Your email’s been hacked. What now?

Spotlight On Infosec (10)
For financial professionals only

More and more adviser email accounts are being compromised and then used to send phishing emails. Because these messages come from genuine adviser accounts that have been taken over, the attacks aren’t always easy to spot.

How are advisers' emails getting hacked?

The root causes are almost always the same. Password reuse across personal and professional systems is still widespread, which makes ‘credential stuffing’ attacks highly effective: login details leaked in an external breach are simply replayed against the adviser’s work account.

On top of that, a lack of multi-factor authentication (MFA) and increasingly sophisticated phishing emails (now helped along by AI, and often disguised as legitimate Microsoft 365 or document-sharing prompts) continue to be the most reliable entry points for attackers.

Once they’re inside a financial adviser’s email account, attackers set up inbox rules that hide replies, automatic forwarding to external addresses, and selective monitoring of conversations involving clients or payments. Their goal is simple: to stay invisible while exploiting the trust placed in the adviser’s (or account holder’s) identity.

For financial services, the stakes are high.

A compromised email account can rapidly damage client trust, especially when phishing emails sent from a legitimate account have tricked clients as a result. Once attackers gain access, they inherit the credibility built through years of client relationships - and can weaponise it within minutes.

And the fallout doesn’t stop there: firms also face serious regulatory scrutiny and reporting obligations, particularly when client data has been exposed.

Signs your email account has been compromised

  • Notifications of login activity from unfamiliar devices or locations.
  • Unexpected changes to account settings, passwords, or recovery details.
  • Contacts reporting suspicious messages appearing to come from you.
  • Emails you didn’t send, or missing or altered emails, in your sent or deleted folders.

What to do if you've been hacked

If your account is compromised or you suspect it, moving fast is key. The following steps should be taken immediately and in this order:

1. Treat your account as untrusted

Notify key internal contacts using an alternative channel (phone, MS Teams, or another verified email) that:

    • Your email account may be compromised.
    • No one should trust emails from your address until further notice.
    • Any sensitive requests (payments, client changes, data requests) must be verified through a separate channel.

This is not overreaction; it prevents secondary phishing and fraud escalation.

2. Regain control

    • Reset your password to a unique, complex password that is not reused anywhere else – password managers (such as NordPass and Dashlane) come in handy here.
    • If possible, force sign-out from all active sessions and devices.
    • Ensure MFA is enabled (preferably via an authenticator app rather than SMS).

If you can’t access your account, escalate immediately to IT/security for account lockout and recovery.

3. Check for malicious changes

Attackers often put measures in place to maintain access and keep coming back. Make sure you check:

    • Inbox rules (especially “move to archive”, “delete”, or “mark as read”).
    • Hidden or suspicious forwarding rules to external addresses.
    • Any newly granted mailbox delegation or permissions.

Immediately remove anything you do not recognise.
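The checks above can be run in one pass from Exchange Online PowerShell rather than clicked through in Outlook settings, which is useful when IT is reviewing a mailbox on the adviser’s behalf. The script below is an added example, not Parmenion’s own tooling; it assumes the ExchangeOnlineManagement module is installed, that the operator holds a role able to read mailbox configuration, and it uses a placeholder mailbox address.

```powershell
# Added example (not from the original article). Audit one Microsoft 365 mailbox
# for the persistence mechanisms described in step 3: inbox rules that hide or
# forward mail, mailbox-level forwarding, and delegated access.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline            # interactive sign-in as an admin

$Mailbox = "adviser@example.com"  # placeholder: replace with the affected account

# 1. Inbox rules, including hidden ones. Flag anything that deletes, hides,
#    moves, forwards or redirects messages; those are the classic attacker rules.
$rules = Get-InboxRule -Mailbox $Mailbox -IncludeHidden
foreach ($r in $rules) {
    $flags = @()
    if ($r.DeleteMessage) { $flags += "deletes" }
    if ($r.MarkAsRead)    { $flags += "marks as read" }
    if ($r.MoveToFolder)  { $flags += "moves to '$($r.MoveToFolder)'" }
    if ($r.ForwardTo -or $r.ForwardAsAttachmentTo -or $r.RedirectTo) {
        $flags += "forwards/redirects externally?"
    }
    if ($flags.Count -gt 0) {
        "[RULE] '$($r.Name)' (Enabled=$($r.Enabled)): " + ($flags -join ", ")
    }
}

# 2. Mailbox-level forwarding. This is separate from inbox rules and is easy
#    to miss because it never appears in the user's rule list.
Get-Mailbox -Identity $Mailbox |
    Select-Object DisplayName, ForwardingAddress, ForwardingSmtpAddress, DeliverToMailboxAndForward

# 3. Delegation: Full Access and Send As granted to anyone other than the owner.
Get-MailboxPermission -Identity $Mailbox |
    Where-Object { $_.User -notlike "NT AUTHORITY\SELF" -and -not $_.IsInherited } |
    Select-Object User, AccessRights
Get-RecipientPermission -Identity $Mailbox |
    Where-Object { $_.Trustee -notlike "NT AUTHORITY\SELF" } |
    Select-Object Trustee, AccessRights

# 4. Remediation, run deliberately against each unrecognised item once reviewed:
#    Remove-InboxRule -Mailbox $Mailbox -Identity "<rule name>"
#    Set-Mailbox -Identity $Mailbox -ForwardingSmtpAddress $null `
#        -ForwardingAddress $null -DeliverToMailboxAndForward $false
#    Remove-MailboxPermission -Identity $Mailbox -User "<delegate>" -AccessRights FullAccess
```

Record the output before removing anything: the rule names, forwarding targets and delegate identities are evidence for the assessment in step 8.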

4. Review recent sign-in activity

Check for:

    • Logins from unfamiliar locations or devices.
    • Sign-ins at unusual times.
    • Repeated failed login attempts followed by success (credential stuffing indicators).
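Reviewing sign-in activity by eye works for a handful of entries, but the three indicators above are easy to express as a script over the Entra ID sign-in log. The function below is an added example rather than anything from the article; it is written for the objects returned by Get-MgAuditLogSignIn (Microsoft.Graph.Reports module), and is run here against a small constructed sample so it works offline. The expected-country list, the working-hours window and the failure threshold are assumptions to tune per adviser.

```powershell
# Added example (not from the original article). Flag the sign-in indicators
# from step 4: unexpected countries, out-of-hours successes, and runs of failed
# attempts from one IP followed by a success (the credential-stuffing pattern).
function Find-SuspiciousSignIns {
    param(
        [Parameter(Mandatory)] [object[]] $SignIns,
        [string[]] $ExpectedCountries = @("GB"),  # assumption: where the adviser normally works
        [int] $WorkStartHour = 7,                  # assumption: working window, in UTC
        [int] $WorkEndHour   = 20,
        [int] $FailureThreshold = 3
    )
    $findings = New-Object System.Collections.Generic.List[object]
    $ordered  = $SignIns | Sort-Object { [datetime]$_.CreatedDateTime }

    foreach ($s in $ordered) {
        $when    = ([datetime]$s.CreatedDateTime).ToUniversalTime()
        $ok      = ($s.Status.ErrorCode -eq 0)          # 0 = successful sign-in
        $country = $s.Location.CountryOrRegion
        if ($ok -and $country -and ($ExpectedCountries -notcontains $country)) {
            $findings.Add([pscustomobject]@{ Time = $when; IP = $s.IPAddress
                Indicator = "Successful sign-in from unexpected country $country" })
        }
        if ($ok -and ($when.Hour -lt $WorkStartHour -or $when.Hour -ge $WorkEndHour)) {
            $findings.Add([pscustomobject]@{ Time = $when; IP = $s.IPAddress
                Indicator = "Successful sign-in outside working hours" })
        }
    }

    # Per source IP, in time order: count consecutive failures and report a
    # success that follows at least $FailureThreshold of them.
    foreach ($group in ($ordered | Group-Object IPAddress)) {
        $failures = 0
        foreach ($s in $group.Group) {
            if ($s.Status.ErrorCode -ne 0) { $failures++; continue }
            if ($failures -ge $FailureThreshold) {
                $findings.Add([pscustomobject]@{
                    Time = ([datetime]$s.CreatedDateTime).ToUniversalTime(); IP = $group.Name
                    Indicator = "$failures failed attempts followed by success" })
            }
            $failures = 0
        }
    }
    return $findings
}

# Constructed sample in the shape of Get-MgAuditLogSignIn output. The IPs are
# documentation ranges and the error code 50126 is Entra's "invalid credentials".
$sample = @(
    [pscustomobject]@{ CreatedDateTime = "2024-05-01T09:12:00Z"; IPAddress = "203.0.113.5"
        Status = @{ ErrorCode = 0 };     Location = @{ CountryOrRegion = "GB" } },
    [pscustomobject]@{ CreatedDateTime = "2024-05-02T03:31:00Z"; IPAddress = "198.51.100.7"
        Status = @{ ErrorCode = 50126 }; Location = @{ CountryOrRegion = "US" } },
    [pscustomobject]@{ CreatedDateTime = "2024-05-02T03:33:00Z"; IPAddress = "198.51.100.7"
        Status = @{ ErrorCode = 50126 }; Location = @{ CountryOrRegion = "US" } },
    [pscustomobject]@{ CreatedDateTime = "2024-05-02T03:36:00Z"; IPAddress = "198.51.100.7"
        Status = @{ ErrorCode = 50126 }; Location = @{ CountryOrRegion = "US" } },
    [pscustomobject]@{ CreatedDateTime = "2024-05-02T03:40:00Z"; IPAddress = "198.51.100.7"
        Status = @{ ErrorCode = 0 };     Location = @{ CountryOrRegion = "US" } }
)
Find-SuspiciousSignIns -SignIns $sample | Format-Table -AutoSize

# Against the real log for the affected account (placeholder address):
#   Connect-MgGraph -Scopes "AuditLog.Read.All","Directory.Read.All"
#   $real = Get-MgAuditLogSignIn -Filter "userPrincipalName eq 'adviser@example.com'" -Top 500
#   Find-SuspiciousSignIns -SignIns $real
```

On the sample, the 03:40 success from 198.51.100.7 is reported three times: unexpected country, out of hours, and three failures followed by success. A single sign-in that trips all three is exactly the entry that should be escalated and its session revoked.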

5. Scan sent items and deleted items

Look for:

    • Emails you didn’t send (especially password resets, invoice changes, or “urgent” requests).
    • Messages sent to internal IT/Finance teams.
    • Any outbound phishing emails. This step is key to assessing whether your account has been used to send phishing emails to others.

6. Secure and strengthen your account

Once access is restored:

    • Ensure MFA is enabled.
    • Remove outdated or insecure login methods.
    • Confirm recovery details (email and phone number) are correct.
    • Review connected apps or third-party integrations with mailbox access and revoke anything unnecessary.

7. Notify and monitor

    • Inform key contacts (internal and external) that the account has now been secured.
    • Monitor for suspicious activity such as bounced emails you didn’t send, new login attempts, unexpected password reset emails or MFA prompts, or contacts reporting suspicious emails “from you”.

8. Assess and report

If client data, financial information, or sensitive communications have been exposed, the incident may constitute a reportable event under internal policies or regulatory requirements.

Build stronger defences against hackers

Most of these compromises are preventable with these four high-impact controls in place: 

  • Mandatory MFA across all adviser accounts. 
  • Elimination of password reuse through password managers.
  • Regular phishing awareness training highlighting recent trends / techniques.
  • Rapid reporting culture for suspicious emails (“better to over report than under report”).

A compromised adviser mailbox is more than an IT issue – it’s a direct attack on client trust. The organisations that respond best are the ones that move quickly: contain the breach, communicate clearly, and strengthen defences before attackers can exploit that trust further.

Check out another article in our ongoing #InfoSec series: Three cyber security risks everyone should be aware of 🠖 

This article is for financial professionals only. Any information contained within is of a general nature and should not be construed as a form of personal recommendation or financial advice. Nor is the information to be considered an offer or solicitation to deal in any financial instrument or to engage in any investment service or activity.

Parmenion accepts no duty of care or liability for loss arising from any person acting, or refraining from acting, as a result of any information contained within this article. All investment carries risk. The value of investments, and the income from them, can go down as well as up and investors may get back less than they put in. Past performance is not a reliable indicator of future returns.