April 29, 2020
Fiduciary Trust Company’s Chief Operating Officer Rob Jeffers discusses key steps to protect your identity and personal information. He also highlights fraud and phishing scams related to the coronavirus emergency so listeners can better recognize them and avoid being compromised.
Read our related article: Avoiding Coronavirus Fraud and Phishing Scams
Todd Eckler: Information security has become increasingly important as the use of digital channels has grown. Bad actors from around the world seek to prey on potential victims and are unfortunately taking advantage of the COVID-19 emergency to further their efforts. At Fiduciary Trust, information security is an important priority as we work diligently to help protect our clients and the firm.
Today’s discussion will highlight some common strategies criminals use to try to access your information, and we’ll also cover a number of specific techniques they’re using during this coronavirus emergency so you can be on alert and reduce your risk. I’m joined today by Rob Jeffers, Fiduciary Trust Chief Operating Officer. His responsibilities include oversight of many of the firm’s information security activities. He’ll be sharing his suggestions for how you can protect your personal information. Thanks for joining today, Rob.
Rob Jeffers: Glad to be here.
Todd Eckler: So let’s get started. Phishing is the term often used to describe the approaches criminals use to obtain your personal information such as Social Security numbers or credit card numbers. Before we delve into some specific phishing strategies that are used in the current coronavirus emergency environment, I think it would be helpful to cover some general principles people can take to protect themselves. Can you share your perspective on this front?
Rob Jeffers: Sure. So scammers use a variety of methods to try to get information from you. The reason they call it phishing is they will literally send out hundreds of thousands, if not millions, of texts, emails, social media requests, or phone calls, just hoping a very small percentage of people actually respond. They’re usually trying to get you to do one of three things: download something that probably is not good for your computer or could potentially take over your computer and cause you to have to pay ransom to get the computer information back; try to get you to give them passwords; or try to get you to give them information that will help them come up with your answers to your challenge questions or possibly even steal your identity.
So there’s a couple of things that you can do to protect yourself. First of all, never ever download any sort of file from somebody you don’t know. What they’re doing there is hoping that you will click on the file, download it, and then they will be putting some sort of virus on your computer. You might not even know it’s there, and they might be just looking at your keystrokes and this is a way that they can find information about you and it will send that information back to them and they might be able to take over your computer, take over your accounts, in a worst case scenario, take over your identity.
Another thing to be careful about is emails that purport to come from a bank or an institution that you do business with. Sometimes scammers will spoof, meaning they’ll make it look like it’s coming from Bank of America or some other institution when it’s really not. A couple of things you can do: hover over the name and you will quickly see what the real address is. The real address is not going to be @gmail.com if it’s from Bank of America. My advice for any time that you get something from a financial institution is to never click a link. Instead, go directly to the website that you normally go to and log in with your credentials there. That way there’s no danger.
What the scammers will sometimes do is send you a link. You will think that you are logging into your account, be it Bank of America or whatever financial institution, and they’ll capture your name and password. You thought you just logged in. The site will crash and then you’ll maybe try again. What they’ve just done is stolen your name and password and will potentially try to make transactions within that account.
The last thing that they will try to do is get information. Many of you have probably seen the quizzes on Facebook. These quizzes are a form of social engineering. They’re asking you what might look like a bunch of innocuous questions, but they’re peppering in questions like, what was the name of your first dog? Or where did you go to high school? Where were you born? These are questions that might be a challenge question when you forget your password on a site. So they’re going to take that information and use it, but they might also take this information for some other social engineering scams that they try elsewhere. And we’ll talk a little bit about that later.
Todd Eckler: Thanks for sharing all those examples, Rob. It’s amazing how many different ways people are trying to access our information. Now, one of the things that you mentioned is being careful about opening emails or in particular clicking on email links. We at Fiduciary Trust send emails to our clients with Thought Leadership and other things. How do you know that they’re legitimate emails?
Rob Jeffers: Todd, the first thing you should do is look at the sender. If the sender does not look like it’s coming from Fiduciary Trust, then it’s not a real email from us and you should definitely ignore it. However, scammers can sometimes spoof emails and make it look like it’s coming from us. In that case, you should also hover over the link and when you hover over the link, it will show you where it’s taking you. If it’s to anywhere that’s a fiduciary-trust.com or go.fiduciary-trust.com, that is a legitimate email from us. Lastly, if you’re unsure, you can always just go to our website and all of our articles will be there directly.
Todd Eckler: Clearly there are a lot of ways people are trying to access your information through these various phishing schemes, but even if you’re diligent about where you click and what sites you visit, your device can also be compromised if you don’t have the appropriate security in place. How do you reduce your risk on that front so your computer, smartphone, or tablet won’t be compromised?
