By Steve Jacobs
On the web, there are countless bad actors trying to take advantage of you, whether you’re an IT geek or a complete computer newbie. How in the world do you protect yourself against this constant onslaught?
There are many steps you can take to shore up your defenses, both big and small. We’ll cover a few of the essential needs now.
Raise your hand if you’ve got at least one password you use on more than one important website – something like your bank or mortgage, not your Netflix login. Many of us find it hard to keep track of all the many passwords we have and simplify by reusing passwords containing what we think of as obscure phrases.
We’re here to tell you those phrases aren’t so obscure. And obscurity doesn’t do you much good once the password has been figured out, anyway.
You could help by adding layers of complexity to the password: numbers, symbols, alternating capitalization, spaces. You always want to ensure your passwords are strong, secure and unique, as this makes them much harder to guess.
But as you may have guessed, this involves remembering some very long codes.
“If you don’t want to remember unique passwords, join the club. We’re all in that boat,” says Mike Slaugh, executive director of fraud prevention at USAA.
There are two decidedly easier ways to make sure your accounts are secure.
First, if you haven’t signed up for multifactor authentication (MFA) on all of your most important websites, do that ASAP. Essentially, any time you log in to those sites, it will trigger a second method of proof that it’s you logging on – whether that’s a security key, a push notification on your cell phone or a call.
According to Slaugh, “It’s the most effective thing you can do to protect your accounts.” He calls it the “eating your broccoli” of cybersecurity: “Yes, it requires a little extra work at login, but it’s worth it when compared against the efforts you’d have to undertake to recover from an identity theft scenario.”
Thankfully, the industry is rapidly moving toward solutions that are both secure and easy to use, so in the future you may not have to put in the extra effort to “eat your broccoli.”
Second, you can sign up for a password manager. These tools auto-generate a complex password for every site you use. This combines the security of unique strong passwords with the convenience of never having to remember them all.
All you’ll need to do is remember the master password to log in, something you should never reuse or keep online. And this isn’t even always true, since many of these password managers have apps, so you can use your phone’s biometric tools to serve as a master password as well.
Whatever you do, don’t wait until you hear about another breach to change your passwords. Go do it now and seriously consider using some of the tools mentioned above.
At this point, you know the telephone number with the strangely robotic voice at the other end isn’t really from the IRS or the person at the other end of that email isn’t really an overseas prince. But scammers have gotten much more sophisticated over the years.
You’ve probably heard of the ways they do this. Over email, it’s typically called “phishing,” and it involves sending an email that looks official and tricks you into sending information you wouldn’t otherwise send over email.
Phone scams run the same way. Scammers will call posing as someone else and ask you for sensitive information to get into your accounts. Or they will generate PINs to bypass multifactor authentication, then call you and ask for the PINs that were just sent your way. Without any way of verifying who’s called, many people blindly do as told.
Unfortunately, as in the case above, scammers prey on our negligence or naivete. Slaugh says it’s much more likely that “an unsuspecting consumer might get duped into participating in fraudulent activities while the fraudster keeps their hands completely clean.”
For instance, if someone calls you pretending to be your employer or a police officer who arrested your child, they might be able to get you to do things the scammer would typically have to dig for themselves — like willingly give up confidential information. When this happens, the fraudster’s hands are technically clean, as they use the defense, “How can I be at fault if the information was sent to me?”
There are red flags, of course. If you’re madly in love with someone who can’t meet in person and they ask you for money, that’s a red flag. If you get hired to work from home and it involves sending money to and from unknown people, that’s a red flag. If someone calls and says they’re from your bank and want to talk about fraudulent charges and then asks you to confirm your identity, that’s a big red flag.
In general? “Don’t trust anybody,” says Slaugh. He’s kidding, but it contains a nugget of truth: Unless you can verify someone’s identity, don’t trust them with sensitive information.
USAA, as well as most banks and financial institutions, will never call you and ask for authentication information; quite the opposite, actually. The institution will call and authenticate themselves to you, either with your member number or some other piece of information only they would know.
If anyone ever calls and asks for PINs, passwords, one-time codes or anything like that, hang up and call the institution immediately. If it was actually them on the call, they’ll be able to help you and you know you’ve reached the right number. If it wasn’t them and was actually a scammer? You’ve beaten them at their own game, at least this time.
Most people have seen their credit reports at some point. If you have, you’re aware of how complex they are and how far back they go. Keeping an eye on this is another key step in staying secure online, albeit typically more of a reactive step than a proactive one.
“If you’re diligent in monitoring transactions on your credit reports, you’re more likely to detect signs of compromise and act earlier,” Slaugh says. This is important, since it’s much more difficult to clean up credit with accounts that are years old versus those that are recently established.
You start to establish your identity and your credit when you establish your identifying documents – such as a Social Security card or birth certificate. That gives fraudsters plenty of time to mess with your accounts if you don’t keep an eye on them.
Along those lines, something people don’t usually think about is monitoring their children’s credit reports.
“Fraudsters create synthetic identities – these can be a made-up identity, but they often pick an existing Social Security number or randomly generate one and add different birthdays, etc.,” Slaugh says. “If that happens to match your child’s, it becomes a part of the fake identity.”
Since the first identity established within the credit bureaus is considered the true identity, you don’t want to be second to the game when it comes to your kids’ info. Otherwise, you have to prove you own the identity, which is an onerous process.
Why does this happen? These bad actors know kids don’t check their credit reports, so they have longer to work with this fake identity before being caught. And unfortunately, these bad actors are often someone the kids know, who gets the identifying documents from the home. It may seem obvious, but make sure any identifying documents are locked up or removed from your house.
There’s a relatively easy way to protect against this: freeze your kids’ accounts. After all, it’s not like they’re going out and getting car loans or applying for credit cards. Once you’ve done this, the credit bureaus won’t allow any lines of credit to be opened under that identity.
There’s no hard and fast timeline here, according to Slaugh: “You can freeze it when they’re very young and then unfreeze once they’re going out to start their own credit history.”
For additional help defending yourself against cybercrime, visit USAA’s Security Center.