Cybersecurity: An Alarming True Story and How to Protect Yourself

Posted on by Steve Medland

On the morning of January 12, 2022, I took a quick look at my checking account balance, as I do most days. Instead of seeing around $9,000 or $10,000 as I had expected, the balance staring back at me was $109.97. Huh?! There had to be some mistake.

I looked at recent transactions and saw $2,500 and $6,8000 withdrawals that morning. I called my credit union, and the representative said, “Yes, I see here that you made two cash withdrawals from our Lawrenceville, Georgia branch this morning.” I told him I lived in California and had never been to Lawrenceville, so he immediately transferred me to the fraud department, which helped me file a fraud report. 

Apparently, someone used a fake ID to enter the branch and withdraw $2,500 cash. They then saw the remaining balance on the withdrawal slip was $6,909.97, so they got back in line and withdrew an additional $6,800 in cash, leaving the balance at $109.97. 

Fortunately, my credit union put the missing funds back in my account before opening an investigation, and last month they concluded the investigation ruling in my favor. In the intervening months, I opened new checking and savings accounts and reestablished all of my ACH and electronic transfer links. Despite the low-tech nature of the crime, I reset my online access username and password, added a security layer by setting up a verbal phone password, and added alerts to my accounts so I’ll be immediately texted about any suspicious activity.

Cybersecurity Breaches are Everywhere

A recent Accenture study found cyberattacks cost the banking industry $18.3 million annually per company, but the onus is really on us to protect ourselves.

While my situation was frustrating and somewhat time-consuming, it was a walk in the park compared with the fraud that one of our longest-term client households experienced over the past several months. They agreed to allow me to write their story, but I’ll use the pseudonyms, William and Sandra, to protect their privacy. 

Sandra kept diligent records, and the spreadsheet below (with names, key details, and financial institution names also changed for privacy) will give you an overview of what happened. The details of each attempt are less important than understanding the relentless natures of the repeated fraud attempts (you can click on the graphic to open it in a new tab and click again to enlarge it).

I did reach out to two professionals I trust to help our clients but wish I had done so earlier. One of them was Linh Ho, the Founder of Fortress Networks, our IT consultant. The other was Jason Makevich, the Founder of Greenlight Information Services, which offers cyber protection and IT services. They provided a wealth of information and guidance. Fortunately, the cyberattacks have since stopped. It’s likely that the actions our clients took made the cyber thieves give up and move on to an easier target.

Just remember, you don’t want to be that easier target! In the hopes that this will be helpful to other clients, I’ve summarized their recommendations below.

How to Protect Yourself from Hackers and Identity Theft

The list below may seem overwhelming, but they’re all relatively easy to do if you take them one step at a time. These are things you should do if you suspect you’re a victim of identity theft, but you don’t have to wait until then because then it might be too late. Many of the items on this list are best practices that will help you avoid being an identity theft victim in the first place.

  • First, change your usernames and passwords for all of your financial accounts. Sign up for two-factor authentication (2FA) with any institutions that offer it. That way, even if someone has your password, they won’t be able to log in unless they have a code that is texted to you or the authenticator app on your cell phone.
  • Check your email accounts and look for any existing forwarding rules. If you’re unsure how to do this, you can do a Google search for “how to forward email in Yahoo (or Gmail or Outlook).” Then follow the directions for your specific email program to see if anyone has set up email forwarding.
  • Check the login history on your email accounts. Google is another great source of information here as well. You can do a Google search on “how to check the login history in Yahoo (or Gmail or Outlook).”
  • Next, turn on 2FA in your email program if that’s an option.
  • Sign up for a password manager. Quite a few options are available, and PC Magazine has a great overview with recommendations in this article. These password managers allow you to manage all of your passwords in one place. You can create one strong, complex, long password and set up 2FA for extra security. I started using a password manager almost 10 years ago. Although it took some time and patience to set up, it saves me lots of time every day because I’m no longer wasting time trying to remember or look up passwords. It’s also much more secure than reusing passwords, writing them on a sticky note, or saving them in a file on your computer. Costs vary but are reasonable for the value you get. To give you an idea, the program I use only costs $36 per year.
  • Report the identity theft on the Federal Trade Commission’s website at https://www.identitytheft.gov/#/. This website allows you to report what happened through an interactive question and answer process and creates a recovery plan for you based on your responses. You can also consider reporting the identity theft to your local police department. Each state has different rules, but under the law in California, where most of our clients live, you can report identity theft to your local police department.
  • Consider using different/unique answers to password recovery questions when you set up different websites. For example, a lot of websites will ask you questions like “what was your first pet’s name” or “on what street did you grow up.” Giving different answers to those questions on different websites would make it harder for hackers to gain access to multiple sites. However, you’ll have to keep track of your answers. I keep the answers to those questions in the notes section of my password manager for each individual website.
  • If you’re helping a loved one who’s had their identity stolen, make sure they are not secretly working with an “expert” that claims to be helping them with this. Unfortunately, many scammers and hackers impersonate experts to gain trust and access. They pass themselves off as an advocate when they successfully predict and accurately identify attacks that they’re secretly performing. In some cases, they convince their victims to tell no one, including family.
  • Install internet kill switches on your home computers. A kill switch is a physical device you can buy on Amazon for around $25, and it plugs in between the router and the computer itself. After you’re done using your computer, you can push one button so nobody else can remotely access it.
  • Freeze your credit. The three major credit bureaus, Equifax, Experian, and TransUnion, all allow you to freeze your credit for free. If your credit is frozen, nobody can open a credit card or take out a loan in your name without unfreezing your credit first. This protects you by presenting an extra barrier to would-be scammers. You can freeze and unfreeze your credit by writing a letter to the credit bureaus, but the easiest way is to do it online. Just do a Google search for “how to freeze (or unfreeze) credit with Equifax (or Experian or Transunion).”
  • Ask your bank or credit union if you can add a phone codeword or personal identification number (PIN) to your account. That way, even if someone knows your Social Security Number and date of birth, the representative won’t talk to them unless they also know your verbal codeword or PIN.
  • Finally, consider putting a lock on your physical mailbox or using a P.O. box. Identity theft doesn’t always occur through high-tech means. It’s possible that someone can steal your physical mail and gain enough information to steal your identity, so a lock can be a good defense.

