_Part 9 of 18 in the Digital privacy for board directors series._
This post is unglamorous and it is the one that pays back the most reliably. The financial and identity layer of personal privacy — banks, mortgage, credit, tax, the family office, the joint accountant — is where the actual financial damage from compromise gets done, and where most board directors have spent the least time. The compromise pattern is well-understood, the controls are well-understood, and the controls are mostly free.
I am writing this from the perspective of someone who has seen the post-compromise recovery work for several senior executives. The pattern is consistent. The work to prevent it is, in each case, work the executive could have done in a weekend three years earlier.
## What the compromise pattern actually looks like
Here are three of the most common scenarios I have seen.
**Identity reconstruction from public sources.** An attacker collects Companies House records, LinkedIn profile, an old electoral roll entry, a press interview, and a Facebook profile (yours or a family member's). From these they have your name, date of birth, addresses (current and historical), mother's maiden name (often inferable), school history, employment history, and approximate net worth. They then use these to apply for credit in your name, open mobile phone contracts to receive your SMS authentication codes, or impersonate you to your existing financial institutions.
**Mortgage and conveyancing fraud.** A property transaction is in progress. The attacker compromises the email of one party — usually the solicitor's office, sometimes the estate agent — and at the moment when the completion funds are due to move, sends updated bank details from the apparently-legitimate email. The funds go to the attacker. The buyer's home purchase fails. Recovery is partial, slow, and litigious.
**Family-office channel impersonation.** The director uses a personal assistant or family-office staff member to handle routine financial admin. The attacker compromises the assistant's email or impersonates the director. Through the assistant, the attacker initiates transactions or extracts sensitive information. This pattern is the most common one I see in board-director-specific incidents and the least covered in mainstream privacy guidance.
In each scenario the controls that would have caught it are not technical. They are procedural.
## The four-step weekend
If you give yourself a Saturday and a Sunday, you can address most of the financial and identity hygiene gap.
**Step one: credit freeze.** The UK does not have a true credit freeze the way the US does, but the three Credit Reference Agencies — Experian, Equifax, and TransUnion — all offer protective registration with Cifas, the UK fraud prevention service. The Cifas Protective Registration flag costs £25 for two years and signals to all financial institutions that additional identity checks should be applied to any application in your name. For any board director who has been targeted, has had data exposed in a known breach, or is simply higher-risk than average, this is a one-evening, £25, durable control. There is no good reason for any senior executive in 2023 not to have it.
**Step two: review your bank's authentication.** Log in to every UK bank account you hold. Confirm that MFA is enabled. Confirm that the registered phone number is current and that you have not left an old number on file (a common pattern: the backup phone number is on an old SIM you no longer control, which means a SIM swap on that number gives an attacker your codes). Confirm that the bank's "call us before processing a large transaction" threshold is set sensibly. Most banks now offer a trusted-contact option for older account holders; the equivalent for high-profile customers is premier banking or private banking relationship management, where the bank knows you and will call to verify unusual transactions. Use it.
**Step three: review the paper post.** This sounds anachronistic. It is not. The paper post arriving at your front door includes bank statements, credit-card statements, tax demands, NHS letters, school correspondence, and (for executives at senior level) board papers. A meaningful fraction of identity-fraud cases start with mail interception — either at the address (bins, doorstep, redirected post) or earlier in the postal chain. The defences: a lockable letter-box if you do not have one; a Royal Mail redirection set up if you move; statements switched to digital where you are confident in the digital channel; and any redundant paper destroyed with a cross-cut shredder, not put in the household recycling.
**Step four: separate financial channels from personal channels.** For any high-value transaction — house purchase, business loan, large investment, school fees over a certain threshold — establish in advance the exact channel you will use to confirm bank details: "I will call you on this number, which we agreed at the start, to verify any changes." Write the channel down. The May post in the small-business series ("Email is the front door", if you can find it once we get there) covers the parallel work for the firm; the personal version is the same control applied to your own affairs.
## The family office and the joint accountant
For directors who use a personal assistant, family-office staff, or a joint accountant who handles personal financial administration, the procedural defences are particularly important.
**The standing rule about bank-detail changes.** Any change to where money goes — supplier accounts, contractor accounts, household contractor accounts, holiday accommodation, anything — must be verified by a phone call to a number known in advance. No exceptions. The rule is communicated to anyone who handles your finances. It is written down.
**The named-channel rule.** Sensitive financial discussions happen on a named channel (a specific email address, a specific phone number, a specific messaging app). Anything sensitive that arrives on a different channel is, by default, treated as suspicious until verified.
**The annual review of who has access to what.** Once a year — pick a date and stick to it — list every person who can see your financial information: bank relationship managers, accountants, family-office staff, lawyers, mortgage advisors, financial planners. For each, list what they can see. Compare that to what they need to see. Remove access where the relationship has ended or the access is broader than necessary.
These three procedural controls catch the great majority of family-office impersonation incidents. They are not expensive. They are not technical. They require only the discipline of having written them down.
## The school-fees and conveyancing dimensions
Two specific high-friction moments worth a paragraph each.
**School fees.** Independent school fee payment is a regular high-value transfer that follows a predictable schedule. Attackers know this. The standing pattern: an email from the bursar with updated bank details arrives shortly before fees are due. Apply the "call the bursar on a known number" rule. The school will not be offended; in fact, most schools now explicitly request this.
**Conveyancing.** House purchases and remortgages are the highest single-transaction risk in most households. The solicitor's office will, if it has any sense, send you a written warning about this exact fraud at the start of the transaction. Believe them. The "new bank details" email at the moment of completion is the canonical fraud, and the only defence is the "call to verify" rule. If you are about to move house, agree the verification channel with your solicitor at the first meeting, not at the moment of transfer.
## What you should not be doing
Three things that are sometimes suggested and which I think are usually wasted effort.
**Removing your name from Companies House.** You cannot, beyond the limited mechanisms for individuals at credible risk (which most directors do not meet). Effort is better spent elsewhere.
**Removing your historical electoral roll entries.** Largely impossible. Your historical address record is, for practical purposes, permanent. The defences are forward-looking.
**Paying for dark web monitoring services.** Most are theatre. Cifas Protective Registration provides more practical protection at a lower cost. Have I Been Pwned (free) covers most of what the paid services claim to do.
## What this month looks like
The four steps above, over one weekend. The Cifas registration takes ten minutes online. The bank-MFA and trusted-contact review takes an hour per account, so a few hours in total. The paper-post audit takes an evening. The procedural rules with assistants and accountants take a separate conversation each.
In five weeks: the work side — the public exposure your board role creates, and what to do about it.