The Latest on Data Security
Every couple of years we provide clients with an update on cybersecurity and overall data security. This update comes with two goals: to inform clients on our progress on these fronts and to share with you what we’re seeing in this ongoing battle.
Provident is in the early stages of a cybersecurity consultation with Charles Schwab and our IT partner, N2M Technologies. This project isn’t undertaken as a result of any known problems; rather, it is a proactive effort to identify areas needing improvement. The bad guys keep getting better at hijacking data, so we need to keep improving as well.
Over the years we have taken a range of steps to improve our defenses. These include moving key applications to “the Cloud” where large companies with cybersecurity budgets many times greater than our revenue work to safeguard our clients’ data, and the use of two-factor authentication in critical applications. Our most recent improvement was the addition of an email monitoring system that attempts to weed out suspicious communications. This is one of the few changes that is visible to clients as our emails include the message “This email has been scanned by Trend Micro Hosted Email Security.”
Our cybersecurity consultation will likely result in additional changes, and we hope to keep our efforts largely behind the scenes like our past steps. Even though you may not be able to see the fruits of our efforts, know that keeping client data safe is considered mission-critical at Provident.
Moving on to general trends in data security, we’re seeing a mix of old and new tricks from data thieves. “Phishing” attempts continue, but the tricksters are becoming more convincing. “Phishing” refers to emails, and now text messages as well, that try to lure you into clicking on a link that allows hackers to gain access to your device. Once in, the hackers can monitor communications and log keystrokes to steal user IDs and passwords or even enough data to open accounts in your name (known as “ID theft”). These messages typically come from what appears to be a trustworthy source such as your bank or Microsoft, warning of dire consequences if you don’t renew a software license or update your password.
Phishing emails used to be almost laughable with poor spelling and grammar. They have become much more convincing, but the goal remains the same: to instill fear that causes users to let their guard down and click on a link or an attachment that can contain harmful computer code.
A client had a costly experience after clicking on a link purportedly from Microsoft saying that his/her computer and cell phone had been compromised. The email included a phone number to call for help. It didn’t turn out well as the phone number was as fake as the email.
Defend yourself against phishing by being skeptical. If an email purporting to be from a financial institution claims that your bank or credit card account has been locked, don’t click on anything and don’t call the number listed on the email. Instead, pull out your credit or debit card and call the institution at the number on the back of the card. If an email claims your phone or computer has been hacked, call your phone company or run your computer’s antivirus program.
We’ve seen many emails supposedly from Amazon confirming a large purchase made on an account. If you don’t recognize the purchase, it is tempting to call the number in the email to block the purchase and get your money back. Instead, look at your Amazon account online or on the app; every time I’ve done this I have found no such purchase. But the emails initially caused an “adrenaline rush,” almost enough to override my experience that these emails are fake.
Sometimes the tricksters aren’t employing technology to get their way. One client reported check forgeries after sending checks to charity. Someone stole them from her mailbox and used acid to erase the payee on the check, then proceeded to forge the check to pay their own bills.
The forgeries came to our client’s attention because she kept tabs on her bank account. Seeing the wrong payee on a payment, she called her bank. They traced it back and recovered her money, but only after many hours on the phone. If you keep your computer secure, paying bills online is generally safer than mailing checks. If you must mail checks, consider dropping them off at the Post Office or in a standard blue Post Office receptacle, preferably in an indoor location to reduce the odds of tampering. And by all means, review your statements so you can spot theft if it occurs.
Recently, Provident received an old-fashioned fraudulent phone call. The caller claimed to be from a large business service provider we use. He was attempting to collect on an overdue bill. It mostly made sense except for a few puzzling aspects. He referenced an old Seger-Elvekrog.com email address that we had decommissioned, but even that made some sense as it would explain why we hadn’t received notification of the overdue bill. I was sufficiently convinced that I gave him my email address so he could send a new bill. But he kept insisting that he could “help us” make the payment, even when I told him we would review the invoice and pay it if appropriate. After the call, I checked the vendor’s website. There was no overdue bill and no email ever arrived.
Whether by email, text, telephone or snail-mail, data thieves are becoming more clever and we have to take steps to defend ourselves. Be skeptical of communications urging you to click on a link or attachment, or to call a number they provide you. Even if the communication appears to be genuine, call the company at a number you know to be correct, not one provided to you in the communication. Sometimes these emails will be real, but the only way you’ll know is by contacting the company yourself. Keep your cyberdefense/antivirus programs up to date. Review your monthly statements. The goal isn’t perfection. That is an unattainable standard as even the largest organizations and government bodies seem to be vulnerable to hacking. The goal is to not be an easy target.
Scott D. Horsburgh, CFA