The Fiscal Feminist


My Cybersecurity Nightmare

Pipe

*The following incident involved my personal identity, personal phone number and personal financial accounts. My professional communications with The Bahnsen Group, occur through a highly encrypted system that is protected to a strong industry standard, and none of my professional communications were compromised.

Special thanks to Kenny Molina, Associate, Solutions and Analytics, at The Bahnsen Group, for his research for, and collaboration on, this article.

My cell phone suddenly had no service on a Tuesday in April…

What????  My bill was fully paid and up-to-date, of course, I am the Fiscal Feminist, so I endeavor to be financially organized!  I had a doctor’s appointment in the early afternoon, and prior to walking into the doctor’s office, my phone had service and was working fine. I came out of the doctor’s office a half-hour later, and nothing, zilch, no phone service. I was wondering if there was a national emergency as I knew my bill was in good standing.  What to do?

I couldn’t call Verizon because I had no service, so I dialed 611 hoping that would work, and luckily got a customer service representative, who told me that Verizon had no record of me or my phone number. How could that be???  I had had that phone number and account with Verizon since 2009. Impossible I said, Verizon must have some knowledge of me and my account.  Two hours later and after a long, frustrating phone call, Verizon determined that my phone number had been “ported”.  What did that mean?

Essentially, when a phone number has been “ported”, it means a fraudster has taken over your mobile phone account and phone number, and, seizes control of your phone number.  This allows fraudsters to then use your phone number to seize control of many of your other accounts, including financial accounts.  And that is exactly what happened to me.

The next thing I knew, my bank had emailed me confirming that I had changed all my internet banking login details, which I categorically had not done.  When I tried to login to my bank account, I was locked out!  The fraudsters had taken control of my bank accounts, as though they were me, and were wiring money to outside accounts.  I was unable to see what was going on, and, had to rely on the bank to inform me. Further, the bank was questioning if I was somehow involved with the fraudsters, if I had provided them inadvertently, or intentionally,  with my details, which I absolutely had not.  From there, it continued to spiral, with the fraudsters using my American Express card.  When I discovered this at 5:30AM the next morning after my phone number was ported, I swung into action to protect myself.

Fiscal Feminist PODCAST

Where are we in 2019 with Cybersecurity breaches and Identity Fraud?

According to a study by Javelin Advisory Services, after three years of successive increased fraud rates, the overall fraud incidence rate fell in 2018.  However, this was in the area of fighting card fraud, and unfortunately, there has been a resurgence in higher impact fraud such as account fraud, account takeover and misuse of non-card accounts.  Mobile phone account takeovers are on the rise, increasing by almost 60% in 2018.  New account fraud is also on the rise with losses increasing from $3 billion in 2017 to $3.4 billion in 2018.  Common targets include mortgages, student loans, car loans and credit cards.

A recent study by Norton/Symantec stated that as of 2018, 60 million Americans have been affected by identity theft which is almost 20% of the population.  Malicious software, known as malware, is now not only affecting laptops and desktop computers, but also now mobile devices. New malware variants for mobile devices increased by 65% in 2017, and many malicious apps were found in the Lifestyle category followed by music and audio apps and books and reference apps. Hence, use of third-party apps (apps which are made by someone other than the manufacturer of a mobile device or its operating system – which are the majority of apps used), when downloaded can infect your smartphone or tablet with malicious software.

That coupled with all the information we share with various entities, which usually includes your name, address, phone number, credit card information, birthday or social security number, put our information in harm’s way due to data breaches of such organizations.   Hence, if an organization has your information, a cybercriminal may be able to access it.  The United States is the number one target for targeted attacks, and according to a study from Juniper Research, cybercriminals will steal approximately 33 billion records in 2023!

Why did this happen to ME???

During this very terrifying and nerve-wracking experience, I was trying to figure out how someone could have gotten access to my user names, passwords, and pin numbers.  I felt very violated, and I ultimately discovered that my personal email account had been hacked, and my private information was being sold on the dark web repeatedly.  So how did I get to this point?

This debacle appears to be the result of a confluence of factors.

  • It could be related to my debit card being compromised in January. This involved a series of charges on my debit card that occurred within a 36-hour period that far exceeded all limits. Further, my bank’s fraud department did not notify me, however, I did get a call that looked like it was from my bank (their phone number and name popped up on my phone screen), but it was not actually my bank calling because the bank number was “spoofed” (this means a hacker impersonates another user on a network in order to steal data, spread malware or bypass access controls).   Although I did not give the fraudster impersonating a bank employee, any personal information, they apparently already had it.
  • I had a very easy password to my personal email address that did not include special symbols or capital letters, and I had been using this email password for approximately 9 years. And to compound the problem, I used that same password for many accounts.
  • I used the same pin number for multiple accounts, including my Verizon account and my bank account (just writing this I feel like a dolt!).
  • I did not routinely update my personal computer at home when I got notifications to do so. I put it off and then ultimately forgot.
  • I routinely used the internet in hotels and in airports – which is totally unsecured and a hacker’s delight!
  • I didn’t use two-step authentication when possible.
  • EVERYONE NEEDS TO WATCH THIS COMPILATION OF SHORT VIDEOS – EYE OPENING and now I know how that spoofed call had something to do with my cyber meltdown HERE!  

