WASHINGTON — Imagine your social security number is sitting somewhere in a government or retail database, and that database gets hacked. Your personal information is sold on the black market to a cyber criminal, who opens up a credit card in your name, racks up a significant amount of debt and ruins your credit.
While tools like LifeLock or Identity Guard can help protect against identity theft, the scary part is that this type of attack is outdated. Cyber criminals now have a much more powerful arsenal of tools and are taking a more targeted approach to threaten your financial well-being.
Here are some new attack methods to be aware of, and how you can protect yourself:
Scenario 1: Your email gets hacked, but your hacker didn’t decide to spam your entire address book with the promise of an exciting business deal with a member of Nigerian royalty. No – instead, the hacker waits until a nugget of information finds its way into your email: a bank statement or tax form arrives, or you send an unprotected document containing your signature to a colleague. With the information gathered from your email, the hacker sends a wire form to your bank with your forged signature on it and tries to access your funds.
Lessons learned: Do a better job of protecting your email and add multiple layers of security. For example, you can add security questions to your email login or password-protect all the documents you send. Better yet, you can require your email provider to send you a text message with a random passcode each time you log in from a new device. Without that passcode, the hacker can’t access your email. Gmail and Yahoo have this. Check out Two Factor Auth to see if your email provider offers multi-factor authentication.
Scenario 2: Increasingly, cyber criminals are targeting specific individuals or businesses through publicly available information. The hacker will find you on LinkedIn, see that you work for a particular law firm or company, and look up your company’s 401(k) provider information (readily available at Brightscope.com). Once they know where your 401(k) is, they can send you an email, which looks like it’s from your 401(k) provider, claiming, “Your quarterly statement has been posted. Click here to download it.” Once you click the link and input your credentials, the hacker has your 401(k) password and can start all kinds of trouble.
Lessons learned: The key here is to avoid clicking links that arrive in your inbox, especially in emails that look like they’re from financial institutions. You never know for sure if the link is valid or if someone is looking to steal your information. You should also use unique passwords for each website. Password-management software such as LastPass or 1Password can help you generate and store passwords that are tough to crack.
Scenario 3: Despite your best efforts, your email account has again been compromised. The hacker notices that you’re buying a house and have been emailing your real estate agent and settlement company. The hacker waits for the settlement instructions, deletes the email you received with the escrow information, and replaces it with a fake email with a different account number – his own. Now, instead of putting a down payment on your dream home, you’re filling the pockets of a fraudster.
Lessons learned: In this case, go old-school. Pick up the phone and verify any account instructions verbally. You want to be sure that any account where you’re sending money is authentic. The short-term inconvenience of making a phone call could ultimately save you a small fortune.
Scenario 4: A cyber criminal does some online research and figures out who your financial adviser is. Most often, this would occur through an email hack. However, someone smart may be able to find this information elsewhere: an old statement that you threw in the trash, the accounts you follow on Twitter and Facebook, or your LinkedIn connections. The hacker then creates a fake email account and messages your adviser, telling them to “start using this new email address for all communications.” A week or two later, they request a withdrawal or wire from your account.
Lessons learned: It’s important to make sure you’re aware of what you’re broadcasting to the world. Don’t share personal information on social media, and have a conversation with your financial adviser about how they prevent this type of fraud. Many firms have a policy in place to ensure that no changes are made to their clients’ information without verbal instruction. You can also use a budgeting tool like Mint (https://www.mint.com/) to monitor your financial transactions so that when something goes wrong, you can act quickly.
It’s often the simple steps you can take — such as multi-factor authentication, using different passwords for each website, and being vigilant about any information transmitted via email — that can go a long way towards protecting yourself. Cyber criminals like to attack easy targets, so it’s important to take these steps to deter financial fraud before it occurs.