Privacy and Security in an Online World

The internet can be a scary place. Lurking in the shadows behind cute cat videos and sports scores are hackers, fraudsters, and thieves. They are probing for access, looking for vulnerability, and hunting for victims. Their crimes range from massive thefts of private information to remarkably personal scams perpetrated against unsuspecting consumers. The techniques of nefarious internet thieves become more sophisticated and more targeted as time passes.

In the interest of protecting our clients and friends from potential harm, we are passing along information about some current internet scams and how to best protect against them.

Phishing – an email confidence game

Internet phishing is the act of dangling bait in front of unsuspecting prey. The bait tends to be links to websites or files that appear to be legitimate, but are in fact pathways to invasions of privacy, password theft, or computer viruses. Sophisticated hackers dangle bait in the form of emails expertly designed to mimic those sent by legitimate companies – Citibank, PayPal, Amazon, etc. But the links within the email take the user either to a website designed to infect the user’s PC with a virus or to a fake site designed to trick the user into entering personal information.

Lately, we (and others) have seen emails with PDF or ZIP file attachments that appear to be from trusted senders – Delta Airlines, The Royal Bank of Scotland, and even Century Wealth Management. On the surface, these emails look legitimate. They appear to contain important documents such as airline tickets or scanned files for review, but in reality they are attempts to get the recipient to open a file that will likely wreak havoc on their PC. We even saw instances where emails were being sent as if they originated from a multi-function printer (Xerox.Device2@centurywealth.com) in our office.

When we became aware of this phishing attempt that piggybacked on our web address, we immediately scanned our network and PCs for viruses and malicious programs. We found none. Upon further research, we found this to be a widespread problem without a solution.

When an email like this is sent from a forged return-path email address, it is the email equivalent of using a fake return address on a letter sent through the U.S. Mail. And just as no one can be prevented from writing 1600 Pennsylvania Ave. as the return address on a letter, no one can be prevented from putting Bill@Microsoft.com as the forged “from” address in an email about Canadian Viagra.

Ultimately, consumers must be vigilant about the emails they receive, the files they open and the links they click. Here are some tips to follow:

  • Hover over links in emails (the true internet destination will be revealed) to make sure they will take you to the intended site.
  • Don’t open attachments you are not expecting to receive – airline tickets you did not order, information from the IRS (which, by the way, does not communicate via email).
  • If you need to confirm the validity of an attachment, email the sender and ask for clarification.
  • If an email is asking you to log in to a site with which you do business (banking or credit cards), don’t click on the provided link. Go directly to the site and log in as you normally would.
  • Always have up-to-date virus protection installed on your computer (even a Mac). It is an important last line of defense against hacker activity.
  • Lastly, familiarize yourself with the security procedures of your financial advisor, tax preparer, attorney, and anyone else who would have cause to send you sensitive information via email. Know what to expect and what looks out of the ordinary. In the case of Century Wealth Management, we do not send documents with sensitive information (tax IDs, account numbers, etc.) as attachments. Instead we provide a link to a secure site from which the documents can be downloaded.
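Two of the points above, the forged “from” address and the hover-to-see-the-real-link tip, can be checked automatically before anyone clicks. The Python script below is an added example, not tooling from Century Wealth Management. It parses a constructed sample message (the Xerox address is the one quoted earlier in this post; every other host and address is a placeholder), flags a Return-Path domain that differs from the From domain, reads the SPF and DKIM verdicts from an Authentication-Results header if the receiving mail server added one, and lists links whose visible text names a different domain than the address they actually point to. Reducing a host to its last two labels stands in for a proper public-suffix lookup.

```python
"""Triage checks for a suspicious email: forged-sender and misleading-link heuristics.

Added example; this is not Century Wealth Management's tooling. SAMPLE_EMAIL is a
constructed message: the example.net / example.org hosts are placeholders.
"""
import re
from email import message_from_string, policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample. The From header claims the firm's domain (the printer address
# quoted in the post), while the envelope sender and the receiving server's SPF/DKIM
# verdicts point elsewhere. The first link shows one URL but goes to another.
SAMPLE_EMAIL = """\
Return-Path: <bounce@mailer.example.net>
Authentication-Results: mx.example.org; spf=fail smtp.mailfrom=mailer.example.net; dkim=none
From: Xerox Device <Xerox.Device2@centurywealth.com>
To: client@example.org
Subject: Scanned document from your office printer
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Your scanned document is ready for review.</p>
<p><a href="http://login.example.net/docs">https://www.centurywealth.com/secure</a></p>
<p><a href="https://www.centurywealth.com/contact">Contact us</a></p>
</body></html>
"""

# Visible link text that names a host, with or without a scheme and path.
URL_LIKE = re.compile(r"^(?:https?://)?([A-Za-z0-9.-]+\.[A-Za-z]{2,})(?:[/?#].*)?$")


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> elements."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registered_domain(host):
    """Crude reduction to the last two labels; a real tool uses the public suffix list."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def domain_of_address(header_value):
    _, addr = parseaddr(header_value)
    return registered_domain(addr.rpartition("@")[2]) if "@" in addr else ""


def link_text_mismatches(html):
    """Return (shown text, real href) for links whose text names another domain."""
    collector = LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        match = URL_LIKE.match(text)
        if not match:
            continue  # text like "Contact us" names no domain, nothing to compare
        shown = registered_domain(match.group(1))
        actual = registered_domain(urlparse(href).hostname or "")
        if shown != actual:
            findings.append((text, href))
    return findings


def sender_checks(msg):
    """Compare the From domain with the envelope sender and the SPF/DKIM verdicts."""
    findings = []
    from_domain = domain_of_address(str(msg.get("From", "")))
    return_path_domain = domain_of_address(str(msg.get("Return-Path", "")))
    if return_path_domain and return_path_domain != from_domain:
        findings.append(f"return-path domain {return_path_domain} differs from From domain {from_domain}")
    auth = str(msg.get("Authentication-Results", "")).lower()
    for mech in ("spf", "dkim"):
        verdict = re.search(rf"\b{mech}=(\w+)", auth)
        if verdict and verdict.group(1) != "pass":
            findings.append(f"{mech}={verdict.group(1)}")
    return findings


def triage(raw_message):
    msg = message_from_string(raw_message, policy=policy.default)
    body = msg.get_body(preferencelist=("html", "plain"))
    html = body.get_content() if body is not None else ""
    result = {"sender": sender_checks(msg), "links": link_text_mismatches(html)}
    result["suspicious"] = bool(result["sender"] or result["links"])
    return result


if __name__ == "__main__":
    for key, value in triage(SAMPLE_EMAIL).items():
        print(f"{key}: {value}")
```

The sender checks only help when the receiving server records SPF and DKIM results; the link check works on any HTML message and is exactly what the hover tip does by eye.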

Wire Fraud – when hacking meets great client service

There has been a steady stream of stories from investment custodians such as Charles Schwab, Fidelity and TD Ameritrade regarding a unique brand of wire fraud that exemplifies the lengths to which fraudsters will go to perpetrate a crime.

The story always begins with a hacked email account (Gmail, Yahoo, etc.) - usually resulting from a guessable password or maliciously installed keystroke-logging software. With complete access to a compromised email account, the fraudster searches for emails to and from financial advisors or bankers. Once they find enough detail - names, accounts, historical transactions, and examples of previous requests – the fraudster crafts a new email to the financial advisor requesting a wire transfer to a third party. The need for cash is immediate. The tone of the request is familiar but urgent. The sender is unreachable for the rest of the day. Here are the wire instructions. Make it happen.

In our business, when a client says “make it happen” we do just that, which is exactly the type of excellent client service response the fraudsters are counting on.

The interesting part is the lengths to which the fraudsters go to perpetrate this hoax. Not only do they hack an email account, but they craft an intelligent, customized request that appears to be from the client. The email may reference a real estate purchase in a vacation town the client recently visited. The fraudsters then monitor the email account and respond to any replies until the wire is sent to an unrelated third party, and the funds are lost forever.

Thankfully, the custodians and banks are being vigilant in the protection of your assets. They have modified their own policies and procedures to require verbal authorization in any situation that has the potential to be fraudulent. This results in a bit more hassle from time to time, but it is well worth the protection.

Century Wealth Management’s response has also been to review and modify our internal policies and procedures. They now complement the best practices of the various institutions we use to custody client assets. In any instance when a client is requesting a transfer of funds to an account with which we are not familiar, we will require verbal authorization as well. Our intention is to provide excellent, fraud-free customer service.

Passwords – Long and Strong

This scam highlights the need for long, complex and secure passwords. This is a soapbox issue for us. Everyone needs to learn and maintain good password hygiene. The stakes are too high. There are several tricks of the trade that can make managing passwords easier:

  • Change your passwords - especially if you’ve been using the same password since Tom Hanks romanced Meg Ryan in “You’ve Got Mail.” As a starting point, assume your passwords have been compromised and start switching to new ones.
  • Make sure the new passwords are long and strong. A ten-letter password would take a supercomputer nineteen years to guess in a brute-force attack, versus a six-letter password which could be guessed in just seven seconds.
  • Complexity is also a must – a combination of capital letters, lower case, numbers and symbols; but stay away from words found in the dictionary. To fabricate such a password, start with a phrase or sentence that is easy to remember. Turn it into an acronym and modify the acronym by inserting the occasional symbol, number or capital letter.
  • Consider a password manager. Utilities such as 1Password, RoboForm, and Dashlane will help you secure and manage a large volume of unique passwords, and encourage the use of long and strong passwords without inconvenience.
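The “long and strong” arithmetic in the list above is easy to work through. The Python below is an added example, not from the original post: it computes the search space for a password of a given length and alphabet, the time an exhaustive search would need at an assumed guess rate, and a simple complexity check that counts character classes and catches dictionary words even when they are decorated with digits and symbols. The guess rate of 1e11 per second against the 95 printable ASCII characters is an assumption chosen because it reproduces the bullet’s figures (about seven seconds for six characters, about nineteen years for ten); the word list and the sample acronym password are constructed for the example.

```python
"""Keyspace, brute-force time, and a simple complexity check for passwords.

Added example, not from the original post. GUESSES_PER_SECOND is an assumption:
at 1e11 guesses per second against the 95 printable ASCII characters the
arithmetic gives about 7 seconds for six characters and about 19 years for ten.
"""
import math

PRINTABLE_ASCII = 95            # 26 lower + 26 upper + 10 digits + 33 symbols
GUESSES_PER_SECOND = 1e11       # assumed attacker speed (see module docstring)
SECONDS_PER_YEAR = 365.25 * 24 * 3600

# Constructed stand-in for a real dictionary / common-password list.
COMMON_WORDS = {"password", "sunshine", "welcome", "letmein", "baseball", "dragon"}

CLASS_SIZES = {"lower": 26, "upper": 26, "digit": 10, "symbol": 33}


def keyspace(length, alphabet_size):
    """Number of candidate strings an exhaustive search must cover."""
    return alphabet_size ** length


def entropy_bits(length, alphabet_size):
    """Search space expressed in bits; each extra character adds log2(alphabet) bits."""
    return length * math.log2(alphabet_size)


def seconds_to_exhaust(length, alphabet_size, guesses_per_second=GUESSES_PER_SECOND):
    """Worst-case time to try every candidate at the given guess rate."""
    return keyspace(length, alphabet_size) / guesses_per_second


def character_classes(password):
    """Which of the four classes (lower, upper, digit, symbol) the password uses."""
    classes = set()
    for ch in password:
        if ch.islower():
            classes.add("lower")
        elif ch.isupper():
            classes.add("upper")
        elif ch.isdigit():
            classes.add("digit")
        else:
            classes.add("symbol")
    return classes


def looks_like_dictionary_word(password):
    """True when stripping digits and symbols leaves a common word (e.g. 'Sunshine1!')."""
    core = "".join(ch for ch in password if ch.isalpha()).lower()
    return core in COMMON_WORDS


def assess(password, guesses_per_second=GUESSES_PER_SECOND):
    """Summarize length, class count, bits, years to exhaust, and dictionary risk.

    The effective alphabet is the sum of the sizes of the classes actually used,
    so an all-lowercase password is scored against 26 symbols, not 95.
    """
    classes = character_classes(password)
    alphabet = sum(CLASS_SIZES[c] for c in classes)
    secs = seconds_to_exhaust(len(password), alphabet, guesses_per_second)
    return {
        "length": len(password),
        "classes": len(classes),
        "bits": round(entropy_bits(len(password), alphabet), 1),
        "years_to_exhaust": secs / SECONDS_PER_YEAR,
        "dictionary_word": looks_like_dictionary_word(password),
    }


if __name__ == "__main__":
    for n in (6, 8, 10, 12):
        years = seconds_to_exhaust(n, PRINTABLE_ASCII) / SECONDS_PER_YEAR
        print(f"{n} chars, 95-symbol alphabet: {entropy_bits(n, PRINTABLE_ASCII):.1f} bits, "
              f"{years:.2e} years to exhaust")
    # Constructed illustration of the acronym method from the post: the phrase
    # "Tom Hanks romanced Meg Ryan in You've Got Mail" becomes "ThrMRiYGM",
    # then a symbol, a case change and two digits are worked in.
    for candidate in ("sunshine", "Sunshine1!", "Thr,MR!ygm98"):
        print(candidate, assess(candidate))
```

The ratio between the ten-character and six-character cases is 95 to the fourth power, which is why adding length beats adding cleverness; the dictionary check shows why “Sunshine1!” is not a real improvement over “sunshine”.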

This article from Wired Magazine provides additional tips on password creation. This page from Consumer Reports has a wealth of information regarding internet security.

Posted by Jay Healy at 12:01 PM