Protecting Yourself and your Clients from Cyberattack

​“Protecting Yourself and Your Clients from Cyberattack,” that’s the subject of today’s ACTEC Trust and Estate Talk.

Transcript/Show Notes

This is Travis Hayes, ACTEC fellow from Naples, Florida. Cybercrime is an ever-evolving threat for attorneys and their clients. Joining us today to discuss this topic is a former FBI cybersecurity agent, our guest, Jeff Lanza of the Lanza Group of Mission, Kansas. Welcome, Jeff.

Thank you very much. It’s a pleasure to be here. Thanks for the opportunity to present some important information about keeping yourself and your clients safe from fraud. There are a few things that I want to highlight in this session that will help keep not only you, but your family members and your clients safe. I’ll get right into it. But a little bit more about me. I spent 20 years with the FBI. And for most of my career, I investigated white-collar crime. But one major part of the FBI’s white-collar crime program is cybercrime. Another one’s identity theft. And I want to cover just a little about both of those topics today.

Tips to Help Clients Prevent Identity Theft

Freeze Credit Report

So, one of the things you can help your clients with – especially wealth advisor clients who may get their identity stolen and be used for fraud by a criminal – is to encourage them to freeze their credit reports. All four of your credit reports. There’s a fourth credit reporting agency named Innovis, and if you’re going to freeze your credit reports, don’t just stop at the major three. Freeze all four of them. It’s easy to freeze your credit reports at the online websites for each agency.

And the reason why we do this is to prevent criminals from opening up credit card accounts or getting loans in a victim’s name. If a credit report is frozen, they can’t do that because the credit reporting agency will not release the credit history to the potential creditor. So, the accounts don’t get opened. Freezing your credit reports is free. It’s easy to do. And it can be lifted easily when you need to lift them yourself. And you can also protect kids in families. This is how wealth advisors – especially talking to clients and attorneys that are dealing with families – encourage families to keep themselves safe. Not just the main client. We’re talking about generational protection as well.

Freezing a Minor’s Credit Report

So, you can freeze kids’ credit reports. Federal law allows you to create credit reports for minors and freeze them at the same time. And that keeps them safe from, potentially, years of fraud. So, it’s highly recommended that you freeze credit reports and also help your clients by encouraging them to do that for their kids as well. So, that’ll keep you safe from a lot of different types of fraud and these new accounts from being opened in your name.

Create an online Social Security Account

Also encourage your clients to create an online Social Security account. You can do that at any age. It’s particularly important if you’re 62 or older. And that’s when someone can use stolen information – personal identity – to open up Social Security accounts online and have Social Security benefits directed to the criminal’s bank account. And that’s a big mess to clean up. So, setting up your online Social Security account. It’s called mysocialsecurity@ssa.gov. It’s an important thing to do for fraud prevention. So, that’ll help you keep safe from many forms of identity theft.

Tips for Preventing Cybercrime

Site Identity Padlock Icon

And let me talk a little bit about cybercrime now, because the criminals are using lots of tricks to try to get access to the information from us personally or maybe even get access on our computers. So, a couple of things to look out for here. One is when you’re on a website, to make sure that you’re on the right place. Always click on the lock and get a drop-down, which shows you a certificate that is provided by a third party to make sure you’re in the right place.

So, let’s say you were going to the IRS website to check on a tax return or stimulus payment for example. Click on the lock. If there’s not a lock, it’s not the IRS site. You’re not in the right place. If you click on the lock, you’ll get this drop-down that tells you whether you’re in the right place or not. Now there are 15,000 fake IRS imposter websites that are set up by criminals to try to lure us to go to a place that’s actually a criminal’s website to get information from us. Mainly your Social Security number, which can be used to steal your identity. So, clicking on the lock helps reveal that.

Hovering with Mouse to Reveal URL

One thing that you can do with your mouse, when you’re on the computer, on a website, is to click on a link – any links that you’re planning on clicking on. Hover over the link. Don’t click on it yet, like we clicked on the lock. But hover over the link. Hold your mouse there. And you’re going to reveal where that link is really sending you to. So, that may not be your actual bank account. Or it may not be the site you think you’re going to. Hovering helps reveal that. And hovering over the sender in an email also helps reveal information about who the true sender is. Use your mouse to hover to get that information for links and for senders in emails.

And you can do the same thing on a pad or a phone. You can’t hover because you don’t have a mouse but pressing and holding on those links will reveal the true site you’re going to be sent to. So, that predicts potential fraud, which you may not be going to the site that you think you’re actually going to.

Multi-Factor Authentication

And also, I would encourage you to use multi-factor authentication for all your important accounts. This would be for financial accounts. Encourage your clients to use that if you’re a wealth advisor or for any type of account where you have money or information at stake.

