
How to Reduce Your Cybersecurity Risk in 2018

In Articles, Risk Management by Dannell Stuart

 

By Dannell Stuart, CFP®
Director of Business Development

I recently attended a very informative seminar on personal cybersecurity. The knowledgeable speaker, who has a background both with the FBI and with a large financial institution, addressed several types of threats and talked about how we can help our clients mitigate the risk of a hacker accessing their investment accounts.

While most people recognize that online fraud, or cybercrime, is a potential threat, few know how or why they may be at risk. Not understanding who the adversary might be or how they commit their crimes can put individuals at risk.

Many of these thieves are highly skilled and sophisticated, and use technology to steal. They are often individuals from other countries who operate for their own profit. They are looking for your user name and password so they can access your financial accounts. To get these, they install malware.

It used to be that they would cast a wide net for potential victims, hoping that the sheer quantity would yield sufficient economic benefits. Now, however, criminals spend a great deal of time and effort identifying a worthwhile target. They develop a victim profile based on public and private information with the goal of stealing from financial accounts. The weak link is usually the home user. They target high-net-worth individuals and build a picture of them from publicly available information, which is often posted by family members. They piece together details from Facebook, LinkedIn, obituaries, and charities that list their donors on their websites.

Although the criminal act can take several forms, the basic steps are often similar:

  1. Send phishing email – An individual opens an email that appears to be from a trusted source and then clicks on a link or opens an attachment that installs malware on the computer. Typically the email comes from an organization that the individual is already involved with. It can be very difficult to tell that the email is not legitimate; no longer are there rampant spelling and grammatical errors. On the surface it looks quite safe. For example, it may come from the private school your children attend, or from your alma mater.
  2. Gain access – The malware allows a criminal to obtain login information and thereby gain access to an individual’s financial accounts. You open the email, the malware drops a piece of code, and when you log in to a financial website it will capture your keystrokes for your login info. In this case it doesn’t matter how complex your password is!  The individual has no idea the malware is being installed; there are no warning signs while this is happening.
  3. Manipulate accounts – The bad guy can then log in to and manipulate accounts to steal money. They will first go in and change your email address on the account to their own bogus email address. They will then change the statement delivery to online only. Once this has been set up, they open another account in your name, and then transfer the money from your original account to the new bogus account. From there, they send the money out of the country.

Here are some things you can do to make yourself a difficult target. The key is to limit your exposure by treating your computing devices as you would your front door. That is, you don’t just leave your front door unlocked, wide open and/or let anybody come in!

Accessing Accounts

  1. The best defense is to use two-factor authentication whenever possible. You may need to go into the security settings of your financial provider’s website to do so. This type of authentication means that when logging in you will receive a code via text or email that you need in addition to your usual user ID and password in order to log in to your accounts. If you have two-factor authentication, the hackers will most likely move on to the next person.
  2. Your passwords should be long and complex. Also, do not use the same password for multiple financial relationships.
  3. Change passwords frequently – even strong passwords!
  4. Always access accounts via secure Wi-Fi. The convenience of public Wi-Fi is more than offset by the exposure of your login credentials to potential thieves who “hijack” the network’s traffic, capturing sensitive documents and passwords.

Emails

  1. Use a dedicated email account for financial transactions.
  2. Be wary of unsolicited emails – especially if there is a link to a website or a request for personal information – even if they appear to come from a recognized entity!
  3. Ask yourself if the email attachment seems necessary and makes sense. For example, does your favorite charity typically email you?

Additional Steps for Good Cyber “Hygiene”

  1. Consider using a dedicated device for financial transactions. Do not use this device for email or for surfing the web so it does not run the risk of getting infected. Do not use this device on public Wi-Fi.
  2. Install industry standard systems and software, keep them up to date, and perform regular backups.
  3. Install and use antivirus software.
  4. Regularly back up sensitive data to an external drive and the cloud to protect yourself from ransomware. That way, if you get infected by ransomware, you can shut down your machine, wipe it clean, and then turn it back on. Ransomware, by the way, is when a virus is downloaded on your device, freezing everything until you pay money to have it unfrozen.
  5. If you do get hacked, consider adding a “security freeze” at the credit bureaus to avoid additional accounts being opened in your name.

At Mission Wealth, our security policy ensures our clients are protected.  Here are a few of the precautions we take to reduce cybercrime:

  • All wire or distribution requests have to be verified with a phone call.
  • Any distribution requests to addresses or non-linked accounts (such as indicated above) can’t be done without you signing new paperwork authorizing such a distribution (per Schwab and Fidelity rules, they will not act on instructions from our office without your signature).
  • If someone (including you) tries to change your address, you are notified of such a change, and your account is put on distribution restrictions for a period of time.

Additionally, our client portal uses the following 4 levels of security on transmission / viewing:

  • SSL 128bit encryption
  • X509 certificate
  • Time stamping with time limited allowed variation
  • SSL HTTPS encryption using a private key

Access is only granted with a valid user name, unique password including numbers and a private “phrase.” Site access is also nsProtect™ monitored.

Source: Gary Rossi, Fidelity Investments, “Get educated on personal security and risk”

Additional resources: fidelity.com/security/overview



 

CFP®, ChFC®, CLU®, CASL®

Partner, Client Advisor and Director of Business Development


About the Author
Dannell is responsible for the firm’s business development activities and enjoys being involved in welcoming new clients to the firm. She serves on the Investment Committee and also devotes time to servicing client relationships.
