top of page
Writer's pictureAdempi

Tackling an Invisible Threat: Cyber Security and Social Engineering in the UK Financial Services Sector

Updated: Nov 18

Happy woman holding tablet with her face displayed on a screen isolated on binary code background

The financial services landscape is ever more interconnected, and UK firms face a growing threat from cyber criminals. With social engineering attacks on the rise, senior managers and compliance teams are increasingly turning their attention to a vulnerability that can’t simply be patched with software updates: human error.


Understanding the nature of social engineering, and implementing robust, targeted training for staff, is now essential in safeguarding a firm’s assets and reputation.


A quick note about us: Awarded 'Best Training Provider' at the 2023 Compliance Register Awards, Adempi Associates delivers cyber security and social engineering eLearning plus 40+ compliance courses. Book a demo today for practical, impactful training that works.


Understanding the Social Engineering Threat


Social engineering, simply put, is the art of manipulating people into giving up confidential information.


Unlike technical hacks, social engineering attacks exploit human psychology. Attackers bypass technological barriers by influencing individuals to reveal sensitive data or perform actions that compromise security.


Phishing, spear phishing, and pretexting are some of the most common social engineering techniques, where attackers impersonate trusted contacts or institutions.


The 2023 CBEST thematic report from the FCA and Bank of England highlights that incidents of business email compromise (BEC), a sophisticated form of phishing, have become alarmingly common, with fraudsters deceiving employees into transferring funds or disclosing critical information.


The report underscores that financial firms, with their valuable data, are prime targets.

A well-placed social engineering attack can bypass even the most robust technical defences, making this an issue that compliance leaders cannot afford to overlook.


The True Cost of Social Engineering in Financial Services


The cost of social engineering attacks extends beyond immediate financial losses. A successful attack can damage a firm’s reputation, erode client trust, and attract regulatory scrutiny. In their Good cyber security ‒ the foundations infographic, the FCA cautions that disruptions from cyber incidents can significantly impact not just the affected firm but the stability of the wider financial sector. “We expect you to be able to protect the sensitive information you hold,” the FCA notes, a clear reminder of the regulatory pressure on financial firms to ensure adequate security.


This threat is not only about financial loss but about preserving credibility and trust. Compliance teams, especially heads of compliance, should consider the long-term damage that these attacks can inflict, knowing that customers and clients increasingly seek assurances that their data is safe.


Combatting Social Engineering with Effective Staff Training


To counteract these threats, compliance and security strategies must focus on equipping the workforce with the knowledge and skills needed to identify and avoid social engineering attacks.


The FCA guidance encourages regular, comprehensive training programs as a frontline defence against these sophisticated threats. Here are several key elements of an effective staff training program:


1.    Awareness and Vigilance

Training programs should begin with a clear understanding of common social engineering tactics. Employees need to recognise when an email or phone call may be suspicious, particularly if it asks for sensitive information or immediate action. Firms can raise awareness by regularly updating staff on recent fraud trends and providing real-world examples to bring the training to life.


Closeup view of an internet browser with

2.    Identifying Red Flags

Encouraging staff to pause and scrutinise requests that seem unusual, such as urgent transfers or confidential information requests, is critical. Attackers often create a false sense of urgency to prompt quick, unchecked responses. Firms should empower their teams to spot red flags and feel confident in double-checking unusual requests.


3.    Incident Response

Every firm should have a robust incident response plan, and staff must know the steps to take if they suspect they are being targeted. This includes knowing who to report to and understanding the importance of quick action to limit potential damage.


4.    Ongoing Training and Refresher Courses

Training on social engineering should be an ongoing commitment, not a one-time event. Social engineering tactics evolve, and so should training. Regular refresher courses ensure that employees stay informed and vigilant.


The CBEST framework advises continuous testing and improvement of cyber resilience measures to help firms stay one step ahead of attackers.


Cyber security is about more than just technology—it’s about empowering people to make safe choices. Firms must equip their people with the knowledge and confidence to identify and respond to social engineering threats.Gillian Roche-Saunders, Partner at Adempi Associates

Once staff are trained and understand the basics of social engineering awareness, additional bespoke training can be provided on verification protocols so as to add an essential additional layer of defence. This further training should incorporate “trust but verify” practices, encouraging employees to independently confirm the legitimacy of requests—particularly those involving financial transactions or sensitive information.


This step reinforces vigilance, ensuring that even if an attack gets past initial defences, an added check can prevent unauthorised actions and bolster the firm’s overall security.


The Role of Compliance Leaders in Cyber Security


Heads of Compliance and senior managers within firms play a pivotal role in implementing and overseeing these training initiatives.


It is their responsibility to champion a culture, from the top down, where vigilance against cyber threats is second nature. By doing so, they protect not only their firm’s assets but also its reputation and client trust. “People are an integral part of the cyber security chain,” the FCA states in their Good cyber security – the foundations document, underscoring the need for every individual in the firm to be equipped to prevent and respond to threats.


Why Training is a Wise Investment


Investing in training programs might feel like a significant expense, but the cost of not doing so can be far greater.


With cyber-attacks rising by as much as 1,700% since 2014, according to FCA data in their Good cyber security – the foundations document, even one incident can have catastrophic financial and reputational consequences. The cost of regulatory fines, potential legal action, and lost business is a steep price to pay for neglecting staff training. By prioritising ongoing training and awareness, UK financial services firms can build a strong defence against social engineering threats.


When compliance leaders invest in building a workforce equipped to recognise and counter these threats, they position their firms to not only meet regulatory expectations but to foster a culture of security that clients and customers can trust.


Cyber security training with Adempi Associates


Compliance training doesn’t have to be a dull tick-box exercise.


At Adempi Associates, we believe it can be something far more engaging and effective. With options for in-person sessions, eLearning, and hybrid models, we ensure that every minute your team spends in training delivers real value and insight.


Image of training talking to a room of trainng attendees

Our commitment to quality has earned us the title of 'Best Training Provider' at the 2023 Compliance Register Awards—and we're proud of the impact our clients say it’s making. Designed specifically for FCA-regulated firms, our courses are crafted to meet the unique needs of your firm’s size, sector, and activities.



Enhance Your Training with Custom Options:


  • AI-powered knowledge assessments to ensure training impact lasts

  • A blend of eLearning, in-person courses, and workshops

  • Customised training paths, including courses specific to your firm, such as new joiner sessions


For those who want to take the next step, our training platform offers an in-depth course on cyber security, with a dedicated content on social engineering.


Outside of cyber security, you can choose from over 40 other courses from us, with regular updates and bespoke options upon request.


Ready for training that works for you? Contact us or book a demo today to make compliance training engaging, practical, and impactful.

Comments


bottom of page