Understanding the potential threats can help keep your online accounts safe
A recent post from Fidelity’s ‘Viewpoints Blog’ examines the extent and impact of online fraud, crime and cyber-threat. Reprinted with permission. Visit www.fidelity.com for more details.
You’ve likely spent a good deal of time thinking about investment risk. But have you stopped to think about more personal security issues, such as the safety of your online financial transactions and information stored on your computers? While most people recognize that online fraud or cybercrime is a potential threat, few know how or why they may be at risk.
Cybercrime can take many forms, and understanding who the enemies are and how they commit crimes may allow you to better defend yourself.
The “Bad Guy”
Economic cybercriminals pose the greatest online risk to your family’s personal financial data and assets. Make no mistake, many of these thieves are highly skilled and sophisticated. They may be individuals or coordinated groups that use technology to steal. For most of us, cybercrime can best be described as an extension of traditional criminal activity focused on personal financial data and monetary theft.
How Do Cybercriminals Operate?
In some cases, cybercriminals cast a wide net with “phishing” scams, among others, and hope the sheer quantity of potential victims will yield sufficient economic benefit (see “The makings of a cybercrime,” below, for more details on how cybercriminals attack).
Specific Victim Targeting
A growing and more concerning trend is the specific targeting of high-net-worth individuals. In many of these cases, criminals spend a great deal of time and effort identifying a worthwhile target and then developing a victim profile based on public and private information—such as property records, credit information obtained via hacking, and posted details on social networks—with the goal of stealing assets from financial accounts.
Although the actual criminal act can take several forms, the basic steps are often similar. Below is a relatively common scenario:
Step 1: The thief sends an email with a link or attachment to the victim that appears to come from a known party. The targeted victim then clicks the link or attachment, which includes malicious software (malware) that infects the victim’s computer.
Step 2: The thief uses installed malware to steal login credentials to the victim’s financial accounts or to remotely control the victim’s computer. This will generally allow the thief to log in as the victim.
Step 3: With access to accounts, the thief changes the victim’s profile at the financial institution and/or impersonates the victim and moves money to criminal accounts at a different institution.
That’s the bad news. The good news is that with some simple steps, you can improve your defenses and reduce your vulnerability to this type of crime.
How Do I Keep My Online Accounts Safe?
1. Protect your online access with unique user IDs, passwords, and 2-factor authentication for each site
Treat your computers and websites as you would your front door—restrict access and use tough security measures. Passwords are the keys to your online financial information. If cybercriminals find them, they can unlock the doors to your bank accounts, investment accounts, and your personal information. Unfortunately, a significant amount of malicious software trolls the internet looking specifically for account credentials (IDs and passwords). With an inadvertent click on what appears to be a legitimate link or the opening of an attachment designed to look legitimate, this software can be loaded on your machine and be ready to take your “keys.”
Go for 2
Adding an additional layer of security when you access your accounts, called 2-factor authentication, is a strong defense against most common attacks. Fidelity and many other financial firms now offer 2-factor authentication. It requires you to enter a unique security code, randomly generated and sent to your phone or other mobile device, in addition to your standard login ID and password. While not completely foolproof, 2-factor authentication raises the bar for cyberattackers trying to access your accounts. Consider enabling 2-factor authentication for non-financial sites, such as your mobile phone billing sites (e.g., AT&T, Verizon, T-Mobile, Xfinity) and email sites (e.g., Google Gmail, Apple, Microsoft, Yahoo, Hotmail).
Make sure your financial sites and email providers have your mobile phone number, as it is generally used to secure your online access.
Go long and stay strong
You’ve probably heard this before, but it bears repeating: Never use names, birth dates, Social Security numbers, or any personally identifiable information as your login ID and password. Use a different password for every application and website. Why? Because of the dangers of password reuse. Every year there are data breaches and more sets of credentials (user IDs and passwords) leaked onto the internet. It is common practice these days for criminals to collect these credential dumps and try these login IDs and passwords at financial sites, email providers, mobile phone providers, social media sites, and others. If a Fidelity customer were to use the same password here that they used on another website, and that other account was breached, their Fidelity account could be at risk.
What constitutes a good password? Length (10 or more characters) and complexity (a combination of letters, numbers, and special characters) help make passwords more unique. A string of unrelated words with numbers and special characters in between is best. Stay away from single dictionary words or common combinations of words.
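The criteria above, turned into a checker. This is an added example, not Fidelity’s code; the leaked-password set and the word list are small constructed stand-ins for the credential dumps and dictionaries the post mentions.

```python
import re

# Constructed stand-in for a leaked credential dump of the kind the post
# describes criminals collecting; real dumps hold millions of entries.
LEAKED_PASSWORDS = {"Summer2019!", "password123", "letmein", "Welcome1!"}

# Constructed mini dictionary of common words; a real check would load a
# full word list (e.g. /usr/share/dict/words on many systems).
COMMON_WORDS = {"password", "summer", "winter", "welcome", "dragon", "monkey",
                "football", "baseball", "qwerty", "letmein", "admin", "login"}

MIN_LENGTH = 10  # the post's "10 or more characters"


def check_password(password, leaked=LEAKED_PASSWORDS, words=COMMON_WORDS):
    """Return a list of problems; an empty list means the password meets
    every criterion the post describes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not re.search(r"\d", password):
        problems.append("no digits")
    if not re.search(r"[^A-Za-z0-9]", password):
        problems.append("no special characters")
    # "Stay away from single dictionary words or common combinations of
    # words": strip digits and symbols, then see whether what remains is
    # just one or two common words (e.g. "Summer2019!" -> ["summer"]).
    alpha_parts = re.sub(r"[^A-Za-z]", " ", password).lower().split()
    if alpha_parts and len(alpha_parts) <= 2 and all(w in words for w in alpha_parts):
        problems.append("built from common dictionary words")
    # "The dangers of password reuse": anything already present in a breach
    # dump will be replayed at financial and email sites by credential stuffers.
    if password in leaked:
        problems.append("appears in a known credential dump")
    return problems
```

An unrelated-words passphrase such as `kettle-7-orbit-42-vellum!` passes every check, while `Summer2019!` passes the length and character checks yet still fails on dictionary words and breach exposure.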
Go with a password manager
These days, most of us have dozens of passwords covering multiple devices and everything from email accounts, telecom billing, and subscription services, to social media, online shopping, and banking. Remembering all these passwords, and changing them frequently, just isn’t sustainable, and as a result we tend to reuse the same password everywhere. This is the worst practice, though. Fortunately, there’s an app for that. Password manager apps generate and store all your passwords in a secure environment. They’ll even auto-fill login information for stored sites. Many now sync your passwords across all your devices and automatically generate new ones on a regular schedule. The cost of state-of-the-art password managers is negligible—especially when compared with the convenience and security they provide.
2. Secure devices and software, keep them up to date, and perform regular backups
One of the smartest things you can do to keep your financial information safe is to use modern, up-to-date operating systems. Software makers have teams of cybersecurity specialists dedicated to fixing vulnerabilities in their current systems, and they are always on the lookout for new ways cybercriminals can hack into their products to access users’ computer files or install malicious software.
Updating your systems is easier than it used to be
Today, most operating systems let you set your preferences to automatically install updates and patches as soon as they are available. That goes for software too, including antivirus protection. Don’t forget to update your mobile phones and tablets, and the apps installed on them. You can set update preferences to do this automatically on your devices.
You can never have too much backup
Backing up your data is good system hygiene. It prevents your information from being lost forever and protects you against the worst effects of ransomware attacks. In this increasingly common scheme, criminals lure you into clicking an email link that downloads malware and blocks your access to the computer. The perpetrators can hold your hard drive hostage, demanding a hefty ransom to unblock it. If your system data is backed up elsewhere, it eliminates the leverage the scammers have, neutralizing their threats.
Backups are most effective when done frequently. Savvy users employ redundant methods—typically a USB-connected external storage device in tandem with an encrypted cloud-based service. External storage offers more immediate data retrieval, while cloud-based services can store much more data. Also, in the event of a flood or fire, both the computer and external storage device may be lost, but offsite backups to a cloud-based service would be safe.
Don’t forget to include mobile devices in regular backups. This can be done via a cloud-based service, but a full backup may require connecting to a computer. By syncing up your photos and home movies to your computer, they will then be included in regularly scheduled backups, keeping them secure.
3. Avoid accessing financial accounts or e-commerce sites through links in email
Cybercriminals are getting smarter about making their phishy emails look legitimate. These emails mimic those of financial institutions, complete with logos and convincing signature lines. Sometimes, the criminals impersonate emails appearing to come from friends, family members, or professional contacts you trust. Searching Google and social media sites makes it easy to personalize these emails with your name and subject lines like “Your recent transaction with us.” All of this is designed to lower your guard so you’ll be more apt to click a link to a fraudulent version of your financial website. This allows the scammers to download malicious software onto your computer or gain access to your passwords and usernames.
When it comes to security, emails cannot be trusted
Avoid clicking links in your emails to access your financial sites online, no matter how compelling the language in the email appears. Instead, go directly to your provider’s website by using a link you’ve saved in your “Favorites” menu. That way, you’ll be sure you arrive at a legitimate website. Always look for the “https” prefix in the site’s address. This indicates that the connection to the site is encrypted to protect your sensitive data from prying eyes; it does not by itself prove that the site belongs to your provider, which is why the saved link matters. And if you receive a request by email to send money, always call your contact by phone to confirm the request and the transfer details, even if you were expecting the request.
4. Always access your accounts from a secure Wi-Fi location
Your home Wi-Fi network comes with built-in security. Your network provider supplies you with a wireless router ID and password, but these are default settings. Cybercriminals know the defaults for major network providers. If you’re using these settings, your “secure” home Wi-Fi network may not be as secure as you think.
Home networks now connect computers and smartphones to thermostats, TVs, refrigerators, and residential security systems. Each device is a potential weak spot in your Wi-Fi network. As your home becomes more dependent on the internet, so does your exposure to a network breach.
When setting up your home network, consider changing the default Wi-Fi network name and passwords.
Beware of public Wi-Fi
Everyone loves free Wi-Fi, but traffic on unsecured public wireless access points is easy to intercept, giving attackers an opportunity to snoop on your online activity. A safer alternative is to use only secure Wi-Fi networks. If you use your laptop or mobile devices while traveling, purchase a subscription to a paid hotspot provider whose networks are password protected and have additional levels of security.
5. Consider using a dedicated device for online banking
One of the best ways to secure your online financial information is to dedicate one device exclusively for banking and financial use. Many cyberattacks come from malware installed while you’re web surfing and reading emails. Eliminating those activities from a dedicated banking computer goes a long way toward keeping your financial information out of harm’s way.
Help us help you!
A dedicated banking device also helps financial institutions keep your accounts secure. Most, including Fidelity, monitor client accounts for fraudulent logins from unauthorized computers and will alert you if there is suspicious activity in your account. When Fidelity surveyed client login patterns, we found many users logging in from multiple devices. One or two were common, but some clients routinely logged in from a seemingly random assortment of systems, making it difficult for an institution to distinguish a legitimate login from a fraudulent one. By using one device for all transactions, an illegitimate login stands out, and the institution will be able to move quickly to alert you and secure your account.
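The detection logic described above, worked through on constructed data. This is an added example, not Fidelity’s monitoring system; the login records, device identifiers and the 0.8 alert threshold are invented for illustration.

```python
from collections import Counter, defaultdict

# Constructed login history as (user, device_id) pairs. "ann" always uses
# one dedicated device; "bob" logs in from a seemingly random assortment.
# Real systems would key on a device fingerprint or registered-device token.
LOGIN_HISTORY = (
    [("ann", "ann-laptop")] * 10
    + [("bob", f"bob-device-{i % 7}") for i in range(10)]
)

ALERT_THRESHOLD = 0.8  # assumed tuning value, not from the post


def device_baselines(history):
    """Per-user count of past logins from each device."""
    baselines = defaultdict(Counter)
    for user, device in history:
        baselines[user][device] += 1
    return baselines


def device_consistency(counter):
    """1.0 when every past login came from a single device, falling toward
    0 as a user spreads logins across many devices."""
    total = sum(counter.values())
    if total == 0:
        return 0.0
    return 1.0 - (len(counter) - 1) / total


def score_login(baselines, user, device, threshold=ALERT_THRESHOLD):
    """Return (is_new_device, consistency, verdict) for a fresh login.

    A never-seen device is a clear signal only when the user's history is
    concentrated on few devices; for a noisy history the same event is
    just one more unfamiliar device and can only be queued for review.
    """
    counter = baselines.get(user, Counter())
    is_new = device not in counter
    consistency = device_consistency(counter)
    if not is_new:
        verdict = "ok"
    elif consistency >= threshold:
        verdict = "alert"   # unseen device for a habitual single-device user
    else:
        verdict = "review"  # unseen device, but this user's baseline is noisy
    return is_new, consistency, verdict
```

With this history a login from an unknown phone produces an immediate alert for "ann" (consistency 1.0) but only a low-confidence review item for "bob" (consistency 0.4), which is exactly the ambiguity the post says multi-device users create.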
6. Understand your computing environment and consider whether you need help
If you have a complex computing environment, a comprehensive cyber-risk assessment may be an appropriate step in protecting your personal information. Individuals with complicated online footprints may want to consider implementing additional systems (e.g., intrusion prevention and detection, firewalls).
Because cyberthreats evolve almost as fast as technology itself, consider retaining a firm to provide ongoing system surveillance, support, and maintenance. These services include everything from monitoring your home internet traffic and blocking outside threats, to educating family members about smart social media practices, safe web surfing and e-commerce protocols.
A good risk assessment will be specific to each person and should consider questions like:
- How many computers, mobile devices, tablets, TVs, home security systems, and appliances are connected to your home Wi-Fi network?
- Are they shared across personal and business or home office use?
- Do non-family members regularly in your home have access to your Wi-Fi network or computing devices?
- What backup procedures are in place for each device?
- Are you or other household members active on social media like Facebook, Twitter, or Pinterest?
No one wants to spend time thinking about all the bad things that can happen, but it’s important to understand potential threats to your assets and take measures to eliminate them. When it comes to protecting your financial accounts from cyberthreats, practicing good system hygiene and making a few changes in your online habits will significantly improve your security. You play a key role in helping Fidelity detect fraud by maintaining a general awareness of your accounts, including staying alert to notifications regarding password resets, money transfers and account changes, and periodically logging in and checking for unusual transactions and activity.
Fidelity uses sophisticated security measures to protect our customers. We also make many additional security tools available for customers to utilize, including 2-factor authentication and transaction alerts. Of course, we also provide a Customer Protection Guarantee for fraudulent activity. Make sure to visit Fidelity’s online customer security site to explore some of these features, and learn more about what Fidelity is doing to help keep your assets safe.