We never found out specifically how William and Sandra’s identities were stolen, but our best guess is that it started when someone hacked into Sandra’s email account. After the dust settled, she found a Yahoo email alert from earlier this year that said:

“Your Yahoo account was used to sign in to a new third party application. If this wasn’t you, please use this link to revoke third party access to your account, and change your password.”

She completely disregarded the email when she first received it, but she clicked on the link when she was searching for clues and found the email last month. The link took her to a Recent Activity and Connected Devices page. That page showed multiple logins at all hours of the day and night from someone in Pasadena. Since Sandra lives in Orange County, it appears that was the root of the problem.

She removed their access and changed her password again, and no incidents have happened since. Fortunately, all of William and Sandra’s cash and fees were reimbursed, but it cost them countless hours of stress and frustration getting to that point.

Ways to Put More Money in Your Pocket as Interest Rates Rise

I wrote about this topic in our quarterly report cover letter last month, but I’ll include a slightly modified version here to get this information out to a wider audience.

One of our great long-time clients called me recently to ask about strategies to earn more money on his cash sitting in the bank. It was a timely call with the Federal Reserve raising interest rates while his bank pays him 0.05% interest on his savings. There are a lot of cash management options that weren’t viable even six months ago, so I’ll briefly outline some of the strategies we discussed below:

  • Online Banks – Ally Bank, Capital One 360, and similar online banks currently pay rates around 1.60%. That’s a great rate in today’s environment for a fully liquid account with no fees, but you’d need to be comfortable using an online bank with no physical branches. Still, these deposits are FDIC insured and pay significantly higher rates than traditional banks.
  • Money Market – The rates for Fidelity money market accounts have increased significantly in recent months and are currently paying upwards of 1.7%. With the fed expected to raise rates by another 0.50% at next month’s meeting, Fidelity money market rates will likely approach 2.5% by the end of the third quarter.
  • 1-year Treasury Bills – The yield on these government bills has increased from around 0.07% last August to about 3.1% currently, one of the fastest increases on record. These bills are guaranteed by the US Government and are among the safest investments available. Someone with $400,000 sitting in the bank at 0.05% interest could earn approximately $12,000 more over the next year by switching to these bills at the current rates.
  • Series I Savings Bonds – Finally, I bonds can be a good option, although there are several caveats. I bonds currently pay 9.62%, the highest guaranteed rate of any government bonds and the highest rate since being introduced in 1998. So what’s the catch? This rate is variable and resets every six months, so it could go down on the next reset this fall if inflation subsides. In addition, the only way to buy these bonds is through the cumbersome treasurydirect.gov website. You’re also limited to purchasing $10,000 per year, although couples and owners of trusts can double or triple that amount. Finally, you must keep these bonds for at least one year, and you would lose three months of interest if you cash them before five years. Despite the drawbacks, rates this high make them something to consider.

Last month’s inflation report announced annual inflation of 9.1%, the highest in nearly 41 years, so the above strategies could be important in minimizing the effects of inflation.

My interview on SiriusXM Radio

Last month I was interviewed by Wharton professor Kent Smetters, who is also the former Deputy Assistant Secretary of the U.S. Department of the Treasury, on his show, Your Money. We discussed a range of financial planning topics and my book Spiraling Up: Discover Financial Serenity, Make Work Optional, and Live Happily in Retirement.

The program was originally aired on SiriusXM Channel 132, Business Radio Powered by The Wharton School.

If you’d like to listen to the interview, you can click on the play button below:

Summer is Almost Over

It’s hard to believe that summer vacation is almost over and that my daughter Audrey is starting 10th grade and my son Conrad is starting 8th grade next week. We had a wonderful summer with Audrey going to surf camp and Conrad at a horse camp. We also had a family vacation in Hawaii, including grandparents, aunts, uncles, and cousins, 11 of us in all. Below are a few of my favorite pictures from the summer.

Sincerely,

Steven W. Medland, MBA, CFP®