Financial advisers and IFAs handle client instructions, transfers and sensitive suitability data by email, under an FCA regime that expects operational resilience. If your domain can be impersonated, a criminal can pose as your firm to clients, providers and platforms.

How Financial Advisers get targeted

Adviser impersonation and transfer fraud

A client receives updated payment or transfer instructions that look like they came from you. Pension and investment sums are large and often one-off, exactly what fraudsters want.

Provider and platform spoofing

Fake emails in your name reach providers and platforms, or fake provider emails reach you, to redirect funds or harvest login details.

FCA operational resilience

The FCA expects firms to manage the risk of disruption and fraud. A spoofable domain is a known, avoidable weakness that is hard to justify after an incident.

SM&CR accountability

Under the Senior Managers regime, responsibility for these controls sits with named individuals. "We assumed IT had it" is not a comfortable position to defend.

What this looks like in practice

A client emailed their adviser to move a lump sum into a new pension. A day later they received a reply, from what looked exactly like the adviser, with "corrected" bank details. It was a spoof: the firm domain had no DMARC enforcement. The client sent the money to a criminal and held the firm responsible.

Your quick checklist

  • DMARC set to reject on your firm domain
  • SPF covering your email, back-office and platform integrations
  • MFA on all mailboxes
  • A written rule that payment and transfer instructions are confirmed by phone
  • Awareness training for advisers and administrators
  • Each trading domain checked separately

Questions we get asked

Our platform and back-office are secure. Is that enough?

Those secure their own logins. Email authentication is set on your firm domain and is a separate control that is often missing. The free check shows your domain status whatever platform you use.

Does the FCA require SPF, DKIM and DMARC by name?

Not by name, but it expects appropriate measures against fraud and disruption. Email authentication is a recognised, low-cost control. If client money were lost to a spoof and your domain had no protection, that gap would be difficult to defend.

We are a small firm with an outsourced IT provider. Whose job is this?

Under SM&CR the accountability stays with your senior managers even when the work is outsourced. Run the free check, then give the result to your IT provider and confirm they have closed any gaps.

Run the free check above to see whether your firm domain can be impersonated, and get a plain-English list your IT team can action.