Multi-factor authentication is really an important way to keep those accounts safe. It requires you not only to log in with a password, but also a code that is sent to your mobile device. And that sends the criminal, who’s 1,000 miles away in another state or maybe 6,000 miles away in another country – they have your credentials to log in, but they can’t do it because they don’t have your phone. Using the pin code on a phone – multi-factor authentication – is a great way to keep your accounts safe. So I highly recommend that.

Passwords Tips – Passphrase

And then in terms of passwords, one of the biggest problems we have with computers is passwords. No one likes passwords. And it got very complicated when we had multiple accounts that require strong passwords and people fall back on, maybe, convenience of using the same password for multiple accounts. I highly recommend using strong passwords. But I’ll offer an alternative.

And that would be using passphrases. Passphrases are like a sentence or a phrase that you put together to form one long string, at least 12 characters long. And that makes it super strong, so you don’t need the complexity that’s associated with an uppercase, a lowercase, a number or a symbol. And since people don’t want to come up with multiple ones of those, they recycle them. And that’s not secure. So, you want to use a different password or a passphrase for every site. It becomes easy with passphrases because you can make them unique to that site.

I’ll just give you one example here. Amazon. Let’s say we’re going to set the passphrase for Amazon. What does Amazon have that’s unique? Well, it kind of started this free delivery in two days, one day, sometimes even same day, with Amazon Prime. They’re even moving towards something even more unique. It’s free delivery yesterday. Actually, get things before you think about ordering them. Yeah. So, this is why we need to come up with the unique passphrase for an account. So, that would be a passphrase for Amazon as an example. Free delivery yesterday. As long as it’s long enough – at least 12 characters – it’s super strong. And you make unique ones for each site that you have that way. So you’re much more protected against hacking and you’re more protected against what criminals use.

Another technique is credential stuffing. Right?  They’ll get a passphrase – well, password from one site and put it in another site. It may not even be your fault. But if it’s the same password, they get access to the second site. Passphrases prevent that from happening. Now, if you’re required to put in the upper/lowercase and complexity that some sites want, you could still have a passphrase.

Another example – and I’ll just close with this example. My Social Security account. I talked about setting that up earlier for clients. You set that up. What would be a good passphrase for Social Security? How about this one? Show me the money. That’s a good one for Social Security. That would be unique for that account. But the Social Security administration doesn’t accept that. They want upper and lowercase and numbers and symbols. So, how about making the “S” a capital, making the “O” a zero, put in a dollar sign at the end (Showmethem0ney$). So, you still have a passphrase, but you have those extra characters to meet their requirements. And there’s a good way to create a passphrase that’s unique for Social Security. Do that for all your accounts. You’ll be a lot safer.  And if you combine that with multi-factor authentication, you’ll keep those accounts really, really, locked down. So, I highly recommend that.

And one more thing I’ll just add here. If you still can’t remember all your passphrases, you may consider a passphrase manager. They’re also called password managers. There are lots of good ones out there. Keeper, DASHLANE, 1Password, LastPass. You can take a look at those and see what the costs are and how they meet your requirements. But they are considered to be fairly reliable and secure in managing the passphrases in our life.

So, I’m just going to leave it right there. Thank you for listening to the podcast. And if you need more information about this topic, please feel free to reach out to me on my website at thelanzagroup.com. Thank you very much for listening to my podcast.

Thank you, Jeff, for educating us on this very important topic of cybersecurity and fraud prevention.

This podcast was produced by The American College of Trust and Estate Counsel, ACTEC. Listeners, including professionals, should under no circumstances rely upon this information as a substitute for their own research or for obtaining specific legal or tax advice from their own counsel. The material in this podcast is for information purposes only and is not intended to and should not be treated as legal advice or tax advice. The views expressed are those of speakers as of the date noted and not necessarily those of ACTEC or any speaker’s employer or firm. The information, opinions, and recommendations presented in this Podcast are for general information only and any reliance on the information provided in this Podcast is done at your own risk. The entire contents and design of this Podcast, are the property of ACTEC, or used by ACTEC with permission, and are protected under U.S. and international copyright and trademark laws. Except as otherwise provided herein, users of this Podcast may save and use information contained in the Podcast only for personal or other non-commercial, educational purposes. No other use, including, without limitation, reproduction, retransmission or editing, of this Podcast may be made without the prior written permission of The American College of Trust and Estate Counsel.

If you have ideas for a future ACTEC Trust & Estate Talk topic, please contact us at ACTECpodcast@ACTEC.org.

© 2018 – 2024 The American College of Trust and Estate Counsel. All rights reserved.