Personal Security Planning
A question we get frequently is how best to go about protecting identity and other personal information. We’ve blogged about it in the past on multiple occasions, but these things can be moving targets as new technologies and schemes create opportunities for those out to steal your information and those seeking to help you protect it.
I recently participated in a Fidelity Investments webinar on building what they called a Personal Security Strategy. Below is just some of what was covered around the most prevalent risks and some of the more practical prevention steps we can take.
Understand the Risks
Most cyber security risk comes down to attempts at gaining as much data as possible to ultimately access and/or take over physical financial accounts. Historically, this has been done by hackers casting as wide a net as possible. Picture spam e-mails sent en masse from foreign nationals or Nigerian princes requesting help in transferring vast sums of money for a healthy fee.
Today, the trend has shifted towards more individualized attacks, especially on wealthy victims. Criminals spend time on social media and other accounts gaining a better understanding of the prospective target, building a toolbox to go after specific information, usernames, passwords, etc. Below are some of the tools and scams being used in these customized attacks.
Malware: A software program that is specifically designed to disrupt, damage, or gain unauthorized access to a computer system. These can include viruses, worms or Trojan horse style programs.
Spyware: Similar to malware, spyware enables the hacker to obtain private information about another person, such as usernames and passwords, by secretly transmitting data from their computer.
Ransomware: A type of malware that restricts access to a computer system until the victim pays a ransom to the cybercriminal.
Phishing: An attempt to obtain financial or other personal information, typically by sending an e-mail that appears to be from a legitimate source but contains malware.
- Smishing: A form of phishing using text messaging instead of e-mail.
- Spear Phishing: A targeted form of phishing where e-mails and/or texts appear to be from a trusted source (friend, family member, advisor, accountant or charity) with an attachment or link to a site that downloads malware.
Pharming: An attack that installs malware on a computer to direct the user to fake websites that look very much like the intended destination and then transmit login or other information to the hacker.
Reducing the Risk
Growing up, we had Honeywell Security stickers on all the exterior doors to our home. When I was old enough to be curious about such things, I asked my Dad where our alarm was located. His response was somewhat surprising. It turns out we didn’t have an alarm. He had simply asked the security company at his office for a few extra stickers. The way he saw it, an intruder was more likely to pass up our home in favor of one with no apparent threat of a security system.
While that may not be quite the path you’d want to follow today, the lesson holds true: the more difficult you make it for criminals to come after you, the more likely they are to seek another target. Below are the most consistent recommendations that came up during the webinar and in other reading we’ve done on the subject:
Usernames and Passwords
- Whether financial, e-mail, mobile or other accounts, we routinely hear that using strong, unique usernames and passwords
- Two-Factor Authentication is a security measure that requires two distinct forms of identification, with the second typically a code sent to the user via text message or e-mail.
- Despite the hassle, using two-factor authentication, especially when accessing financial accounts, is highly recommended.
Bank/Credit Cards
- Most financial accounts have settings that allow the user to be notified when various transactions occur.
- Fidelity recommends fairly stringent alert settings in order to ensure timely notification of any unusual or fraudulent activity.
- Some financial institutions, including Fidelity and Schwab, the companies we use to custody client assets, allow clients to set up voice authentication tools to verify identity.
- Think before you share. A Facebook post of you and your spouse toasting with champagne flutes in the Delta SkyClub with an “off to Paris for our anniversary” message may be a lovely way to let friends know how you’re celebrating. But this type of post could also invite a cyber-criminal to attempt to prey on family members and friends to gain information.
- You don’t have to stay off social media completely, just share once you’ve returned home, use first names instead of full names, etc.
How this Works
As mentioned earlier, these attacks are getting increasingly targeted and sophisticated. Hackers aren’t just looking for credit card and social security numbers anymore. As an example of how these criminals operate, let’s go back to that social media post about a trip abroad.
Let’s suppose this cyber-criminal has been stalking you for some time. They’ve learned the names of a few family members through Facebook, determined where you spent your career through LinkedIn and have your home address and how long you’ve lived there through a quick search of public records. Through a phishing scam, they’ve been able to access your computer enough to know where you bank and maybe which major credit card you use most frequently.
The cyber-criminal sees your post about leaving the country as their opportunity to strike. They use all the information they’ve gathered and contact a family member, a neighbor, or your bank to try to gain access to your money through some type of fraud.
Customize Your Plan
As I mentioned, these were just some of the areas covered. I felt that diving into greater detail or additional areas of personal security could be cumbersome and counter-productive to providing some practical solutions we can all act on today.
If you have any questions or want to dive deeper into these or other areas to find the right approach for you, feel free to reach out to your advisor to discuss some of these areas in more detail. As with so many things, it’s all about striking a balance between the convenience of technology and the vigilance required to keep us safe.