When did email become the weakest link in advice?

By Amy North

There’s a moment most advisers have had.

You send something important to a client, maybe a recommendation, maybe documents, maybe something time-sensitive.

And then, just for a second, you hesitate.

Did that go to the right person? What if they forward it? What if it gets intercepted?

We don’t always say it out loud, but there’s a quiet discomfort with how much of the advice process still runs through email.

And the reality is, that discomfort is justified.

 

Email isn’t just outdated, it’s exposed

We’ve got used to email because it’s easy. It’s familiar. Everyone has it.

But from a risk perspective, it’s doing a lot of heavy lifting it was never designed for.

The latest Cyber Security Breaches Survey 2025 makes that pretty clear. Phishing alone now affects 85% of businesses, making it the most common and disruptive type of cyber attack.

If you want to dig into the findings, the UK Government summary is worth a read:

Cyber security breaches survey 2025

And this isn’t just the obvious scams anymore.

Attacks are:

  • Targeted
  • Personalised
  • Often indistinguishable from legitimate communication

Some even use AI to mimic tone, writing style, and context.

Which means the weak point isn’t always your systems.

It’s your communication layer.

 

Why this matters more for advice firms

In most industries, a dodgy email is annoying.

In financial advice, it’s something else entirely.

You’re dealing with:

  • Sensitive personal data
  • Investment instructions
  • Life savings, pensions, inheritances

If something goes wrong, it’s not just an IT issue. It’s:

  • A client trust issue
  • A regulatory issue

The FCA has been increasingly clear on operational resilience and protecting client data as part of good outcomes under Consumer Duty: https://www.fca.org.uk/firms/consumer-duty

And once that trust is shaken, it’s incredibly hard to rebuild.

 

The uncomfortable truth

Most firms haven’t consciously chosen email as their primary communication tool.

It’s just… what’s always been there.

But when you step back, it creates a few problems:

  • No real control once it’s sent
  • No guaranteed identity verification
  • No consistent audit trail across conversations
  • Heavy reliance on clients spotting red flags themselves

That last one is the bit that should make everyone pause.

Because we’re effectively asking clients to be part of our security framework.

 

What better looks like (in practice)

This isn’t about throwing everything out and starting again.

It’s about being more deliberate with how client communication is handled.

We’re seeing a shift towards more secure, controlled environments.

 

1. Moving sensitive communication off email

Not everything needs to leave your ecosystem.

Client portals and secure messaging platforms create:

  • Controlled access
  • Verified identities
  • A consistent communication history

For example, this piece on Plannr’s mobile app shows how platforms are evolving to centralise and secure client interaction: https://professionalparaplanner.co.uk/plannr-technologies-launches-mobile-app/

 

2. Rebuilding trust through clarity, not just security

Security isn’t just technical.

It’s also about how things feel to the client.

If a client receives:

  • A branded notification
  • From a platform they recognise
  • In a consistent format

They’re far more likely to trust it, and less likely to fall for something that sits outside that pattern.

There’s also a broader industry push towards improving digital communication standards, something covered well here: https://www.ftadviser.com/your-industry/2024/02/06/how-advisers-can-improve-client-communication/

 

3. Treating communication as part of your advice process

This is the big one.

Communication isn’t just admin. It’s part of suitability.

If a client misunderstands something because:

  • It was buried in an email chain
  • Sent as an attachment they didn’t open
  • Or mixed in with five other threads

That’s not just inconvenient.

It can affect outcomes.

 

A quick sense-check for your firm

If you’re not sure where you stand, these are worth asking:

  • Would we be comfortable if every client email we send was intercepted?
  • Could we prove exactly what a client has seen and acknowledged?
  • Are we relying on clients to identify suspicious messages themselves?
  • Do our communication tools reflect the value and sensitivity of the advice we give?

If any of those feel a bit uneasy, you’re not alone.

 

This isn’t about fear, it’s about maturity

Cyber risk isn’t new.

What’s changed is the level of sophistication and the expectation around how firms respond to it.

We’re also seeing a shift in how businesses think about it internally.

The survey highlights increasing adoption of things like:

  • Cyber risk assessments
  • Formal security policies
  • Business continuity planning

But interestingly, only a relatively small proportion of firms consider cyber risk deeply when choosing new software.

Which probably explains why communication is still lagging behind.

 

Final thought

Most advice firms spend a lot of time refining:

  • Investment strategies
  • Suitability reports
  • Client journeys

But the way those things are actually delivered to clients often hasn’t kept up.

And that gap is where risk creeps in.

 

© 2026 We Complement | Privacy Policy
We Complement Limited registered in England & Wales under company number 13689379, ICO number ZB427271. Registered address: Old Brewery Business Centre, Castle Eden, Co. Durham, TS27 4SU.