. |
4 | Data-Leak & Unsecured Transfer | Sensitive files sent over public Wi-Fi or to unauthorised emails. | Requests to Gmail; using café Wi-Fi without a VPN. |
5 | Remote-Access Exploits | Attackers target home routers, remote desktops or contractor devices. | Default router settings, no disk encryption, unknown USB drives. |
6 | Insider & Social-Engineering Risk | Staff tricked into installing rogue software or uploading data to fake clouds. | Unapproved software requests; “colleague” asks for login details. |
How the IIP Cyber Security Policy Breaks the Chain
Email hygiene — “Avoid opening attachments and clicking on links when the content is not adequately explained”.
Strong, unique passwords + 2FA — minimum eight characters with symbols and mandatory 2FA where offered.
Secure data transfer — share files only via approved company systems; never over public Wi-Fi.
Remote-work safeguards — remote staff must follow the same encryption and network-security standards as office staff.
Immediate incident reporting through the Compliance Hub or direct email to the Compliance Manager.
Real-world scenario
The “Updated Bank Details” Phish
An admin staff member receives an email that appears to come from a long-standing client.
The message asks to “update the linked cash account before tomorrow’s trade” and contains a PDF with instructions. The sender’s address ends in @consultant-com.au instead of @consultant.com.au. Opening the PDF triggers malware that harvests XPlan credentials and reroutes $92,000 to a mule account.
Spot the tells: slight domain misspelling, time pressure, new banking request. Apply the policy’s “Keeping emails safe” checklist before acting.
Adviser self-defence checklist
Hover over every link before you click — does the URL make sense?
Confirm payment changes voice-to-voice using a known phone number.
Use a password manager and switch on 2FA for XPlan, banking portals and iC2.
Patch browsers and operating systems monthly or sooner for critical updates.
When travelling, tether to your phone instead of hotel Wi-Fi for client work.
Report suspicious activity within 30 minutes so the compliance team can act fast.
Key takeaways
Phishing remains the #1 entry point — slow down and verify.
A single reused password can undermine every layered control.
Data usually leaves the building through people, not firewalls.
Rapid reporting caps financial, legal and reputational fallout.
Quick Knowledge Check
1. Which threat accounts for most initial compromises in financial-advice firms?
2. Which red flag is most closely linked to a malware / ransomware attempt?
3. Working on café Wi-Fi without a VPN primarily exposes you to:
4. Which immediate control best mitigates password attacks?
5. An example of insider & social-engineering risk is: