3 simple strategies to prevent identity theft

I’ve read a lot of articles on the subject of identity theft over the years. Most of the time they focus on how identity theft can happen. Things like stealing your mail from the trash, or misplacing your wallet in a public place. I’m not promoting forgetting about these easily solvable issues, but let me tell you why this is wrong.

First of all, this is not the movies. Identity thieves are not selecting a “mark” and following them around for days learning their habits so they can find a way to steal from them. That is a lot of work, and why would they go through all that effort when the simple truth is, they don’t have to?

So what are they doing? They’re going online and buying your information from a website. Now, don’t think that you’re so special that they targeted you specifically, because that is not how it works. They just buy a list of credit cards and go down the list until they find one that works and start charging it.

It doesn’t have to be credit cards, it could be your social security number, bank account information, or any other information that might lead to identity theft.  But how are identity thieves getting this information in the first place?  Let’s briefly review how businesses are consistently falling short of consumer expectations to secure data.

Companies are not doing enough

If you follow any sort of news, whether it be TV, online, newspaper, etc., chances are you have heard of numerous security breaches. The simple truth is, most organizations are bad at cybersecurity. It’s not entirely their fault; the bad guys are constantly looking for the slightest hole to exploit. A simple mistake of an employee clicking a link in an email is enough to lead to an event where all of your data is lost.

Take the Equifax breach from 2017 as an example. If you’re a US citizen with a social security number, there’s a good chance you heard about it. That’s because this breach led to 143 million Americans’ social security numbers being leaked online. Yes, that’s right, your social security number is out there and it has been for over five years. And of course this isn’t the only incident which leaked customer data.

(Statista – 2022)

We don’t have to look that far back to see examples of breach events. In 2021 alone, there were 4,145 publicly disclosed data breaches. Chances are you didn’t hear about anywhere near that number of breaches. Many of these were small breaches which didn’t impact consumers or only impacted a small number of consumers.

The bottom line here is this: companies are not doing enough to keep your data secure. So what should you do about it? By now you should begin to understand that you cannot count on a company to keep your data secure. So take matters into your own hands, and take steps to prevent yourself from being impacted.  Let’s outline a few simple strategies you can use to take matters into your own hands.

#1 – Take online security seriously

The best way to keep yourself secure is to take it seriously. Build security practices into your life as standard practice. There are a few ways to do this and the strategies differ based on what the goal is. So let’s outline a few methods for doing this.

The number one thing you can do is utilize good authentication practices. In a previous article I discussed how you can utilize good password practices to make it very hard to break into your online accounts.

Assume that all your data can be stolen at any moment from every company you’ve ever used. So, take steps to limit the amount of your data they have. If you don’t use an account anymore, find out how to delete it. Contact organizations you no longer do business with, and ask them to remove your data.

Use a security mindset when opening and reading email. If you have an email that looks like it might be spam, don’t even open it, just mark it as spam. If a friend sends you an email or text asking for information they wouldn’t normally ask for, don’t provide it. Contact them and make sure their account hasn’t been compromised.

If anyone asks you for your password or other type of login information, don’t provide it. Technical and customer service teams will never ask you for login information. So if someone is asking for login information, chances are very good it is not legitimate.

#2 – Simple steps to prevent financial fraud

There are a few things you can do to help prevent fraud and identity theft from ever occurring to you. Admittedly, these steps do add a little bit of inconvenience to your life. But would you rather have a little inconvenience or your life turned upside down by identity theft?

First, understand how credit works. There are four credit bureaus – Equifax, Experian, TransUnion and Innovis. Start a security freeze on all four of them. This article by Krebs on Security is an excellent resource to help with the steps of security freezes. A security freeze prevents new credit accounts from being opened, eliminating the possibility of identity theft.

Monitor your credit cards and bank accounts regularly, at least weekly. If any fraudulent charges show up, immediately notify your bank or credit card company and request a new card.

Also, stick with companies that are easy to work with when it comes to reporting fraud. I once had a fraudulent charge from North Korea show up on an account. The company was awful; it took me weeks to get that charge and the international fee removed from the account. As soon as those charges were off my account I closed that card.