Rob Jeffers: There are two main things that I recommend. First of all, whenever you see that little thing that comes up and says, “An update is available,” for whether it be your phone or your computer, click that link. You want to make sure you always have the most up to date software. The reason that you want to have that is almost every time that they’re updating the software is because they have found a vulnerability in the code. A hacker has found a way into the code and they’ve found a way to prevent it.
So if you’re not updating your systems, you are vulnerable. Nine times out of 10, when you hear that a company has been attacked or they have some sort of ransomware, it’s because they haven’t updated their code and the hacker was able to get in on a backdoor or something that was widely known. So as long as you’re up to date, it makes it much harder for anybody to get into your computer.
The second thing is you should have some sort of virus software on your PC or your Apple. There is plenty of great software out there. Norton and McAfee are two of the biggest names, but you want to make sure you do have some protection that is just looking for unusual activity that’s going across your account.
Todd Eckler: Another area of information security risk is hackers seeing your activity through unsecured WiFi, which could occur in your home or a coffee shop, a hotel or some other location. Can you talk about what unsecured WiFi is and how to protect yourself?
Rob Jeffers: Sure. So there are two types of WiFi: you have secured and unsecured. So when you’re at Starbucks or at a hotel, you’re most likely on an unsecure WiFi network. That means people can pretty easily see what you’re doing. Therefore, it’s fine to use that WiFi to surf the web, to look at some information. But I would definitely recommend never logging into any of your financial institutions or anything that has personal and private information. It’s great for just getting some information. Maybe even checking your email would be fine, but nothing that requires any sort of passwords.
When you’re at home, you’re usually on an encrypted WiFi. So that means somebody can’t just easily see what’s going on. But there are a couple of things you can do to make sure that it is even more secure. The first thing you want to do is make sure the name of your WiFi isn’t something that easily identifies where this WiFi is. So for example, if you live on 23 Elm Street, you should not name your WiFi “WiFi at 23 Elm Street,” because then somebody going there knows exactly where the WiFi is; they know your address. They can probably figure out who lives there and it might make it a little bit easier for them to get in and see what you’re doing.
When you get a home WiFi, it normally gives you a very long password, at least 20 characters long. If you do decide for any reason to change that password, make sure it’s at least 20 characters long. The length of the password is the most important determinant on whether somebody can crack it. It is much, much harder to crack a 20 character password than a simple six or eight character password.
Another thing that you can do is if you’re going on vacation, turn your WiFi off, unplug it. You’re not going to use it, so no need to give anybody access to it, try to hack into it. So, those are just a few of the things that you can do to protect yourself and just be conscious, especially when you’re out in public of what you’re doing on your phone using any sort of unsecure WiFi.
Todd Eckler: So if you’re using WiFi at home and there’s no password, does that mean it’s unsecure WiFi?
Rob Jeffers: Yeah, it’s very unusual that you would have a situation where there was never a password. For most WiFi setups, you will have to enter the password once and then it will remember that device. Anytime you have a new device, you’re going to need to put that password in again. So if somebody comes and visits you, they’ll often ask you what’s the WiFi password? If there is no password at all on it, then you definitely should put one on because that is essentially a public WiFi and anybody can get onto your server.
Todd Eckler: Rob, you were talking about 20 characters being a good length for the WiFi password. Is that a good rule of thumb for passwords in general for email accounts and elsewhere?
Rob Jeffers: We believe the length of password is the most important, because most attacks are what we would call brute force. They’re just trying to try every single combination. As you can imagine, the more that you go out, it exponentially gets higher. Currently the recommendation is to have passwords of at least 14 characters or more. You can do sayings. It doesn’t have to be a single word. You can do a sentence, your favorite poem or the first words of a book that you like. That’s a great way to have a nice long password that’ll be very hard for somebody to use a brute force attack to try to get into your account.
Todd Eckler: That’s good to know on the password front. Shifting gears back to the phishing attempts, we’ve talked a lot about email phishing and things online. Clearly there’s phishing and scams that are going on through the phone, and those have been going on probably as long as the phone has been around. Could you talk about some of those scams that are currently going on and how you can protect yourself?
Rob Jeffers: Yep. So the first thing is if you don’t recognize a number, don’t pick it up. If it’s important, they’re going to leave a message. But it’s funny you asked me this question as just this morning, I received a robocall from somebody who was claiming that there’s been some unusual activity on my Social Security number and name and that I was to give them a call right back. Otherwise, they would have to issue a warrant for my arrest.
So whenever you get something like this, even if, as in this case, they did leave a voicemail, this is fake. First of all, we know it’s fake because there is no law enforcement institution that is using robocalls to tell people that they were about to be arrested. Second, the person never left their name. Third, they never said what agency they were from. Fourth, I saw that it was coming from outside this country, so I knew that it couldn’t possibly be legitimate.
