In March, MCS stopped cyber-thieves’ attempts to steal money from two of our clients’ accounts. Using our clients’ own email accounts, the thieves sent us instructions to transfer money from our clients’ accounts to third party accounts. While our internal procedures thwarted those efforts, the frequency and sophistication of these cyber-attacks is alarming. In an unrelated instance, identity thieves used a third client’s personal information to open bank and credit card accounts.
How did these thieves know to contact MCS? How did they get enough of our clients’ personal information to attempt these crimes? While it is a threat when big companies have their customer data stolen, it turns out that we can be our own worst enemies in the security chain.
In the first two instances, thieves hacked our clients’ Gmail and AOL accounts. Once the hackers had control of our clients’ email accounts, they scanned saved messages for terms like “money transfer”, “account” or “investment.” That led the thieves to us (and any other financial firms that our clients deal with), and it taught them how our clients communicate with MCS. The scammers then emailed us distribution requests, posing as our clients and using our clients’ email accounts. The hackers cleverly covered their tracks so our clients had no idea that someone was using their email accounts. When we responded to the emails, the hackers had set up a rule in each clients’ email account that automatically forwarded incoming MCS email to another address. Until we contacted them by phone to warn them of the hack, our clients had no idea someone had control of their email accounts.
My third story of financial fraud is from a client who was a victim of identity theft – someone had used his personal information to open bank and credit card accounts, then withdrew money from the bank and made charges to the credit cards in our client’s name. This form of theft is less common but much more difficult to unwind, because the onus is now on our client to prove that he did not open the accounts or make the charges. It is a long and tedious process to isolate the fraudulent accounts and make sure his legitimate accounts are secure.
These scams are not limited to individuals, either. In fact, if you own or are an executive of a company, you should be aware that one of the newest and most successful scams involves private and public companies with internal control flaws. According to this Reuters article1, companies across 79 countries have been duped into wiring out over $2 billion to cyber-thieves. These highly coordinated and sophisticated operations use phishing attacks to install a virus in a business’s network and gather information about who the executives, vendors and customers are and how they communicate. They may use social media or internal email to track the executives and find an optimal time to stage the attack (for example, when the executive is traveling or at a conference). Using fake email accounts for the company’s executive(s), people posing as lawyers and accountants contact corporate treasurers and finance officers and order large transfers to the accounts controlled by the thieves.
Other scary cyber-threats are ransomware (programs that encrypt your computer files and will delete everything from your hard drive unless you pay a ransom for the code that unlocks your computer) and other malware that can give a criminal access to and control of your computer.
What are Cyber-Theft and Identity-Theft
Cyber-theft is defined as using a computer to take personal information and then using that information illegally. Cyber-criminals can access your email account by guessing your password (especially simple passwords), by ‘snooping’ on your Internet connection if you use a public or unsecured connection (a home Wi-Fi connection that does not have a password, or a public Wi-Fi connection at an airport or other public space). Another way cyber-criminals attack is by ‘phishing’, or tricking you into downloading a virus or other malware that they can use to take over your computer or record your keystrokes, learn your online passwords, and access a treasure trove of personal information stored on your computer.
Identity theft is using your personal information to steal from you, and it is similar to cyber-theft but it does not necessarily rely on a computer. Identity theft predates cyber-theft, and common ways thieves can access your personal information are by intercepting your mail, stealing your wallet or by going through your trash.
How to Protect Yourself
Here are three ways you can protect yourself from cyber- and identity-theft:
- Limit access to your computer
- Limit access to your personal information
- Protect your credit
Protect Your Computer
- Require a password to access your computer– this is ‘step one’. If someone walks away with an unprotected computer, they probably have all of your most secure personal information.
- Install robust anti-virus software on your computer/laptop/tablet/phone and set it to apply updates automatically.
Click here to read a recent PCMag review of some of the top anti-virus programs for computers2.
Click here to read PCMag’s review of android mobile phone security apps3.
iPhones or iPads are considered safer than other mobile devices, but they are not invulnerable to attack.
Search the iTunes app store for security apps such as Norton, McAfee and Lookout.
- Keep your operating system up-to-date (Microsoft and Apple send out security patches regularly). Set your computer to automatically download and apply important updates.
- Do a security check/ scan on your computer and get rid of any suspicious files or programs.
- Secure your home internet with a firewall and your Wi-Fi connection with a password. An open Wi-Fi connection can be used by a neighbor or someone driving down your street to access your computers or snoop on your Internet traffic.
- Hire someone to perform these tasks for you.
- Get a reputable IT person to come to your house (like Best Buy’s Geek Squad), or you can stop by a Staples or Office Max and drop off your computer to perform the tasks above.
- Hire an IT professional to come to your house and secure your Internet connection and Wi-Fi.
Limit Access to Your Personal Information
- Create and use strong passwords for your computer and online accounts ‐ at least 8 characters with a mix of upper and lower case letters, numbers and symbols (though each online secure login may have different requirements).
A recommended method is to have a unique easy-to-remember password sentence. For example: “The quick brown Fox jumped over 2 Dogs!” gives you the password “TqbFjo2D!” This example uses the first letter of each word and capitalizes the nouns and is very hard to crack.
There are also apps and programs that will generate random and complex passwords to use for your online accounts. Some people swear by them, and others don’t like them. Click here4 to read a good C|Net article on password management.
- Thieves may be able to collect information you send to websites if your Internet connection is not secure, so protect yourself when using public Wi-Fi (at the airport, a coffee shop, or other public place). Read more in this article5 on the Federal Trade Commission (FTC) website.
