Prior to the pandemic, the risks of cyber fraud and identity theft were already a significant worry for many. As life retreated indoors during the quarantine and subsequent slow reopening, most shifted even more of their purchasing activity to online platforms. As a result, U.S. consumers are now grappling with record amounts of cyber fraud.
According to CNBC, identity fraud affected approximately 49 million Americans in 2020, to the tune of $56 billion in losses. Perhaps most alarming, “only” $13 billion of that was tied to traditional cyber fraud aimed at large databases, where information is stolen in a data breach, and then used for criminal gains. The majority of the losses ($43 billion) came from instances where the criminals directly targeted individual victims, via email phishing scams or robocalls to cell phones.
We’ve seen instances of this in our practice recently, via sophisticated email spoofing scams. We have received emails that appear to come from our client’s verified email address and that often reference a prior email conversation. The message will present the typical sob story of a need for a wire to a third party to help a cousin in need or to buy a piece of art they “just have to have.” What is particularly alarming is that these are not like the old “Nigerian prince” or “Russian uncle” email phishing scams of years past, where a grammatically suspect template was clearly sent out to thousands, hoping for a bite.
In these cases, there is a real person responding in real time. We have a company policy to confirm any wires out of a client’s account via phone. When we reply that we’ll give them a call to confirm, we have gotten responses back from the “client” saying that they’ve lost their phone, and please call this other number, or some other misdirection.
Of course, our radar went up long before we got to this point. We spend years, decades even, developing relationships with our clients and understanding their lives. Typically, even in a sophisticated attempt, there are small clues that seem out of character or raise a red flag.
We regularly devote time and training to staying up to date on the latest advancements in cyber fraud and identity theft. We’ve developed internal procedures with layers of review and verification to help prevent these attempts from succeeding. But technology advances rapidly. The fact that these attempts have become this sophisticated and interactive is alarming.
In our client newsletter last month, my colleague Chaunté Stallworth detailed some best practices that will help keep your personal information secure.
One of the easiest things to implement is suspicion about any links sent to you via email or text. While the link address may look legit, these addresses can easily be mimicked. Fortunately, you can preview the true destination of any link by hovering your mouse over the link (on a computer) or pressing and holding your finger on the link (on a phone or tablet). It is a good idea to preview any link, even one sent from friends and family, before opening.
In a similar vein, any request to call or email back and verify your identity should be treated with a healthy amount of skepticism. Never call back the number provided, or respond to the email. Instead, independently verify the phone number of the company and call them directly. If there truly is an issue to be resolved, they will have it in their records and will be able to route you to the appropriate department.
It takes a more concerted effort to be vigilant about login and password security. Passwords should be regularly changed and should be formatted to make them difficult for hacking programs to crack with simple “brute force.”
The first line of defense is the length and composition of your password. According to a 2019 Scientific American article, a 6-character password consisting entirely of lowercase letters would contain 308 million possible passwords. Current computing power can run through all 308 million possibilities in under an hour. By contrast, a 12-character password, which also includes upper case letters, numbers and symbols, contains 62 trillion times as many possible passwords. Even with current computing power it would take thousands of years to try every possible password.
However, even these longer passwords are usually not chosen at random. Hackers have developed tools to target common iterations like “Letmein!” or “1P@ssword1.” It is nearly impossible for anyone to maintain and memorize 12-character random passwords for each individual website they visit. In our practice we use a password manager to do this for us, though even this is not foolproof. Still, an encrypted password manager generating random, complex passwords is almost certainly safer than any system you or I can cobble together on our own.
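The numbers in the two paragraphs above can be reproduced in a few lines. This is an added example, not part of the original newsletter or the Scientific American article: it assumes a 72-symbol alphabet (26 lowercase, 26 uppercase, 10 digits, 10 symbols), which is the size that yields the “62 trillion times” ratio, and a guess rate inferred from “308 million in under an hour.” The short list of common base words is constructed for illustration.

```python
import string

# Assumption: 72 symbols (26 lower + 26 upper + 10 digits + 10 symbols),
# the alphabet size that reproduces the "62 trillion times" ratio.
FULL_ALPHABET = 72
# Constructed sample list; a real check would use a large breached-password list.
COMMON_BASES = {"letmein", "password", "qwerty", "welcome"}
# Common character swaps that guessing tools undo automatically.
LEET = str.maketrans({"@": "a", "0": "o", "1": "l", "3": "e", "$": "s", "!": "i"})


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of possible passwords of this length over this alphabet."""
    return alphabet_size ** length


# Assumption: the slowest rate consistent with "308 million in under an hour".
IMPLIED_RATE = keyspace(26, 6) / 3600  # guesses per second


def years_to_exhaust(space: int, guesses_per_second: float) -> float:
    """Years needed to try every password in the space at the given rate."""
    return space / guesses_per_second / (365.25 * 24 * 3600)


def is_predictable(password: str) -> bool:
    """True if the password is a common word with padding or character swaps."""
    core = password.lower().strip(string.digits + "!?.#*")
    return core in COMMON_BASES or core.translate(LEET) in COMMON_BASES


if __name__ == "__main__":
    short, long_ = keyspace(26, 6), keyspace(FULL_ALPHABET, 12)
    print(f"6 lowercase letters: {short:,} possibilities")
    print(f"12 mixed characters: {long_ // short:,} times as many")
    print(f"Years to try them all: {years_to_exhaust(long_, IMPLIED_RATE):,.0f}")
    for pw in ("Letmein!", "1P@ssword1", "k7#Vq2!mZp9x"):  # constructed samples
        print(pw, "-> predictable" if is_predictable(pw) else "-> not in common list")
```

Both “Letmein!” and “1P@ssword1” mix cases, digits and symbols, yet each reduces to a word on the common list, so the keyspace figure only applies to passwords that are truly random.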
The ever-changing landscape of cybercrime and information security will be a challenge we deal with from now on, with so much of our lives online. On December 2nd AFM is hosting a virtual presentation with former FBI agent Jeff Lanza, who will speak in detail about identity theft and cybercrime. We’ll send an invitation out in the coming weeks, and we welcome any friends or family members that you think would benefit from the presentation.