Each year Queens University hosts an Estate Planners’ Day where leaders in our industry speak on estate planning topics. This year, one topic in particular caught my eye: JP Morgan presented on cybersecurity. My initial thought was, “I’ve got this.” In fact, I wrote an article on the topic back in 2016: Protecting Yourself from Cyber Threats. Debbie Taylor followed up with additional information in her 2019 article Security in Our Modern World. Some of our key points from those pieces include:
I learned from the speaker and through additional research that this is just the starting point. We must continue to stay vigilant and work to make it harder for cybercriminals to access our personal information. Based on my new information, I have a lot of work to do.
We get barraged with emails. It is the best way for cybercriminals to try to get into our computers. JP Morgan states that 95% of all cyber-attacks result from a successful phishing email. We’ve all received them. The email appears to be from someone we know, inviting us to click on a link. That link then downloads malware to our computer or directs us to an authentic-seeming website to enter confidential information such as a login and password combination. Don’t be fooled!
“Hi Mary Lou, we’ve noticed some suspicious login attempts on your Amazon account. Click here to review the activity.”
“Hi Mary, we’ve got an opportunity to refinance your home at below-market rates. Download the necessary paperwork here to get started. Just log in using your normal username and password.”
The first email, supposedly from Amazon, seems like it could be authentic until I look a little closer. Notice that the company name is misspelled in both the sender’s email and in the address when I hover over the link.
The second email is a little trickier. It appears to be from someone with whom I have a business relationship, but it feels a little off to me. The address looks okay; the link seems okay. But Bob Banker knows to call me Mary Lou. And I’ve never received a link from him to download paperwork that I wasn’t expecting. These are all clues that the emails are not what they claim.
The best response to both these emails is to NOT CLICK ON THE LINK. Instead, if you think action needs to be taken, do a little more research. If an online account is referenced in the email, open a new web page and go directly to the site. Once on the website, proceed to where you can verify or eliminate the concern. For example, you can verify the devices linked to your Amazon account within your account settings.
For a suspicious email from someone you know, call—do not email—and confirm whether they did, indeed, send the email and what it is regarding. Their computer may have been compromised, and the cybercriminals may now be targeting the individuals in their address book. If this seems farfetched, know that this very scenario happened to a colleague. It was only because he sensed that the email wasn’t quite right that he didn’t fall victim himself.
The FTC has a good article on Recognizing and Avoiding Phishing Scams. (If you hover over this link, notice the domain reads “https://consumer.ftc.gov/articles…”)
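The hover check described above can also be automated. The following is an added example, not part of the original article: it compares the host a link really points to against a short list of sites you use and flags names that are one character off or that bury a trusted name inside another domain. The trusted list, the two-label domain rule and the sample links are assumptions made for the illustration.

```python
from urllib.parse import urlsplit

# Sites the reader actually uses; both names appear in the article.
TRUSTED = {"amazon.com", "ftc.gov"}

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: single-character edits needed to turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]

def classify_link(url: str) -> str:
    """Return 'trusted', 'lookalike' or 'unknown' for the link's real host."""
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    labels = host.split(".")
    # Assumption: the registrable domain is the last two labels. That holds
    # for .com and .gov; a real tool would use the Public Suffix List.
    registrable = ".".join(labels[-2:])
    if registrable in TRUSTED:
        return "trusted"
    for good in TRUSTED:
        brand = good.split(".")[0]
        # A trusted name used as a label of some other domain, or a label
        # one edit away from it, is the misspelling trick.
        if any(edit_distance(label, brand) <= 1 for label in labels):
            return "lookalike"
    return "unknown"

# Constructed sample links; .example is a reserved TLD that never resolves.
SAMPLES = [
    "https://consumer.ftc.gov/articles",
    "https://www.amazon.com/your-account",
    "https://www.amaz0n.example/review-activity",
    "https://amazon.com.account-check.example/login",
    "https://refinance-docs.example/download",
]

if __name__ == "__main__":
    for link in SAMPLES:
        print(f"{classify_link(link):10} {link}")
```

An "unknown" result is not a clean bill of health: the refinance link in the samples is neither trusted nor a lookalike, which is why the phone call is still the right check for it.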
Cybercrime Magazine expects approximately six billion people to be connected to the internet and interacting with data in 2022. Based on their calculations, if you added everyone’s time together, we spent more than 1.3 billion years online in 2021.
I know I spend too much time on the internet. I grocery shop, pay bills, play games, learn new languages, and search Google for anything and everything—primarily dog training these days. If you are like me, you need to take a few precautions.
Many websites now require multifactor authentication (MFA). When using MFA, an additional “factor” beyond your password is required at login to prove you are an authorized user. An example of MFA is using a code that has been texted to your phone to complete your login. One downside of this method is that cybercriminals are increasingly able to gain access to our text messages.
A more robust form of MFA utilizes an authenticator app that is installed on your phone or mobile device. The app generates a code that is required to access your connected accounts, and the code changes every thirty seconds or so. The constantly changing code adds an extra level of complexity and makes it almost impossible for a cybercriminal to gain access to your account. If you have the option to use an authenticator app, please do so.
Biometric authentications are another strong form of MFA. Instead of a code, these rely on unique biological characteristics such as facial recognition and fingerprint scanning. During COVID, you may have become frustrated with your phone’s biometric authentication because it could not recognize your face while you were wearing a mask.
Our last suggestion for the internet relates to your hardware and setup. It may surprise you to learn we prefer you have multiple networks at home. One network is for your primary computers, the other for guests, gaming children, and connected devices like Nest, Alexa, and Peloton. Online instructions are available for most modem models to walk you through setting up two networks using one modem. I’ve put this one on my “Honey Do” list for my husband to figure out.
A password manager is a software application that stores and manages online credentials. Usually, these passwords are stored in an encrypted database and locked behind a master password. Both at Bragg and at home, we use password managers. I have set up my personal password manager on both my iPad and iPhone, allowing me to access all my passwords from either device. Additionally, I can share passwords with specific people who use the same password manager, my sons, for example. This has cut down on the late-night phone calls when one of them is trying to watch a movie and needs my Netflix password.
Password managers are very helpful in keeping up with ALL our passwords. According to an article published in November 2021 on tech.co, a study showed that each of us has over 100 passwords to remember. My personal password manager has 61 passwords, and my work one has 18 passwords. And I’m just getting started!
Just about every cybersecurity expert cautions against using the same password for multiple accounts. While I know this is important, in real life, this is how I managed my 61 personal passwords. I have two passwords that I use for almost all my accounts. Now that I am using a password manager, it tells me when I am using a duplicate password and prompts me to create a new password. It also offers to create a long string of gibberish to use as a password. Good thing it will remember it for me!
For those who really want to continue using a password for multiple accounts, the Estate Planners’ Day presenter suggested adding a new word at the end. And of course, make sure it combines upper and lowercase letters, numbers, and symbols. For example, if your go-to password is MyD0GisNa!a, perhaps you use MyD0GisNa!a_Wells for your Wells Fargo account. Then for USAA, you can use MyD0GisNa!a_USAA. The base stays the same and you change the ending each time. Just know, this practice weakens your account security across multiple sites.
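The duplicate warning a password manager gives, and the weakness of the base-plus-ending scheme, can both be shown with a small audit. This is an added example, not the presenter's or any password manager's code: it groups accounts whose passwords are identical or start with the same base and reports how many characters are actually unique to each account. The vault contents are constructed, using the article's two sample passwords plus made-up entries.

```python
from collections import defaultdict
from os.path import commonprefix

def audit_vault(vault: dict, min_base: int = 8) -> list:
    """Group accounts whose passwords are identical or share a base of at
    least min_base characters. Every account in a group is weakened if any
    one password in that group leaks."""
    buckets = defaultdict(list)
    for site, pw in vault.items():
        # Passwords with the same first min_base characters share a bucket;
        # shorter passwords only match exact duplicates.
        key = (True, pw[:min_base]) if len(pw) >= min_base else (False, pw)
        buckets[key].append(site)

    report = []
    for sites in buckets.values():
        if len(sites) < 2:
            continue
        base = commonprefix([vault[s] for s in sites])
        report.append({
            "base": base,
            "sites": sorted(sites),
            # Characters beyond the shared base: all that still
            # distinguishes one account's password from another's.
            "unique_chars": max(len(vault[s]) - len(base) for s in sites),
        })
    return sorted(report, key=lambda group: group["base"])

# Constructed vault: the first two entries are the article's examples.
VAULT = {
    "Wells Fargo": "MyD0GisNa!a_Wells",
    "USAA": "MyD0GisNa!a_USAA",
    "streaming": "Paddle2022",
    "utility": "Paddle2022",
    "email": "q7#Lw9vT!xR2mZp4kB",
}

if __name__ == "__main__":
    for group in audit_vault(VAULT):
        print(group["sites"], "share", len(group["base"]),
              "characters; at most", group["unique_chars"], "are unique")
```

For the two bank passwords the audit reports a twelve-character shared base and at most five unique characters, so the seventeen-character password protects each account only as well as its short ending does once one of them is exposed.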
The chart below shows how long it would take a computer to crack a series of increasingly complex passwords, according to Security.org. Even a ten-character password comprised of gibberish isn’t all that secure. They recommend passwords between sixteen and twenty characters. Notice that the seventeen-character password I made up is memorable (to me) but also very hard to crack.
In 1984, Apple ran an advertisement portraying IBM as an Orwellian “Big Brother.” In 2022, I feel confident saying that my iPhone and many of my apps are “Big Brother.” For example, I use Waze almost every day to learn about traffic, and on trips, it’s way better than a AAA TripTik. My Waze can tell you what time of day I drive to the office and where my office is located. As a matter of fact, any app to which I grant location permissions knows where my phone is at all times.
When installing new apps, always select “Never,” “Ask Next Time,” or “While Using the App” when prompted for location permissions. For apps already set up on your phone, you can change the location preferences in your settings.
Additional easy methods of securing your mobile devices are using strong passwords and biometric tools such as facial recognition or fingerprint scanning. And don’t forget to keep your software and apps up-to-date.
Cybercriminals scour every type of social media to learn more about us. Just last month, my son Tyler called me out for uploading a picture to Instagram that automatically listed my location. Oops! Depending on your device’s location settings or camera’s geotag settings, you, too, may inadvertently be sharing more than you intend. Upload a photo of your family in front of your home and cybercriminals may know where you live and with whom. Based on what else you post, they know what you like to eat, where you like to shop, and your hobbies. If you scroll through my Instagram account, you can quickly learn that I work for Bragg, frequent Lake James, like to paddleboard, and have two sons. Two new puppies joined the family, and my husband recently turned 56. That is a lot of information for them to know about me – and it’s only from one site.
Consider what you post and say online. Review the privacy settings for your social media accounts and remove personal information such as your birthday or your children’s birthdays. When posting pictures from a trip, wait and post them once you are back home. Don’t post them while your home is sitting empty.
In the end, it all comes full circle. Information learned on social media sites is used to send you phishing emails, texts, and phone calls. Click on a link in a phishing email or text and you may well open the door to a cybercriminal. With access to your entire computer, they can start work on hacking your passwords. If I can nudge you to make two changes, they would be these:
If you want to engage your children or grandchildren in learning more about cybersecurity, PBS and NOVA Labs collaborated to create videos and games to educate students. They have games that teach more about coding, password-cracking, social engineering, and network attacks. I played all the games and was saddened to learn that my super-secret nine-character password with upper- and lowercase letters, numbers, and symbols could be cracked in under 30 seconds!
In regard to your accounts at Bragg, we comply with strict industry regulations regarding the safekeeping of client personal information. We follow a written cybersecurity plan that documents Bragg’s procedures, processes, hardware, and software to ensure information security.
We are committed to keeping you and your personal information safe, and we are grateful for your trust in us. If you have concerns about your accounts, account information, online account access or the safety of your information, please contact us. We will always be happy to help you.
This information is believed to be accurate but should not be used as specific investment or tax advice. You should always consult your tax professional or other advisors before acting on the ideas presented here.