predators vs prey - h4fs.com€¦ · hackers, crackers and scammers on the wild, wild web predators...
TRANSCRIPT
PROTECTING YOURSELF FROM
HACKERS, CRACKERS AND
SCAMMERS ON THE WILD, WILD WEB
PREDATORS VS PREY
▪ Independent Registered Investment Advisor (RIA)
▪ Our clients: individuals and families who are looking for comprehensive
financial planning
▪ Fiduciary providing unbiased advice that has only our clients’ best interests in
mind; we do not work for a big company or bank – we work for our clients
▪ Our Financial Advisors have earned a variety of professional designations and
certifications including one of the highest standards in the industry, the
Certified Financial Planner®
▪ Over 80 years of combined financial planning experience and 30 years of
pension/DROP expertise
ABOUT HUGHES FINANCIAL SERVICES
INVESTMENTS
RETIREMENT
PLANNINGTAX
PLANNING
PROTECTION
ESTATE
PLANNING
5 KEY AREAS OF FINANCIAL PLANNING
HFS
All examples provided are hypothetical and meant for illustrative purposes only
▪ Identity Theft
▪ Cybersecurity and Your Brain
▪ Cybercrimes
▪ Strategies to Prevent & Protect Your Information
▪ Q & A
TODAY’S TOPICS
"I always tell people
what I did 50 years
ago as a teenager is
now 4,000 times
easier to do today
than when I did it.
Technology breeds
crime - it always has
and always will.”
FRANK ABAGNALE, JR.
FRAUD CONTINUES THREE-YEAR RISE
▪ Credit Card
▪ Internet Fraud/Data Breaches
▪ Mail Theft/Dumpster Diving
▪ Financial Identity
▪ Medical Identity
▪ Driver’s License/Passport/Social
Security Number Identity
▪ Child/Minor Identity Theft
▪ Taxpayer Identity Theft
▪ Senior/Elder Identity Theft
IDENTITY THEFT TYPES▪ Employment Identity Theft
▪ Estate Identity Theft
▪ Criminal Identity Theft
▪ Business Identity Theft
▪ Synthetic Identity Theft
ON THE RISE
▪ 3M reports to FTC in 2018
▪ 38% increase from 2017
▪ $1.48B total fraud losses
123,167 reports in Q1/2019
444,602 reports in
2018
Government Documents/Benefits
Credit Card
Phone/Utilities
Bank
Employment
Loan
Other
0% 5% 10% 15% 20% 25% 30% 35%
IDENTITY THEFT RATES 2018Other: 22.7%
Loan: 9.6%
Employment: 12.5%
Bank: 9.7%
Utilities: 11.8%
Credit card: 29.2%
Gov. Benefits: 4.6%
15% of
complaints to
FTC’s Consumer
Sentinel Network
in 2018 were
identity theft
related
IDENTITY THEFTWhat are the fastest growing types of fraud?
Account Takeover (ATO) Social Security Scam Synthetic Identity
IDENTITY THEFT: ACCOUNT TAKEOVER (ATO)When a criminal accesses a consumer’s online account, using his own
information to make himself another user on the account, lock out the
true owner and engage in malicious behavior
Starts with any
scrap of your
personal data
Connect account
info on dark web
with personal data+
▪ True owner
locked out of
account
▪ Security
questions and
passwords
changed
▪ Communications
rerouted
▪ Groups info with
other ATOs and
sells on black
market
▪ Scammers spoof caller ID to look like a call from SSA
▪ Asked to confirm SSN and/or told to withdraw money from
bank account under threat of freezing the bank account
▪ Told to use money to buy gift cards and call
scammer back with gift card and PIN number
or other unusual ways of “safekeeping”
▪ Impacts both land line and cell numbers
plus texting
“This call is regarding your Social Security number. We found
some fraudulent activities under your name. For more
information, just give us call back on +1 (516) 259-6468.
Thank you.”
