Cybersecurity: How to Protect Your Finances from Cybercrime
In today’s digital age, cybersecurity has become more important than ever. With cybercrime on the rise, it’s crucial to know how to protect yourself and your data from online threats. On this episode of Your Life Simplified, Michael MacKelvie, wealth advisor, sits down with Chris Cook, senior vice president of information security, to provide you with valuable insights into the world of cybercrime and how you can safeguard your personal information.
Transcript
Michael MacKelvie: Why you should really care about cybersecurity when it comes to your finances. That’s what we’re going to talk about today.
Sitting here with Chris Cook, industry cybersecurity professional. He’s going to help us answer some questions here today. How are you doing, Chris?
Chris Cook: I’m great.
Michael: So, Chris, I started off today actually pretty hot. I remembered my password. And any day that I hit that, especially on the first try, especially if it’s a password that I haven’t at least entered in the last few calendar days, I feel pretty good. But what about you, man? How many password resets would you say you’re averaging every week?
Chris: Oh, man. Across the firm, I would say, I don’t know, a few daily. We try to really make it so you only have to remember one, maybe two, a password safe, plus logging into our main system. But passwords and password complexity is definitely a big issue.
Michael: Yeah, it’s a big issue. Unfortunately, it’s kind of seen as an annoyance. So when you have to reset your password, there’s some friction there, and it’s like people, at least I get this way, I don’t know if you feel this way at times, but it’s like, “All right, just get me in.” There’s so many little barriers, any time there’s friction to anything, it can become an annoyance. But again, we’re here to talk about, and I’ll be honest, in doing just a little bit of research into this topic, it actually really changed my perspective of it. And we’re here to talk about the reasons why it maybe shouldn’t just be viewed as an annoyance, but some steps that you can take in protecting yourself, and why you should really care about this, especially in this day and age. And I guess my first question, with that being said, is why is this becoming increasingly important?
Chris: I would probably start by saying that information data, at its lowest form, is currency. And I think since the dawn of time, someone has always been incentivized in some way to take that away from you. And so that doesn’t make this any different. And I think that until people are refusing to pay for illicit information, your Social Security number or your email address or your home address or any of those kinds of things, this will be a persistent risk. And I think it’s one of those things that just gets more evolved, it gets faster, which lead to things that happen to be more complex to slow some of these actors down. And unfortunately, in our case, advisor, the associate, they have to bear those complexities. And I think you as an individual, have to do the same thing. Nobody likes changing their credit card number in every single online website they have when it gets compromised. So that is the tactic. That is the tool they have. And I think, like I said, everybody has to just feel the pain from some of those things now.
Michael: Right. And it’s really easy to forget the ease of use that technology really provides us. You mentioned credit card right there. I was thinking of my dad, and growing up and just watching him do the bills every week, actually writing out physical checks and sending them in and how just everything is on autopay now. So it’s like when these systems are working correctly, it obviously really makes everything easy for you, but that doesn’t mean that it can’t be compromised. And when that does happen, obviously it can feel like an annoyance, but there’s really an importance there. And I guess that brings up another question, which is, let’s just say we have an individual investor. What are some of the basics and steps that they should take when it comes to really maybe cyber proofing or at least improving the cybersecurity of their financial well-being?
Chris: Great question. There are a few different routes we could go to attack this question. I would say, first and foremost, without a doubt, the thing that I recommend to everybody first is to freeze your credit. It is something that used to be extremely painful. And so a lot of people, I think, have a bad taste in their mouth from doing that in years past if they’ve done that. But ever since the compromise of Equifax, there’s been a lot of substantial pressure to allow the ease of that, and to remove the fees of doing so, to where now you can just do it from apps on your phone. It is a painful process if you forget your passcodes or your logins or those kinds of things. So maybe I should say a password safe is number one. But freezing your credit, without a doubt, will prevent the largest risk and the most damage to your financial life, for sure.
Michael: So, when you say freezing your credit, you mean if you lose a card or if it gets compromised or something like that?
Chris: No. So freezing your credit is actually where anybody who tries to attempt to run your credit, to open a new credit line, i.e., buy a house or open any large loan, will not. It’ll be denied instantly, and you’ll be notified that it happened. Even credit inquiries and things like that, all get logged. And so, in those situations, you’re preventing yourself from having any of these massive things that you don’t know about. I don’t know if you read the news. Some of the stuff that makes the news is somebody will have bought an RV across the country that they didn’t buy. It’s the same as people that file tax returns. And all of this comes with the using of data when you don’t know about it. And freezing your credit is kind of one of those things that you put a stop at an institutional level that will prevent them from doing you personal damage.
