“You need to be educated that there are individuals out there that are going after very vulnerable targets,” Winterberg told a roomful of advisors at the TD Ameritrade National Conference Wednesday. “If I’m an attacker, I’m going to devise some mechanism to trick you to divulge information.”
Winterberg offered the following steps, ranging from longstanding basic measures to newer ones.
1. Do not email sensitive information in the body of an email.
If you send attachments with password protection, keep those passwords long and difficult to decode.
Better yet, Winterberg suggested transferring files through a vault service such as ShareFile, SpiderOak, SecureDrawer or Wuala. Winterberg said he prefers ShareFile because the service is optimized for the financial planning profession and FINRA compliance.
2. Remember: Many phishing attacks, which send a seemingly legitimate email to collect information, involve a sense of urgency.
A client emails from London to say she has lost her passport and needs money wired to an account. Another client claims he just purchased a Lexus but wrote a check on the wrong account and needs money wired to cover the purchase. To make sure you are really communicating with a client, take the obvious precautions, Winterberg says: Call them back directly, using the phone number already on file rather than one supplied in the email, or text them back. When you reach them, ask them to answer pre-determined security questions.
3. When setting security questions, make the answers opaque.
Winterberg says, to the question, “What was your first car,” the answer might be “taupe,” referring to the color of the car and not the make.
4. Beware of cold calls
Cold calls are a form of “social engineering” by hackers in which imposters try to change your perception to gain access, Winterberg said.
For example, a hacker will call a planning firm posing as someone from Microsoft tech support. The hacker will ask the planner to open a file on his computer that shows a series of error messages. Feigning concern at hearing this, the interloper will then instruct the planner to download a new file onto his computer that purports to address the problem. Instead, Winterberg says, it contains malware. And now the hacker has full access to your system. Rather than act on such a cold call, hang up and call Microsoft's main support line yourself to verify that the issue is a legitimate one.
5. Random hacker techniques are designed to exploit everyday human curiosity.
Hackers have been known to leave hundreds of thumb drives in parking lots with something compelling written on them, such as the name of a celebrity combined with, for example, “taxes 2012.”
The gambit is that some percentage of people who find those drives will go ahead and plug them in and, in so doing, hand the hackers access to their computers and accounts. “Wouldn’t you love to see Kid Rock’s 2012 tax return?” Winterberg asked.
Winterberg cautioned advisors to be suspicious of every foreign USB drive.
6. Protect Your Devices
To protect yourself and your firm in case a device such as an iPad goes missing, learn how to wipe the content from it remotely.
Planning firms need to hire a technology expert to stress-test their hardware and software systems for leaks, Winterberg said. Leaks are weak points that a hacker could exploit to get in.
“When you find [leaks], please document them for compliance,” he said. “If you are documenting this for compliance purposes, I think you are in pretty good shape.”
7. Padlock Your WiFi
For your WiFi, use a high level of encryption and, if nobody will be using it over the weekend, shut it off. “Why give someone all day on a Saturday to leisurely try to break in?” Winterberg asked.