Cyber Theft: The Modern-Day Pickpocket

The past 12 months have been marred with a number of high-profile cyberattacks (CapitalOne, Facebook, First American Corporation, and even the credit reporting agency Equifax). With the number of attacks on the rise, many cybersecurity experts believe it is not a matter of if you will be exposed to a cyberattack, but when. In this article, we aim to educate you on the types of fraud being perpetrated and some simple precautions you can take.

Fakebook: A cyber-story

Beverly Beauregard sat quietly in her usual spot near the front of the bus on her way home from playing pickleball with her social club. Her eyes were glued to her tablet as she scanned her social media feed for new pictures of her grandkids or tweets from her favorite political pundits. She noticed a message from a name she remembered from childhood… one she hadn’t heard in years.

Jillian Friedman had been her next-door neighbor and best friend as an adolescent. Beverly and Jillian had lost touch over the years, but Beverly was pleasantly surprised by the contact and anxious to reconnect. After some messaging back and forth, Beverly learned that Jillian had come down with some serious medical issues and could not afford proper treatment. Beverly had accumulated a modest nest egg to fund her retirement and wanted to help her long lost friend any way that she could. The funding gap was $75,000 and although this was a sizable chunk of change for Beverly, she wanted to help.

Beverly insisted on meeting face to face with Jillian to catch up and go through the details. Jillian agreed to meet, but said that she needed the funds immediately and pushed the meeting back until after the procedure. Jillian provided the bank account information for the generous donation and Beverly quickly worked with her financial advisor to raise and transfer the funds.

The operation day came and went and Beverly had not heard from Jillian. Beverly began to fear the worst. When she called the hospital, she was told they had no record of Jillian Friedman as a patient. She then called Jillian’s bank to inquire about the account and learned that all funds had been withdrawn and the account was closed. Just like that, Beverly fell prey, like countless others, to a sophisticated and deftly executed “social engineering” cyberattack.

Global Cyber Risks:
"The combination to the air shield is 1 2 3 4 5"

In the 1987 Mel Brooks Star Wars parody, "Spaceballs", the evil Spaceball empire, who over-polluted their planet, is seeking to steal all the fresh air from the peaceful, neighboring planet Druidia. The Spaceballs ransom the Druish princess, coercing the King to divulge the secret password to the planet's air shield...

"The combination to the air shield is 1 2 3 4 5" [King Roland]

"That's the stupidest combination I've ever heard in my life. That's the combination an idiot would have on his luggage!" [Dark Helmet, Spaceballs General]

"1 2 3 4 5? Amazing! I have the same combination on my luggage." [Spaceballs President]

Coincidently, or perhaps even presciently, thirty years later exposing weak passwords and waging ransombased attacks remain common tactics for cybercriminals. CNN Business reported on the top 10 most frequently used passwords. Not surprisingly, five of the ten are consecutive numbers, with others involving sequential letters or the word "password". While a weak, easily guessed password may not lead to loss of the Earth's atmosphere, it could certainly lead to exposure of sensitive information or financial ruin.

The 2019 Global Risk report, published for the World Economic Forum in Davos, Switzerland, recently cited technological risks as two of the top five global risks in terms of likelihood, trailing environmental risks only. A decade ago, negative impact from economic events was viewed as the most likely risk. It wasn't until 2012 that technological risk even made an appearance. This observation highlights the societal paradigm shift that accompanied our growth and reliance on technology. Indeed, Gartner, Inc estimates that "internet of things" devices will reach 20.4 billion by 2020, each being a potential entry point for a data breach¹.



Closer to home: It's getting personal Cyberattacks are real and are happening more than most of us realize. There have, of course, been some highprofile data breaches in the news, such as Equifax, Facebook, and most recently, CapitalOne. Odds are that one or more of these affected you. In fact, 60% of Americans report they or an immediate family member have fallen victim to a scheme to defraud, according to research from The Harris poll and the American Institute of CPAs.²

Financial institutions are obvious targets for cyberattacks. According to Boston Consulting Group, financial services firms are targeted 300 times more than any other type of company.³ Then why be concerned by data breaches on social media platforms such as Facebook or Reddit? It is probably not so the assailant can log on to your Facebook account and change your status or post an embarrassing picture.