Michael: Gotcha. Okay. And the way that you could do that, what is a way that somebody would do that?
Chris: So there are three main credit bureaus, Equifax, Experian and TransUnion.
Michael: I’m taking notes by the way, man.
Chris: The three of those, they all have mobile apps now. It’s a little easier on the website, at least to set it up initially. But what you’ll do is you’ll go through the process of authenticating yourself, identifying yourself. You have to put in some personal information, things like that. It’s basically everything you would need to do to perform a credit check on yourself. Once you’re done with that, they just go into freeze state and they will be frozen in perpetuity until you unfreeze them. But there’s also this theory, this mechanism called a thaw. And so people are like, “Well, I don’t want to have to go through this,” and things like that. And a funny story, I think we were going through trying to get preapproved to refinance our house when rates were still low. And I was like, “Yeah, we should probably do this.” And I was on the phone with the mortgage lender, and they’re like, “Hey, we can’t run your credit. This is the last thing. Rates are pretty volatile. We want to lock this in.”
And I was able to unthaw my credit while I was out for a walk in my neighborhood on my phone. So the thaw is just a point in time. So a week, a day, 48 hours, that you allow new credit inquiries to be accepted. And so that is really the mechanism that you should use coming into wanting to open a line of credit or do a HELOC or even go purchase furniture or something like that on those 0% loans. Any of those things would all apply, but the thaw mechanism is really pretty simple.
Michael: That’s really helpful. Yeah, that’s really helpful. So again, if I’m understanding correctly, again, there’s a few different ways that you could do this, you freeze it, and then at moments that you need maybe a large credit event, you would thaw it out, which is a fun usage of words there to use it. And I think another question that comes up sometimes, because we see fraudulent charges that occur with credit. And a lot of times, I think the assumption now is people do get covered in those events, which is interesting because it feels like it’s changed. So I’ve seen events of friends of mine, they’ll say, “Well, somebody just used my credit card in Mexico, or something like that. And I reported it, nothing happened. But obviously that person was able to use it to purchase something.” What’s the likelihood now where you have that fraudulent activity, and it doesn’t get refunded by the credit company? So what is the protection that’s there if you don’t follow these steps?
Chris: I’d say it’s still relatively low, unless it happens a lot. So they do in fact keep track of you. So if you’re one of these people that denies charges consistently, they’ll deny you from being a client of a customer of theirs over time. But it really is pretty simple. Usually, it’s like you had a charge at a gas station local to you, and then you have another charge in Mexico an hour later, it’s like, I don’t think you could probably do that. And so a lot of them are pretty straightforward. But to that point, the big thing is not the financial loss for them, and it’s not the risk that you’re going to have to pay it. It’s that anytime that that happens, instantaneously, you have to go through the act of changing your credit card and everywhere that is saved and every bill that gets paid on it monthly or anything like that, all has to be changed.
And it is long. It is usually 40, 50, 60 places that you’ll find over the course of the next five to six weeks. So like I mentioned at the very beginning, it’s like the complexity now lands on the customer to solve this problem. So it’s not financial, but it definitely has its own toll.
Michael: Definitely. There’s the obvious annoyance that’s there, which compounds if you have to go back and change everything. What about sometimes, where I think about this is in email exchanges. And so when I’m emailing a client, making sure that I secure that message, if you will, by encrypting it when I send documents or just personal information to a client. But for somebody that’s out there that is emailing, maybe, and doesn’t have this encryption service, what should they do? What are some things they should think about beyond just, “Hey, you probably shouldn’t click on that link from Nigeria”? What are some things that you should think about while you are maybe emailing or just in the process of just, I guess as a consumer, talking about confidential or personal information?
Chris: Great one. So when it comes to email itself, email is probably, without a doubt, the largest risk to our business, and also the easiest way to compromise you personally usually because you’re clicking on it from of a computer, that is it’s all these complexities, this burden that we talked about at the beginning. It’s like you have to make sure you have all the applications up to date, make sure you have the operating system up to date. Make sure you have all these things to avoid it. But it’s also a good point for social engineering. So even if someone’s not giving you a bad link to click on, they could be impersonating someone else. So it’s like someone else could be compromised, and now they’re talking to you as that person. They’ve read all their previous messages, they know who they are roughly. Maybe it’s someone you’ve done business with, and you can reach out to them with a heartfelt help. And it happens every day where people are stuffing $100 bills in between the pages of books and mailing them across the country. It is something that is, I think, continuing to grow.
