The following is a true story about a client I had who was almost the victim of a very clever fraud. Please read this and forward it on to anybody you think might be at risk.
My client was alerted to the fact she had a problem by a call from her financial adviser, telling her that "the check was ready and would be mailed that afternoon". What check? Well, the one for $85,000.00 to the contractor for home repairs. The financial adviser had received an email from my client's real email address, addressed specifically to her, instructing her to send a check to a name and address to finance a remodeling project. The only problem is, of course, my client hadn't authorized any such thing.
The first thing I did was review my client's email history. Fortunately she uses Gmail, which has a very nice feature - the ability to check where the ten most recent logins to the account have occurred, and what devices are currently connected. I checked her account activity and saw that "she" was connected in three locations - Massachusetts (her home), New Jersey, and Malaysia.
A quick scan made it clear to me that my client didn't have a virus infection on her computer. instead, her email credentials had most likely been stolen during a trip the previous week, when she used the public WiFi in her hotel to check her email. The criminals were very smart - they read though her emails to identify her financial adviser, used her account to send an email to the exact right person, and asked for a "reasonable" amount for a legitimate sounding purpose. They almost got away with it - their approach is very scary.
Almost immediately after helping her, I started writing this email, to try to keep any of you from being in the same situation. Here are my recommendations to all of you.
Don't Trust Public Wifi
Public WiFi includes the wireless connections in your hotel room, at Starbucks or Panera Bread, at the airport - really any place that is not your home. For a number of reasons it is inherently insecure. You can certainly use those connections to surf the web, check the news, or watch a video. But don't use them to log into your email, your financial institutions, or any other site that you wouldn't want hacked.
So how do you check your email or your finances on the road? The easiest and safest thing to do is to use your phone's data connection, which uses a totally different type of network. If you are more comfortable using your computer, see if you can set your phone up as a wireless hotspot, which provides your own private WiFi network, using your phone's data plan. Remember, it's not the phone itself that's safe - it's using the phone's data. If your phone is connected to a public WiFi network it's just as vulnerable as your computer.
Enable Two-Factor Authentication
I have written about this in the past, but I will bring it up again. If your email provider offers it this is the best defense you have against your account being misused.
Two-Factor Authentication means that, each time someone connects to your email account from a new device, they must provide TWO means of proving they are you. Typically those two means are 1. Your password, and 2. A code either texted to your cell phone or given to you via an automated phone call.
At this point the only email providers I know of which offer this are Gmail, Yahoo Mail, and Microsoft Mail (Hotmail and Outlook.com). And I'm not going to sugarcoat this - it's a pain in the neck to use, as many devices and programs aren't designed to enter a code, so they must use a workaround. However, if my client had had this enabled on her Gmail account the criminals could never have logged into her email to begin with, even after stealing her password.
I feel strongly enough about this level of protection to advise people who don't have accounts that offer it to create a Gmail or Outlook.com account specifically for financial communications, and let your financial advisers know that is the only account you will communicate with. If you need any help with this, please give me a call and we can set it up - it's worth it for the peace of mind, especially if you are a frequent traveler!
Set up transaction alerts for your financial accounts
Most banks and financial institutions offer this feature, but you have to set it up. Log into your accounts and look for account options. You should find a section where you can request either daily email or text transaction alerts, or alerts for any transaction over a certain dollar amount. I check my financial accounts daily but also use alerts to let me know if there is any unusual activity.
Don't Rely on Luck - Be Proactive!
My client was very lucky that her financial adviser chose to call her before mailing out the check. We changed her Gmail password, which disconnected the criminals from her account, and set up two factor authentication. We checked her other financial accounts, changed all of those passwords as well, and initiated a system of alerts. All of this took a little over an hour to accomplish, and gave her great peace of mind as she headed off overseas. If you are concerned that you may be at risk, please call me and we can put the same types of safeguards in place for you.
