Reducing the Risks of Phishing, Hacking, Data Breaches and Other Nuisances of Modern Life
If you can spare a moment, take a quick scroll through your email inbox. It may well include one or more of the following, or others that are very similar.
PayPal, asking you to add missing information to your account record.
iTunes, confirming a recent purchase, with a link for you to verify.
Netflix, expressing sincere regrets that you have canceled your membership, but generously giving you a chance to restart it.
These may look authentic, but they are not. Emails like these are called “phishing” attempts, and they put you just a click away from a malware infection or a theft of your identity. They represent just one of an ever-growing array of fraudulent tactics at play in a never-ending effort to steal your money or personal information.
With all of the wonders offered by our electronic age, IT security has become one of the most important risk management issues facing successful families and businesses. Despite antivirus software and the firewall built into the typical wireless router, most personal devices and networks present an open door to criminals around the world. The proliferation of the “Internet of Things” – smart doorbells, thermostats and the like – is further expanding the number of vulnerable targets.
There are as many data security risks as there are malevolent individuals on the fringes of society and in unfriendly governments. In the broadest sense, however, these threats generally fall into three camps: phishing, hacks and data breaches.
Phishing is a communication that purports to come from a legitimate source and tries to draw you into handing over personal information, which is then used to hijack your accounts or your identity.
As you would imagine, combinations of these tactics abound – like the fake antivirus pop-up that infects your computer and then tries to lure you to a page where you provide your credit card number in order to “purchase” special software to remove the virus.
Hacks are intrusions into an individual’s device or network, usually by way of malicious software that gains access to programs and files. Most hacks against individuals begin with the victim doing something, such as clicking a link in an email or opening an attachment, which installs the enabling code on the device; others need no help at all and simply exploit a flaw in software that has not been updated. Once in, hackers can gather information on you and pretend to be you – they can even watch and record what you type as you type it (your PIN or personal emails, for example).
One of the most common hacks is the takeover of a free email account, such as Gmail, protected by an easy-to-guess or reused password. If you’ve ever received an email from a friend that simply says “This is cool, check it out” and provides a link, be wary, especially if this is out of character for your friend. It is very likely that your friend’s account has been hacked and the intruder is after their friends.
Data Breaches are information thefts, and the most worrisome come from organizations that hold private identity or financial information such as credit card numbers, email addresses, Social Security numbers, physical addresses, etc. Breaches have hit retailers, banks, universities – even the IRS and the Navy. In 2021, more than 1,800 significant institutional data breaches were reported in the U.S., according to the Identity Theft Resource Center.
TIP: Always apply software updates as soon as you can. Manufacturers are patching security holes as quickly as attackers are discovering them. The most successful hacks are against outdated, insecure software.
How Can I Protect Myself?
Those with the most at risk – the very wealthy, public figures, people with access to sensitive and potentially damaging data – will often engage a private security firm to determine their risk and put a plan together to defend against it.
If you fall into this category, you will find that the process typically starts with a risk assessment to identify where you are vulnerable. The security firm will examine your physical property for weak spots, the security in place for your computers and mobile devices, the information available about you on the internet and social media, the backgrounds of your household staff and even the predictability of your commuting habits.
The firm’s recommendations may encompass data security, travel, property and physical security, remedies for online privacy vulnerabilities, background checks on personal staff and more.
Network Security: For most families, data security considerations are the most critical. It starts with making sure the data network you are using – whether at home or at a coffee shop – is as private as you think it is.
Those using wireless should be aware that at least 25% of wireless networks are entirely unsecured, meaning any device can attach without submitting a password or asking permission. This includes home networks as well as networks in public places. Many more use outdated encryption (WEP, or WPA with TKIP) that can be broken in minutes with tools freely available on the Internet. Once on the network, an intruder can probe every device attached to it for unpatched software and open file shares, and things can go downhill quickly from there.
TIP: Never use the default password that comes with a device, always change it. These default passwords are well known to attackers.
Those with much to lose may want to consider keeping devices that access financial sites and ecommerce wired, and off of their wireless network.
TIP: When setting up your Wi-Fi network, choose the strongest encryption your router offers (WPA3, or WPA2 with AES), turn off WEP and the WPS push-button/PIN feature, and protect the network with a long passphrase. An attacker who records the Wi-Fi handshake can test passphrases offline at leisure, so a short or dictionary-word passphrase offers little protection even with WPA2.
Email: Provided the network that attaches your computer to the Web is at least reasonably secure, the next area of vulnerability is your email.
Your email inbox is like an unlocked lobby that strangers are free to enter. The good news is that, in most cases, a fraudster can do no damage unless you act on the email: click a link, open an attachment, or reply with information. Fraudsters know this, so their game is to put emails in front of you that appear to come from someone you trust (the famed Nigerian prince notwithstanding).
TIP: Always use a complex password for your email, and one you use nowhere else. If your email provider supports 2-step verification, enable it. Your email account is the password-reset channel for most of your other accounts, so whoever takes it over can take over those as well.
A closer look at the sending address in suspicious emails can reveal when the senders are not who they say they are. The name displayed next to the address is free text chosen by the sender, so look at the address itself, and in particular at the “domain” (the part that comes after the @ sign). Since institutions like banks often register the common variants of their name, fraudsters resort to odd variations. These are usually easily spotted if you adopt the habit of looking, but always be wary of names where characters are easily confused, like a 1 (the digit) in place of a lower case L, or a letter from another alphabet that looks identical to ours. If the full address doesn’t display, hover your mouse over the sender’s name or click the “more info” or similar link adjacent to it. Keep in mind that the address itself can be forged outright, so the safest response to any message asking you to act is to ignore its links and go to the institution’s site or app the way you normally do.
Skipping this step and clicking a link in the body of the email could download malware or take you to a legitimate-looking Web page where you are asked to “update” anything from your debit card number to your Social Security number. One of the most common schemes is ransomware, in which a single click installs software that encrypts the files on your device and demands payment, usually in cryptocurrency, for the key to unlock them. 2020 saw over 40,000 ransomware attacks per day, with 40% of spam emails carrying illicit links.
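The habit described above, checking the domain after the @ sign rather than the displayed name and watching for look-alike characters, can be automated. The following is an added example, not code from the original article: it reads the From: header of a raw email, decodes punycode (the xn-- form in which a domain with non-Latin letters actually appears), maps visually confusable characters to the Latin letters they mimic, compares the result with a list of domains the reader trusts, and also reads the receiving server’s DMARC verdict from the Authentication-Results header, since a genuine-looking domain that failed DMARC was forged. The trusted-domain list, the confusables table and the sample messages are constructed for this example; a real confusables table (Unicode TR39) is far longer.

```python
"""Examine the From: header of an email and flag sender domains that only
look like a trusted one. Added example; the trusted-domain list, the
confusable-character table and the sample messages are constructed here."""
from email import message_from_string
from email.utils import parseaddr

# Constructed: the domains the reader actually does business with.
TRUSTED_DOMAINS = {"paypal.com", "netflix.com", "apple.com"}

# Assumption: a small hand-built table of characters that look like Latin
# letters. Real confusables lists (Unicode TR39) are far longer.
CONFUSABLES = str.maketrans({
    "0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "$": "s",
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",  # Cyrillic а е о р
    "\u0441": "c", "\u0443": "y", "\u0445": "x",                  # Cyrillic с у х
})


def to_unicode(domain):
    """Turn punycode labels (xn--...) back into the characters a reader sees."""
    try:
        return domain.encode("ascii").decode("idna")
    except UnicodeError:
        return domain  # already Unicode, or not valid punycode: leave as-is


def skeleton(domain):
    """Reduce a domain to what it looks like to the eye: lower-case it,
    decode punycode, map lookalike characters to the Latin letter they mimic."""
    d = to_unicode(domain).lower().translate(CONFUSABLES)
    return d.replace("rn", "m").replace("vv", "w")


def registrable(domain):
    """Keep the last two labels: 'mail.paypal.com' -> 'paypal.com'.
    Assumption: no public-suffix handling (.co.uk and the like) here."""
    return ".".join(domain.split(".")[-2:])


def dmarc_result(msg):
    """Read the receiving server's DMARC verdict from Authentication-Results.
    Returns 'pass', 'fail', etc., or None if the header is absent."""
    for value in msg.get_all("Authentication-Results", []):
        for clause in value.split(";"):
            clause = clause.strip().lower()
            if clause.startswith("dmarc="):
                return clause.split()[0][len("dmarc="):]
    return None


def classify_sender(raw_message):
    """Return (verdict, display_name, address, dmarc) for the From: header."""
    msg = message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    dmarc = dmarc_result(msg)
    brands = {t.split(".")[0] for t in TRUSTED_DOMAINS}
    if registrable(domain) in TRUSTED_DOMAINS:
        # Genuine domain in the header, but a DMARC failure means it was forged.
        verdict = "spoofed" if dmarc == "fail" else "trusted"
    elif registrable(skeleton(domain)) in TRUSTED_DOMAINS:
        verdict = "lookalike"            # paypa1.com, аpple.com (Cyrillic а)
    elif any(b in name.lower() or b in skeleton(domain) for b in brands):
        verdict = "brand-impersonation"  # "PayPal" <x@secure-verify-center.net>
    else:
        verdict = "unknown"
    return verdict, name, addr, dmarc


# Constructed sample messages (headers only, bodies omitted).
SAMPLES = {
    "genuine": (
        "From: PayPal <service@paypal.com>\n"
        "Authentication-Results: mx.example.net; spf=pass; dmarc=pass header.from=paypal.com\n"
        "Subject: Your receipt\n\n(body)\n"),
    "forged_header": (
        "From: PayPal <service@paypal.com>\n"
        "Authentication-Results: mx.example.net; spf=fail; dmarc=fail (p=reject) header.from=paypal.com\n"
        "Subject: Action required\n\n(body)\n"),
    "digit_swap": "From: \"PayPal\" <service@paypa1.com>\nSubject: Update your account\n\n(body)\n",
    "punycode": "From: Apple <no-reply@xn--pple-43d.com>\nSubject: Verify your purchase\n\n(body)\n",
    "brand_in_domain": "From: Netflix Support <noreply@netflix-billing-center.com>\nSubject: Restart\n\n(body)\n",
    "brand_in_name": "From: PayPal Billing <alerts@secure-verify-center.net>\nSubject: Invoice\n\n(body)\n",
    "stranger": "From: Bob <bob@example.org>\nSubject: lunch?\n\n(body)\n",
}


def run_samples():
    """Verdict for each constructed sample, keyed by its label."""
    return {label: classify_sender(raw)[0] for label, raw in SAMPLES.items()}


if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        verdict, name, addr, dmarc = classify_sender(raw)
        print(f"{label:16} {verdict:20} {name!r} <{addr}> dmarc={dmarc}")
```

Only the last two labels of the domain are compared, so mail from a genuine subdomain such as mail.paypal.com passes while paypal.com.evil.net does not; the Authentication-Results check is only meaningful when your own provider adds that header, since a forwarded or forged copy could carry a fake one.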
You can be confident that no legitimate financial organization will ever – unprompted – send you an email to ask for your user ID, password, social security number or any other sensitive personal information.
Another scam that can arrive by email or traditional letter is the “change in payment process” request. Some scammers open fraudulent accounts at different financial institutions in the names of real individuals and businesses. The scammers then ask the payer to redirect periodic payments – typically to a landlord or other ongoing obligation – to the scam accounts instead of the legitimate ones. Never agree to a change in payment process without independently verifying the request with the landlord or other business. When verifying, make sure to use the contact information you already have on file rather than any provided in the request itself!
Beyond this, be highly suspicious of links in unsolicited or unusual emails from people you know. Your friend’s email may have been hacked, and all of her contacts are likely getting the same “This is cute, click here!” message. It’s not cute. Don’t click. Instead, delete anything suspicious without opening it, and then delete it from your deleted items folder.
Mobile Network: Today’s cell phones are less like phones and more like pocket-sized computers that contain phones. There is risk in the apps on these little computers.
The biggest security holes tend to lie with the most popular free apps, particularly on Android devices. Android’s more permissive approach to application distribution, which allows apps to be installed from outside the official store, has long left it more exposed than Apple’s tightly controlled one.
Since it’s a little computer, you should think of protecting your cell phone in the same way you think of protecting your PC or Mac. Never download an app you don’t really need – especially if it’s free – and whenever you install or update an app, review the permissions it asks for. The app that sends you the score of the Rangers game doesn’t need to know where you are all day.
Happily, there are powerful data security products available to protect your mobile devices. At least one tool can peer through a mobile app and tell you where it wants to send your data, whether it’s Chicago or Chechnya. Another encrypts mobile voice and messaging, letting you choose when to delete messages on both ends.
While we can’t, of course, recommend specific security products by name, a bit of Web work and consultation with a data security professional will bring you some excellent ideas.
Check Washing: Although electronic payments through the ACH (Automated Clearing House) system, bank products like Zelle and FinTech offerings like Venmo have become increasingly popular, sometimes there is no way to avoid writing a traditional paper check. Paper is no protection: bad actors target physical checks through a process known as “check washing.” As the name suggests, fraudsters chemically remove or “wash” the legitimate payee from the “Pay to the order of” line and replace it with a fraudulent recipient, increase the amount of the check, or both. When writing physical checks, always compare the amounts and payees actually debited on your periodic statements with what you wrote on the original checks.
Ending Password Insanity
We live in an arms race of ever-increasing log-in complexity. Hackers use machines to try new password combinations around the clock, with time and computing power on their side. So, sadly, the days of the simple, permanent four-digit password are as over as the days of leaving your keys in your car overnight. However, with a long enough password, you can turn time and computing power into your ally.
TIP: Every character you add multiplies the attacker’s work. With letters of both cases and digits, each extra character multiplies it by 62, so a password that would take an attacker about five days to exhaust at nine characters takes roughly 3,000 years at twelve. The actual times depend on how fast the attacker can guess, which in turn depends on how the site stores its passwords, but the effect of length is the same.
The simplest remedy is a password manager, which generates and remembers a different random password for every site so that you need to memorize only one. For the handful of passwords you must be able to type from memory, a bit of forethought lets you devise a password convention that will serve you and the most demanding sites you use for many years, without driving you crazy.
Consider this example. Think of the characters in a site’s web address or brand name as a toolbox from which you can pull letters and create a combination by adding capitalization, numbers and symbols. If your pattern is consistent but secret, every site you visit can have its own password, yet your password will be all but impossible to forget. Even for infrequently visited sites, you won’t have to remember the password, only your secret convention, which you will, by definition, use constantly.
TIP: Don’t simply embed the site name in an otherwise identical password. When one site’s password leaks, attackers try it against your other accounts and compare notes, and the pattern is obvious to them.
The next step is to add a convention for changing these passwords when required (some sites age-out passwords and require periodic updates) or simply to stay on the safe side. Your update convention, again, can be one that is easily remembered and deployed similarly for all sites you visit. Avoid simply adding higher digits to the end of your previous password. Your updates could more safely involve names of U.S. presidents in some order, or your grade school teachers or old bosses.
One final tip for maintaining your sanity. Though many sites have evolved to “multi-factor” authentication, like sending you a text code to verify it is you who is attempting a login (an authenticator app or hardware security key is stronger than a text message, which can be intercepted if someone takes over your phone number), some sites still use the old challenge question approach.
A challenge question would be, “What was the name of your first pet?” or “In what city were you born?”
Beyond being discoverable by hackers (birth records are public, for example), four years after registering on a site who would remember whether they said their birth city was “New York,” “new york city,” or “NYC”?
The answer? Don’t answer. Well, not literally. Create coded answers, again using a convention you follow each time, or, better still, random answers that you store in the same place as your passwords.
The hackers may be ruthless, clever, and able to harness massive computing power to crack your code, but they are no match for your creativity, individuality and simple good sense.
About Fieldpoint Private
Headquartered in Greenwich, Connecticut, Fieldpoint Private (www.fieldpointprivate.com) has more than $1.4 billion in bank assets and provides personalized, custom private banking and wealth transfer services. Catering to successful individuals, families, entrepreneurs, businesses and institutions, Fieldpoint Private develops a comprehensive understanding of our clients’ individual financial circumstances and furnishes comprehensive advice and personal service to free up the one resource that, regardless of means, no one can ever have enough of: time.
Banking Services: Fieldpoint Private Bank & Trust. Member FDIC.
Registered Investment Advisors: Fieldpoint Private Securities, LLC, is an SEC Registered Investment Advisor and Broker Dealer. Member FINRA, MSRB, SIPC. Accounts managed by FPS are not FDIC insured.
Trust services offered through Fieldpoint Private Trust, LLC, a public trust company chartered in South Dakota by the South Dakota Division of Banking.