It's more likely to be a scheme such as "Credential dumping" - when a hacker uses stolen username and password combinations to systematically test logins to hundreds or thousands of online platforms (usually financial) using automated computer algorithms. The hope is that the victim uses the same login credentials across multiple accounts. Here is a good place to pause and self-evaluate. Would credential dumping work on you? If the answer is yes, your homework is to update any repetitive or easy to guess passwords to unique, secure passwords. We give some practical advice on setting strong passwords and managing credentials later.

Cyberattack strategies are constantly evolving and can take many forms. The figure below illustrates some of the broad categories of cyber threats. If you are not up to speed on the cyber-lingo, see the National Institute of Standards and Technology's computer security glossary. According to the Financial Conduct Authority, phishing and ransomware attacks are the most reported types of cyberattacks on financial services firms comprising 52% and 20%, respectively.⁴



Financial gain, of course, is the primary goal of these attacks. According to a 2018 study by Dr. Michael McGuire, who works in the Criminology department at Surrey University, a conservative estimate of the global cybercrime economy is $1.5 trillion annually.⁵ With that sort of financial incentive, we don't expect cybercrime to go away any time soon.



Last year, Ginni Rometti, IBM's CEO, stated that "cybercrime is the greatest threat to every company [and in the next the five years, every person] in the world." While this sounds like a phrase that could be written on the cardboard sign of a psychotic street-side apocalyptist, the statement holds some merit. Cybercrime damages are anticipated to reach $6 trillion by 2021. This number "represents the greatest transfer of economic wealth in history, risks the incentives for innovation and investment, and will be more profitable than the global trade of all major illegal drugs combined."⁶

Misappropriation of data from a major financial firm might be the "holy grail" for cybercriminals, however companies which house large amounts of sensitive data also have the best defenses. According to an estimate from cybersecurity experts, IT security spending could hit $124 billion in 2019, up 8.7% from last year.⁷

Cybercriminals have therefore discovered other more accessible targets. In 2019, the FBI issued a warning to raise awareness that the elderly demographic makes up the majority of successful cyber scams.⁸ The warning is based on an observation that seniors are more susceptible to attacks as they are more likely to have cognitive impairment, health issues, and generally be less sophisticated with technology than younger generations. Coupled with the fact that many seniors have amassed retirement savings, you can see why they are prime targets.

Fortunately, there are some simple precautions everyone can take to identify and abate these attacks. According to Cybint, a cyber solutions company, 90% of cyberattacks are due to human inexperience or error and could be avoided.⁹

• Do not use the same password for multiple logins. A password manager (e.g. LastPass) can help you organize your credentials.
  
  
• 12 characters minimum on passwords, including numbers, symbols, and upper and lower case characters. Password managers have a handy feature that will automatically generate a random password of a given length and complexity.
  
  
• Periodically change your passwords. If you have been using the same password for over a year, it is time to change it.
  
  
• Use two-factor authentication. You should have this enabled on all accounts where this option is available (e.g. your Schwab, TD Ameritrade, Client Portal accounts, etc.). Please contact us if you need help setting this up. We are happy to assist.
  
  
• Use good judgement when opening unknown emails. If you do not recognize the sender, or the domain name, ignore and delete the email. If you do recognize the sender, but weren't expecting a message from them – especially if they are asking you to open an attachment or follow a link – ignore and delete the email. If it is a legitimate message, and it is important, they will contact you by phone or some other method.
  
  
• Never give out username, password or personal information over email. Financial firms, mortgage/title companies, the IRS, etc. will never ask for your social security number, username, password, date of birth, etc. over email. If you receive a message requesting this type of information, it is likely a phishing attempt.
  
  
• Use anti-virus and anti-malware software. Fortunately, if you are running Windows version 10 or later, the operating system has Windows Firewall and Windows Defender automatically built in. Similarly, MacOS includes Gatekeeper, XProtect and malware removal tools.
  
  
• Consider purchasing identity protection. If you feel you are a particularly high-risk target or simply want the comfort of some added defense, you might consider purchasing identity protection (such as LifeLock). These services monitor transactions at banks, wireless carriers, payday lenders, and blackmarket websites to alert people when there is suspicious activity or if fraudulent accounts are opened.
  
