Best Practices to Prevent and Deal with Cybersecurity Breaches
The frequency of fraud and cybercrime stories is numbing – a week doesn’t pass without a major institution announcing a client data breach.
We have also noticed an uptick in conversations about fraud affecting friends or family. Often, the stories are jarring in their creativity and invasiveness.
Securing and keeping a watchful eye on the accounts you entrust to us is our foremost duty. In light of increasing threats, we want to remind everyone to stay informed and vigilant.
We have assembled a checklist of best practices to prevent and deal with cybersecurity breaches.
Tips to Avoid a Breach
Create unique, strong passwords (and do not reuse them)
Passwords should be long and strong, a minimum of 15 characters. Hackers often use software to crack passwords, and longer passwords are more impenetrable.
For example, “P@$$W0rd!”, at 9 characters, is less secure even with its special characters than “TurquoisePilotCharacterBuilder”.
Do not include anything that can be found online about you in your passwords.
Never share passwords or second factor authentication codes.
Here is a story of a scam to reveal a second factor text message code. The victim’s phone appeared as if Wells Fargo was calling (this is called “spoofing”).
Do not reuse the same password across multiple accounts.
Consider using a password manager, such as Bitwarden, to store your passwords.
Browse safely online:
In your browser, make sure you see https:// before the www.example.com web address. http:// is not secure.
Be careful using email:
Do not open suspicious emails.
Never open attachments unless they are from a safe sender.
If you are suspicious, review the sender’s email address. Hackers may impersonate a familiar email by imperceptibly altering a letter. For example, instead of Gmail.com, GmaiI.com uses a capital “I” and not a lowercase “l”.
Beware of hyperlinks. If you hover with your cursor over links, you can see the destination website. You may discover that a safe-seeming link really sends you to a malicious site.
General advice: be suspicious of the unexpected
Be suspicious of unsolicited or unexpected emails, phone calls, and text messages, even from trusted institutions, that ask for money or to login to an account. Hang up and call the company back or close the email and log in as you normally do.
Hackers often use urgency to force you into acting rashly.
Never transmit sensitive information (including logging into sensitive accounts) on public Wi-Fi networks, such as at an airport or Starbucks.
Limit what you post on social media. Personal details can facilitate impersonation or can make a fraudster’s story more believable.
Add two-factor authentication to sensitive accounts. These are the text message or authentication codes you must input after you enter your username and password. Financial accounts, health records, email, and social media should have two-factor.
Add a second layer of protection with your phone carrier. For example, AT&T will let you add a code that will prevent someone from “SIM-swapping” you – someone calls the carrier, impersonates you, and steals your phone number.
Transactions that involve gift cards, debit cards, or cryptocurrencies are likely scams.
Schwab
Extra security at Schwab (we can help you set this up):
Set up security alerts to receive notifications when any activity occurs in your accounts: https://client.schwab.com/clientapps/access/securityCenter#/main/epass
Enroll in advanced authentication to add a second layer of account protection. You will be prompted to enter a security code along with your password any time you sign in: https://client.schwab.com/clientapps/access/securityCenter#/main/epass
Sign up for Voice ID to add a passphrase to your account. You can enroll by calling 800-435-4000 or by signing up here: https://www.schwab.com/public/schwab/nn/m/voice_biometric.html
If you have a breach:
Contact us if you notice any suspicious activity on your account.
Contact us if the email, phone, or bank account connected to your Schwab accounts has been breached.
Note: Schwab’s Security Guarantee covers losses due to unauthorized activity.
What to Do After You Notice Suspicious Activity
If you a bank or credit card account is compromised:
Immediately call the institution.
You are not responsible for damages from fraudulent credit card transactions, but you are obligated to inform the company of fraudulent activity.
Check your transactions frequently to spot more fraud.
If fraudulent activity continues, close the account and open a new one. Remember to update the billing details on any subscriptions (e.g. Netflix, Amazon Prime, etc.).
If your e-mail address is hacked:
Reset your password immediately.
Review your “sent” mail to see if any messages were sent. Let those recipients know your account was compromised.
Assume that any account tied to that email address has been compromised as well. Reset passwords on those accounts.
If suspicious activity persists, your computer may have malware (a virus) that is logging your activity (watching your screen, reading your keystrokes, etc.). Contact a tech professional to “wipe” the computer or buy a new one.
If your phone number is hijacked:
Contact your phone carrier immediately. An in-person visit with multiple forms of identification and a recent paper phone bill may remedy the situation more reliably than calling customer support.
Contact your financial institutions and let them know your phone number was compromised.
If your identity is stolen:
Opening fraudulent accounts in your name is a major breach of your identity.
To report identity theft, go to IdentityTheft.gov or call (877) 438-4338.
Use this guide from IdentityTheft.gov on steps to take immediately after discovering identity theft: https://www.identitytheft.gov/Steps
Resources to Learn More about Cybersecurity and Fraud Prevention:
https://www.consumerfinance.gov/consumer-tools/fraud/
https://www.freecreditreport.com/
https://www.schwab.com/schwabsafe
https://www.identitytheft.gov/
https://www.schwab.com/schwabsafe/fraud-and-security-video-library