8 Strategies to Protect Your Online Life

As more people and companies interact online, the threat of cyberattacks and real harm escalates.

Recent news headlines highlight this disturbing trend: Cyberattack on insurance giant disrupting business for doctors, therapists (CNN), Hacking at UnitedHealth unit cripples a swath of the U.S. health system (CBS News), Healthcare providers hit by frozen payments in ransomware outage (Reuters). 

According to Steve Morgan, the founder of Cybersecurity Ventures and editor-in-chief at Cybercrime Magazine, “If it were measured as a country, then cybercrime would be the world’s third-largest economy after the U.S. and China.” [1] It is estimated that ransomware will cost its victims around $265 billion (USD) annually by 2031 [2]. In fact, the MOVEit data breach that occurred in May 2023 has been verified to have affected more than 85 million [3] people worldwide and was the result of a cybercriminal organization exploiting a flaw in software [4].

While these instances and numbers may seem overwhelming, there are proactive solutions to protecting your online life. In February, CWM had the pleasure of welcoming Tim Villano, cybersecurity expert and Chief Information Officer at Artemis Global Security, for a webinar on personal cybersecurity to showcase the most common ways cybercriminals attempt to breach an individual’s defenses. Villano then provided simple, actionable steps and preventative measures to implement as part of your everyday cybersecurity best practices.

The Cybersecurity & Infrastructure Security Agency (CISA) implemented a Shields Up initiative as a response to the Russian invasion of Ukraine in an effort to counteract state-sponsored hacking attempts. As part of this initiative, CISA also encourages implementation of some of the following steps for individuals and families:

1) Implement multi-factor authentication (MFA) on your accounts (including e-mail, smartphone apps, and social media sites)

Multi-factor authentication requires the user to provide two or more verification factors to gain access to a website, app, or software. MFA can be a confirming text message or e-mail, a code from an authentication app, a fingerprint or facial recognition, or a FIDO passkey. The most secure method is the FIDO passkey option. If a passkey, an authentication app, and biometrics are all unavailable, a text message is preferable to an e-mailed code, as e-mail accounts can be easily compromised.

CISA recommends adding MFA across all your accounts, including e-mail, smartphone apps, social media sites, and gaming and entertainment services. Many financial institutions already strongly recommend the use of MFA, so the next time you log on to your bank or 401k account be sure to set up MFA. Multi-factor authentication can reduce the risk of getting hacked, as this second layer of identification gives the site you are trying to access the confidence that it is really you.

2) Update your software

Be sure to check your devices (smartphones, tablets, computers) for updates as well as applications and web browsers (think Chrome, Mozilla, Edge). When available, turn on automatic updates so you don’t have to think about it. Companies like Apple and Microsoft will push out updates as a matter of course to fix bugs or flaws in their operating systems. Keeping your software up-to-date can deter bad actors from exploiting flaws in the system.

3) Think before you click

According to CISA, more than 90% of successful cyberattacks begin with a phishing e-mail. Rather than clicking on a link in an e-mail, the best practice is to navigate directly to the website the e-mail wants you to access. This way you can avoid any potentially malicious software that can be installed by clicking a seemingly legitimate link. You can also hover over a link within an e-mail and your computer will show you the path embedded within the link – allowing you to verify it is legitimate before clicking.

4) Use strong passwords

Gone are the days of a password with a 6-character minimum saved in a password-protected spreadsheet and reused multiple times across different platforms. Depending on the length and complexity of your password it can take a hacker anywhere from seconds to 26 trillion years to crack your password (see chart below). The best course of action is to use a password manager to generate and store unique passwords (see Resources at the end of this article for a partial list).

[Chart: Brute Force Your Password 2023, Hive Systems]

5) Things to Watch Out For: Common Scams via Phone, Text Messaging, or E-mails

Threat actors, scammers, and hackers search out the weakest link in the line of cyber defenses. Often, the weakest link is you. Here are some common e-mail and phone scams that bad actors employ to catch you unawares and undermine your defenses.

