by Scott Malbasa, J.D., CFP®
“The drama’s done. Why then here does any one step forth? — Because one did survive the wreck.” –The narrator, Ishmael, in Herman Mellville’s Moby Dick.
If you weren’t concerned about cyber security at the beginning of 2017, my guess is that changed in the time before the New Year. Tracking events like the Equifax hack, understanding their effect, and acting in their wake took attention and effort. If you’ve ever gotten to the last page of Moby Dick you might remember reading the above sentences. You may have found yourself, as I did, relating in a peculiar way to the narrator. Because after coming to the end of an 800+ page book, you may have thought: Reading that was a lot of work and required a lot of my time and headspace. I survived, but what do I do now?… Not to mention, that whale is still out there.
As ’17 comes to an end, I have the same feelings about cyber security as I did when I read the end of Moby Dick. I have read what feels like hundreds of pages of articles describing hacks, possible consequences, and ways in which I could protect myself and our clients. I took steps such as setting up 2-factor identifications and freezing my credit, and we recommended clients do the same. And yet, the whale remains at large! I don’t feel secure from the Equifax hike, much less all cyber threats.
I still find myself asking, what now? What can I do to protect myself?
The fact of the matter is that cybercrime and fraud are on-going, evolving threats and constant vigilance is key. The answer to the “What can I do to protect myself?” question is an ongoing and evolving process. With that in mind, I want to take this opportunity to review 8 ways to protect yourself with the current best practices.
1. Keep the cyber-criminals endgame in mind
At the highest level it’s important to keep in mind what we are protecting against. Cyber criminals exploit our increasing relithance on technology. Methods used to compromise a victim’s identity or login credentials – such as malware and phishing – are increasingly sophisticated and difficult to spot. The end-goal of the fraud is to obtain information to access your account and assets or sell your information for this purpose. Remembering what criminals are after will make your vulnerabilities more apparent.
2. Be cautious in your communications with us and your account custodians
Fortunately, because criminals often take the path of least resistance, following some best practices and applying caution when sharing information or executing transactions makes a big difference and prevents or catches most fraud.
- Be aware of suspicious phone calls, emails, and texts asking you to send money or disclose personal information. If a service rep calls you, hang up and call back using a known phone number.
- Never share sensitive account information via email, as accounts are often compromised by searching hacked email accounts. We recommend uploading documents containing account information to a secure file when necessary.
- Beware of phishing and malicious links. Urgent-sounding, legitimate-looking emails are intended to tempt you to accidentally disclose personal information or install malware.
- Don’t open links or attachments from unknown sources. Enter the web address in your browser.
- Check your email and account statements regularly for suspicious activity.
- Never enter confidential information in public areas. Assume someone is always watching.
3. Familiarize yourself and use the security measures your account custodian has put in place
Since most of our clients have accounts custodied at Charles Schwab, we’ve included information from Schwab below, however, all custodians should have similar provisions in place:
- Expect Schwab to Confirm your identity using Schwab’s voice ID service when calling the Schwab Alliance team for support.
- Use two-factor authentication, which requires you to enter a unique code each time you access your Schwab accounts.
- Review the Schwab Security Guarantee, which covers 100% of any losses in any of your Schwab accounts due to unauthorized activity.
4. Exercise caution when moving money
- Review and verbally confirm all disbursement request details thoroughly before providing your approval, especially when sending funds to another country. Never trust wire instructions received via email.
- Expect that Cordant will call you to confirm an email request to move money to an account not previously authorized.
5. Adhere to strong password principles
- Don’t use personal information as part of your login ID or password and don’t share login credentials
- Create a unique, complex password for each website, Change it every six months. Consider using a password manager to simplify this process.
6. Maintain updated technology
- Keep your web browser, operating system, antivirus, and anti-spyware updated, and activate the firewall.
- Do not use free/found USB devices. They may be infected with malware.
- Check security settings on your applications and web browser. Make sure they’re strong.
- Turn off Bluetooth when it’s not needed.
- Dispose of old hardware safely by performing a factory reset or removing and destroying all storage data devices.
7. Use caution on websites and social media
- Do not visit websites you don’t know, (e.g., advertised on pop-up ads and banners).
- Log out completely to terminate access when exiting all websites.
- Don’t use public computers or free Wi-Fi. Use a personal Wi-Fi hotspot or a Virtual Private Network (VPN).
- Hover over questionable links to reveal the URL before clicking. Secure websites start with “https,” not “http.”
- Be cautious when accepting “friend” requests on social media, liking posts, or following links.
- Limit sharing information on social media sites. Assume fraudsters can see everything, even if you have safeguards.
Consider what you’re disclosing before sharing or posting your résumé.
8. If you suspect a breach…
- Call us and your account custodians (Schwab, Fidelity, etc.) so that they can watch for suspicious activity and collaborate with you on other steps to take
Complete cyber-security may not be obtainable, but we don’t have to drive ourselves mad in its pursuit as Ahab did chasing the whale. While true that actions like 2-step verification and consistently changing passwords can be a bit burdensome, however the pain is worth the benefit. Following these best practices will better position you to prevent a fraud or at least quickly identify it so that the damage is contained.