Finally, you can take an extra step to prevent fraud charges from ever showing up on your account. Assume your cards are being compromised regularly. Every 6-12 months, request a new card from your bank or credit card company. Once you have the new card, ensure the old one is deactivated. This way, if your old card is stolen in a breach you have nothing to worry about.

#3 – Stay vigilant offline as well

Ok so the steps above should prevent the vast majority of identity theft and fraud. But what about those other steps mentioned commonly by other articles online? Yeah, those steps are still important as well.

Get yourself a good quality cross-cut shredder and shred every financial document. Even those pre-approval notices, shred those also. This prevents anyone from being able to use your mail or any other physical documents to steal information. Decent shredders range from $50-150. Don’t just buy the cheapest one; do a little research and get a quality one.

Better yet, use the permanent Opt-Out process to remove yourself from those pre-approved notices. It’s a simple process that involves filling out an online form, and then printing and mailing a short document. Learn more at www.optoutprescreen.com.

Stay vigilant over the phone as well. If someone calls you and asks for payment information, be sure they are who they claim to be. There are countless scams out there claiming to be everything from the phone company to the FBI. If the FBI was going to fine you, they wouldn’t be doing it over the phone. Make sure you know the person asking for money. If in doubt, use a previous statement or the company’s website to find their customer support number and call them to pay instead of relying on this stranger that called you.

Last, if you lose your wallet or any other financial information, act as if it’s been taken by a fraudster. Deactivate everything and get all new cards. Hopefully your wallet is found by a good Samaritan and returned, but don’t count on that strategy.

Conclusion

Ok there you have it, a few simple strategies you can implement to help prevent identity theft and fraud. There are always new things going on in the world that may require new strategies in the future. If you want to stay up to date on the latest strategies you can use to stay safe online, follow us on social media or sign up for our newsletter.

How to secure yourself from hackers in four steps

Ok so you’ve decided Cybersecurity is important to know a little bit about, now what? Well first off, just the understanding of Cybersecurity’s importance puts you in the minority of those who are harder to hack, so congratulations!

But now we start down the path of understanding what you can do to be more secure. This topic is a bit of a rabbit hole, so let’s start with just a few of the more critical items and why they are important.

Before we get started, I want to point out something for anyone thinking this journey is going to mean a massive amount of work.  It doesn’t have to mean that at all actually.  Keeping yourself secure online is really about having a little knowledge and implementing a few simple practices to rely on.  Any good security professional knows when security is too complicated, people will find a way to avoid using it.

Start with your email

Your email account is by far the most critical thing to secure. That’s right, I just said email is more important than your bank account in this journey.

Why? Well for a hacker, if they have your email account, they pretty much own all of your accounts. This is because almost every website out there relies on your email for password resets. So if your email account becomes compromised, an attacker can simply reset your other passwords and now they have those also.

Take a minute to reflect on what that means for you. Your bank accounts, credit cards, school (if you are a student), social media, online shopping and more are all gone if your email is compromised. These days, most of us have just about every facet of our lives online in some way.

Ok, so now you understand why it’s so important.  How do you secure it then?

Secure your email account

For starters, use a really strong and unique password.  The password you use for your email should not be the same one you use for anything else.  It should be as random as possible, and as long as possible; preferably by a random password generator, and at least 16 characters long.  We’ll get into how you remember that random password in just a little bit.

Ok so now you have a super complex password, that’s it right? Wrong. Next, enable 2-Factor authentication (2FA) on your email account. Enabling 2FA requires your account to have a second, extra security layer to log in, usually in the form of a randomly generated six-digit number.

Right now you might be thinking “hold up, didn’t the author say this didn’t have to be complicated?” Yes, I did.

Enabling 2FA on most modern email systems is a simple process that takes only a few minutes one time. You can also configure it so it will only periodically ask for the second factor such as when you’re logging in from a new computer or once per month. I strongly suggest using these practices as it will make 2FA very minimally intrusive to normal use while also preventing an attacker from accessing your account.

One more thing, do not rely on SMS or text messages for 2FA. Use an app like Google Authenticator or another similar one that works with your provider. Not to get too into the weeds on this, but text messaging is not a secure form of authentication. I’ll save that topic for another day.