What they’re hoping you’ll do is that you’re going to call that number back and they’re going to ask you for your Social Security number. Under no circumstances, give your Social Security number to anyone over the phone that you don’t know. There’s no reason that they would need that. This is definitely a scam. But what’s really important is as much as you might want to give them a call back and kind of just give them a hard time because, “Hey, this is kind of annoying and I think what you’re doing is wrong.” Don’t do that. Because once you do that, they know that your phone number is a good phone number and there’s a real person behind it.
As I mentioned with phishing, they’re sending out millions of calls and they’re just hoping to get some responses. If you respond, your phone number has become more valuable and will be sold to other scammers. So just block the call, ignore it, and move on with your day. The other thing to think about when you get calls is sometimes people will say, “Hey, there’s something wrong with your account,” and they’re going to ask you for personal and private information to verify you are who you are. No bank is ever going to do that.
If somebody is asking you for information to verify who you are, if they’re saying they’re from a financial institution that you use, hang up the phone and call the phone number that you know, the one on the back of your card, the one on your statement. Do not give that information to somebody that you’ve never spoken to before over the phone.
Todd Eckler: That’s a great example and very timely, Rob, and some great guidance on that front. I’ve had people call me as well trying to pose as Microsoft or a company’s IT help desk and telling me I had some out-of-date virus software and I needed to download something. Clearly I thought it was a scam and hung up, but had I thought it really was our IT department and didn’t recognize the voice, of course the right thing to do in that situation would be to hang up and to call a number you know to be a correct number.
Also, you were mentioning the Social Security call that you got, and one thing I just wanted to point out that we have in some of our other articles is around setting up the my Social Security account with the Social Security administration. That is a great way to help protect your Social Security information, at least with respect to the government because you want to be the one who sets up that account and gets the password and access.
You can monitor some things in there. You go to ssa.gov/myaccount. To sign up the first time, they’ll ask you some of the information that’s on your credit report, so you’ll want to have that be familiar to you and also not have your credit report locked if you’re going to set that up. But that’s a really good thing. Whether you are drawing Social Security or not, that’s a good thing to have set up yourself so a bad actor can’t set it up for you and start doing things.
I wanted to shift gears now because we’ve covered a number of general principles and strategies for protecting your information, but as I mentioned earlier, criminals are taking advantage of the current coronavirus emergency to implement new approaches to gain access to people’s information. So could you talk about some of these strategies so people can be aware of them and increase their ability to protect themselves?
Rob Jeffers: Sure, so one that we’ve heard about and we know is happening is people calling or emailing individuals asking for bank account information in order to deposit their stimulus check. The IRS is not going to call you and ask you for your bank account information. They’re not going to email you for that either. They will deposit the money directly into your account because you already have a relationship with them from filing your taxes or receiving Social Security checks.
If they can’t do that, they are going to mail you a check. Those are really the only two options that are going to happen. If you are expecting a check and you haven’t received it, you should go to irs.gov to look at what the next steps are. But you should not give your bank account information to anybody who is claiming to be from the IRS, over phone or over email, because that is not how they operate.
Another area where we’ve seen some fictitious calls is from Medicare and Medicare benefits around coronavirus. They also are not making calls out to people. They would have to call almost a hundred million people if they were going to really do that. So that is not a legitimate call. If you have questions about Medicare benefits, you should go online or call their number to get more information on that.
Another area we see is people pretending to be from the World Health Organization or the CDC saying that they need some information, that they’re taking surveys to get an idea of what’s going on in your neighborhood. The CDC and the WHO are not calling people for this type of information. Sometimes you will have groups that might ask some very high level basic information, which would be okay, but they would never need to know anything like what we would consider personal and private, which are things like Social Security numbers, account information, place of birth or anything like that. They would never ask those types of things over the phone. In most cases I would say it’s perfectly fine to ignore.
One of the scams I would consider more insidious is emails coming from the CDC with a file attached saying, here is a list of names of people in your neighborhood that have tested positive for COVID-19. Please take a look and let us know if you’ve been in contact with them. Now, why this one works so well is a lot of people are very scared and all of us would want to know if we’ve been in contact with somebody. But this isn’t a real email. And we know that for two reasons.
First of all, the CDC doesn’t have your email. There’s no reason why they would have your email address, so they wouldn’t be contacting you that way. Second of all, it is against the law to tell an individual somebody else’s health information. So even if somebody in your neighborhood is positive with COVID-19, it is against the law for anybody to reveal that information to you. So that is not what’s in that file. What’s in that file is some sort of virus or some sort of ransomware that is going to be downloaded onto your computer.