  
• Regularly check your credit score and financial accounts. The three credit reporting agencies (TransUnion, Equifax and Experian) will issue a free credit report at least annually. Be aware of what appears on your credit score. If you find an error, work with the agencies to correct it. You should also regularly examine bank or investment account statements, credit card statements and other financial information to be sure all transactions are recognized. If you find anything amiss, notify your financial institution immediately.

WT Wealth Management’s commitment According to the SEC, 74% of advisors have experienced cyberattacks either directly or through one or more of their vendors.¹⁰ It is no longer a question of if an attack will happen, but when. According to an IBM report examining the financial impact of data breaches, an average breach involved 25,000+ computer records, $8.19 million in costs and took 279 days for the company to become aware of the breach. Moreover, the study found that small and midsize businesses (fewer than 500 employees and annual revenues of less than $50 million) suffered the worst financial consequences on a relative basis at an average cost of $2.5 million per breach. Further, companies are 31% more likely to experience a data breach today than in 2014.¹¹ With all of that in mind, here are some things that WT Wealth Management is doing to protect your information:

• All client data is housed on off-site cloud computing platforms and datacenters using fully redundant data storage, internet and power infrastructures. All data is transmitted securely using 256-bit SSL and is encrypted.
  
  
• All firm computers are protected and monitored by state-of-the-art firewall, anti-virus and anti-malware protection.
  
  
• All employee logins to platforms holding client data require two-factor authentication.
  
  
• Vulnerability scans are performed at least annually by all third-party software vendors.
  
  
• Firm policy requires verbal confirmation of any move money request.
  
  
• Incoming emails are screened using industry best practice techniques, such as IP block lists, to filter messages containing phishing and other types of scams.
  
  
• Staff are trained annually on cybersecurity best practices and developments.
  
  
• WT Wealth Management specifically insures for cyber risks and periodically reviews this coverage to ensure it is sufficient and appropriate.

As we continue to increase our reliance on technology and the interconnectivity of our digital lives, it is clear that cybercrime will continue to grow as a key global threat. Fortunately, there are measures you can take, and measures WT Wealth Management is already taking, to decrease the chances of falling victim to cyberattacks. Protection of your sensitive information is a top priority for us and we are dedicated to ensuring that our policies, processes and systems keep your information safe.

As we learned in this article, cybersecurity is a two-way street. We hope that you take advantage of the simple steps described herein to avoid falling prey, like Beverly and countless unsuspecting others, to a costly, yet avoidable, cyberattack.

If you need help with your security settings or would like more information on how we keep your information safe, please do not hesitate to contact us: Info@WTWealthManagement.com • 800-825-0616

Sources:

¹www.gartner.com/en/newsroom/press-releases/2017-02-07-gartner-says-8-billion-connected-things-will-bein-use-in-2017-up-31-percent-from-2016

²www.aicpa.org/press/pressreleases/2018/nearly-half-of-americans-say-id-theft-likely-to-cause-them-finan.html

³www.ciodive.com/news/cyberattacks-hit-financial-services-300-times-more-than-other-sectors/557372/

⁴www.zdnet.com/article/phishing-ransomware-are-top-cyberattacks-on-financial-services-firms/

⁵www.thesslstore.com/blog/cybercrime-pays-new-study-finds-cybercriminal-revenues-hit-1-5-trillionannually/

⁶www.herjavecgroup.com/wp-content/uploads/2018/12/CV-HG-2019-Official-Annual-Cybercrime-Report.pdf

⁷www.darkreading.com/2019-security-spending-outlook/d/d-id/1333826

⁸www.fbi.gov/contact-us/field-offices/phoenix/news/press-releases/fbi-warns-of-elder-fraud-in-arizona-topfive-cyber-crimes-targeting-arizona-seniors

⁹www.cybintsolutions.com/employee-education-reduces-risk/

¹⁰www.sec.gov/about/offices/ocie/cybersecurity-examination-sweep-summary.pdf

¹¹www.dailyvoiceplus.com/westchester/westchester-business-journal/latest-news/ibm-average-data-breachcosts-us-companies-819m/773320/