Cybersecurity
I've been thinking a lot about cybersecurity.
A month ago, my magenta-hued cell phone provider allowed the personal data of me, my wife, and fifty million of our closest friends to be easily stolen. If that weren’t enough, my newsfeed is full of stories of doom and gloom: software giants, the Florida water supply, oil and gas pipelines, computer manufacturers, and meatpacking plants have all been compromised in large-scale attacks. Even the highest levels of the United States government have not been immune to significant data breaches.
These examples, however, are not what keeps me up at night. What occupies my mind is the safeguarding of our clients' information and investments: What if we accidentally authorize a fraudulent wire transfer? Could a hacker get access to our internal email or document storage software? If so, how? If we determine how, how can we prevent it? For me – that’s the stuff of nightmares.
Now, the SEC imposes stiff financial penalties (into the millions) on firms like ours over cybersecurity failures, which, admittedly, sounds awful. But what sounds worse is the impact on our clients. Trust in, and loyalty to, our firm could be shaken if such a breach were to occur—especially a breach that could have been prevented: something within our control.
WHAT ARE WE LOOKING FOR?
The aspect of cybersecurity most within our control as a firm, and within your control as well, is not falling victim to phishing scams. The term "phishing" (and the idea) has been around for a long time. It's probably something we've all heard of. But the techniques of the criminals have gotten a lot more complex (and, dare I say, elegant) in recent years. This month, we conducted training for the SoundView staff to ensure we were all on the same page when it comes to this threat.
Phishing is most closely associated with emails: emails with links pointing to fake websites or attachments that aren't what they seem. Basically, someone is attempting to trick you into clicking something that isn't what it seems. With the information they steal, these criminals will do a variety of bad things. The more sensitive the information, the worse the fallout can be. These emails appear more and more legitimate every day. They could appear to be from companies you know: your bank, Schwab, Pershing, your 401(k) provider, Microsoft, etc., or even from individuals you may have had contact with in the past.
Here are a few things to look for to spot a phishing email:
The email is unsolicited or unexpected – from out of nowhere
The "from" address doesn't seem quite right – it's close to the name of the company, but not quite
There are spelling, grammatical, or formatting errors that seem… (sorry for this)… fishy
The essential info you "have to see right away" is in an attachment (not in the body of the email)
STOP, COLLABORATE, AND LISTEN
Most email clients have spam filters in place, and some are pretty good, but they're not going to catch everything. The crucial thing you can do to protect yourself from getting fooled into giving away your personal info is to STOP! Do you know that big red sign on street corners? The octagon? That one: STOP!
Just stop, take a deep breath, and reread the email. We're conditioned to click. We LOVE to click. Clicking feels right and good. But that's how we fall victim to these things: by clicking instead of thinking. Before you click, think. If you have any doubt whatsoever about the authenticity of the email, DO NOT CLICK. I promise you the world will not end if you don't click the link, even if the email turns out to be real.
Additionally, never send personal information via email (passwords, Social Security number, full account numbers, date of birth; you know the drill). Don't open any attachment if you're unsure about what it is or who sent it. SoundView Advisors will never ask you to send private or personal information over email – we use a service called ShareFile for secure, encrypted (and SEC-compliant) file transfer.
I'm not trying to scare you, but I AM trying to scare you. Giving away sensitive information won't ruin your life entirely, but it will be a source of frustration for a good long while.
BUT, WHAT IF I?
No one is perfect, and falling victim to one of these crimes is not a badge of shame. So, if you believe you have inadvertently been a target of a scam like this and have divulged credentials to a website, log in and change the password right away (if you can). If you are unable to, contact the customer support of the site and let them know what the situation is. They will help you.
If you believe financial accounts may have been compromised, let us know right away. This is part of our job, and we are here to help. We will never be too busy or too involved in other projects not to make this a top priority. I cannot stress this enough; please involve us if you even suspect any of your financial accounts may be or have been compromised. We’ll do everything we can to help.
BETTER SLEEP
I trust you see we take this stuff seriously. It's a big deal to us because YOU are a big deal to us. Your trust, finances, and future are important to us. We're far from a perfect firm, but we always endeavor to be learning, growing, staying informed, and safeguarding everything within our control.
My co-worker Julie just told me this morning the results of our external phishing-simulation audit came back. We didn’t tell our staff this would be happening, and no one fell for it. Not one employee over multiple weeks “clicked”. That’s a nice feeling. I’ll sleep a little more soundly tonight, I suppose.
Tell you what: I’m going to hit “save” on this article, go make a cup of coffee, sit on the porch, and listen to the rain on the roof. And, for as long as I can possibly justify it, I’m not going to click on any links at all.
You’re welcome to join me.