You’ve likely spent a good deal of time thinking about investment risk. But have you stopped to think about more personal security issues, such as the safety of your online financial transactions and information stored on your computers? While most people recognize that online fraud or cybercrime is a potential threat, few know how or why they may be at risk. Cybercrime can take many forms, and understanding who the enemies are and how they commit crimes may allow you to better defend yourself.
Fidelity is a global leader in security and risk mitigation, and we know that high-net-worth individuals are especially attractive targets for cyberattacks. This article is intended to be educational and help you improve your defenses against the most common threats to your online security.
The “Bad Guy”
Economic cybercriminals pose the greatest online risk to your family’s personal financial data and assets. Make no mistake, many of these thieves are highly skilled and sophisticated. They may be individuals or coordinated groups that use technology to steal. For most of us, cybercrime can best be described as an extension of traditional criminal activity focused on personal financial data and monetary theft.
How do cybercriminals operate?
In some cases, cybercriminals cast a wide net with “phishing” scams, among others, and hope the sheer quantity of potential victims will yield sufficient economic benefit (see chart for more details on how cybercriminals attack).
Specific victim targeting
A growing and more concerning trend is the specific targeting of high-net-worth individuals. In many of these cases, criminals spend a great deal of time and effort identifying a worthwhile target and then developing a victim profile based on public and private information, such as property records, credit information obtained via hacking, and details posted on social networks, with the goal of stealing assets from financial accounts.
Although the actual criminal act can take several forms, the basic steps are often similar. Below is a relatively common scenario:
- Step 1: The thief sends an email with a link or attachment to the victim that appears to come from a known party. The targeted victim then clicks the link or attachment, which includes malicious software (malware) that infects the victim’s computer.
- Step 2: The thief uses installed malware to steal login credentials to the victim’s financial accounts. This will generally allow the thief to log in as the victim.
- Step 3: With access to accounts, the thief changes the victim’s profile at the financial institution and/or impersonates the victim and moves money to criminal accounts at a different institution.
That’s the bad news. The good news is that with some simple steps, you can improve your defenses and reduce your vulnerability to this type of crime.
Steps you can take to help keep your online accounts safe
1. Use two-factor authentication and strong passwords.
Treat your computing devices as you would your front door—restrict access and use tough security measures. Passwords are the keys to your online financial information. If cybercriminals find them, they can unlock the doors to your bank accounts, investment accounts, and your personal information. Unfortunately, a significant amount of malicious software trolls the internet looking specifically for account credentials (IDs and passwords). With an inadvertent click to what appears to be a legitimate link or the opening of an attachment designed to look legitimate, this software can be loaded on your machine and be ready to take your “keys.”
Go for two
Adding an additional layer of security when you access your accounts, called two-factor authentication, is a strong defense against this type of attack. Fidelity and many other financial firms now offer two-factor authentication. It requires you to enter a unique security code, randomly generated and sent to your phone or other mobile device, in addition to your standard login. While not completely foolproof, two-factor authentication raises the bar for cyberattackers trying to access your accounts. You might also consider it for nonfinancial sites—Google, Apple, Microsoft, Facebook, Amazon, and Twitter all offer two-step authentication options.
Go long and stay strong
You’ve probably heard this before, but it bears repeating: Never use names, birth dates, Social Security numbers, or any personally identifiable letters or numbers as your password. Use a different password for every application and change them often. What constitutes a good password? The most important factor is length (at least 12 to 14 characters is best), but complexity also makes passwords more unique. Use a combination of letters, numbers, and special characters and stay away from dictionary words or common combinations of words. It’s also best to avoid common substitutions within words, like replacing the letter “o” with a zero. It’s just too obvious. A string of uncorrelated words with numbers and special characters is best. Importantly, when selecting a password, don’t rely on free password strength checkers—they often miss the mark.
Install a password manager
These days, most of us have dozens of passwords covering multiple devices and everything from social media to subscription services, e-commerce, banking, and Wi-Fi. Remembering all these passwords, and changing them frequently, just isn’t sustainable. Fortunately, there’s an app for that. Password manager apps generate and store all your passwords in a secure environment. They’ll even auto-fill login information for stored sites. Many now sync your passwords across all your devices and automatically generate new ones on a regular schedule. The cost of state-of-the-art password managers is negligible—especially when compared with the convenience and security they provide.
2. Install industry-standard systems and software, keep them up to date, and perform regular backups.
One of the smartest things you can do to keep your financial information safe is to use industry-standard operating systems and keep them up to date. Credible vendors have teams of cybersecurity specialists dedicated to fixing vulnerabilities in their current systems, and they are always on the lookout for new ways cybercriminals can hack into their products to access users’ computer files or install malicious software.
Updating your systems is easier than it used to be
Today, most operating systems let you set your update preferences to automatically install patches as soon as they are available. That goes for software, too, including anti-virus protection. Don’t forget to update your mobile phones and tablets, and the apps installed on them. You can set update preferences to do this automatically, but many devices need to be plugged in to your computer for a complete upgrade. It’s a good idea to connect your mobile devices to your computer via a USB port at least once a week so these updates can be downloaded and installed properly.
You can never have too much backup
Backing up your data is good system hygiene. It prevents your information from being lost forever and immunizes you from ransomware attacks. In this increasingly common scheme, criminals lure you into clicking an email link that downloads malware and blocks your access to the computer. The perpetrators can hold your hard drive hostage, demanding a hefty ransom to unblock it. If your system data is backed up elsewhere, it eliminates any leverage the scammers have, neutralizing their threats.
Backups are most effective when done in a continuous, real-time environment. Savvy users employ redundant methods—typically a USB-connected external storage device in tandem with an encrypted cloud-based service. External storage offers more immediate data retrieval, while cloud-based services can store much more data. Also, in the event of a flood or fire, both the computer and external storage device may be lost, but offsite backups to a cloud-based service would be safe.
Don’t forget to include mobile devices in regular backups. This can be done via a cloud-based service, but a full backup may require connecting to a computer via a USB port. Once you sync your photos and home movies to your computer, they will be included in regularly scheduled backups, keeping them secure.
3. Use caution when linking to financial accounts or e-commerce sites through email.
Cybercriminals are getting smarter about making their phishy emails look legitimate. These emails mimic those of financial institutions, complete with logos and convincing signature lines. Searching Google and social media sites makes it easy to personalize these emails with your name and subject lines like “Your recent transaction with us.” All of this is designed to lower your guard so you’ll be more apt to click a link to a fraudulent version of your provider’s website. This allows the scammers to download malicious software onto your computer or gain access to your passwords and user names.
The best offense is a good defense
Use caution when linking to your financial institution via email. Instead, go directly to your provider’s website by using a link you’ve saved in your “Favorites” menu. That way, you’ll be sure you arrive at a legitimate website. Always look for the “https” prefix in the site’s address. The “s” indicates that the site is using a Secure Sockets Layer to encrypt data transfers, a more secure protocol than sites designated as “http.”
4. Always access your accounts from a secure Wi-Fi location.
Your home Wi-Fi network comes with built-in security, but it’s not foolproof. Your network provider supplies you with a router ID and password, but these are default settings. Cybercriminals know the defaults for major network providers. If you’re using these settings, your “secure” home Wi-Fi network may not be as secure as you think.
When setting up your home network, consider changing the default network ID and passwords. Consider installing an Intrusion Detection or Intrusion Prevention system, as well as an applications-based firewall, to further secure your network.
The Internet of things
Home networks now connect computers and smartphones to thermostats, TVs, refrigerators, and residential security systems. Each device is a potential weak spot in your Wi-Fi network. As your home becomes more dependent on the Internet, so, too, does your exposure to a network breach.
Beware of public Wi-Fi
Everyone loves free Wi-Fi, but unsecured public wireless access points are easy to intercept, providing access into your computer files. A safer alternative is to use only secure Wi-Fi networks. If you use your laptop or mobile devices while traveling, purchase a subscription to a paid hotspot provider in which the networks are password protected and have additional levels of security.
5. Consider using a dedicated device for online banking.
One of the best ways to secure your online financial information is to dedicate one device exclusively for banking and financial use. Many cyberattacks come from malware installed while you’re Web surfing and reading emails. Eliminating those activities from a dedicated banking computer goes a long way toward keeping your financial information out of harm’s way.
Help us help you
A dedicated banking device also helps financial institutions keep your accounts secure. Most, including Fidelity, monitor client accounts for fraudulent logins from unauthorized computers and will alert you if there is suspicious activity in your account. When Fidelity surveyed client login patterns, we found many users logging in from multiple devices. One or two were common, but some clients routinely logged in from a random assortment of systems, making it difficult for an institution to distinguish a legitimate login from a fraudulent one. By using one device for all transactions, an illegitimate login stands out, and the institution will be able to move quickly to alert you and secure your account.
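The following added example (not Fidelity's monitoring logic, and not code from the original article) illustrates why a consistent device makes an unfamiliar login stand out. The login records, device names, function names, and the 0.2 threshold are all constructed assumptions.

```python
from collections import defaultdict

# Constructed sample login history as (user, device_id) pairs; not real data.
HISTORY = [
    ("alice", "laptop-A"), ("alice", "laptop-A"), ("alice", "laptop-A"),
    ("alice", "laptop-A"), ("alice", "laptop-A"), ("alice", "laptop-A"),
    ("bob", "laptop-B"), ("bob", "phone-B"), ("bob", "hotel-pc"),
    ("bob", "tablet-B"), ("bob", "library-pc"), ("bob", "work-pc"),
]

def new_device_rate(history):
    """Per user: how often a past login came from a never-before-seen device."""
    seen = defaultdict(set)
    firsts = defaultdict(int)
    totals = defaultdict(int)
    for user, device in history:
        totals[user] += 1
        if device not in seen[user]:
            firsts[user] += 1
            seen[user].add(device)
    rates = {}
    for user in totals:
        # The very first login is always "new", so leave it out of the rate.
        if totals[user] > 1:
            rates[user] = (firsts[user] - 1) / (totals[user] - 1)
        else:
            rates[user] = 1.0  # one login is not enough to form a baseline
    return rates, seen

def assess_login(user, device, history, alert_threshold=0.2):
    """Return 'allow', 'alert', or 'review' for a login attempt.

    alert_threshold is a hypothetical tuning value chosen for this example.
    """
    rates, seen = new_device_rate(history)
    if user not in seen:
        return "review"  # no baseline exists for this user
    if device in seen[user]:
        return "allow"   # device matches the user's established pattern
    # Unfamiliar device: a strong signal only if this user rarely changes devices.
    return "alert" if rates[user] <= alert_threshold else "review"

if __name__ == "__main__":
    for user in ("alice", "bob"):
        print(user, assess_login(user, "unknown-pc", HISTORY))
```

For the single-device user the unfamiliar login is flagged immediately, while for the user who logs in from a random assortment of systems the same event is ambiguous and has to be resolved with other signals.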
6. Understand your computing environment and consider whether you need help.
If you have a complex computing environment, a comprehensive cyber-risk assessment may be an appropriate step in protecting your personal information. Individuals with complicated online footprints may consider contracting with a professional to implement and administer the recommended systems (e.g., intrusion prevention and detection, firewalls).
Because cyberthreats evolve almost as fast as technology itself, consider retaining the firm to provide ongoing system surveillance, support, and maintenance. These services include everything from monitoring your home Internet traffic and blocking outside threats to educating family members about smart social media practices, safe Web surfing and e-commerce protocols.
A good risk assessment will be specific to each person and should consider questions like “How many computers, mobile devices, tablets, TVs, home security systems, and appliances are connected to your home Wi-Fi network?”; “Are they shared across personal and home office use?”; “Do non-family members who are regularly in your home have access to your Wi-Fi network or computing devices?”; “What backup procedures are in place for each device?”; and “Are you or other household members active on social media like Facebook, Twitter, or Pinterest?”
No one wants to spend time thinking about all the bad things that can happen, but it's important to understand potential threats to your assets and take measures to eliminate them. When it comes to protecting your financial accounts from cyberthreats, practicing good system hygiene and making a few changes in your user habits will significantly improve your online security. Clients can play a key role in helping Fidelity detect fraud. They can help us help them by maintaining a general awareness of their accounts, including staying alert to emails regarding password resets and account changes, and periodically logging in and checking for unusual transactions and activity.
Fidelity uses sophisticated security measures to protect our customers. We also make many additional security tools available for customers to utilize, including two-factor authentication and transaction alerts. Of course, we also provide a Customer Protection Guarantee for fraudulent activity. Make sure to visit Fidelity’s online customer security site to explore some of these features, and learn more about what Fidelity is doing to help keep your assets safe.
Fidelity Brokerage Services LLC, Member NYSE, SIPC, 900 Salem Street, Smithfield, RI 02917