  • Tech Support – Someone claiming to be from Microsoft calls or e-mails you to offer tech support. Companies will NEVER cold call you to offer help. DO NOT provide information to the person on the other end, especially username or password information. NEVER download software from someone calling you out of the blue urging you to download it. When in doubt, don’t answer the phone or just hang up.
  • Browser Pop-Ups – At some point in your online life it’s possible you will navigate to a website that displays a pop-up alerting you that your computer is infected and to call a number to resolve the issue. Simply close out of the window by hitting the “x” button and navigate away from the website. Do not click on the pop-up and do not engage with the message.
  • Billing – You may receive an e-mail or phone call alerting you that a subscription has been renewed and you need to call or click to cancel. Another variation is a notification that your payment processing had an error and you need to click a link to update your method of payment. In this instance, if it is a service you know you are subscribed to, your best option is to navigate to the webpage directly and log in to make changes. If it is a subscription or service you don’t recognize, just delete the e-mail. One way to determine if it’s a legitimate e-mail is to pay attention to the e-mail address it comes from. In this example, the sender e-mail is not associated with McAfee and has a Gmail sending address.
    [Image: McAfee scam invoice]
  • Fright – Another tactic bad actors use is attempting to convince you that your computer has been taken over and that you need to engage with them to get it back. Don’t believe it. Your best course of action is to immediately delete the e-mail or text message. Do not engage or click on any links. Instead, turn off and unplug your computer and immediately contact IT support. (Geek Squad is a potential IT resource for home computer/network users.)
  • Billing & Shipping – You may receive a text or e-mail message that says “There’s a delivery issue, click here to correct it.” Your best course of action is to log in to the website you are expecting a delivery from and check the status of your order there. USPS knows your address and does not need to confirm it. Remember, scammers try to catch you when your defenses are low, so this scam is particularly prevalent during the holiday season when many people are extra busy and turn to online shopping for holiday gifts.
  • Secure file shares – Scammers will send you an e-mail that says “We’ve shared an important file with you, click here to login and download.” This one can be tricky as many companies move to online services such as DocuSign or DropBox for sharing files. As a best practice, if you are not expecting a shared document DO NOT CLICK. If you receive a DocuSign form and were not expecting one DO NOT CLICK. If you recognize the sender, reach out to them to verify that this is a legitimate file share.
  • Free Gift! – As the saying goes, “Beware of Greeks bearing gifts!” If it seems too good to be true, it probably is. Your cell phone or cable provider is not likely to send you an e-card or gift card simply because you paid your bill. Once again, DO NOT CLICK THE LINK and delete the text message or e-mail.
  • Long Lost Friend – Beware of outreach from unidentified phone numbers. The scammer could be trying to confirm your identity or that your number is in service. In this situation, it is best to ignore the text message and delete it.

The bottom line is: Be wary of ANY and ALL links texted or e-mailed to you, especially from unknown senders. If you don’t recognize the sender or the service, or if you were not expecting anything from them, delete the message and do not engage.

6) Things to Watch Out For: Social Media

There are so many ways for us to be connected, and bad actors have found ways to exploit this too. From Facebook and Instagram to X, TikTok, and even LinkedIn, scammers will try to take advantage of your presence (or lack thereof) on social media sites.

  • Refuse unknown outreach – Did you receive a message or connection request from someone you don’t know? If so, ignore and delete the request or message.
  • Utilize multi-factor authentication – As shared earlier in this article, all major social media platforms have the option to set up MFA for a secure login experience.
  • Deactivate or delete unused accounts – Taking a break from social media? Set up protections so that a hacker can’t take over your idle accounts by deactivating the account (if you plan to return) or deleting the account completely.
  • Memorialize accounts – All major social media platforms offer some version of memorializing an account when a loved one has passed. By memorializing an account, threat actors won’t be able to access and repurpose the account for their own uses.

7) The Wild, Wild West and The Internet of Things (IoT)

As the use of Internet or Bluetooth-connected devices increases in our homes, it’s best to understand their vulnerabilities and how you can protect your home network. IoT devices can act as a point of entry for a cybercriminal to access your entire network, spreading malware and viruses to every computer and device connected to it. Examples of Internet-connected devices are: vacuums, light bulbs, thermostats, fridges, baby monitors, security cameras, coffee makers, doorbells, gaming systems, and wi-fi routers. However, with just a few straightforward precautions you can add barriers to these devices to deter and prevent cybercriminals from gaining access to your home network.

