Are you protected… enough?
It’s no longer a question of if, but when. Cybercrimes are becoming more profitable than the global drug trade. Now more than ever, it is important to be aware of how quickly this industry keeps changing. Just when you think you’ve seen it all, cyberthreats become more creative.
There are several kinds of cyberthreats, but some of the common ones include:
• Phishing. These scams attempt to trick users into sharing sensitive and personal information such as passwords, credit card information, Social Security numbers and login credentials. Fraudsters send deceptive emails or messages, or publish a website, that present themselves as legitimate in an effort to obtain the information.
• Malware. This malicious software — such as viruses, worms, trojans, ransomware and spyware — is designed to damage computer systems or steal sensitive information.
• Insider threats. Someone misuses their access and exposes the organization to having data stolen, damaged or compromised.
• Malvertising. The perpetrator spreads malware through online advertisements that appear to be legitimate, with the goal of getting users to click on the ads and become exposed to malware.
Any one of these alone could be detrimental. Being prepared is both crucial and necessary today. Let’s discuss a few ways to help protect your team, your organization, and your clients.
Adopt strong cybersecurity practices
Like many financial advisory firms, we discuss cybersecurity with our team. We review our cybersecurity procedures and best practices at least twice a year. As part of these meetings, we share the kinds of things we are seeing and best practices to counter any threats. Recognizing phishing attempts and other types of cyberattacks can help minimize the likelihood of falling victim to them.
The most common cybersecurity issue we see is suspicious emails, which have become increasingly sophisticated. These often arrive as an email with a file attached or an email asking you to click on a link. In these situations, it is important not to click on any links or open any attachments before verifying that the email is legitimate. The very first thing we advise our staff to do when they receive an email is to review the address it came from and confirm whether it is a legitimate or fictitious email address. For example, we have received emails that appear to be from DocuSign, but hovering over the sender’s name reveals that the email actually came from a fictitious Gmail account.
Similarly, we have received an email that appears to be from a client, but the message reads somewhat suspiciously. When we review the email address, it is a fictitious email account. When in doubt, following up with a phone call is always a safe option, especially if the email is requesting the movement of funds or assets. As a best practice, if we receive an email from a client requesting the movement of cash, we always follow up with the client directly by phone. More importantly, make sure to use a number you have on file, preferably from a CRM system. This helps minimize the risk of taking instructions from a fictitious email.
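The two checks described above (does the real sender address match the name it displays, and does the message ask to move money and therefore need a phone call to the number on file) can be automated as a first-pass triage before anyone opens an attachment. The following is an added example, not the firm’s own process; the vendor domains, free-mail list, client contacts and keyword list are constructed assumptions and would be replaced by real CRM data.

```python
from email.utils import parseaddr

# Constructed reference data (assumptions, not from the article): brands the firm
# receives mail from and the domains they really send from, plus common free-mail
# domains that a legitimate vendor would never use for transactional mail.
EXPECTED_DOMAINS = {
    "docusign": {"docusign.com", "docusign.net"},
}
FREE_MAIL = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}

# Constructed stand-in for the CRM: client display names -> address on file.
CLIENTS_ON_FILE = {
    "jane doe": "jane.doe@example.com",
}

# Phrases that indicate a request to move cash or assets (constructed list).
FUNDS_KEYWORDS = ("wire", "transfer", "move funds", "send money", "distribution")


def check_sender(from_header: str) -> list[str]:
    """Return reasons the From header looks suspicious; an empty list means no flags."""
    display, addr = parseaddr(from_header)  # splits 'Name <user@host>' into its parts
    if "@" not in addr:
        return ["no usable sender address"]
    domain = addr.rsplit("@", 1)[1].lower()
    name = display.lower()
    flags = []
    # A vendor name in the display name must come from that vendor's real domain.
    for brand, domains in EXPECTED_DOMAINS.items():
        if brand in name and domain not in domains:
            flags.append(f"display name claims {brand} but address domain is {domain}")
    # A vendor name over a consumer free-mail account is the DocuSign/Gmail pattern.
    if domain in FREE_MAIL and any(b in name for b in EXPECTED_DOMAINS):
        flags.append("vendor name sent from a free-mail account")
    # A client name in the display name must match the address on file in the CRM.
    for client, on_file in CLIENTS_ON_FILE.items():
        if client in name and addr.lower() != on_file:
            flags.append(f"claims to be {client} but address is {addr}, not {on_file} on file")
    return flags


def needs_phone_callback(subject: str, body: str) -> bool:
    """True when the message asks to move cash or assets; confirm by phone, using the CRM number."""
    text = f"{subject} {body}".lower()
    return any(k in text for k in FUNDS_KEYWORDS)
```

A mismatch flag does not prove fraud, and an empty list does not prove legitimacy; the output only decides whether the message goes straight to the phone-verification step.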
Keep software and back-ups updated
Because technology is continuously evolving, staying up to date is important. Keeping your software, operating systems, applications, and security tools updated with the latest patches can help minimize exposure. Along with that, regularly performing backups to an external hard drive, and making sure remote backups are stored securely offline or in a separate, isolated network, can help prevent ransomware attacks from succeeding.
Encourage your clients to keep their software up to date and to use an external hard drive to help keep their information secure. It is also important that all backups are password-protected.
Use strong passwords
How often do you update your passwords? At a minimum, passwords should be updated every 90-120 days. A strong password should include a mix of uppercase and lowercase letters, numbers and special characters. Passwords should be 10 or more characters. Strong password policies are essential, but make sure to balance that with usability. It is also important to avoid using personal information when creating passwords. As many are seeing, scammers are becoming creative in many ways, and they are gaining access to much more personal information.
Using multi-factor authentication may help with this. Whenever possible, add an extra layer of security by using two-factor authentication. The second factor may be either a password or PIN, traditionally sent via text message, or a physical device that provides a security token. In either case, a one-time code is generated that is then entered when you are logging in to the specific system.
We all know it is impossible to remember every password, especially when we’re being advised to use more letters and characters. Using a password manager can help. Password managers allow you to secure all your passwords and login info in one location. You will need to remember only one master password to get in. There are many password managers out there such as:
• 1Password, www.1password.com.
• Dashlane, www.dashlane.com.
• Keeper, www.keepersecurity.com.
It is critical to share with your team and clients the need to be cautious of emails, especially those that contain file attachments or links, or ask for any information. For example, we recently had a client who became a cyberattack victim from an email. The email seemed to be sent from the client’s software provider. It said their software subscription was set to renew automatically and to call the number provided if they did not want to renew.
The client called the number and the person who answered asked for personal information. After a few questions, the client quickly realized that they were being scammed. They immediately hung up and began monitoring their personal accounts.
We had not yet been notified by the client, but we noticed an odd transaction in the client’s account and immediately reached out to them. At this point, the client shared that they had been scammed. This was less than 24 hours from the time the client made the phone call to the fictitious number. We internally made sure all team members were notified of the issue and were on alert for any unauthorized transactions. Upon reviewing the original email more closely, our client confirmed the email address was not legitimate and was actually sent from a fictitious Gmail account. Thankfully, the scammers did not succeed in stealing from our client. Still, this is a perfect example of how easily and quickly a person can become a victim.
Regularly reviewing your cybersecurity policies and procedures as a team is crucial. It is nearly impossible to avoid cyber threats, but finding ways to mitigate them and having best practices in place can help minimize vulnerability. Encourage your clients to be skeptical of the emails they receive and to regularly review their passwords, systems, and ways to identify fraudulent situations.
Assunta (Susie) McLane, CFP, is a managing director and senior wealth advisor with Summit Place Financial Advisors in Summit, N.J.