Subscribe to read:

Barclays tightens email security after Jes Staley hoax

Upgrade your account to read:

Barclays tightens email security after Jes Staley hoax

Digital or Premium Digital

You can also subscribe to the FT Digital or Premium Digital with Google

Banks

Barclays tightens email security after Jes Staley hoax

Prankster pretending to be UK bank’s chairman exposed weaknesses in email system

Barclays’ chief executive Jes Staley © Reuters

Barclays has tightened its email security to avoid a repeat of the embarrassment caused earlier this month when the bank’s chief executive responded to a message from a prankster posing as his chairman.

The British bank had left itself exposed to hoax and malicious messages because of the way it configured its system, according to several senior bankers. It is now fixing this weakness by strengthening the security of its email controls.

After a bruising annual meeting this month, Barclays’ chief executive Jes Staley replied to an email purporting to be from John McFarlane, which was in fact from a disaffected Barclays customer using the Gmail account john.mcfarlane.barclays@gmail.com.

To prevent a recurrence of the security lapse, Barclays has decided to activate a warning message whenever an employee sends a message to an external email address on a mobile device, which previously only happened on desktop computers. Barclays declined to comment on the move.

If you try to be too clever or it’s too spurious or forced it will more than likely get rumbled. Keep it short to begin with and ideally reference something that will ring true

Prankster

Executives at US and Swiss banks said they already received such alerts on both mobile and desktop devices. The alerts can help to catch malicious or hoax messages by showing the recipient’s full email address, which may otherwise be hidden.

Cyber security experts and rival bankers said the lapse at Barclays exposed the fact that many senior executives and chairmen continue to use personal email accounts and lack the training needed to avoid the pitfalls of the online world.

“Now other criminal organisations will be aware that these big banks are susceptible to a hack like this,” said Luke Vile, director of 2-sec, a cyber security consultancy. “What the banks may have been slow in doing is training senior executives and board members, which can be a bit awkward: how do you tell your boss they are wrong.”

In Mr Staley’s email exchange with the prankster, first reported by the Financial Times’s Alphaville blog, he responded to an initial message of support by showering praise on the person he assumed was his chairman.

Mr McFarlane spent much of his time at the annual meeting defending his decision not to fire the CEO, who was heavily criticised by shareholders for his recent attempt to unmask a whistleblower.

Mr Staley replied to the prankster: “You are a unique man, Mr McFarlane. You came to my defense today with a courage not seen in many people. How do I thank you?

“You have a sense of what is right, and you have a sense of theatre,” he added. “You mix humor with grit. Thank you John. Never underestimate my recognition of your support. And my respect for your guile.”

After more hoax messages he concluded: “Thanks for sharing the foxhole.”

The prankster told the FT that he counted on the fact that most email software does not show the full email address unless a user clicks on the sender’s name. He added that he usually wrote “sent from iPhone” at the bottom of a hoax message to avoid needing to mimic the legal disclosures that accompany most corporate emails.

“If you try to be too clever or it’s too spurious or forced it will more than likely get rumbled,” said the prankster, who asked not to be named. “Keep it short to begin with and ideally reference something that will ring true. People accept a bit of bizarre once they feel they’re in the saddle of the communication.”

Copyright The Financial Times Limited . All rights reserved. Please don't copy articles from FT.com and redistribute by email or post to the web.