Whitepaper: Phishing, Hacking, Data Breaches and Other Nuisances of Modern Life That Need Not Afflict You.
It is an unfortunate reality of modern life that we are all just a click away from our own personal online armageddons. However, by following just a handful of simple tips you can protect yourself from the vast majority of malicious attempts that might otherwise compromise your personal information, and – with a little creativity – avoid driving yourself crazy in the process.
If you can spare a moment, take a quick scroll through your email inbox. It may well include one or more of the following, or others that are very similar.
- PayPal, asking you to add missing information to your account record.
- iTunes, confirming a recent purchase, with a link for you to verify.
- Netflix, expressing sincere regrets that you have canceled your membership, but generously giving you a chance to restart it.
These may look authentic, but they are not. Emails like these are called “phishing” attempts, and they put you just a click away from a malware infection or a theft of your identity. They represent just one of an ever-growing array of fraudulent tactics at play in a never-ending effort to steal your money or personal information.
With all of the wonders offered by our electronic age, IT security has become one of the most important risk management issues facing successful families and businesses. Despite antivirus software and wireless “firewalls,” most personal devices and networks present an open door to criminals around the world. The proliferation of the “Internet of Things” – smart doorbells, thermostats and the like – is further expanding the number of vulnerable targets.
There are as many data security risks as there are malevolent individuals on the fringes of society and in unfriendly governments. In the broadest sense, however, these threats generally fall into three camps: phishing, hacks and data breaches.
Phishing is communication that purports to be from a legitimate source which attempts to draw you into providing personal information that can then be used to hijack your personal information or accounts.
As you would imagine, various combinations of the above abound – like the fake antivirus pop-up that infects your computer and then tries to lure you to a page to provide your credit card number in order to “purchase” special software to remove the virus.
Hacks are intrusions into an individual’s device or network, usually via malicious software code that accesses programs and files. A hack initially requires the individual under attack to do something, like click a link in an email, which downloads the enabling code into the device. Once in, hackers can gather information on you, pretend to be you, and even watch and record what you type as you type it (your PIN or personal emails, for example).
The most common hack is against free email accounts, such as Gmail, with easy-to-guess passwords. If you’ve ever received an email from a friend that simply says “This is cool, check it out” and provides a link, be wary. Especially if this is out of character for your friend. It is very likely that your friend has been hacked and the intruder is after their friends.
Data Breaches are information thefts, and the most worrisome come from organizations that hold private identity or financial information such as credit card numbers, email addresses, social security numbers, physical addresses, etc. Breaches have infiltrated retailers, banks, universities – even the IRS and the Navy. In 2021, more than 1,800 significant institutional data breaches were reported in the U.S., according to the Identity Theft Resource Center.
TIP: Always apply software updates as soon as you can. Manufacturers are patching security holes as quickly as attackers are discovering them. The most successful hacks are against outdated, insecure software.
How Can I Protect Myself?
Those with the most at risk – the very wealthy, public figures, people with access to sensitive and potentially damaging data – will often engage a private security firm to determine their risk and put a plan together to defend against it.
If you fall into this category, you will find that the process typically starts with a risk assessment to identify where you are vulnerable. The security firm will examine your physical property for weak spots, the security in place for your computers and mobile devices, the information available about you on the internet and social media, the backgrounds of your household staff and even the predictability of your commuting habits.
The firm’s recommendations may encompass data security, travel, property and physical security, remedies for online privacy vulnerabilities, background checks on personal staff and more.
Network Security: For most families, data security considerations are the most critical. It starts with making sure the data network you are using – whether at home or at a coffee shop – is as private as you think it is.
Those using wireless should be aware that at least 25% of wireless networks are entirely unsecured, meaning any device can attach without submitting a password or asking permission. This includes home networks as well as networks in public places. Many more use outdated encryption that can be broken in less than a minute with tools commonly available on the Internet. Once in, fraudsters find it easy work to exploit the networking vulnerabilities in devices on the network, and things can go downhill quickly from there.
TIP: Never use the default password that comes with a device, always change it. These default passwords are well known to attackers.
Those with much to lose may want to consider keeping devices that access financial sites and ecommerce wired, and off of their wireless network.
TIP: Always be sure to use a complex password when setting up your Wi-Fi network to enable the highest level of encryption available.
Email: Provided the network that attaches your computer to the Web is at least reasonably secure, the next area of vulnerability is your email.
Your email inbox is like an unlocked lobby where strangers are free to enter. The good news is a fraudster can’t do any damage unless you click on something within his or her email. He knows this, so his game is to put emails in front of you that appear to be from someone you trust (the famed Nigerian prince notwithstanding).
TIP: Always use a complex password for your email. If your email provider supports 2-step verification, you should consider enabling it.
A closer look at the sending address in suspicious emails can reveal when the senders are not who they say they are. Since institutions like banks often register email “domains” (the part of the email address that comes after the @ sign) that cover the common variants of their name, fraudsters resort to odd variations. These are usually easily spotted if you adopt the habit of looking, but always be wary of names where characters are easily confused, like using a 1 (the digit) instead of a lower case L, for instance. If the full email domain doesn’t display, you can hover your mouse over the sender’s name or click a “more info” or similar link that will be adjacent to it.
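The habit described above (compare the sender’s domain with the one you know, and watch for swapped characters) can be turned into a small check. This is an added example, not code from the whitepaper or from Fieldpoint Private; the trusted-domain list, the confusable-character table and the sample headers are all constructed for illustration.

```python
import re

# Constructed list of domains this reader actually does business with
# (an assumption for the example; substitute your own).
TRUSTED_DOMAINS = {"paypal.com", "netflix.com", "apple.com"}

# Characters that are easily confused with letters, mapped to the letter
# they imitate, so a look-alike spelling normalizes to the real one.
CONFUSABLES = {"vv": "w", "rn": "m", "1": "l", "0": "o", "5": "s", "3": "e"}


def sender_domain(from_header: str) -> str:
    """Pull the domain out of a From header:
    'PayPal <service@paypa1.com>' -> 'paypa1.com' (lowercased)."""
    match = re.search(r"<([^>]+)>", from_header)
    address = match.group(1) if match else from_header.strip()
    return address.rsplit("@", 1)[-1].lower()


def normalize(domain: str) -> str:
    """Replace confusable characters so 'netf1ix.com' becomes 'netflix.com'."""
    for fake, real in CONFUSABLES.items():
        domain = domain.replace(fake, real)
    return domain


def classify_sender(from_header: str) -> str:
    """'trusted'   - a domain you know, or a subdomain of one;
       'lookalike' - matches a trusted domain only after confusable
                     substitution, or buries a trusted brand name inside
                     some other domain (paypal.com.verify-now.example);
       'unknown'   - anything else (treat links with caution)."""
    domain = sender_domain(from_header)
    if domain in TRUSTED_DOMAINS or any(
            domain.endswith("." + t) for t in TRUSTED_DOMAINS):
        return "trusted"
    cleaned = normalize(domain)
    if cleaned in TRUSTED_DOMAINS:
        return "lookalike"
    labels = set(re.split(r"[.-]", cleaned))
    if any(t.split(".")[0] in labels for t in TRUSTED_DOMAINS):
        return "lookalike"
    return "unknown"


if __name__ == "__main__":
    # Constructed sample headers, not real messages.
    for header in ["PayPal <service@paypal.com>", "PayPal <service@paypa1.com>",
                   "Support <help@paypal.com.account-verify.example>",
                   "Mom <mom@example.org>"]:
        print(f"{classify_sender(header):9s} {header}")
```

The check is deliberately conservative: an unfamiliar domain that merely contains a brand name is flagged even when it turns out to be harmless, which is the right direction of error for an inbox.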
Skipping this step and clicking a link in the body of the email could download malware or take you to a legitimate-looking Web page where you may be asked to “update” anything from your debit card number to your social security number. One of the most common schemes is ransomware, where one click will disable your device until you hand over your credit card information and make payment. 2020 saw over 40,000 ransomware attacks per day, with 40% of spam emails carrying illicit links.
You can be confident that no legitimate financial organization will ever – unprompted – send you an email to ask for your user ID, password, social security number or any other sensitive personal information.
Beyond this, be highly suspicious of links in unsolicited or unusual emails from people you know. Your friend’s email may have been hacked, and all of her contacts are likely getting the same “This is cute, click here!” message. It’s not cute. Don’t click. Instead, delete anything suspicious without opening it, and then delete it from your deleted items folder.
Mobile Network: Today’s cell phones are less like phones and more like pocket-sized computers that contain phones. There is risk in the apps on these little computers.
The biggest security holes may lie with the most popular free apps, particularly on Android devices. Android’s “open source” approach to application development has long left it more vulnerable than Apple’s more restrictive philosophy.
Since it’s a little computer, you should think of protecting your cell phone in the same way you think of protecting your PC or Mac. Never download an app you don’t really need – especially if it’s free – and if you download or update any app, make sure you read about the functions the app will access. The app that sends you the score of the Rangers game doesn’t need to know where you are all day.
Happily, there are powerful data security products available to protect your mobile devices. At least one tool can peer through a mobile app and tell you where it wants to send your data, whether it’s Chicago or Chechnya. Another encrypts mobile voice and messaging, letting you choose when to delete messages on both ends.
While we can’t, of course, recommend specific security products by name, a bit of Web work and consultation with a data security professional will bring you some excellent ideas.
Ending Password Insanity
We live in an arms race of ever-increasing log-in complexity. Hackers are using machines to attempt new password combinations constantly, with time and computing power on their side. So, sadly, the days of the simple, permanent four-digit password are as over as the days of leaving your keys in your car overnight. However, with a long enough password, you can turn time and computing power into your ally.
TIP: Consider that a nine-character password would take about five days to guess using modern computers. A twelve-character password would require almost 200 years.
With a bit of forethought, however, you can devise a password convention that will serve you and the most demanding sites you use for many years, without driving you crazy.
Consider this example. Think of the characters in a site’s web address or brand name as a toolbox from which you can pull letters and create a combination by adding capitalization, numbers and symbols. If your pattern is consistent but secret, every site you visit can have its own password, yet your password will be all but impossible to forget. Even for infrequently visited sites, you won’t have to remember the password, only your secret convention, which you will, by definition, use constantly.
TIP: Don’t make the mistake of using the site name in your password while keeping the rest of it the same as on other sites. Hackers are on to this trick and are actively exploiting it.
The next step is to add a convention for changing these passwords when required (some sites age-out passwords and require periodic updates) or simply to stay on the safe side. Your update convention, again, can be one that is easily remembered and deployed similarly for all sites you visit. Avoid simply adding higher digits to the end of your previous password. Your updates could more safely involve names of U.S. presidents in some order, or your grade school teachers or old bosses.
One final tip for maintaining your sanity: though many sites have evolved to “multi-factor” authentication, like sending you a text code to verify it is you who is attempting a login, some sites still use the old challenge question approach.
A challenge question would be, “What was the name of your first pet?” or “In what city were you born?”
Beyond being discoverable by hackers (birth records are public, for example), four years after registering on a site who would remember whether they said their birth city was “New York,” “new york city,” or “NYC”?
The answer? Don’t answer. Well, not literally. Create coded answers, again using a convention you follow each time.
The hackers may be ruthless, clever, and able to harness massive computing power to crack your code, but they are no match for your creativity, individuality and simple good sense.
About Fieldpoint Private
Fieldpoint Private is a boutique private banking firm established at the onset of the financial crisis by 31 individuals including former Chairmen and CEOs of some of the most well-known and successful financial and consumer firms in America. Their intent was not to craft a firm that would emulate the large, established institutions, but to serve as an alternative. Dedicated to meeting the comprehensive financial needs of highly successful individuals, families, businesses and institutions, Fieldpoint Private offers a powerful combination of private personal and commercial banking services directly and in partnership with our clients’ most trusted advisors. In 2021, Fieldpoint Private founded Fieldpoint Private Trust, increasing the breadth of capabilities available to serve our clients in both sole trustee and co-trustee capacity.
© 2024 Fieldpoint Private. Banking services by Fieldpoint Private Bank & Trust. Member FDIC.
Trust services offered through Fieldpoint Private Trust, LLC, a public trust company chartered in South Dakota by the South Dakota Division of Banking.