Not too long ago we received an email that sent red flags flying. Addressed from a client, this email asked us to send money from their account to the bank account of a third party.
No can do.
Not without a verifying phone call to the client (our standard practice). And an explanation that we can only transfer money to the client’s account on file (versus a third party), unless we have additional authorization and verification.
In this age of rampant cybercrime, we have become very guarded, suspicious even. We have to. And so do you.
According to Schwab, 17.6 million people experienced identity theft in 2014 alone (imagine how much more today!). In the past six years, fraudsters have stolen $112 billion. And more than half (63%) of confirmed data breaches involved weak, default or stolen passwords.
Here’s the disturbing truth. If you haven’t had your identity stolen yet, just wait a bit. Most likely you’ll eventually be hit by one (or more!) of seven schemes cybercriminals typically use to fraudulently inflate their bank account while deflating yours.
7 most common cyber threats – and how to fight back
1. Taking over your email account
Turns out our red-flag email was a legitimate request from our client. A simple phone call confirmed this. But it just as easily could have been a fraudster attempting to transfer funds to a fraudulent account, because that’s how they operate.
Hacking into email accounts is a classic ruse of cybercriminals. Once they’ve found a weakness in your computer system and gained access to your email account, they poke around to learn about you and your habits. Then it’s easy for them to pretend they’re you and send emails from your email account requesting a transfer of funds to their account.
DO THIS — follow ID procedures
The best thing you can do is to adopt some safeguards. Follow proper identification procedures. Use strong secret passwords, phone call verifications and even video chats to confirm and protect your identity. Also, it is critical that you back up your important data files on a regular basis, either to another secure, off-site device, or in the cloud using a secure service.
2. Infecting your computer with malware
It’s scary how easily your computer can become infected with malware (malicious software designed by criminals to damage or gain access to your computer). You need only click once on an infected link or download an infected file and your computer is toast. These nefarious malware creators are experts at tricking people into opening their tainted files. Most likely you’ve had plenty of these sneaky emails (we get them all the time from “Amazon”) notifying you about your refund, receipt or invoice and enticing you to “click” on a link or file. But you’ll pay dearly if you do, perhaps giving up control of your computer, along with access to your passwords and financial information, and inviting all manner of viruses, worms, Trojan horses, ransomware or spyware.
DO THIS — install up-to-date antivirus and anti-spyware software
Install the most up-to-date antivirus and anti-spyware software you can find on all of your devices that connect to the Internet. Run regular scans and keep this protective software updated. Also, make sure your networking equipment and computers are still supported by the manufacturer. Finally, don’t click on any suspicious links or files unless you’re 100% sure they’re legitimate. And back up your files!
3. Phishing (for your personal data)
Phishing is a close cousin to malware. Both usually masquerade as a legitimate email, pretending to be trustworthy, and attempt to lure you to click on their link. “Validate your account.” “Confirm your identity.” “Access your tax refund.” If this is a phishing scam, clicking on the link will take you to a fake website that looks legit and directs you to enter your personal information.
DO THIS — hover over links
With your cursor, simply hover over questionable links and the true address will appear — a clear way to identify if this is a legitimate email from a known source. We do this all the time. It is a simple and invaluable safeguard. Or better yet, use a search engine to find the website yourself (rather than trusting a link) so you know you’re at a real website. Here’s another tip. Remember that secure websites start with https — not http.
4. Stealing your log-in credentials
People are creatures of habit. We have a tendency to re-use passwords and usernames, making us an easy target for those intent on stealing identities. Cybercriminals buy stolen login credentials off the dark web all the time. Armed with these login credentials, they test them against the websites of financial institutions, trying to find a match. Once they do, they request fraudulent fund transfers.
DO THIS — beef up your passwords
Use a different password for each account. (This will make it more difficult to attack all of your accounts in one sweep.) Make each password different, long and strong, with 8–12 or more characters, upper and lower case letters and symbols. Some experts now suggest using a longer phrase as a password, while adding in alphanumeric characters as well.
5. Social engineering — falsely gaining your trust
Social engineering is basically using psychology to manipulate people into giving up confidential information (especially passwords and financial data). Cybercriminals prey upon people (often through social media) they deem to have qualities that can be exploited — naiveté, compassion, vanity, irresponsibility, a tendency to overshare. Once they’ve gained trust, they make their move to gain information to commit fraud or to access systems.
DO THIS — limit what you share online
Be careful about how much — and with whom — you share personal information on social media. Do keep your personal information private (at the very least your address, phone number, birthdate). Do not post personal information about family and friends. Increase your privacy and security settings online. And finally, make sure your online accounts have two-factor authentication.
6. Call forwarding — compromising your cell phone
Of course cybercriminals are going to go for your cell phone, whether it’s a smart phone or a dinosaur flip phone. (Just ask Amazon CEO, Jeff Bezos, whose cell phone was recently hacked.) Cybercriminals will do whatever they can to impersonate you, and what better way than by taking over your cell number, whether by spyware or other means. If fraudsters are able to scam the phone company into forwarding your cell number to their cell phone (and this happens), they can pose as you when your bank calls you back to verify that you really do want to transfer your money to another account.
DO THIS — check your phone bill
Always check your monthly phone bill as soon as it is available. If anything looks suspicious (phone numbers you don’t recognize, calls placed at odd times), immediately contact your carrier and financial institutions. And follow proper identification procedures (using secret passwords with your contacts).
7. Spoofing — fake email headers
You probably see emails with fake headers every time you check your in-box (or junk mail). It would be funny, except it’s not. These deceptive emails attempt to impersonate legitimate sources (friends, places you do business, even you) and trick the recipient into opening and responding to the email (which has an address nearly identical to your own, but is off by a character). Worst case, they can send and confirm a fraudulent wire transfer request to your bank or advisor and steal your money.
DO THIS — check incoming email addresses for accuracy
Be sure to carefully examine the email address of any incoming mail before opening it. Is the email address accurate? Is the sender’s name spelled correctly? These errors are fairly easy to spot. If you have any doubt that the email is legitimate, don’t click. Contact the sender directly using the email address or phone number you have on file.
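For readers who filter mail with a script, the check described above (compare the incoming address with the one on file and watch for an address that is off by a character) can be automated. This is an added example, not part of the original article; the address book, the names in it and the distance threshold of 2 are constructed assumptions.

```python
from email.utils import parseaddr

# Constructed address book: the addresses you have "on file" (not real contacts).
KNOWN_CONTACTS = {
    "jane.doe@example.com": "Jane Doe",
    "advisor@example-advisors.test": "Your Advisor",
}

def osa_distance(a: str, b: str) -> int:
    """Edits (insert, delete, substitute, adjacent swap) needed to turn a into b."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            best = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb))
            # Two neighbouring characters swapped counts as a single edit.
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                best = min(best, prev2[j - 2] + 1)
            cur.append(best)
        prev2, prev = prev, cur
    return prev[-1]

def check_sender(from_header: str, max_distance: int = 2):
    """Classify a From: header value; returns (verdict, known address or None)."""
    name, addr = parseaddr(from_header)
    addr = addr.lower()
    if not addr:
        return ("unparseable", None)
    if addr in KNOWN_CONTACTS:
        return ("known", addr)
    # Nearly identical to an address on file: the "off by a character" case.
    for known in KNOWN_CONTACTS:
        if osa_distance(addr, known) <= max_distance:
            return ("lookalike", known)
    # Familiar display name in front of an address that is not on file.
    for known, known_name in KNOWN_CONTACTS.items():
        if name.strip().lower() == known_name.lower():
            return ("display-name-mismatch", known)
    return ("unknown", None)

if __name__ == "__main__":
    for header in [
        "Jane Doe <jane.doe@example.com>",
        "Jane Doe <jane.deo@example.com>",
        "Jane Doe <jane.doe@exarnple.com>",
        "Jane Doe <billing@unrelated.test>",
        "Someone <someone@unrelated.test>",
    ]:
        print(f"{check_sender(header)[0]:22} {header}")
```

A "lookalike" or "display-name-mismatch" verdict is the cue to contact the sender using the details you already have on file rather than replying.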
Don’t forget two-factor authentication!
Always remember to use two-factor authentication whenever you attempt to access an online account. Basically, two-factor authentication provides additional security by requiring not just one means of verifying your identity — like a password — but two. This second factor could be a fingerprint, facial scan, voice recognition, smart phone, etc.
It’s a sad day that we must adopt such a suspicious mindset. That we must go to extreme lengths to protect our personal identities. But with such complete permeation of the internet into our society, the gift of trust, once easily bestowed, belongs to a bygone era.
Cybercriminals are having a heyday and we must mount a secure defense against them. Or suffer the consequences.
Advisory services are offered by Joslin Capital Advisors, LLC, an SEC Registered Investment Advisor.