Email fraud prevention: what every financial advisor needs to know about cybersecurity

Email fraud rarely announces itself with flashing warnings or obvious signs. Instead, it can slip quietly into your inbox disguised as a routine client request from a familiar address. In 2024, Canadians lost more than CAD$84 million to email cybercrime.

Advisors are trained to recognize risk in markets and portfolios, but your inbox deserves equal vigilance. Even standard requests can be fraudulent, and your judgment and process can be all that stands between your clients and a serious financial loss.

Recognizing risk in routine messages

It’s easy to trust messages that look and sound like those from your clients. Over time, the rhythm of regular communication builds a kind of muscle memory where anything that follows a familiar pattern can feel safe.

But criminals are adept at mimicking tone, style, and timing. They may send requests from real accounts that read exactly as a client would write. Before you act on any client’s instruction, consider whether it truly aligns with your understanding of them or only seems to. Be aware of small irregularities that can indicate a much larger problem.

Written client instructions are insufficient

A written email, no matter how authentic on the surface, isn’t enough. Scams often bypass technical barriers and exploit trust. Messages may urge quick action or warn of consequences for delay—classic pressure tactics. Regulations and best practices now recognize that written instructions alone are insufficient for sensitive transactions.

Treat urgency, secrecy, or sudden changes as reasons to pause and verify. Your role isn’t just to execute orders but to protect your clients' broader financial interests.

Verbal confirmation is required

Transfers, withdrawals, and changes to account details should never proceed without a voice on the other end. Verbal confirmation—using the phone number you already have, not one provided in the message—is required under know-your-client and anti-money laundering regulations.

This simple step clarifies instructions in real time and demonstrates your commitment to security. If you can’t reach the client, stop. No exceptions. A short conversation can prevent a long trail of trouble, and a minor delay is a small price to pay compared to the aftermath of fraud.

Detecting phishing emails: spotting the signs

Convincing emails can nevertheless contain anomalies that signal potential fraud. Keep an eye out for:

  • Slight shifts in tone or urgency
  • New banking details that haven’t been previously discussed
  • Messages sent at odd hours and/or with vague instructions
  • Anything that feels out of character for the client

Fraud often hides in the details, and minor inconsistencies may be your only clue. Always verify client instructions by phone or in person before acting.

Your judgment is the first line of defence

Technology filters some threats, but informed human judgment stops the rest. Advisors are often the first line of defence, and early action can tip the balance. The more ordinary a message seems, the more crucial it is to look twice.

Turning these checks into habit helps build safeguards into your process and lasting trust with clients. For more information, visit the Manulife fraud prevention centre.

FAQs

What makes email fraud more challenging to detect today?
Criminals often use real client accounts to send messages that look and sound legitimate. These emails rely on familiarity, not obvious warning signs.

What are the most common signs of phishing in client emails?
Look for subtle shifts in tone, urgency, or timing. New banking details, vague instructions, or anything outside the client’s usual communication style should prompt a second look.

What should I do if I suspect a phishing attempt?
Pause the transaction and escalate the issue to your branch manager. Acting early can prevent larger problems.

Why is phone verification required for certain requests?
It’s required under know-your-client and anti-money laundering regulations and helps confirm intent. A live conversation ensures the request is valid and protects both the advisor and the client.

Can fraud happen even if the email address is correct?
Yes. Criminals use compromised accounts to send convincing messages. The address may be familiar, but the content could be deceptive.

How can I follow client email security best practices?
Stay alert, verify requests by phone, and report anything suspicious. Encourage clients to use secure email practices and avoid sending sensitive information without encryption.

The Advisor and Manulife Wealth Inc. and/or Manulife Wealth Insurance Services Inc. ("Manulife Wealth") do not make any representation that the information in any linked site is accurate and will not accept any responsibility or liability for any inaccuracies in the information not maintained by them, such as linked sites. Any opinion or advice expressed in a linked site should not be construed as the opinion or advice of the advisor or Manulife Wealth. The information in this communication is subject to change without notice.

MW 4955394

Manulife Wealth
