Rather than provide market and economic commentary, with only a few weeks having transpired since the last update and too little change to warrant another deep dive, we thought it appropriate to cover a topic nobody enjoys but everyone must consider, especially with the holidays and attendant shopping sprees right around the corner. We hope you find the following informative and useful.
PIM takes cybersecurity very seriously. Defensive operational protocols permeate our technology infrastructure and our day-to-day business operations. Along the way, we have learned a few things. Given our regulatory and personal responsibility to engage with you, our valued clients, with the utmost duty of care and loyalty, we feel a responsibility to share what we know about cybersecurity. Therefore, we present the following as a first step. We intend to deliver additional cybersecurity commentary periodically going forward.
Perhaps the most significant threat facing businesses and individuals today is cybercrime. Cyber criminals, and the frauds they perpetrate, are so sophisticated these days that victims are often not immediately aware that they have been victimized. But sophisticated does not necessarily mean complex. Some of the most effective frauds are relatively simple to detect and to defend against.
In this inaugural edition of our cybersecurity commentary, we discuss four topics: 1) Email Account Takeover, 2) Credential Replay Attack, 3) Bank Account Fraud, 4) Tech Support Scams.
Email Account Takeover
Have you ever received word from a friend, a family member, or from PIM that they received an email from you that you know you didn’t send? If so, one of two things has occurred. The first, and less troubling, possibility is that the recipient didn’t look closely at the email that supposedly came from you. The email may have your name associated with it, but it didn’t come from your actual email address. This is called “spoofing”: attempting to pose as you without being you.
The more serious possibility is that your email account has been taken over by a third party who has stolen, guessed, or deciphered your email password. This means that they are actually in your email account: reading every message therein, sending email to anyone, and reviewing email that you receive.
Think of all the information there is about you in email correspondence: where you bank, that new house you’re buying, the vacation you just took, who your best friend is, the names of your spouse, children, siblings. Fraudsters can get an incredible amount of information just from reading your emails. That information can be used to infiltrate any number of personal accounts, such as bank and brokerage, or relationships, such as with an attorney or tax professional. The fraudster may also simply use your email to reset your passwords on other accounts.
Email compromise is not easy to detect, but there are some red flags that you should take seriously: 1) a call from a friend alerting you to a strange email that you know you didn’t send, 2) password reset emails that you know you didn’t request, 3) you suddenly stop receiving emails, 4) strange emails appear in your sent folder, 5) you cannot log into your email account at all, 6) you receive an alert that a new device or IP address has logged into your email. Any of these is a sign that your email account has probably been compromised.
There are two primary, effective things that you can do to decrease your chances of an email account takeover. 1) Enable multi-factor authentication on your email account. Multi-factor authentication sends an alert to your personal cell phone that you must approve to log into your own account. Without your personal cell phone in hand, it would be much more difficult for an intruder to get into your email account. 2) Change your password to something sufficiently lengthy and complex, as discussed in detail in the next section.
Before moving on, a quick, true story. On the morning of Monday, November 13th, Jen LaDuca and Chris Reedy received the same email from a person we know who works at a local business, someone from whom we have received emails in the past. This email told us that the sender had prepared an encrypted message and provided a link. Given the nature of the information that may pass between PIM and this party, encryption has been used in the past, but something about this felt strange. The sender email address was correct. It belonged to the person we know. But when we hovered over the link, which reveals where we’d go if we clicked on it, we found that the destination was not correct. This was a fraudulent email. We contacted the business and were advised that yes, a computer/email address had been compromised. This is exactly the type of email account takeover we’re discussing here. And if you’re on the receiving end of a fraudulent email such as this, always pause and verify if something seems suspicious.
Brute Force and Credential Replay Attack
Passwords are the keys to our kingdom and sometimes the bane of our existence. There are two related methods that cybercriminals use to infiltrate our password-protected lives. A credential replay attack is when a cybercriminal has discovered, or purchased on the dark web, the password that you use for one site and then tries it across tens, hundreds, or even thousands of other sites, likely financial ones, to see if it works. A brute force attack is when bad actors use high-powered machines to decipher a password using a trial-and-error approach. The good news is that there are very simple ways to decrease your chances of falling victim to a breach via one of these methods: 1) use long, complex passwords, 2) use a different password for each site you visit, 3) enable multi-factor authentication on every site that offers this feature, and most now do.
Defending against a brute force attack involves the use of longer, more complex passwords. The current recommendation is generally at least 14-16 mixed characters. We say “current” because technology is becoming exponentially more advanced, including that used by bad actors. The chart below, containing recent research from Specops, a password management and solutions company, shows how long it takes to crack passwords at varying lengths and complexities.
Look at the top row of the chart. A brute force attack can crack an 8-character password made up of numbers only instantly. The same goes for an 8-character password made up of only lower-case letters. Combine upper-case and lower-case letters, and it takes 2 minutes. Upper-case and lower-case letters and numbers: 5 minutes. Upper-case and lower-case letters, numbers, and symbols: 3 hours.
Most people probably feel quite secure with an 8-character password that combines letters, numbers, and symbols. Indeed, this might seem quite complex to most of us. It is not. Looking at the rest of the table, at what point does one achieve a decently sophisticated password? We suggest a length in the low-to-mid double digits, using upper-case and lower-case letters, numbers, and symbols.
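The chart itself is not reproduced here, so the following added example (our illustration, not part of the original newsletter and not Specops’s methodology) works through the arithmetic behind it: the number of candidate passwords for each character set and length, the worst-case time to try them all at an assumed rate of ten billion guesses per second, and the length at which a given character set first takes a century to search. The character-set sizes and the guess rate are assumptions; the absolute times depend entirely on that rate, while the growth with length and character-set size is the point of the section.

```python
import math

# Character-set sizes for the rows of a Specops-style chart (assumed sizes, constructed here).
CHARSETS = {
    "numbers only": 10,
    "lower-case letters only": 26,
    "upper + lower case": 52,
    "upper + lower + numbers": 62,
    "upper + lower + numbers + symbols": 94,  # printable ASCII without the space
}

# Assumed attacker throughput in guesses per second; not a figure from the page.
GUESSES_PER_SECOND = 1e10


def keyspace(charset_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` characters from the charset."""
    return charset_size ** length


def exhaustive_search_seconds(charset_size: int, length: int,
                              rate: float = GUESSES_PER_SECOND) -> float:
    """Worst-case seconds to try every candidate at `rate` guesses per second."""
    return keyspace(charset_size, length) / rate


def human_duration(seconds: float) -> str:
    """Render seconds in the largest sensible unit, in the style of the chart."""
    if seconds < 1:
        return "instantly"
    for name, size in (("years", 365 * 86400), ("days", 86400),
                       ("hours", 3600), ("minutes", 60), ("seconds", 1)):
        if seconds >= size:
            return f"{seconds / size:,.0f} {name}"


def minimum_length_for(charset_size: int, target_seconds: float,
                       rate: float = GUESSES_PER_SECOND) -> int:
    """Smallest length whose full keyspace takes at least `target_seconds` to search."""
    return math.ceil(math.log(target_seconds * rate) / math.log(charset_size))


if __name__ == "__main__":
    lengths = (8, 10, 12, 14, 16)
    print(f"{'character set':36}" + "".join(f"{n:>16}" for n in lengths))
    for name, size in CHARSETS.items():
        row = "".join(f"{human_duration(exhaustive_search_seconds(size, n)):>16}" for n in lengths)
        print(f"{name:36}{row}")
    century = 100 * 365 * 86400
    print("Length needed for a 100-year search, mixed case + numbers:", minimum_length_for(62, century))
```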
Please use different passwords for each website and make them sufficiently unique; don’t simply change the number at the end or some other minor differentiation from a password you use elsewhere. It is extremely important to use a unique password for every website you log into, especially sites that contain your bank and financial accounts. Using a password manager that stores your passwords in an encrypted format can make using unique and complex passwords much more manageable.
Multi-factor or two-factor authentication should be used whenever it is available. Some websites require it, but for many websites it is optional. Be sure to opt in! In addition to making it more difficult for the thief to log into your account, it also makes it more apparent to you when someone has discovered your password. If you receive a two-factor code or message and you were not trying to log into your account, go in and change your password immediately. And, if you happen to be using the same or similar password on other sites, change those too.
Bank Account Fraud
A while back, my husband and I (Jen) were the victims of bank account fraud. My husband was on a road trip and his credit card was declined at a gas station. He decided to use his debit card at the pump instead, for convenience. As common as using debit cards is, and with no idea of what was to come, this turned out to be a bad move. Someone had installed a malicious device, called a “skimmer”, on the gas pump that extracts credit/debit card information. A few weeks later, a man pretending to be my husband walked into a bank in another state with a fake card, claimed to have forgotten his PIN, was able to reset it, and began withdrawing thousands of dollars. While the bank did eventually reimburse the amount stolen from us, the process took several weeks and was quite complicated. You can imagine the stress and inconvenience that this situation caused. While we had always been careful, this experience heightened our sensitivity to such risks.
How can one defend against a situation like this? First, use a credit card, rather than a debit card, for payments, especially at gas stations, retail stores, and for online purchases. Credit card companies typically provide zero liability coverage for unauthorized purchases. If someone steals your credit card number and uses it, which you can detect by carefully reviewing your credit card statement, you do not have to pay the bill. Your card will be disabled, a new card issued, and the matter investigated. This is, obviously, very different from having real money stolen from you and having to wait weeks for its return.
If you must use a debit card, consider setting up a separate bank account, possibly at a different bank, and keeping the account balance as low as practicable for ongoing debit card use. If your debit card is compromised, there will be a limit to how much money is at risk, and the financial inconvenience of waiting for the bank to recoup stolen funds is minimized.
Most banks allow you to lock your debit card. This is a good idea for someone who uses a debit card only occasionally, to withdraw cash from an ATM, for example. When you want to use your card, simply unlock it using the bank’s phone app or website, then lock the card again until the next use. This may seem like an inconvenient overabundance of caution, but not when considering the worst-case alternative that we experienced.
Finally, set up alerts for all financial accounts. Log into your accounts online and look for the section that deals with security settings. Here you should be able to set alerts for withdrawals, for credit and debit card usage, online transactions, foreign country transactions, purchases that exceed a certain amount, etc. If setting up alerts on the website is not entirely clear, call the customer service number on the back of your card, and discuss enabling security alerts. With alerts enabled, you will know right away if something suspicious is going on and can get in touch with the fraud department of your bank right away.
Tech Support Scams
A tech support scam is often prompted by large, intimidating pop-ups that fill your computer screen with a message that your computer has been compromised, infected, etc., sometimes accompanied by a loud, looped voice recording warning of imminent danger. Often you are prompted to click on a link or call “Microsoft” to address the issue immediately. We use Microsoft as the example because it is probably the most common misdirection, but similar schemes may present as a different company or governmental organization.
It may be tempting to comply, to click on the link or make the phone call, especially if you have no go-to technology person in your life. First and foremost, stay composed and do nothing. Do not click on any links, even if the link reads “close this pop-up” or something similar. Do not click anywhere within the field of the pop-up. Do not call any numbers provided in the pop-up. This is not Microsoft. Microsoft will never contact you directly, unless you are a large corporation paying them a lot of money. This is a fraudster who may ask you to pay them money or tell you that they need to access your computer remotely, and then steal information from your computer.
What should you do? Microsoft suggests closing your whole browser immediately (the X on the top right of the screen). If you are not able to close the browser because of the pop-up, try pressing ALT+F4. If that doesn’t work or you can’t remember the keyboard command, then completely restart your computer. In many cases, if you haven’t clicked on anything in the pop-up, no damage has been done. These pop-ups are sometimes all bark and no bite. However, if you think your computer has been compromised, you should turn it off and seek assistance from a knowledgeable and trustworthy source to further check and/or clean out your computer. Also, consider using a different computer or device to change your passwords as soon as possible.
To reduce the likelihood of receiving one of these terrifying pop-ups, be sure to turn on the pop-up blocker in your web browser. This is usually found in settings under the privacy/security section.
The speed at which technology advances was predicted over 40 years ago. “Moore’s Law”, postulated by Gordon E. Moore in 1965, is the theory that, because the number of transistors that will fit on a microchip doubles every two years, we can expect the capability of computers to increase exponentially over time and the cost of computers to decrease exponentially over time. As technology gets faster, better, and cheaper, everyone relies more upon it, including criminals.
There seems to be an endless supply of information and resources available today to inform, teach, warn, even scare you about the ways in which fraudsters will try to steal from you using technology. The goal of this communication is to present in a conversational, easy to understand manner some of the issues to be aware of. We have presented tips for proactively reducing your risk exposure and tips for how to react when a fraud attempt presents itself. In summary:
- Enable multi-factor authentication, when it is available, for any account you log into, especially email.
- Change your email (and all other passwords), to something sufficiently lengthy and complex.
- Use a credit card, rather than a debit card, for most purchases.
- Never click anywhere on a pop-up, especially the type warning that your computer has been compromised. Never call a number provided within the pop-up. Shut down your browser and/or shut down your computer immediately. Seek help from a technology professional if needed.
We understand that if you have not already implemented our recommendations, it may seem like too much hassle, especially if to your knowledge you have never experienced a cybersecurity breach. However, think of how much more secure you will feel if you have a unique, sufficiently long and complex password for every online account you own, have two-factor authentication enabled everywhere, and simply start using a credit card rather than a debit card. If taking these precautions is a great deal more than what you have done in the past to safeguard your online accounts, then well... this is probably why you should 😊.
We hope you have found this to be informative and useful.
Very best wishes from our families to yours for a happy Thanksgiving.
Personal Investment Management, Inc.