 How did I fix this – what to do when this happens??

We, at The Bahnsen Group, recommend a cybersecurity company, called Global Guardian, to our clients for proactive protection of their cybersecurity.  I immediately called Global Guardian and they came to my home to evaluate my home system and to evaluate if it had been compromised.  It had been compromised, and even though I had just purchased a new router, that had already been compromised.   Through the email hack, my systems had been totally infected. Global Guardian helped me to set up a new system, shared with me best practices regarding all things cybersecurity, and I retain them now to essentially encrypt my home computer system, my laptop and my phone, along with monthly monitoring of all traffic and blocking of suspicious activity before it enters my system.

Due to the upheaval in my life due to this compromise, I decided that I needed the extra protection, however, there are several things that should be done immediately once you have been breached.

  • Isolate:
    • Immediately reach out to all credit agencies, banking institutions, investment accounts, and credit card accounts, and freeze or close the accounts. I immediately closed my bank account and changed banks altogether, and froze my credit agency accounts.
      • When you freeze your credit agency accounts, the freeze can be lifted when needed.
    • Research the scope of the problem; i.e. how would they have gained access?
  • Deny
    • Change passwords on all accounts.
    • If your email account has been hacked, delete it, and set up a new one (even if it is inconvenient!).
    • Place fraud alerts on your existing institutions and accounts.
    • Setup/add notifications at your financial institutions
      • g. card not present transactions, online transactions, transactions over a certain limit.
    • File reports with FTC, local police station, etc.
      • Banks and credit card companies may place the burden of proof on the consumer in relation to fraud investigations; I was instructed to file a police report at the local police station where I live, and the bank requested a copy of this in relation to their own fraud investigation.
    • Monitor
      • Sign up for credit/online activity monitoring.
      • Frequently monitor your account history.
      • Access your detailed credit reports (free from all three major bureaus once a year) and reconcile information. I pay a monthly fee to have access to all three credit bureaus’ reports and activities, so I can monitor it regularly.

How can I be proactive and prevent this from happening?

  • Don’t be lazy like I was and keep everything too simple!!!
  • Utilize password management tools. I now use LastPass, as my password manager generator for a low monthly fee (you get to try it for a free trial period).
    • Most consumers have access to other helpful tools through their phones; iCloud keychain and Samsung Pass are examples.
  • Setup two-factor authorization and alerts for as many services as possible.
    • The more complicated the security systems we have in place, the harder our accounts are to access.
  • Be very wary of online auto-fill settings!
    • If they gain access to your credentials/computer, they will get the keys to the kingdom—that is what happened to me!
  • Do not use the same email address for all things. Create several email addresses for different activities.  For example, create an email address dedicated to online shopping, one for bill payment, and one for personal emails.
    • Do not use personal identifiers in the email address – use aliases.
    • Consider using a ‘throw-away’ email for subscriptions and memberships.
  • Limit the value of the information you give away to non-essential institutions.
    • Give as little information as possible (don’t fill in phone number and address if it is not required).
  • Limit the information that you make publicly available.
    • Social engineering is an on-going concern and people make it too easy to become familiar with their habits, movements, hobbies, personal lives.
  • Trust but verify.
    • Most of us are too smart to send money to a stranger but the moment we see a familiar number or email we forget about common sense.
      • g., if an email from a family member is received asking for money, give them a call or use another means to verify the request … verify through multiple sources before taking any action when sending money or divulging information.
    • Do NOT use the WiFi in a hotel or at the airport! These are unsecured networks and hackers have a field day wandering around them.  Use a mobile hotspot for a secure, private connection.  Most smartphones have a built-in mobile hotspot function, or you can buy a portable hotspot such as a Verizon Ellipsis Jetpack.

The Upshot

Be vigilant!  Cybersecurity breaches are going to continue and affect an increasing number of people. It is worth the extra time that it takes to set up precautions against possible breaches.  Please learn from my mistakes.

Kimberlee Davis, J.D., CDFA® is a Partner and Managing Director in The Bahnsen Group, a wealth management practice with offices in Newport Beach, California and New York City.

Tags:

The Bahnsen Group is registered with HighTower Securities, LLC, member FINRA and SIPC, and with HighTower Advisors, LLC, a registered investment advisor with the SEC. Securities are offered through HighTower Securities, LLC; advisory services are offered through HighTower Advisors, LLC.

This is not an offer to buy or sell securities. No investment process is free of risk, and there is no guarantee that the investment process or the investment opportunities referenced herein will be profitable. Past performance is not indicative of current or future performance and is not a guarantee. The investment opportunities referenced herein may not be suitable for all investors.

All data and information reference herein are from sources believed to be reliable. Any opinions, news, research, analyses, prices, or other information contained in this research is provided as general market commentary, it does not constitute investment advice. The team and HighTower shall not in any way be liable for claims, and make no expressed or implied representations or warranties as to the accuracy or completeness of the data and other information, or for statements or errors contained in or omissions from the obtained data and information referenced herein. The data and information are provided as of the date referenced. Such data and information are subject to change without notice.

This document was created for informational purposes only; the opinions expressed are solely those of the team and do not represent those of HighTower Advisors, LLC, or any of its affiliates.