Secure your financial accounts

Ok, your email is secure now, what’s next? Your bank, credit cards, 401k, any other type of financial accounts you have are the next thing to think about.  What do you do with these?

Unfortunately, most financial institutions are slow when it comes to keeping up with security. This can be seen pretty easily as almost all of them do not have any form of 2FA beyond SMS/text messaging. “Wait didn’t he say text messages were not secure?” Yes, I did. Now you understand my statement.

Believe me this is one of the things I find most annoying about my own bank. This is one of the many reasons why we cannot rely on a company or institution to secure our data (or our money). Take the power into your own hands and use good security practices instead.

In this case, use a very strong, secure password which is unique for each account. Take special notice of unique for each account.  If you have five banks, you should have five passwords. And of course, if your financial institution has the option to enable 2FA via an app and not rely on text messages, enable that functionality. This should be the case whether it’s a bank, stock investment account, retirement account, crypto, etc. Anything where finances are involved.

Other accounts

Ok so now we’re getting into the “less critical” accounts. This would include things like shopping, social media, online gaming, and others. I’ve seen many articles discussing using an “important password” for things like your bank, and an “unimportant password” for these other items.

Personally, I think that is a bad idea. You should use the same password security practices you’d use for your bank. If there’s an account, it should have a unique password used only for that account.

When it comes to enabling 2FA for these other accounts, that’s where I think the line should be. For those accounts that aren’t going to have a significant financial impact if they were to be compromised, there’s probably no reason to enable 2FA.  Of course, some factors can change that and it’s up to you to decide if each account is important enough to add a little extra security.

Get a secure password vault

I know what you’re thinking: “I must have 100 accounts online. Do I have to remember 100 different passwords?”

I personally have over 600 accounts (662 to be exact). I understand the burden of managing accounts. But no, I do not know 600 different passwords. In fact, I don’t know any of the passwords for any of my accounts, except one: My secure vault password.

Here’s how it works: I created a unique 16 character password and memorized it specifically for my secure password vault. I used my secure vault to generate and store all the passwords for my online accounts. My secure vault is now accessible on all the devices I use regularly. It also auto-fills my passwords for me so it’s easier for me to log in as I’m going about my online activities.

You may or may not have heard of this kind of solution before, but they’ve been around for many years. There are many available options out there. In a future article, I will review and break down the features of some of my favorites.

Everybody should put a little bit of effort into finding a password vault that works for them. There is definitely one out there which will work for you and make your online life more secure and easier.

Conclusion

Keeping yourself safe online doesn’t have to be a lot of work. It requires just a little bit of knowledge on the subject and maintaining a few good practices.

Let’s summarize the basic security practices:

  1. Get yourself a secure password vault.
  2. Utilize unique, complex, and randomly generated passwords for each account you have online; preferably 16 characters or more.
  3. Enable 2FA on your email and financial accounts, and any other account you deem as “more important” to you.
  4. When possible, do not rely on text messaging for 2FA or any other security related activity.

There are many more topics to cover in the #HomeSecurity series.  If you want to stay up to date and keep yourself secure, sign up for my email list.  I will send you updates anytime a new article is posted.  If there is any topic you’d like covered in more detail, please post below.

Why is Cybersecurity Important?

Most people think hackers are only targeting big banks or other larger financial institutions. While it is true that in some cases they are premium targets, this is not always the case. The motivations behind hacking largely boil down to a handful of reasons.

Let’s take a quick look at the top reasons for why attacks take place and why security is important for everybody.

(Based on data from the 2012 Verizon Data Breach Investigations Report [DBIR])

As you can see above, Financial gain is the overwhelming primary reason for cyber attacks. This is seen in all data between 2012 and 2022. Espionage is a distant second place. The remaining attacks make up small percentages, but among them grudge sticks out as one we should discuss in more detail.

I want to discuss each of these in more detail as they apply specifically to home users. This would apply regardless of what company you work for, or if you’re self-employed. So let’s analyze each of these to understand why you are not as safe as you believe.