But to give you some practical tips as to what can really prevent compromise in these situations is just hovering over… in a lot of cases, not knowing what you’re looking at this on, is clicking on the name of the person that sent it to you, or if you’re on a computer, just hovering the mouse over the top of it. Both of those things will tell you the exact email address that it’s coming from. It’s very, very easy to make a fake email address that looks like it comes from me, to put my name on it as the first and last name. And for ease, the email comes in and says, “Oh, it’s Chris Cook. Great.” Well, one, it’s an extremely common name. And two, it can be any email address underneath it that looks that way. And that’s what we see most of the time, is just impersonation is what we call it, and it is probably the easiest basis of attack.
Michael: That’s funny, I am flashing back to when I was in high school. And there was a prank that we’d play on some of my teammates. We’d be on these trips for basketball. And one of them was we would make fake emails of the North Carolina assistant coach and send a recruiting email to a teammate of ours while we were on a trip. And the idea of it was to, so he would read that and get all excited about it, and then we’re all sitting there, we start laughing about it. But just even at that time, we were watching 17-year-old friends of ours, truly get bent out of shape, so excited that they were getting this email from a North Carolina assistant that they were getting recruited to play basketball there, and completely fooled them. That was over 10 years ago now, and that was us just having fun within a five-minute span. So I think being cautious and mindful of who is actually sending that email, making sure that it truly is coming from that person is really important. I don’t know.
Chris: Yeah. They always call this harmless crime. Cybercrime in itself is usually called harmless crime. There are people that have done unthinkable things to themselves and others based off situations they’ve been in because of digital crime. So I wouldn’t blanket call it harmless, but a lot of these people are just doing their job. When you do research on where a lot of this comes from, there are rooms, if not warehouses, of people, that are coming to work for an hourly wage to scam-call you, to send you emails, to do research into the dark web and collecting email addresses and passwords that have been leaked from other websites, to doing everything that they can. It’s a play of numbers. It’s a game of numbers. It’s really trying to… the wider net they cast, the more people they catch, because when we think about personal security… yeah. When we think about personal security in itself, it’s about not being the last person to get at the end, when you’re being chased. It is not being the low-hanging fruit, if you will. If you do more than average in terms of research and being vigilant in some of these preventative things, you’ll be too hard to compromise, and nobody will want to put forth the effort because there’s still so many others to compromise, who aren’t willing to understand, learn, gain the knowledge and just the basics of some of this stuff.
Michael: That’s a really interesting and great point of just not being the low-hanging fruit. If you put up some resistance as an investor, as a personal means of defense, it will deter that person because there are others that will not. I think that is just, if we’re going to summarize this episode, that’s probably one of the best ways to do it, which brings up another question. We’ve talked a little bit about emails. We’ve talked a little bit about what you can do with your credit. What about just backup and recovery? This is another thing that comes up, I guess for me, because everything that you have now in this digital world that’s even just on your phone, and there’s the cloud, and it’s like, “Okay, well, where is that going?” But there’s also all this information you have on your computer. What is the best way to really back up your important documents, store them, and also what’s the importance of that?
Chris: It’s going to be very hard for me to stay away from mentioning specific products in this because I think there’s some really, really good ones.
Michael: There’s no affiliate links here for us.
Chris: But I always like to try to relate some of these scenarios to real life. And when you think about the things that you hold most dearly to you, a lot of people use stuff like fire safes or safety deposit boxes or things like that. And then when it’s on a computer, you have this false sense of security, like the hard drive that it’s running on or the computer that it’s inside is going to last forever and be infinitely accessible and all the data will be there forever. And that confuses me some, but I think that’s the point where the education is the most valuable, is that just how vulnerable stuff is when it’s just sitting on a single place, a single computer, a house fire, ransomware… any of these things will take that away from you, where it’s potentially unrecoverable completely.
And a lot of this, a lot of the tears that I’ve seen in my history, whether it’s my friends or family members, their friends and family members, they come to me in these really dire situations where they’re like, “All of my birth photos from when my kid was born was on this computer. Is there anything you can do?” We have clients that call their advisor, their advisors call us and say, “Is there anything that we can do?” And there are some things that you can go through recovery processes, but it’s so much easier to either back them up manually onto a flash drive and put them in your fire safe, like the old analog way of doing things, or to find a good reputable backup service that encrypts your data, very much like a password safe would or any of those things that has…
Michael: Would Drive or Dropbox encrypt, let’s just say, the more normal cloud-based storage systems that are out there?
