Years ago, careful watch over your wallet and important documents was sufficient protection against identity theft and fraud. Unfortunately, those days are long gone, as such theft is growing exponentially, and cybersecurity breaches impact millions of people each year. Each individual must take action in order to keep his or her information safe. It is a mistake to assume that the safeguards your financial institutions (banks, credit cards, financial advisor, etc.) have in place are all that is needed to protect you.
Please note that this post is about preventative measures. If you have already been hacked, we recommend following the steps outlined in this document from Schwab.
Below we highlight some cyber security best practices:
- Use a password manager to store details and generate strong and unique passwords across the board. Without a password manager, many of the steps we recommend below become nearly impossible and/or highly inconvenient.
- Create long, unique, and hard-to-guess passwords, preferably using random characters. Do not use personal information such as your name, date of birth, address, children’s or spouse’s birthdays, etc., as your password.
- Do not repeat the same password across different sites. This is a convenient yet dangerous practice, even if the password itself is complex. In the past few years, there have been major breaches of sites such as Yahoo and LinkedIn where the hackers obtained usernames and passwords for those sites. It is unlikely that the hacker’s goal is to learn about your job connections on LinkedIn: instead, knowing that most people reuse passwords, the hacker will then try the login credentials on banking and credit card sites. This is the major risk in re-using passwords: as soon as one site is breached all others become vulnerable. Unfortunately, in these cases, the company often doesn’t know or report the breach until it is too late for you to change all of your passwords. Use this tool from the NY Times to see how much of your personal information has been exposed to hackers.
- Use “dual factor” or “multi factor” authentication to the greatest degree possible, and especially in conjunction with the aforementioned password manager. This ensures that even if your password manager is hacked, you have an additional layer of security. This usually comes in the form of a 6 digit code that is either texted to you or displayed on an authentication app on your phone. Sites for which we strongly recommend using this form of authentication include:
- Your password manager. Do not use a password manager lacking this feature
- Email (all major email services now offer dual-factor authentication options)
- Bank accounts and investment accounts (note that both Schwab & Fidelity offer this feature)
- Do not share passwords or “password formulas” via email. A password formula example would be “the password is my zip code + our daughter’s middle initial.” You should only share passwords orally or via a password manager with a sharing feature. Text messages, while not ideal, are still preferable to email.
- Do not use “security questions” whose answers are easily searchable. A hacker can easily find your ‘elementary school’ or ‘mother’s maiden name.’ Instead, consider creating easy-to-remember relationships with the most common security questions and answering with those. If you often use the “elementary school” security question, then perhaps you should always answer it with the name of your best friend from elementary school, and so on.
Website Browsing, Computer Management, and Email Practices
- Keep your computer’s firewall on, use anti-virus software, and keep your computer up to date. Yes, those system updates that require restarts are very annoying, but they are often critical for your security!
- Before entering personal or financial information on any website, check that its URL begins with “https.” Also look for the lock icon, which indicates that the connection is encrypted (it does not, by itself, prove that the site belongs to the company you expect).
- Become familiar with the construction of a website address and in particular recognize the domain name. This is simpler than it sounds. We are all familiar with the common suffixes of .com, .net, .edu, etc. but be aware that a site’s domain name immediately precedes it. For example, “chase.com” is not the same as “chase.secure.com”. While the former belongs to Chase Bank, the latter could be owned by anyone that bought the “secure.com” domain name. It is common to see links that begin with the name of a reputable company followed by a domain that is not. In this vein, banking.chase.com, if such an address existed, would be part of the chase.com domain whereas chase.123.com would not.
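As an added illustration of the domain rule above (not part of the original post), here is a small Python check that pulls the registrable domain out of a link and compares it with a bank’s real domain. It assumes the public suffix is a single label such as .com; every hostname below is a constructed sample modelled on the post’s own examples.

```python
from urllib.parse import urlsplit

def registrable_domain(url: str) -> str:
    """Return the registrable domain of a URL: the label just before the
    public suffix plus the suffix itself (e.g. "chase.com").

    Simplifying assumption: the public suffix is the last label (.com, .net,
    .edu, ...). Multi-label suffixes such as .co.uk would need the Public
    Suffix List, which is beyond this illustration.
    """
    if "://" not in url:
        url = "https://" + url           # accept bare "chase.com/login" input
    host = urlsplit(url).hostname or ""  # drops scheme, user@, port and path
    labels = host.rstrip(".").split(".")
    if len(labels) < 2 or not all(labels):
        raise ValueError(f"not a dotted hostname: {host!r}")
    return ".".join(labels[-2:])

def belongs_to(url: str, real_domain: str) -> bool:
    """True only when the link's registrable domain is exactly the bank's."""
    return registrable_domain(url) == real_domain.lower()

def audit_links(urls, real_domain):
    """Classify each link as belonging to real_domain or not."""
    return [(u, registrable_domain(u), belongs_to(u, real_domain)) for u in urls]

if __name__ == "__main__":
    # Constructed sample links; none of these are real findings about any site.
    samples = [
        "https://chase.com/login",
        "https://banking.chase.com/",
        "https://chase.secure.com/login",
        "https://chase.123.com/reset",
        "https://chase.com@123.com/",   # "user@host" trick: the host is 123.com
    ]
    for url, domain, ok in audit_links(samples, "chase.com"):
        print(f"{'OK ' if ok else 'BAD'} {domain:<12} {url}")
```

The last sample shows why reading the address by eye is not enough: the text before the “@” is login information, not the site, so the link actually goes to 123.com.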
- Do not click any email links to access your bank’s website or any other online account. If you receive an email purporting that your account has been compromised, or that you have been awarded points or rewards, do not follow any links in the email. Instead, use your browser to go directly to the web address of the company to log in and view messages.
- Create a mental checklist for every email you receive using this useful guide: Email – Social Engineering Red Flags.
- Never respond to pop-up ads that may come up on your screen. Close such pop-ups from the task manager; press Ctrl+Alt+Delete as a last resort to remove them if they keep reappearing.
- Sometimes ads, even those on reputable websites, are compromised. Try to avoid clicking on them, or use an ad blocker if you can.
- Use your primary email address to stay in touch with people you are acquainted with. Delete any emails both from your inbox and your “sent” folder that contain personal or account information.
- Add unwanted emails to your spam list. Be wary of “unsubscribe” buttons in emails unless you know it is coming from a valid source, as the unsubscribe button can be a sneaky way of getting you to click on a bad link. Instead, a better practice is to block the sender, which any email service (Outlook, Gmail, Yahoo, etc.) will allow you to do.
- Here is a scary thought: on public Wi-Fi, hackers can use software that captures every character you type. So, do not use public networks if at all possible, including inflight Wi-Fi, airports, coffee shops, hotel lobbies, the subway, etc. If you have to use a public network, never use it to access secure websites or email, including the mail apps on mobile devices. Many smartphones have the ability to create a private Wi-Fi network (a personal hotspot); this is far more secure than public Wi-Fi and should be used if you need to work remotely in public places.
- If you store any critical information such as social security number, credit card number, bank account details, passwords, etc., in external storage devices, ensure that the data is encrypted, and in securely password-protected documents.
Working with Us
There are various steps you can take to improve your security when working with us. Most notably:
- Do not email us unsecured documents or login credentials for third-party banking/investment sites – if we send a password-protected PDF, and you print/sign/scan, you should not email this back in an unsecure fashion. Ideally, make use of our client vault for sharing confidential documents and for the delivery of your monthly statements. Some clients mistakenly believe that because of hacking, electronic statements are less safe than paper ones. This is not the case; electronic statements can offer dual-factor authentication and leave a trail, while paper statements can easily be taken or lost with no trail.
- Use dual-factor authentication with client portal. For our legacy portal (Sharefile), you will need to follow these instructions. For our new portal, you will be prompted to set this up when you join, and we recommend that you use the text passcode instead of answering security questions.
- Set up or re-familiarize yourself with your Schwab/Fidelity/Pershing login credentials. Many of our custodians now offer more secure ways of sending documents and authorizing wire transfers, but only if you know how to log in. While Schwab receives tens of thousands of wire fraud attempts each year, it has received ZERO such attempts associated with the electronic wire-authorization program rolled out last year. Not only will these programs provide more security for money movements and account openings, they are faster and can be completed with a few simple taps on your smartphone.
Other Third Parties
We are just one example of a third party that has access to much of your confidential information, and we take this responsibility very seriously. Please feel free to contact your advisor should you have specific questions regarding our security setup. However, you work with other third parties who also have access to your personal information, especially accountants and attorneys. We thoroughly evaluate the cybersecurity practices of our vendors; in the same way, you should ensure that your trusted partners follow sufficient security procedures. If your attorney/accountant is sending you unprotected documents via email, speak up – demand that they at a minimum protect such documents with a password or a secure mail service, and implore them to invest in a secure client vault.
Now for the bad news: there is no way to guarantee that your information is protected at all times. Any site or firm which tells you they are “hacker-proof” should be viewed with suspicion given that entities with seemingly endless resources (including J.P. Morgan and the U.S. Government) have proven vulnerable. However, there are many steps that you and your third party partners can take to greatly reduce your risk. The above list may seem overwhelming or impractical, but with constant vigilance and the use of tools such as a password manager, it is easier to put into practice than you may think, and well worth the time invested.
For more on this topic, see our identity protection whitepaper.