Advancements in technology can be wonderful, often making our lives easier in many ways. These days, thanks to smartphones, it’s difficult to remember when meeting a friend for dinner required major coordination and navigation, or when banking wasn’t done almost entirely online. Unfortunately, one significant disadvantage of these advancements is the endless string of sophisticated and quickly evolving scams that can turn even the most tech-savvy among us into victims of online criminal activity.
I’ve written about cybersecurity and hacking before (see my post Thwarting Financial Fraud from January 2021), but the most recent wave of new criminal methods to access online data calls for an update. Our goal, always, is to keep you and your assets safe, and knowledge is one of the best things we can offer to help achieve that goal together. Toward that end, here’s an overview of some of the most common scams being used today:
Scam #1: Accessing your data using your own passwords
If you’ve ever received an alert that your password for a site has been compromised, this is no joke. Hackers have access to massive databases of usernames and passwords that have been stolen in data breaches from popular online services such as LinkedIn, eBay, and more. They then use software (or ‘bots’) to quickly test every username and password combination in the database to try to log on to other websites, especially banks and credit card websites. It’s a ‘brute force’ approach to password cracking—much like someone spinning the wheels on a combination to break open a bike lock but at faster-than-lightning speeds!—and it’s an easy way for hackers to break into your accounts, especially if you use the same password for multiple websites or don’t change your passwords regularly. Once a hacker has your username (often your email address) and a compromised password at their fingertips, serious trouble may follow.
The fix: Do not reuse passwords and change your passwords often. To keep this task top of mind, we recommend setting a reminder in your calendar or on your phone to update your financial passwords at least every three months. If you receive an alert that your password has been compromised, change it immediately by visiting the official website and choosing a new password. Always use complex passwords with a minimum of 12 characters, including a combination of unassociated letters (avoid any reference to your own name, the name of the website, or other common identifiers), numbers (do NOT use your street address, birthday, or phone number, all of which are commonly available online), and symbols (^, &, !, etc.).
DO NOT click a link contained in an email as the email itself could be malicious—even if it looks legitimate. Thieves have gotten extremely good at duplicating logos and other identifiers in email and other communication. Many websites offer multi-factor authentication that requires the service to call or text you with a temporary access code. This is highly recommended for every financial website you use.
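The password rules in the fix above can be checked mechanically before a new password is saved. This is an added example, not part of the original post; the function name, the sample identity and the substring-matching approach are assumptions made for illustration.

```python
import re

MIN_LENGTH = 12  # minimum length recommended in the post

def check_password(candidate, personal_terms, site_name, passwords_in_use=()):
    """Return the list of rules the candidate breaks (empty list = passes)."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append("shorter than 12 characters")
    if not re.search(r"[A-Za-z]", candidate):
        problems.append("no letters")
    if not re.search(r"\d", candidate):
        problems.append("no numbers")
    if not re.search(r"[^A-Za-z0-9\s]", candidate):
        problems.append("no symbols")

    # Compare letters and digits separately so "J.o.r.d.a.n" or a birthday
    # fragment such as "0704" is still recognised as a personal identifier.
    letters_only = re.sub(r"[^a-z]", "", candidate.lower())
    digit_runs = re.findall(r"\d{4,}", candidate)
    for term in list(personal_terms) + [site_name]:
        words = re.findall(r"[a-z]{3,}", term.lower())
        term_digits = re.sub(r"\D", "", term)
        if (any(word in letters_only for word in words)
                or any(run in term_digits for run in digit_runs)):
            problems.append(f"contains identifier: {term}")

    # Reuse check against passwords already in use on other sites.
    if candidate in passwords_in_use:
        problems.append("already used on another site")
    return problems

# Constructed sample identity (not real data): name, birthday, phone, street.
PERSONAL = ["Jordan Avery", "1984-07-04", "555-0142", "1208 Maple Street"]
SITE = "Example Bank"

if __name__ == "__main__":
    for pw in ["Jordan!2024", "Qv7#tulip-Crane0704", "Qv7#tulip-Crane!92"]:
        print(pw, "->", check_password(pw, PERSONAL, SITE) or "OK")
```
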
Scam #2: Accessing your accounts via your email
It may seem that ‘cracking’ your email would be much more difficult than cracking your passwords, but compromised email fraud is now the number one source of financial and identity theft. Email hacking is usually achieved by tricking a recipient (that means you) into clicking a malicious link that uses phishing techniques or that injects malware to access an email account. This is often achieved by sending an official-looking email from a bank or other entity that asks you to click a link for more information. This link takes you to a fake website (which, again, can look shockingly legitimate) where you are asked to verify your username and password. If you fall for the hoax, the thief now has your login information at their fingertips. Once your email has been compromised, clever fraudsters access your ‘sent’ folder and reply to existing, legitimate conversations—an easy way to bypass any natural suspicions to trick you and your contacts into supplying personal information, money, and more.
The fix: Consider all links in emails to be potential threats, and only click links if you are certain you can trust the person or organization sending the link. Never click a link in an email from your bank that asks you to enter your login information to access their website. Instead, open a fresh internet browser, and go directly to the bank’s website to access your information. When in doubt, pick up the phone and call your bank’s customer service number (not the number provided in the questionable email!) to verify the request.
Scam #3: Hacking your outdated computer system
Even if you don’t fall victim to the clever tactics above, it may still be possible for cybercriminals to hack directly into your computer to access your stored data—sometimes including your list of stored passwords for a multitude of websites. The good news: most successful attacks take place via computers using software that is more than three months old. Software companies take cybersecurity very seriously, and many software updates include patches that close ‘back doors’ that give hackers a path straight to your valuable data.
The fix: When you receive an alert that an updated version of your licensed software is available, always install the update! If the update is not installed, the known vulnerability remains intact, leaving that ‘back door’ wide open for hackers.
Cybercriminals have a growing toolkit of strategies to steal your information and your identity. Though nothing is 100% foolproof, each of these fixes can help keep you and your assets safe. Even so, if you see something unusual, don’t hesitate to contact us. Additionally, Charles Schwab has responded to the increase in cybersecurity threats with some targeted efforts: an identity theft hotline number (US: 877-862-6352, International: 81-602-355-7300), and a website which provides additional cybersecurity resources (www.schwab.com/schwabsafe). While we are not technology specialists, we are happy to take a quick look at the situation and do what we can to help stop or resolve cyberattacks before they become even larger threats.