“That will never happen to me.” We’ve all read story after story about the rise both of frequency and financial impact of cyberattacks. We’ve all taken reasonable precautions to guard passwords. And then it happened: My family joined the list of those caught up in these attacks.
It started innocently enough. My wife received a text, claiming to be from Amazon, which alerted her that someone was attempting to access her account from Delaware. The sender asked her to click a link if this was not her login attempt.
When my wife clicked on the link, the criminal gained access to her Amazon account and proceeded to strip off all her contact information — which locked her out of her account and took away her ability to reset the password. In addition to the payment information saved on the account, the thieves now knew her email address.
It remains unclear what, if any, access they gained to her email account, but they did take the time to sign her up for several cooking magazines written in languages that neither she nor I speak. While we were able to prevent any financial damage, this breach really made me pause and think about how important it is for advisors to cover this topic with clients.
We shouldn’t ignore or downplay the threat of cybersecurity facing our clients. Not only do many clients have an online presence, the reality is that most who do are not following best practices for security. It’s always going to be a battle for clients to maintain online access while protecting their security. Here is a list of ways for your clients to enhance security that they’re more likely follow if you explain and encourage it:
Use a Password Manager
Everyone in the family needs to get and use a password manager. There are several different providers. Some are free; others are available through in-app purchases or subscription services. Password managers provide the ability to use complex passwords that are unique to each site. As a bonus, since you now only need to remember the login credentials for the password manager so password resets for a forgotten one should become a thing of the past.
Get an Authenticator
Authenticators that generate random codes or use a click to confirm a login attempt can be an additional step to thwart hacking attempts. Authenticators are apps that can be downloaded from the usual places such as Apple’s App Store. Google has two called Smart Lock and Google Authenticator, Symantec has VIP Access, some colleges use DUO Mobile and LastPass uses LastPass Authenticator. The use of these ensures that without access to your physical phone, even with a password, the logins won’t be permitted.
Enable Two Factor Authentication (2FA)
Encourage clients to use this for every login that will allow it. It should also be part of their decision process about who they will and won’t do business with.
Block the Porting of Cell Numbers
Porting enables cell phone users to move their phone number between carriers. But a criminal can also ask to do this. If a criminal ports your client’s number, your client would lose control over the authentication process because the notifications would now go to the offender. So, your clients should ask their cell phone service provider to block porting of their cell number
When possible, use something other than an email address as a username. This provides another layer of security if a bad actor is aware of your client’s email address.
Consider Changing Email Addresses
Admittedly, this is an extreme step that will involve updating many relationships. But doing so and refraining from widely sharing or publishing the new account may also cut down on spam.
Limit Social-Media Presence
If your clients are going to be a part of these platforms, they should be aware of who has access to their information through friendships or followings. Encourage them to look at their privacy settings, including who can find them. When I looked at my Twitter account, I realized that I had several coffee shops in Seattle that were connected to me. I don’t drink coffee and I don’t live in Seattle.
Use Client’s Voice as Their Password
Many custodians now offer the option to keep a voice print on file. Having this in place will greatly reduce the risk that an imposter could act on an account by phone.
Senior Citizens Face Greater Risk
As advisors we owe our clients a duty to do what’s best for them. Discussing cyber risks should certainly be a part of it. This includes senior clients who are at heightened risk of being scammed.
Not only do senior clients tend to have more assets than younger clients, they’re often less familiar with using technology and less familiar with the risks it comes with. They’re more likely to use weaker, easy-to-remember passwords (such as names or birthday), or the same password for every account. They may also be more trusting, they may react slower, and they may have cognitive issues that impair their judgement. And they’re also likely to feel embarrassed when they realize they were victimized.
For clients who are hesitant to take these steps, it’s best to paint the picture of what could happen if they are victimized by a cyberattack: at best, a frustrating process of changing accounts, and at worst, the loss of a lifetime of savings. If clients are still reluctant to change or are fearful of using new technology, consider enlisting the assistance of a trusted child, sibling or friend to speak with them, teach them and help them set up their security measures.
Since our cyberattack, I’ve already spent about 20 hours switching everything for my accounts and we still need to work on several of my wife’s accounts. This has been an eye-opening experience to the true nature of how much work it is to fix this after the fact. You have the power to help your clients avoid this situation.
John M. Gehri, CFP, ChFC is an advisor with Harvest Financial Advisors in the Cincinnati/West Chester, Ohio area. He may be reached at email@example.com. This article is for informational purposes only. Any commentary and third-party sources are believed to be reliable but Harvest Financial Advisors cannot guarantee their accuracy.