If somebody in your neighborhood has COVID-19, you might get contacted, but all they will ever tell you is that we believe you have been in contact with somebody who has COVID-19. They will never tell you that person’s name. Now, you may be able to figure it out, but they’re not going to tell you. So I’d say be very careful with that one; it’s been very successful because people are very nervous and that’s what a lot of these scammers are preying on.
The last one that I would mention is health scams, where there are emails purporting to have vaccines or tests or things like that. And all you have to do is give them a bunch of personal information and they’ll send you the kit. I can promise you that if a vaccine happens, the way you are going to find out is not going to be via email. It will be widely reported on the news. For any type of information, we recommend you go to reliable sources like cdc.gov, who.int, and NIH.gov, which is the National Institutes of Health. All three of those are websites that are great places to start. Also, in your state, the health department or the government site will probably have a lot of information there. So be very careful. As I say on many of these calls when I’m talking about cybersecurity, if something seems too good to be true, it is.
Todd Eckler: Boy, it’s incredible all the ways that people are trying to take advantage of the coronavirus emergency to scam people and steal their identity. There are also some other things that are going around this year in terms of ways people are trying to take advantage of people. One of them is the U.S. census 2020. Could you talk a bit about what’s going on there and how to protect yourself?
Rob Jeffers: Yep. So we do have some scammers who are trying to call people and pretend to be from the census and asking for personal information. A couple of things of note. As of today, there are no calls or in-person census taking. Everything is being done online, it’s at 2020census.gov. You might receive mail telling you to go to 2020census.gov. Over time, there will be situations where they will reach out and maybe potentially want to schedule some time. However, that is not going on currently.
If anybody calls you or if anybody contacts you, the census will never ask for anything like bank account information, Social Security information, place of birth or things like that. None of those are typical census questions. My advice is go online and fill out the census. If you don’t want to do that, you will get a paper version that you can submit, but online you can see what those questions are and you’ll notice they’re not going to be things that can identify you and potentially be used to steal your identity.
Todd Eckler: Thanks, Rob. One last example I’d like to go through is the grandparents scam. Can you just give us a quick overview of what that one’s about so people can be aware?
Rob Jeffers: Yeah, the grandparents scam targets older adults. They will call claiming to be the person’s grandchild or claiming to have the person’s grandchild in custody and they need money, and they need money quickly. They’ll try to make a certain sense of urgency and they’re going to play on your heartstrings. So, remember in the beginning when I was talking about the social media quizzes, a lot of times those quizzes will be used for this type of scam. That way they’ll be able to say things that make you think that you’re actually talking to somebody who is either your grandchild or is in contact with your grandchild.
You might have mentioned your dog’s name, you might’ve mentioned where you live or where you grew up. They can use all that information and this is called social engineering to make you think they are somebody who they are not or make you think that you are talking to somebody who’s in contact with them. If you ever get a call like this, call somebody else in the family, or call the person directly.
I unfortunately know somebody who did fall for one of these scams, and when they called their grandchild, they were perfectly safe and fine and nothing had ever happened. If they had just picked up the phone and checked directly with the other person that’s purporting to be calling or is purported to be in trouble, they would have been much better off. So it’s one of those I call very mean because, hey, everybody wants to take care of their family. It’s like playing on your heartstrings. Yeah, they are using all the information that’s out there to try to convince you that they are somebody who they aren’t.
Todd Eckler: Boy, that one really does pull at the heartstrings unlike some of the other ones, and it just goes to show you, you really can’t let your guard down and have to be vigilant on all fronts. Well, we’ve covered a number of areas, Rob. Is there anything else that you think people should be aware of that we haven’t talked about?
Rob Jeffers: Sure. We didn’t touch upon it, but there’s one other scam that takes many, many different forms, where you’ll get a request to pay for something and you need to pay for it quickly in gift cards. Anytime anybody is asking you to pay for something by going and buying a bunch of gift cards, it’s a scam. There is no legitimate reason why any legitimate business would need you to go get gift cards and send them to them. This scam takes on many forms, from being from a government agency, a bill collecting agency, part of the grandparents scam, all of those. But if anybody’s ever asking you, oh, can you just get $500 in gift cards and send them to me? It’s a scam. It’s not real. Do not do it.
Todd Eckler: Rob, thanks for taking us through all those examples, as well as the general principles people can take to help protect their identities. I’d also like to thank our audience today. We hope you found the information useful.
You can find more information on this and related topics on our website at fiduciary-trust.com/info-security. If you’d like to learn more about Fiduciary Trust or if we can be of assistance, please contact a Fiduciary Trust officer or reach out to Rick Tyson at firstname.lastname@example.org or 617-292-6799. Thanks again for joining us and stay safe and healthy.