- Set up “two-step” or “two-factor” verification for online accounts that offer it. This enhanced security option will generate a text message to your phone (or it will require you to enter a randomly generated number from an app on your phone or tablet) whenever you log in to your account from an unfamiliar device.
That way, if someone does hack into your email, when they try to log in you will get a text message letting you know about the login attempt, and the person trying to hack your account will not be able to do so without the code that was texted to your phone. Below are links on how to set up two-step authentication for the major email services:
- Microsoft Outlook/Hotmail7
- AOL9 Click on the second question, “How do I set up 2-Factor Authentication?”
- Beware of phishing scams that entice you to share personal information voluntarily, open a dangerous email attachment, or click on a malicious website prompt. Emails with personal warnings about your financial information, fake package delivery notices or invoices, social networking invitations, fake voice mail and fax attachments – all of these are common phishing tactics that will trick you into opening an attached and malicious file. A successful phishing attack will make you feel an urgency to take care of something without really thinking about it. Security alerts that pop up while you are browsing on the
Internet are also common and successful phishing traps. Webroot.com has a terrifically detailed article on phishing and how to avoid it10.
- Do not include personal information in emails, such as your full account numbers, social security numbers, dates of birth or passwords
- Be careful about how you use social media. First, make sure to set your privacy settings so that your updates are not public. Second, be careful about how much personal information you share online. Children (or grandchildren) are often helpful in setting privacy restrictions on social media accounts.
- Permanently delete all emails from your trusted advisors once they are no longer needed. Your deleted items folder should be cleaned out periodically.
- If you want to keep a record, print a paper copy and save.
- MCS is required to save your emails so we can retrieve them if needed.
- >Use a secure file-sharing service to send financial or sensitive personal information to your tax, legal, or financial advisers (MCS uses the service FileShare), or make sure the files you send are password protected.
- Opt out of unsolicited credit card or insurance offers by visiting www.optoutprescreen.com11, or calling 888-5OPT-OUT.
- Shred your paper records rather than putting them in the trash. Like MCS does for our clients, your CPA, bank or attorney may allow you to drop off your sensitive documents to be disposed of securely. If you have many cardboard boxes of documents to shred, you can call a document disposal company like Iron Mountain that will dispatch a truck to your house and shred your documents on-site.
Protect your credit
There are a lot of services out there that will monitor your credit for between $100 and $300 per year, but the value they offer is limited, and much of what they do you can do for yourself for free. There is value in the basic alert services and in their helping you to clear up an instance of identity theft, but I do not recommend paying for a premium service. From the reviews I have read, Identity Guard’s basic service12 gets the best ratings. You can also put a credit alert on your account for free, but you have to renew it every ninety days (and few of us have the time for that).
Another, simpler, solution is to freeze your credit, which will prevent any one (even you!) from opening new accounts. When you freeze your credit, the credit agencies provide you with a PIN that can be used to remove the freeze, so it is important to keep the PIN where you won’t lose or forget about it.
Brian Krebs of krebsonsecurity.com wrote a blog post13 that thoroughly explores the reasoning behind my recommendations above. If you are having trouble connecting to that article (it seems to work in come browsers but not others), there is another article from Consumer Reports14 that has much of the same information.
Also, the FTC has a good FAQ15 about how to freeze your credit. Whatever method you choose, we recommend that our clients employ some type of credit protection.
According to the Insurance Information Institute, there was a new identity fraud victim every two seconds in 2014. They report that a Javelin Strategy & Research found that $16 billion was stolen from 12.7 million US consumers that year. Although protecting yourself from this risk may seem daunting, implementing some basic security enhancements is manageable. Through a combination of one-time measures on your computer(s) and Internet connection(s) and some behavioral changes, you can make it much more difficult for cyber- and identity-thieves to make you their next victim.
To help you protect yourself, MCS Family Wealth Advisors has prepared a checklist you can use to make sure you’ve covered the recommendations in this article, click here16. If you are a current MCS client with questions about cyber- and identity-theft deterrent strategies, please feel free to contact me directly.
Jeff Yamada, CFP®
1 Reuters (Jim Finkle), Cyber fraudsters reap $2.3 billion through email wire transfer scams, http://reut.rs/26y0dNd
2 PC Mag, The Best Antivirus Utilities for 2016, http://bit.ly/1NUo5iB
3 PC Mag, Android Antivirus Apps Set Perfect Scores, http://bit.ly/1N0sIwC
4 C|Net, How to master the art of passwords, http://cnet.co/243VzYz
5 Federal Trade Commission, Tips for Using Public Wi-Fi Networks, http://1.usa.gov/1XWnu5x
6 Google 2-Step Verification, Stronger Security for your Google Account: Why you need it, http://bit.ly/1qV0g4R
7 Microsoft, About two-step verification, http://bit.ly/1VT6f7Z
8 Yahoo!, Two-step verification for extra account security, http://yhoo.it/1UhOfSU
9 Aol., 2-Factor Authentication: Stronger than your password alone, http://aol.it/1SQwV8p
10 Webroot, What is social engineering?, http://bit.ly/1TezMSV
11 Opt Out Prescreen, http://bit.ly/1pGucRb
12 Identity Guard, http://bit.ly/1riLBkA
13 Krebs Security, Are credit monitoring services worth it, http://bit.ly/1WtpaV7
14 Consumer Reports, Don’t get taken guarding your ID, http://bit.ly/24n3KMh
15 Federal Trade Commission, Credit Freeze FAQs, http://1.usa.gov/1St7ebS
16 MCS Family Wealth Advisors, Security Checklist, https://mcsfa.com/blog/security-checklist/