  • CHANGE the default username and password that comes with the device
  • UTILIZE multi-factor authentication on the device
  • UPDATE software and firmware on a regular basis
  • ASK FOR HELP or avoid these devices altogether if you are unsure how to change the default username and password or set up multi-factor authentication

8) Artificial Intelligence Concerns

Agencies such as the Department of Homeland Security, the Federal Bureau of Investigation, and the National Security Agency are all telling us that incredible advances in AI are going to be exploited to attack us. The very same AI technology that is used to help us be more efficient and productive in our day-to-day lives is also being used to create deepfake threats that can impersonate people with growing proficiency, leading to increasing instances of fraud. In a recent example of a successful AI deepfake attack, a company in Hong Kong lost the equivalent of USD 25.6 million after an employee met via video call with people he believed to be several other members of staff, but all participants on the call turned out to be deepfake recreations (Finance worker pays out $25 million after video call with deepfake 'chief financial officer').

The best recommendation to protect yourself and your identity from AI recreation is to safeguard your image and your voice to the best of your ability. What does this look like?

  • Don’t answer calls from unknown numbers – Microsoft’s VALL-E voice cloning software only needs 3 seconds of a speaker’s voice to recreate a passable clone [5]
  • Be conscious of the images and videos you share online

If you happen to be on the receiving end of a deepfake scam – one that is currently popular among cybercriminals is receiving a call from a loved one saying they are in trouble and need money – hang up and call or text the person back at the number you have saved for them.

How CWM Safeguards YOU

CWM maintains robust cybersecurity measures and participates in continuous training and education for the team on cybersecurity threats. We encrypt and protect your information. We utilize a secure Client Portal to communicate sensitive information. We require verbal authorization on EVERY money request transaction. And we will always call if we have questions or if something seems out of the ordinary. Our biggest strength is the relationship we build with you.

Ultimately, hackers and scammers want access to your information so that they can get money. If you proactively construct roadblocks to avenues that lead to your funds, scammers are more than likely to move on and attempt elsewhere. Common sense is your best defense: guard your personal information, use multi-factor authentication on everything, view electronic information with a skeptic’s eye, ensure good password management and construction, and if you are unable to verify the validity of a link go directly to the website rather than clicking on a link.

If you have yet to establish access to your secure CWM Client Portal, please contact us and we’ll coordinate a time to enroll you and walk you through its features.

Our webinar Personal Cybersecurity: Protecting Your Online Life featuring Tim Villano, CISA®, CISM®, CGEIT®, CRISC® is available on our News page. The webinar runs approximately 60 minutes.

CWM is here as a resource and to partner with our clients. If you have any questions or if you think you may be the victim of cybercrime, give us a call – we’re always happy to help at Comprehensive Wealth Management.

Resources*

Anti-virus software

Password Managers


*This is not intended to be a complete list of anti-virus software, password managers, or cybercrime prevention. Individuals are responsible for conducting their own due diligence on the resources suggested. CWM is not affiliated with or responsible for products and services provided by outside companies or organizations.

[1] Morgan, S., Cybersecurity Ventures, Morgan S., McLean, E., Cameron, L., & Moretti, J. (n.d.). 2022 Official Cybercrime Report. https://s3.ca-central-1.amazonaws.com/esentire-dot-com-assets/assets/resourcefiles/2022-Official-Cybercrime-Report.pdf?utm_medium=email&utm_source=pardot&utm_campaign=autoresponder

[2] Freeze, D. (2023, July 10). Global ransomware damage costs predicted to exceed $265 billion by 2031. Cybercrime Magazine. https://cybersecurityventures.com/global-ransomware-damage-costs-predicted-to-reach-250-billion-usd-by-2031/

[3] Kondruss, B. (2023, December 19). MOVEit hack victim list. KonBriefing Research. https://konbriefing.com/en-topics/cyber-attacks-moveit-victim-list.html

[4] Robinson, P. (2024, February 8). The MOVEIT attack explained. Lepide Blog: A Guide to IT Security, Compliance and IT Operations.

[5] House, K. (2023, January 12). Microsoft’s new AI needs just 3 seconds of audio to clone a voice. Freethink. https://www.freethink.com/robots-ai/voice-cloning-vall-e
