The United States Department of Justice recently issued a Fraud Alert notifying the public to “be aware that criminals are attempting to exploit COVID-19 worldwide through a variety of scams.” Many of the fraud schemes the department referenced involve healthcare and stimulus payments. However, one of our primary custodians, Charles Schwab, has also reported an increase in fraud attempts related to banking or brokerage accounts. It is therefore more important than ever to remain vigilant and take extra precautions to keep your sensitive information secure.
GHP Investment Advisors and our custodians have a variety of safeguards in place to monitor and protect your accounts. However, fraudsters frequently obtain personal information directly from individuals. You can take simple steps to thwart scammers seeking to harvest your data.
Do Not Click Links in Phishing Emails.
Phishing emails may appear to be from a trusted source. They create a false sense of urgency to scare you into entering login credentials or clicking on a link. For example, the email may claim to be a notification of a fraudulent login attempt and ask for your credentials in order to validate your account. Never enter any secure information through an email link or click to open attachments. Instead, access your account via your browser using the website address you normally use.
Signs of fraudulent emails include (but are not limited to):
Spelling and grammatical errors
“From” or “Reply-To” addresses that you don’t recognize or that don’t match the company’s domain name
Emails from companies for which you do not have accounts
Avoid Fake Websites.
Fraudsters often set up websites mimicking authentic sites that you visit frequently. These websites look convincing, and the URLs may be close to the authentic address (for example, ghpia.com may be “spoofed” as gphia.com). They often contain links that may prompt you to enter usernames, passwords, or payment information. Once you enter them, the fraudster has your real credentials and can use them to access your account. To avoid being redirected to a fake website, you should access all websites directly by typing the URL address in your browser.
Establish Login Credentials Immediately.
Even if you prefer not to manage your account information online, by not setting up login credentials, you provide an opportunity for a fraudster to beat you to it. If you choose not to manage your account online, contact the provider to determine if you can disable online access.
Establish Two-Factor Authentication.
Many websites now use this security method, which requires a unique, one-time-only code (usually sent to your phone via text) along with your login credentials before granting access to your account. This extra layer of security makes it difficult for anyone to access your account even if they obtain your credentials. While it can be burdensome to add an extra step to logging on, experts agree that additional security steps can turn fraudsters’ attention away from your account to more easily accessible targets.
Use Longer Passphrases.
Technology has made it easier to crack the typical 8- to 10-character password. And scammers can crack commonly used passwords, such as pet names, children’s names, or even the word “password,” without the use of technology. A longer passphrase that includes punctuation, capitalization, and spaces adds complexity with the added benefit of being more easily remembered. “My favorite vacation spot is Disneyland!” used as a passphrase is easier to recall than “2Qa5aTFP!”, reducing the likelihood that you will write it down. The increased length, spaces, and punctuation also increase the complexity and may foil an algorithm trying to crack the passphrase.
Use Different Passphrases for Each Account.
People tend to use the same password for multiple accounts. Using the same password for your email, bank account, and gym membership may make your passwords easier to remember, but it also means that if someone hacks into your gym’s system and steals your username and password, you may have handed them the password to your bank account. The fraudster can take all the time they want testing various bank websites with your username and password from the gym, and if you use the same combination, they may access your account months or even years after the gym breach.
Keep Login Credentials Free of Personal Information.
Avoid using personal information, such as birthdays or Social Security numbers, when setting up usernames and passwords. A fraudster with access to pieces of your personal information has a better chance of accessing your accounts if the information is incorporated into your credentials.
Avoid Common Passwords.
According to the National Cyber Security Centre (a U.K.-based organization) the 20 most commonly used passwords of 2019 were:
If any of your account passwords is listed above, please change it today.
Charles Schwab and Fidelity Investments, the custodians of your investment accounts with GHPIA, send out real-time email alerts to notify you of any activity or changes made to your account. While most alerts result from day-to-day business, it is important to review these alerts to capture any unauthorized activity on your accounts. If you receive an alert notifying you of a change or money movement transaction you did not authorize, please contact our Client Relations team as soon as possible.
Regularly Update Your Security.
Be sure that all your mobile apps and web browsers are updated to the most recent versions. You should also run regular virus scans in order to detect any potential malware you may have installed unknowingly.
Avoid Public Wi-Fi.
Public internet connections are unsecured and have become another tool fraudsters use to try to obtain your information. Be sure you are connected to a private, secure Wi-Fi connection before accessing any sensitive accounts online.
If you believe you’ve received an email from a fraudster posing as a custodian of your accounts (such as Charles Schwab), please contact GHPIA immediately.
For more tips on how to combat identity theft and data breaches, read our July 2019 post here.
As always, please do not hesitate to reach out to us with questions.