
Don’t Trust That Trusted Sender


When you work with people’s money, trust is essential. So it makes perfect sense that brokerages like Charles Schwab have robust systems in place to try to foil fraudsters who would abuse that trust.

Several weeks ago, our firm got a notice from Schwab about a rise in scams related to the sale and purchase of real estate. These scams use phishing attacks to steer customers toward giving up their personal information after receiving a legitimate-looking notice from Schwab. For investment managers, it was a reminder to verify wire instructions verbally before we send the information for processing – something we always do, but a step Schwab is reminding managers about with increasing frequency.

Cybersecurity has become quite a hot topic in the past few years, and not only for financial firms. A recent study by Javelin Strategy & Research shows that identity theft and fraud collectively cost $16.8 billion in 2017. Malicious hackers constantly create new ways to scam honest people into giving away their sensitive information.

“Ethical hackers” might sound like an oxymoron, but it describes a group of people who use the same set of tools to defend, rather than attack. These white knights of cybersecurity fight to find the weaknesses in a security system in order to inform individuals and businesses how to avoid common pitfalls and traps set by their malicious counterparts. And there are more of them than you may think.

There are entire conventions dedicated to the work of protecting the public’s sensitive data, including DEFCON in Las Vegas. Activities at the convention include a social engineering competition: Participants get 25 minutes to call a company, speak to the person manning the front desk, and try to obtain information about the business’s security systems, computer network and antivirus software. Ploys include offering a gift card in exchange for a survey and pretending to be a new employee who needs to get into the office.

In contrast to the Hollywood image of hackers breaking into a system with brute force, in real life hackers often rely on human emotion and people’s willingness to help. By doing just a little research before making calls, hackers can also obtain a lot of important information that makes the company, and therefore the consumer, vulnerable to attacks.

In order to help with the more technical aspects of this post, I spoke to a subject matter expert in the field, one of the ethical hackers. Due to the nature of his work, he asked to remain anonymous, but he was happy to discuss his work with me. After speaking with him for about an hour, I swore that I would go full Luddite and refuse to use computers ever again.

I admit, that is probably an overreaction. However, he urged me to stress to readers that while the prospect of having your identity stolen is scary, there are a few simple steps you can take to protect your information more effectively.

Build strong passwords. Most of us know that passwords are important, and most of us know that ours are too weak. Many people rely on common words for passwords. A recent article from Wired stated that a list of most commonly used passwords culled from caches of leaked account credentials included not only the usual suspects like “password” and “123456,” but also “dragon” and “monkey.” According to the expert with whom I spoke, having a weak or common password can be extremely dangerous.

For a better way forward, he referred me to a strip from the web comic “xkcd,” which advocates creating a set of four commonly used words that you can remember by using them in a sentence or by creating a mnemonic. The comic illustrates that if you use four common words, such as “correct,” “horse,” “battery” and “staple,” it would take a hacker 550 years at 1,000 guesses per second to arrive at your passphrase.
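To make the xkcd arithmetic concrete, here is a small added example (not code from the post or from xkcd) that computes the entropy and worst-case brute-force time for a passphrase of N words drawn from a word list of a given size, and generates a passphrase with the operating system's cryptographic random source. The 32-word `SAMPLE_WORDS` list is constructed for the demonstration only; the 550-year figure in the comic assumes a list of roughly 2,048 words (11 bits per word), and the code shows why a tiny list would not do.

```python
import math
import secrets

SECONDS_PER_YEAR = 365 * 24 * 60 * 60

# Constructed word list for the demonstration. A real passphrase must be drawn
# from a much larger list: 4 words from these 32 give only 20 bits of entropy.
SAMPLE_WORDS = [
    "correct", "horse", "battery", "staple", "anchor", "bridge", "candle", "desert",
    "engine", "forest", "garden", "harbor", "island", "jacket", "kettle", "ladder",
    "meadow", "needle", "orange", "pepper", "quartz", "rocket", "saddle", "timber",
    "valley", "walnut", "yellow", "zipper", "basket", "copper", "dragon", "monkey",
]


def entropy_bits(dict_size: int, n_words: int) -> float:
    """Entropy of n_words chosen uniformly and independently from dict_size words."""
    return n_words * math.log2(dict_size)


def crack_years(dict_size: int, n_words: int, guesses_per_sec: float) -> float:
    """Years an attacker needs to try every passphrase at the given guess rate.

    This is the worst case (full keyspace); on average the attacker finds it in half.
    """
    combos = dict_size ** n_words
    return combos / guesses_per_sec / SECONDS_PER_YEAR


def make_passphrase(words, n_words: int = 4, sep: str = " ") -> str:
    """Pick n_words uniformly at random using the OS CSPRNG (secrets, never random)."""
    return sep.join(secrets.choice(words) for _ in range(n_words))


if __name__ == "__main__":
    # The comic's scenario: 4 words from a 2048-word list, 1,000 guesses per second.
    print(f"{entropy_bits(2048, 4):.0f} bits, about {crack_years(2048, 4, 1000):.0f} years")
    # A single common word from the same list falls in about two seconds.
    print(f"one word: {crack_years(2048, 1, 1000) * SECONDS_PER_YEAR:.1f} seconds")
    # Four words from the tiny sample list: roughly 17 minutes at the same rate.
    print(f"sample list: {crack_years(len(SAMPLE_WORDS), 4, 1000) * SECONDS_PER_YEAR / 60:.0f} minutes")
    print(make_passphrase(SAMPLE_WORDS))
```

The guess rate is the variable that matters most: 1,000 guesses per second models an online attack against a site that throttles logins, while an attacker holding a leaked hash database can try many orders of magnitude more, which is exactly why a password that appears on a leaked-credentials list is gone in an instant regardless of its length.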

Don’t reuse passwords. The cybersecurity expert also stated that you should not reuse passwords across different websites. It seems that every website we use requires a username and password; for the sake of time and brainpower, we often use the same information for each site. This is understandable, but dangerous.

With all of the passwords people are required to remember, he recommended LastPass, one of several password managers available today. A password manager is a system that lets you access your various passwords using only one strong master password. The password manager can also generate random, strong, unique passwords for each of your accounts to replace your existing weak passwords. No matter how many passwords you have or how complex they get, you only have to keep track of the master. LastPass also offers two-factor authentication, which is an important way to keep accounts secure.

One additional note on two-factor authentication: While any two-factor authentication is better than none, my source noted that receiving codes through text message is the weakest option. Apps such as Google Authenticator are better, and hardware keys such as YubiKey are the strongest way to receive codes.

Avoid clicking on links in emails, even if you know the sender. My source told me that it is never safe to click on a link in an email, regardless of whether you know the sender. Instead, type the URL of the website into the browser. Copying the link and pasting into an incognito browser window is also an option, though it may still be risky.

This may seem paranoid, but real-world examples prove why it is important advice. In the spear phishing attempt Schwab experienced earlier this year, clients received a fake email that appeared to come from Schwab’s fraud department and stated that the client’s accounts had been accessed by an unauthorized party. Clients who clicked on the link were redirected to a spoofed website that mimicked Schwab’s real website. The fraudulent website prompted clients to reenter their information, including their Social Security number, date of birth, driver’s license number, mother’s maiden name, email address and email password. For those who did, hackers had all of the sensitive information required to open new accounts and authorize wire transfers by posing as the client.

This scam is dangerous, but unfortunately common. In February 2018, hackers targeted Netflix subscribers with a similar attack, hoping to snare their credit card data. As these efforts become more sophisticated, relying on whether an email looks the part when deciding to trust a message is far from good enough.

If you do click links, make sure you really do know the email’s sender. In another form of phishing, called clone phishing, a hacker copies a legitimate email that contains links or an attachment, but replaces them with malicious versions. Since the email appears to be sent by someone familiar, the user clicks on the malicious links or downloads the attachment. This is yet another reason to avoid clicking links in an email.

If you are trying to verify an email’s sender, check for spelling mistakes within the email address, for instance “gmial” in place of “gmail.” Even if you know the person who sent you the email, there is no guarantee that their accounts haven’t been compromised. As my source says, it is important to “treat every email as [if] a person handed it to you in the parking lot of a sketchy part of town.” If you didn’t expect the message, or if it seems fishy or otherwise unsolicited, treat it with especially high suspicion. And, just like investment managers, you always have the option to pick up the phone and call to see if a message is genuine.
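The two checks above, a sender address one letter off from the real thing and a link whose visible text does not match where it actually goes, are easy to automate. The following is an added example written for this post (not code from the author, Schwab or any mail product) that does both: it scores the From: address against a constructed list of domains the reader expects mail from, counting a swapped pair of letters such as “gmial” as a single edit, and it walks the HTML body of a message to report links whose displayed text names a different host than the href. The `TRUSTED_DOMAINS` set and `SAMPLE_HTML` are constructed for the demonstration.

```python
import re
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Domains this reader expects mail from (constructed list for the example).
TRUSTED_DOMAINS = {"gmail.com", "schwab.com"}


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment edit distance: insert, delete, substitute or
    swap two adjacent characters each cost 1, so "gmial" is 1 edit from "gmail"."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def sender_verdict(from_header: str, trusted=TRUSTED_DOMAINS) -> str:
    """Classify the From: domain as trusted, a near miss of a trusted domain, or unknown."""
    _, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2].lower()
    if domain in trusted:
        return "trusted"
    for good in sorted(trusted):
        if osa_distance(domain, good) <= 2:
            return f"lookalike of {good}"
    return "unknown"


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML email body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def mismatched_links(html: str):
    """Return (visible text, real host) for links whose text names a different host."""
    parser = LinkCollector()
    parser.feed(html)
    suspicious = []
    for href, text in parser.links:
        real_host = (urlsplit(href).hostname or "").lower()
        shown = re.search(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", text.lower())
        if shown and shown.group(1) != real_host:
            suspicious.append((text, real_host))
    return suspicious


# Constructed sample resembling the spoofed alert described in the post.
SAMPLE_HTML = (
    "<p>Unauthorized access detected. Verify your account at "
    '<a href="http://login.example.net/verify">https://www.schwab.com/security</a></p>'
)

if __name__ == "__main__":
    print(sender_verdict("Fraud Department <alerts@gmial.com>"))  # lookalike of gmail.com
    print(sender_verdict("Fraud Department <alerts@schwab.com>"))  # trusted
    print(mismatched_links(SAMPLE_HTML))
```

A near-miss verdict is a reason to stop and pick up the phone, not proof of fraud on its own, and a “trusted” verdict says nothing about whether that account has been compromised, which is the clone-phishing case the post describes; the link check catches the most common lure but will not flag a link whose visible text is just “click here,” so the advice to type the address yourself still stands.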

These steps alone, along with a healthy dose of skepticism, can help protect your sensitive data. But there’s no reason to throw your laptop out the window altogether. Rather than approaching cybersecurity with fear in mind, take proactive steps to protect yourself and know that you’ve done your best to keep your data safe.