Financial gain

Most people think that financial gain means a hacker is going after a bank to steal money. But here’s the problem with that belief… if a hacker breaks into a bank, what’s to stop them from taking your money? Think about it, in the typical bank robber movie, did the bad guys stop when they realized that average people would be impacted? No, they steal everything in the vault. So why would a bad guy hacker only steal money from the bank and not your personal money as well?

In reality, it’s actually more complicated than this…

First, hacking into a teller machine doesn’t mean an attacker can transfer money. Most often they are getting access to a system that doesn’t even connect to where the money is stored. Second, those types of systems have a ton of security around them making it extremely difficult to hack. If they could get access to those systems, bank transfers are slow so the likelihood of success is low. Finally, there are much easier and faster ways to make money.

(From 2022 Verizon Data Breach Investigations Report [DBIR])

Ransomware is a type of virus which locks you out of your files by encrypting them. Typically these viruses will ask for some form of payment to “unlock” the files. Desperate users who did not have good backup practices will quite often pay the ransom. But the dirty secret is that those users only get their data back about 30% of the time when they do pay. Most experts recommend not paying and relying on good backup strategy instead.

Ransomware attacks are on the rise in a big way globally as seen in the above graph. These types of attacks are cheap and easy to execute. If you know where to go, you could go buy a Ransomware kit in a few minutes. Then just send it out to a list of emails which you can buy from a myriad of sites online.

Espionage

(From 2015 Verizon Data Breach Investigations Report [DBIR])

Espionage is admittedly probably not going to occur to you directly, but may target your company. Interestingly, according to the DBIR, the most common vector for espionage attacks is email. So it is important to be on the lookout for suspicious-looking email.

I’m not going to go over espionage in as much detail as these attacks don’t typically target home users. If you are an employee of a larger company however, you are at risk for this type of attack. I will cover this topic in more detail in a future post.

Grudge

Grudge attacks typically start with a bad breakup or a friendship which falls apart for some reason. One party then decides to hack into the other party’s Facebook, or Twitter, or some other online presence they are aware of. They might post obscene pictures or comments on your social media, or steal private pictures. They may even use these pictures and access to your accounts as an attempt to blackmail you.

This is probably the one type of attack which is targeted more often to home users than businesses and organizations. Most people will probably never actually experience this type of attack. But it is an important type of attack to be aware of when events happen in life which might lead to anger in another person.

Many people aren’t aware, but oftentimes, when people get angry or upset, they look for help. I’ve seen job ads online where people pay experts to help them break into accounts. Whether these jobs are actually executed, I cannot say, but be aware that it does happen. Just because you don’t think the person has the skill to steal your account doesn’t mean they won’t go looking for help.

(Example posting by user requesting help accessing an account — this may be legit but anyone could post similar messages for someone else’s account)

I want to add one more point about grudge attacks. I have been speaking primarily about direct attacks against others as if from a friend. But grudge attacks do also happen against companies and employees of those companies.

This is where things get dicey: it depends on the specific motivations of the individual and their skill. Without getting too into the weeds, they may target anyone from the CEO down to the lowest level employee. Whoever might help them achieve their desired outcome could be a potential target. This makes every employee a potential target.

Other

The other category covers all other reasons for breaches which have occurred. This could include employee error or malfunctions. Most often these types of issues will not impact home users, however, the potential is there to impact home users.

For example, if a particular vulnerability is identified for a very popular home router it is likely to be exploited at a large scale by attackers. These attackers may go unnoticed for years before anything actually happens in your home network, but it gives them a foothold inside your home network.

Here’s the core issue: once a hacker has a foothold inside your home network, they can get into anything within your home network.

Conclusion

Financial gain is by far the biggest reason for cyber attacks. These types of attacks are cheap and easy to execute, which makes it very easy to aim them at any home user.

You very likely receive hundreds of emails a day that you don’t see because your email provider filters them out. But some will inevitably make it through the spam filtering. Stay vigilant and don’t click on attachments or links if you don’t recognize the sender.

References

Verizon Data Breach Report 2015: Top 10 Charts and Summary

The 2020 Cyber-Espionage Report pulls seven years of data to determine threat actors, motives and actions

What Motivates Hackers? Money, Secrets, and Fun

40 Worrisome Hacking Statistics that Concern Us All in 2022

2022 Data Breach Investigations Report