Whitepaper: Phishing, Hacking, Data Breaches and Other Nuisances of Modern Life That Need Not Afflict You.
It is an unfortunate reality of modern life that we are all just a click away from our own personal online armageddons. However, by following just a handful of simple tips you can protect yourself from the vast majority of malicious attempts that might otherwise compromise your personal information, and – with a little creativity – avoid driving yourself crazy in the process.
If you can spare a moment, take a quick scroll through your email inbox. It may well include one or more of the following, or others that are very similar.
- PayPal, asking you to add missing information to your account record.
- iTunes, confirming a recent purchase, with a link for you to verify.
- Netflix, expressing sincere regrets that you have canceled your membership, but generously giving you a chance to restart it.
These may look authentic, but they are not. Emails like these are called “phishing” attempts, and they put you just a click away from a malware infection or a theft of your identity. They represent just one of an ever-growing array of fraudulent tactics at play in a never-ending effort to steal your money or personal information.
With all of the wonders offered by our electronic age, IT security has become one of the most important risk management issues facing successful families and businesses. Despite antivirus software and wireless “firewalls,” most personal devices and networks present an open door to criminals around the world. The proliferation of the “Internet of Things” – smart doorbells, thermostats and the like – is further expanding the number of vulnerable targets.
There are as many data security risks as there are malevolent individuals on the fringes of society and in unfriendly governments. In the broadest sense, however, these threats generally fall into three camps: phishing, hacks and data breaches.
Phishing is communication that purports to be from a legitimate source and attempts to draw you into handing over credentials or personal details that can then be used to hijack your identity or accounts.
As you would imagine, various combinations of the above abound – like the fake antivirus pop-up that infects your computer and then tries to lure you to a page to provide your credit card number in order to “purchase” special software to remove the virus.
Hacks are intrusions into an individual’s device or network, usually via malicious software code that accesses programs and files. A hack initially requires the individual under attack to do something, like click a link in an email, which downloads the enabling code onto the device. Once in, hackers can gather information on you and pretend to be you; they can even watch and record what you type as you type it (your PIN or personal emails, for example).
The most common hack is against free email accounts, such as Gmail, with easy-to-guess passwords. If you’ve ever received an email from a friend that simply says “This is cool, check it out” and provides a link, be wary, especially if this is out of character for your friend. It is very likely that your friend has been hacked and the intruder is after their friends.
Data Breaches are information thefts, and the most worrisome come from organizations that hold private identity or financial information such as credit card numbers, email addresses, social security numbers, physical addresses, etc. Breaches have infiltrated retailers, banks, universities – even the IRS and the Navy. In 2021, more than 1,800 significant institutional data breaches were reported in the U.S. according to the Identity Theft Resource Center.
TIP: Always apply software updates as soon as you can. Manufacturers are patching security holes as quickly as attackers are discovering them. The most successful hacks are against outdated, insecure software.
How Can I Protect Myself?
Those with the most at risk – the very wealthy, public figures, people with access to sensitive and potentially damaging data – will often engage a private security firm to determine their risk and put a plan together to defend against it.
If you fall into this category, you will find that the process typically starts with a risk assessment to identify where you are vulnerable. The security firm will examine your physical property for weak spots, the security in place for your computers and mobile devices, the information available about you on the internet and social media, the backgrounds of your household staff and even the predictability of your commuting habits.
The firm’s recommendations may encompass data security, travel, property and physical security, remedies for online privacy vulnerabilities, background checks on personal staff and more.
Network Security: For most families, data security considerations are the most critical. It starts with making sure the data network you are using – whether at home or at a coffee shop – is as private as you think it is.
Those using wireless should be aware that at least 25% of wireless networks are entirely unsecured, meaning any device can attach without submitting a password or asking permission. This includes home networks as well as networks in public places. Many more use outdated encryption that can be broken in less than a minute with tools commonly available on the Internet. Once in, fraudsters find it easy work to exploit the networking vulnerabilities in devices on the network, and things can go downhill quickly from there.
TIP: Never use the default password that comes with a device, always change it. These default passwords are well known to attackers.
Those with much to lose may want to consider keeping devices that access financial sites and ecommerce wired, and off of their wireless network.
TIP: Always be sure to use a complex password when setting up your Wi-Fi network, and enable the highest level of encryption available.
Email: Provided the network that attaches your computer to the Web is at least reasonably secure, the next area of vulnerability is your email.
Your email inbox is like an unlocked lobby where strangers are free to enter. The good news is a fraudster can’t do any damage unless you click on something within his or her email. He knows this, so his game is to put emails in front of you that appear to be from someone you trust (the famed Nigerian prince notwithstanding).
TIP: Always use a complex password for your email. If your email provider supports 2-step verification, you should consider enabling it.
A closer look at the sending address in suspicious emails can reveal when the senders are not who they say they are. Since institutions like banks often register email “domains” (the part of the email address that comes after the @ sign) that cover the common variants of their name, fraudsters resort to odd variations. These are usually easily spotted if you adopt the habit of looking, but always be wary of names where characters are easily confused, like using a 1 (the digit) instead of a lower case L, for instance. If the full email domain doesn’t display, you can hover your mouse over the sender’s name or click a “more info” or similar link that will be adjacent to it.
Skipping this step and clicking a link in the body of the email could download malware or take you to a legitimate-looking Web page where you may be asked to “update” anything from your debit card number to your social security number. One of the most common schemes is ransomware, where one click will disable your device until you hand over your credit card information and make payment. 2020 saw over 40,000 ransomware attacks per day, with 40% of spam emails carrying illicit links.
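The sender-address check described above can be made mechanical. The following is an added example, not code from the whitepaper or from Fieldpoint Private: it takes a From: header, extracts the domain after the @ sign, accepts only domains on a short allowlist you maintain (the three domains here are constructed for illustration), undoes the common digit-for-letter swaps such as 1 for l before comparing, and flags messages whose display name claims a brand that the address does not match.

```python
from email.utils import parseaddr

# Constructed allowlist: the domains of institutions the reader actually uses.
TRUSTED_DOMAINS = {"paypal.com", "netflix.com", "apple.com"}

# Brand word -> its legitimate domain, derived from the allowlist ("paypal" -> "paypal.com").
BRANDS = {d.split(".")[0]: d for d in TRUSTED_DOMAINS}

# Single-character look-alike swaps fraudsters use; "rn" imitating "m" is handled separately.
_CONFUSABLES = str.maketrans({"1": "l", "0": "o", "3": "e", "5": "s", "7": "t", "|": "l", "!": "i"})


def sender_domain(from_header: str) -> str:
    """Return the lower-cased domain of the address in a From: header, or '' if none."""
    _, addr = parseaddr(from_header)
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def normalize(domain: str) -> str:
    """Undo look-alike substitutions so 'paypa1.com' compares equal to 'paypal.com'."""
    return domain.lower().translate(_CONFUSABLES).replace("rn", "m")


def is_trusted(domain: str) -> bool:
    """Exact allowlisted domain, or a subdomain of one (mail.paypal.com)."""
    return domain in TRUSTED_DOMAINS or any(domain.endswith("." + t) for t in TRUSTED_DOMAINS)


def classify_sender(from_header: str) -> str:
    """Classify a From: header as trusted, look-alike, display-name spoof, unknown or no address."""
    display, _ = parseaddr(from_header)
    domain = sender_domain(from_header)
    if not domain:
        return "no address"
    if is_trusted(domain):
        return "trusted"
    # A brand name inside an untrusted domain (after de-confusing) is the classic odd variation.
    norm = normalize(domain)
    for brand, legit in BRANDS.items():
        if brand in norm:
            return f"look-alike of {legit}"
    # The display name says "PayPal" but the address belongs to someone else entirely.
    for brand, legit in BRANDS.items():
        if brand in display.lower():
            return f"display name claims {legit} but address is {domain}"
    return "unknown sender"


if __name__ == "__main__":
    # Constructed sample headers, not real messages.
    samples = [
        "PayPal <service@paypal.com>",
        "service@mail.paypal.com",
        "PayPal Support <security@paypa1.com>",
        "Netflix <billing@netflix-account-update.info>",
        "Apple Support <receipts@promo-blast.xyz>",
        "Alice <alice@example.org>",
    ]
    for header in samples:
        print(f"{header:50s} -> {classify_sender(header)}")
```

The allowlist is the important part: a domain that merely looks plausible is never accepted, only one you have recorded in advance, which is exactly the habit the paragraph recommends for a human reader.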
You can be confident that no legitimate financial organization will ever – unprompted – send you an email to ask for your user ID, password, social security number or any other sensitive personal information.
Beyond this, be highly suspicious of links in unsolicited or unusual emails from people you know. Your friend’s email may have been hacked, and all of her contacts are likely getting the same “This is cute, click here!” message. It’s not cute. Don’t click. Instead, delete anything suspicious without opening it, and then delete it from your deleted items folder.
Mobile Network: Today’s cell phones are less like phones and more like pocket-sized computers that contain phones. There is risk in the apps on these little computers.
The biggest security holes may lie with the most popular free apps, particularly on Android devices. Android’s “open source” approach to application development has long left it more vulnerable than Apple’s more restrictive philosophy.
Since it’s a little computer, you should think of protecting your cell phone in the same way you think of protecting your PC or Mac. Never download an app you don’t really need – especially if it’s free – and if you download or update any app, make sure you read about the functions the app will access. The app that sends you the score of the Rangers game doesn’t need to know where you are all day.
Happily, there are powerful data security products available to protect your mobile devices. At least one tool can peer through a mobile app and tell you where it wants to send your data, whether it’s Chicago or Chechnya. Another encrypts mobile voice and messaging, letting you choose when to delete messages on both ends.
While we can’t, of course, recommend specific security products by name, a bit of Web work and consultation with a data security professional will bring you some excellent ideas.
Ending Password Insanity
We live in an arms race of ever-increasing log-in complexity. Hackers are using machines to attempt new password combinations constantly, with time and computing power on their side. So, sadly, the days of the simple, permanent four-digit password are as over as the days of leaving your keys in your car overnight. However, with a long enough password, you can turn time and computing power into your ally.
TIP: Consider that a nine-character password would take about five days to guess using modern computers. A twelve-character password would require almost 200 years.
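The arithmetic behind that tip, as an added worked example that is not part of the whitepaper: the guessing rate and the character set are assumptions (95 printable characters and ten billion guesses per second, an offline cracking setup rather than a throttled login page), so the absolute figures will not reproduce the tip’s days and years exactly. What holds regardless of the rate is that each extra character multiplies the attacker’s work by the size of the alphabet, which is why three more characters move the answer from days to centuries.

```python
import math

SECONDS_PER_YEAR = 365.25 * 24 * 3600

# Constructed assumptions: 95 printable ASCII characters and an attacker trying
# ten billion guesses per second against a stolen password database.
ALPHABET = 95
GUESS_RATE = 1e10


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords of the given length over the alphabet."""
    return alphabet_size ** length


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Strength in bits: every extra bit doubles the attacker's work."""
    return length * math.log2(alphabet_size)


def years_to_exhaust(alphabet_size: int, length: int, guesses_per_second: float) -> float:
    """Years needed to try every password of this length at the given guess rate."""
    return keyspace(alphabet_size, length) / guesses_per_second / SECONDS_PER_YEAR


def length_for_target_years(alphabet_size: int, guesses_per_second: float, target_years: float) -> int:
    """Shortest length whose full keyspace takes at least target_years to exhaust."""
    length = 1
    while years_to_exhaust(alphabet_size, length, guesses_per_second) < target_years:
        length += 1
    return length


if __name__ == "__main__":
    # The old four-digit PIN: 10 ** 4 possibilities, gone in a fraction of a second.
    print("4-digit PIN keyspace:", keyspace(10, 4))
    for n in (8, 9, 10, 12, 16):
        print(f"{n:2d} chars: {entropy_bits(ALPHABET, n):5.1f} bits, "
              f"{years_to_exhaust(ALPHABET, n, GUESS_RATE):.3g} years to exhaust")
    # Going from 9 to 12 characters multiplies the work by 95 ** 3 = 857,375.
    print("12 vs 9 chars:", years_to_exhaust(ALPHABET, 12, GUESS_RATE) / years_to_exhaust(ALPHABET, 9, GUESS_RATE))
    print("Length needed for 200 years at this rate:", length_for_target_years(ALPHABET, GUESS_RATE, 200))
```

Changing GUESS_RATE moves every figure up or down together; the ratio between a 9-character and a 12-character password stays at 95 to the third power, which is the point of the tip.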
With a bit of forethought, however, you can devise a password convention that will serve you and the most demanding sites you use for many years, without driving you crazy.
Consider this example. Think of the characters in a site’s web address or brand name as a toolbox from which you can pull letters and create a combination by adding capitalization, numbers and symbols. If your pattern is consistent but secret, every site you visit can have its own password, yet your password will be all but impossible to forget. Even for infrequently visited sites, you won’t have to remember the password, only your secret convention, which you will, by definition, use constantly.
TIP: Don’t make the mistake of using the site name in your password while keeping the rest of it the same as on other sites. Hackers are on to this trick and are actively exploiting it.
The next step is to add a convention for changing these passwords when required (some sites age-out passwords and require periodic updates) or simply to stay on the safe side. Your update convention, again, can be one that is easily remembered and deployed similarly for all sites you visit. Avoid simply adding higher digits to the end of your previous password. Your updates could more safely involve names of U.S. presidents in some order, or your grade school teachers or old bosses.
One final tip for maintaining your sanity. Though many sites have evolved to “multi-factor” authentication, like sending you a text code to verify it is you who is attempting a login, some sites still use the old challenge question approach.
A challenge question would be, “What was the name of your first pet?” or “In what city were you born?”
Beyond being discoverable by hackers (birth records are public, for example), who, four years after registering on a site, would remember whether they said their birth city was “New York,” “new york city,” or “NYC”?
The answer? Don’t answer. Well, not literally. Create coded answers, again using a convention you follow each time.
The hackers may be ruthless, clever, and able to harness massive computing power to crack your code, but they are no match for your creativity, individuality and simple good sense.
IMPORTANT LEGAL INFORMATION
This material is for informational purposes only and is not intended to be an offer or solicitation to purchase or sell any security or to employ a specific investment strategy. It is intended solely for the information of those to whom it is distributed by Fieldpoint Private. No part of this material may be reproduced or retransmitted in any manner without prior written permission of Fieldpoint Private. Fieldpoint Private does not represent, warrant or guarantee that this material is accurate, complete or suitable for any purpose and it should not be used as the sole basis for investment decisions. The information used in preparing these materials may have been obtained from public sources. Fieldpoint Private assumes no responsibility for independent verification of such information and has relied on such information being complete and accurate in all material respects. Fieldpoint Private assumes no obligation to update or otherwise revise these materials. This material does not contain all of the information that a prospective investor may wish to consider and is not to be relied upon or used in substitution for the exercise of independent judgment. To the extent such information includes estimates and forecasts of future financial performance it may have been obtained from public or third-party sources. We have assumed that such estimates and forecasts have been reasonably prepared on bases reflecting the best currently available estimates and judgments of such sources or represent reasonable estimates. Any pricing or valuation of securities or other assets contained in this material is as of the date provided, as prices fluctuate on a daily basis. Past performance is not a guarantee of future results. Fieldpoint Private does not provide legal or tax advice. Nothing contained herein should be construed as tax, accounting or legal advice. 
Prior to investing you should consult your accounting, tax, and legal advisors to understand the implications of such an investment.
Fieldpoint Private Securities, LLC is a wholly-owned subsidiary of Fieldpoint Private Bank & Trust (the “Bank”). Wealth management, securities brokerage and investment advisory services offered by Fieldpoint Private Securities, LLC and/or any non-deposit investment products that ultimately may be acquired as a result of the Bank’s investment advisory services:
Such services are not deposits or other obligations of the Bank:
- Are not insured or guaranteed by the FDIC, any agency of the US or the Bank
- Are not a condition to the provision or term of any banking service or activity
- May be purchased from any agent or company and the member’s choice will not affect current or future credit decisions, and
- Involve investment risk, including possible loss of principal or loss of value.
© 2022 Fieldpoint Private
Banking Services: Fieldpoint Private Bank & Trust. Member FDIC.
Registered Investment Advisor: Fieldpoint Private Securities, LLC is an SEC Registered Investment Advisor and Broker Dealer. Member FINRA, MSRB and SIPC.