Fall is continuing education season for financial advisors, when we have an opportunity to hear from experts on a variety of financial topics and use that information to help our clients. One of the best presentations I heard recently at the National Association of Personal Financial Advisors conference was on the topic of cybercrime.
We all know we shouldn’t open emails from individuals or email addresses we don’t recognize, and that helping out a Nigerian prince is a bad idea. But cyber criminals are becoming more sophisticated at using social media to learn about who we are and what we do, and then using that information to do a better job of deceiving us. Here are some of the current tactics criminals are using to separate us from our financial information and our money, and what precautions you can take.
Kids Are a Primary Target
Among the most in-demand stolen Social Security numbers are those associated with minors and young adults, because their numbers have been used for very little, making them ideal to sell on the dark web or use to establish a new credit history.
One of the tactics used by scammers to get kids to provide their Social Security number is to offer free merchandise and on-line games in exchange for entering their Social Security number on a website. If your kids start receiving free credit offers, their number is probably being used by someone else.
To see if there may be a problem, you can use Experian’s free child ID scan to see if a credit report exists for them. If they’re under 18 years of age, there should be none unless you have added them as an authorized user of one of your credit cards. Once you’re sure no one has misused their identity, the best way to prevent their number from being misused in the future is to freeze their credit. Now that the process is free, and you can remove a credit freeze easily when you need to, there is little reason to skip this step.
It’s also a good idea to lock up both your own and your children’s Social Security cards, to prevent them from being lost or misused. If you’re asked to provide your Social Security number on an application that isn’t a loan or credit offer, don’t put it on the form, as these situations have been found to create more opportunities for theft. In New Jersey, a Little League volunteer used T-ball league applications to gather Social Security numbers from kids and sold them for several years before he was discovered.
Social engineering, in the context of information security, is the psychological manipulation of people to convince them to perform actions or divulge confidential information – and cyber criminals are getting good at it.
One of the best ways to get someone to do something is to make them believe they are providing information or money to help someone they care about. The best way to get them to do it quickly – before they have time to think and consider the possibility that the request is unreasonable or uncharacteristic of the person they know – is to play on their emotions and sense of urgency. The two other emotional levers are fear and greed, and those are effective as well.
My own parents were taken in by a phone call they received that sounded like one of their 20-something grandsons in distress. Because the caller knew his parents were in Florida at a wedding (Facebook) and who my parents were and where they lived (easily available on-line), the scammer was able to put together a convincing and urgent story of an automobile accident caused by texting that was going to jeopardize their grandson’s first job out of college, unless they helped by paying his ‘legal fees.’ Other people have been targeted by email with similar stories.
The best way to prevent something like this from happening to you or someone else in your life is to slow down before reacting and reach out to a variety of family members to confirm facts before taking any action. Had my parents called their grandson back on his real cell phone number, versus the one they were told he had to use because he was in jail, they could have put an end to the situation quickly. Our emotions can be easily used to manipulate us if we allow them.
The IRS Is Calling
I’ve received several of these scam phone calls myself. The caller leaves a message that I owe money and the government is going to seize my bank account unless I respond back immediately. Unfortunately, this scam is very successful, which is why it continues. Other scammers claim to be the Social Security Administration, calling or emailing with news that your Social Security account is about to be suspended due to suspicious activity.
The IRS or Social Security Administration will never call or email you, and they certainly won’t demand that you send them money or provide information about your Social Security number, address, date of birth and other information they say they need. All IRS or SSA requests and correspondence will come to you in writing.
A more serious threat is the filing of a false federal tax return using your stolen Social Security number. Many people don’t realize their identity has been stolen until they file their return and request a refund for overpayment. Their request is denied because someone has already filed under their identity and received one. The best protections against this possibility are to file your return early, and use an Identity Protection PIN when you file.
Phishing Scams Are More Sophisticated
The most common way people are hacked is through email phishing. In most cases, the email is made to look like it came from your bank or email provider and asks you to click on a link in order to correct an error or provide information. Once you click the link, the scammer is into your computer. In the past these attempts contained misspellings or other clues that made it easy to determine the request wasn’t real, but their methods have improved.
There are more email scams than we can list here, but very common ones today include the “Your account is about to be suspended” notice from PayPal; the Chase bank (or any other bank) warning that your account is going to be closed and urgent action is needed; and the very sophisticated Gmail scam that crooks have used to bait Gmail users into sharing their two-factor authentication code. These scams work because there are no viruses attached to their requests, so they aren’t captured in spam filters like Norton Antivirus, which gives them more credibility.
Never call a number or click on a link that’s been provided to you in an email. Instead, go directly to the website of your bank, email provider, etc. and enter in your credentials, then look to see if you have any messages or alerts. Call the number on the legitimate website for any help or to answer any questions you have.
A Few More Cautions
- Yahoo accounts have been sold and used frequently on the dark web. If you still have a Yahoo email account, change your password or consider using a different email provider.
- To determine whether your email account has been exposed, you can use the website Have I Been Pwned? If it has, you should change your password immediately, and consider changing it from time to time in the future.
- Use strong (complex) passwords on all your on-line accounts and email services to lower the chances they’ll be cracked. You can check the strength of your password by going to this website, where you can learn how long it will likely take a computer to figure it out.
- Don’t use the same password on all your devices and accounts. Because it’s difficult to remember multiple complex passcodes, use a password management application to track them, and allow the software to generate random passwords for you as well. Recommended password management systems include LastPass (which will allow you to will your password to your family), Dashlane, StickyPassword, and RoboForm.
- Use two-factor authentication along with your password on all sites when it’s available.
- Based on everything I’ve seen and read, freezing your credit is the best way to be sure no one can use your credit information to open new credit cards or loans. I highly recommend you take the time to do it.
And There’s Still Stealing the Old-Fashioned Way
While our computers and phones are becoming a major resource for criminals, our mailboxes continue to be one of the tried and true ways to steal from us. Police caution that outgoing mail containing bill remittances with checks is an important source of bank information and can be used to create look-alike checks drawn on our accounts. If you pay your bills by remitting paper checks, be sure to mail them from a US Postal Service box or other secure source, and not from a location that can be accessed by anyone before the mail is picked up by the postal carrier.
Your best defense against cybercrime is a good offense. Get out there and make a few changes to protect yourself and sleep better at night.