Chris: That’s a great question. Typically, no, especially the free ones. So when you think through them offering you free services, we’re the ones that read all the end user license agreements that you click okay to when you sign up for these things. A lot of those say, “There’s no duty for us to restore any of that information if we lose it.” Because it’s a free service. And so if you’re paying for it, they will save it for you, but it’s still not encrypted. So if they get compromised, it’s gone.
Michael: Interesting. That is fascinating. And again, it kind of brings up this point, you mentioned this false sense of security. But if you think about how much of your life is just digitally stored now, the thought of me losing photos, it would be like going on a vacation and someone stripping the memories of that vacation. You would feel as though, okay, what was the purpose of going on that vacation? It’s maybe not the exact same effect, you would lose all the memories, but the thought of losing photos, in a lot of ways, it’s like truly losing memory, and that is so valuable to us. So just even personally, the importance of backing it up, jumps out. And you mentioned again, this false sense of security.
And I was thinking of, it’s really like you take a step into anything and you find complexity. You find more and more complexity. I think a computer is perhaps one of the greatest examples of this. But when that computer breaks down, or let’s say somebody were to hack your computer, just whatever reason, it physically gets damaged, you lose access to those memories. You’re kind of instantly met with that complexity. It arises in a way that it reveals itself where it’s like, “Oh, that’s right. This isn’t indestructible. This can actually be lost.” And unfortunately, it’s those moments where we finally get motivated to take these steps. It’s the pain factor, if you will, that actually gets us to take the steps we need to take, which shouldn’t be the case, especially with something as important as this, right?
Chris: Yeah. It’s unfortunate, I think, because that’s when the damage is done, and in a lot of cases, it’s unrecoverable. And so maybe you’ll do better in the future, but what if this doesn’t happen to you until you already have all of these memories and all of these years captured? I recommend people do three methods. Just me being a computer guy, obviously, I’m probably a little bit more drastic than most. Having them in two places is what I would say is the best. And I’m not talking just photos, which is what people naturally gravitate to. I’m talking about digital copies of your trust and all of your estate documents, your living wills, your power of attorneys. All of these important documents are, in a lot of cases, able to help you be recovered, even if the physical one is lost.
So say your house burns down, you lose your passport, you lose all these other kinds of things. Some of these agencies will actually take a copy of it as kind of like, “Hey, we did give them. We did already do this once.” And I’ve even seen in cases where they’ve used scans and stuff like that as evidence in court and stuff, if the original has been damaged or lost. So make sure that you have not only just your photos in two different places, but anything else that is personal and private to you. An easy way to do it is to put it at a family member’s house. Usually, if one thing would happen at your house, it wouldn’t happen at the other. So back in, before all of this cloud storage days, I used to back up all of my stuff. There’s time machine on Apple, there’s Windows backup services that’s on Windows computers. Everything is free and already installed for you that you can use to back up to an external hard drive. Just make sure that external hard drive is then safely secured somewhere else at someone else’s house.
Michael: That’s a great point.
Chris: And so I used to do that for years. But there’s literally encrypted backup services that cost you no more than 50, 60 bucks a year. That has to be some of the cheapest insurance, I think you can probably buy for what it’s safeguarding.
Michael: Yeah, that’s a big takeaway for me, especially given what you said about Drive and Dropbox and Apple. Another thing I was thinking about, I was connecting at the airport the other day to the public Wi-Fi on my phone. And I don’t know if anybody else thinks through this now, but it’s like every time I take that step of hopping on a public Wi-Fi, there’s something in me that’s like, “Okay, is this really safe?” If I’m sitting in a cafe or in an airport and I’m using my phone and I hop on public Wi-Fi, am I safe while I’m on that? You feel a little bit more safe at the house, just with your own Wi-Fi. From what I could see, there’s nobody in my lawn currently trying to hack into my Wi-Fi, but maybe they’re on the back side of the house. I don’t know. But what should you do there? Is there anything you should be thinking about before joining a public Wi-Fi?
Chris: When you’re on public Wi-Fi, imagine being in a pitch-black room with 50, 100, 1,000 strangers. Do you trust all of them? Because that’s effectively what you’re doing when you connect to those public Wi-Fi systems. And I know that sounds very, very scary when you think about in the physical world, you don’t know what’s going on or who you’re bumping into or anything like that, but there’s vulnerabilities called zero days that come out for your computer the day that are already actively being exploited, meaning that people are breaking into systems and things like that.
So there’s periods of like where the risk is higher and the risk is lower. But the vast majority of people don’t update their computer. It’s very annoying when this pops up and it’s like, “I have to do Windows updates, or I have to do a system update.” They’re like, “Yeah, let’s do it later.” Even here, I see people do it in meetings when they’re presenting and stuff like that, which obviously you can’t, but it’ll be hours if not days until it prompts again, and then you actually follow through with it. So in those cases, where you may be missing some of those updates, it’s very easy for someone to attempt to exploit you on a public Wi-Fi system. And then what they typically do is, one of the easiest things that used to work, and still does, I think, to some capacity is, have you ever gone to a website where you just go back to it and you’re already logged in?
Michael: Yeah. Yeah. Google does that, right?
Chris: It’s for convenience.
Michael: Yeah.
Chris: Well, that’s usually because you have what’s called an authenticated session, or you have a cookie that stores the session information just in a folder in your browser. And so what they’ll do is they’ll go steal all of those files, they’ll put them on their computer, and then they’ll start going to Facebook and Gmail and all these other websites, because one, they’re in the same place as you, they have the same IP address as you, they look very much just like you to the businesses they’re going to. But in a lot of cases, they’ll just trust that cookie and they’ll just be logged in as you to some of these sites. So places you don’t… This is where two-factor authentication makes a huge difference because in a lot of cases, it’ll detect stuff like that. But that’s one of the easiest ways that people will exploit public Wi-Fi systems.
And I don’t think I can scare you this much or give you what happens without telling you what I would do and what I do in my personal life is I use a personal VPN on my phone all the time, 24/7. And there’s a few very reputable ones that do it in a very anonymous fashion, i.e., where they’re not tracking you as you’re using it. They tend to be a little bit more expensive than other ones. But in those cases, you can use that. And what that does is give you a secure gateway to all of the traffic that leaves your device, no matter what network you’re connected to the internet on, where nobody can read it. And so people can’t even see your device to connect to it. So it just makes it a lot more resilient to the data you’re sending and receiving when you’re on those kinds of networks.
Michael: Interesting.
Chris: There’s people that drive around all the time just looking for open Wi-Fi points that they can go listen to traffic on.
Michael: It’s crazy.
Chris: Yeah.
Michael: I wish that I could somehow encapsulate you in some type of Siri device that I can bring along with me that’s going to help me encrypt my life, because I know that just in you saying that, there are things I need to take, steps we can all take in our personal, and certainly in our business life, making sure that we’re continually just keeping up to date with all of this because of how important it is. So this was a fascinating episode. We actually went a little bit long just because I enjoyed it so much, I want to keep asking you questions. But for those of you that haven’t, make sure to subscribe for industry insights, from industry professionals here at Mariner. This was a fun episode. Chris, again, thanks so much for joining us. Hope you guys found this helpful and take care.
Mariner is the marketing name for the financial services businesses of Mariner Wealth Advisors, LLC and its subsidiaries. Investment advisory services are provided through the brands Mariner Wealth, Mariner Independent, Mariner Institutional, Mariner Ultra, and Mariner Workplace, each of which is a business name of the registered investment advisory entities of Mariner. For additional information about each of the registered investment advisory entities of Mariner, including fees and services, please contact Mariner or refer to each entity’s Form ADV Part 2A, which is available on the Investment Adviser Public Disclosure website. Registration of an investment adviser does not imply a certain level of skill or training.
The views expressed in this podcast is for educational purposes only and do not take into account any individual personal, financial, legal or tax considerations. As such, the information contained herein is not intended to be personal, legal, investment or tax advice. Nothing herein should be relied upon as such, and there is no guarantee that any claims made will come to pass. The opinions are based on information and sources of information deemed to be reliable, but Mariner Wealth Advisors does not warrant the accuracy of the information.
Asset allocation/diversification is a strategy designed to manage risk but it cannot ensure a profit or protect against loss in a declining market.
CERTIFIED FINANCIAL PLANNER™, CFP® and federally registered CFP (with flame design) marks (collectively, the “CFP® marks”) are professional certification marks granted in the United States by Certified Financial Planner Board of Standards, Inc. (“CFP Board”). The CFP® certification is a voluntary certification; no federal or state law or regulation requires financial planners to hold the CFP® certification.