IDENTITY THEFT: SOCIAL SECURITY SCAMA warning call or text from “Social Security Administration” that your SSN
and/or benefits have been suspended because of suspicious activity
▪ Scammers spoof caller ID to look like a call from SSA
▪ Asked to confirm SSN and/or told to withdraw money from
bank account under threat of freezing the bank account
▪ Told to use money to buy gift cards and call
scammer back with gift card and PIN number
or other unusual ways of “safekeeping”
▪ Impacts both land line and cell numbers
plus texting
IDENTITY THEFT: SOCIAL SECURITY SCAMA warning call or text from “Social Security Administration” that your SSN
and/or benefits have been suspended because of suspicious activity
IRS Scam Vs. Social Security Administration Scam
IDENTITY THEFT
SSA scam reports
surpassed the
dollars reported
lost in the peak
year of the IRS
scam
76,000
reports in
2018
IDENTITY THEFT: SYNTHETIC IDENTITY THEFTFabricated credentials where the combination of identifying information
are not associated with each other in reality
$355M outstanding credit
card balances for people
who DON’T EXIST
Most at risk: children born
on or after June 25, 2011
SSN123-45-6789
NameJohn Doe
DOB01-02-1980
Address100 N. 1st St.
Phone #555-555-5555
IDENTITY THEFT: SYNTHETIC IDENTITY THEFT80-85% of all identity fraud stems from Synthetic Identity Theft (SIT)
▪ Major Key: Social Security Number
▪ Synthetic identity becomes a subfile of YOUR main credit file
▪ SIT used to commit criminal, medical, financial fraud
▪ Apply for loans, lines of credit, jobs, get medical services, obtain cellphone services,
use information if arrested
▪ Currently: banks, credit card companies and credit bureaus use advanced analytics,
device intelligence and monitoring of underground websites to fight SIT
▪ Congress passed legislation to make it easier for creditors to verify ownership of a
SSN with the SSA to help verify a credit applicant really exists
IDENTITY THEFT: BIGGEST TARGETS
Minors (0-18 Years)
▪ 18 year “void” for credit checks
▪ Big users of social media and sharers
of PINs and passwords with friends
▪ 60% victimized by someone they know
Seniors (Age 60+)
▪ Largest FTC complaint demographic
▪ Prime target; own half of all financial
assets in U.S.
▪ Unlikely to open new lines of credit
Minors
▪ Losing $2.6B annually
▪ Predicted 25% of Americans will be
impacted before age 18
▪ Average age of occurrence: 12
Seniors
▪ Losing $3B annually
▪ Predicted 1 in 10 Americans age 65 and
older will be impacted
▪ 2017: 4 in 10 FTC complaints came
from people age 50 and older
IDENTITY THEFT: BIGGEST TARGETS
IDENTITY THEFTCompounded risks of ID theft vulnerability
“A financial planner can provide you
with the tools to help you get
organized.”
| Scott Hughes, CFP®, MBA
Kiplinger’s Personal Finance (Nov ’17)
Providing financial help to aging relatives can be a helpful strategy
IDENTITY THEFT
IDENTITY THEFTHow to minimize your risk to these types of fraud
Account Takeover (ATO)
▪ Protect every piece of your Personal Identifying
Information (PII)
▪ Have unique passwords for each account
▪ Change passwords frequently
▪ Limit public access to personal info on social media
▪ Balance bank and credit accounts regularly; report
any discrepancies
▪ Use a password manager
IDENTITY THEFT
Social Security Scam
How to minimize your risk to these types of fraud
▪ Recognize the warning signs: unsolicited phone calls
from SSA; asks for SSN or confirmation of; threatens
consequences for not complying with their request(s)
▪ Hang up and don’t ever call a number left on voicemail
or in email/text from the “SSA”
▪ Be skeptical of “too official” sounding government titles
▪ SSA will never contact you by email; don’t reply back
with personal information included
▪ Set up a My Social Security account online and check
monthly for irregularities
IDENTITY THEFT
Synthetic Identity
How to minimize your risk to these types of fraud
▪ Shred credit card offers that come in the mail
▪ Freeze your credit now
▪ Freeze your child’s credit now
▪ Keep your child's personal identifying
information hidden; often, ID thief may be
someone you know
Red flags that your child may be an ID
theft victim: credit card offers in the mail
or receiving collection calls in their name;
check their credit status ASAP
Monitor credit score and credit reports
FIGHTING IDENTITY THEFT
▪ Monitor annually for free
▪ Order a different credit
report every four months
▪ Annualcreditreport.com
▪ Look for fraudulent
accounts and errors and
correct ASAP
Freeze and Restrict
FIGHTING IDENTITY THEFT
▪ REQUEST FREEZE: contact three major credit reporting
agencies
▪ NO FEE TO FREEZE: as of September 2018
▪ MINORS: Parents/guardians may freeze accounts for children
under age 16 for free
▪ ONLINE/PHONE: 1 business day to freeze, 1 hour to unfreeze
▪ MAIL: will take 3 business days; and need to contact all credit
agencies to unfreeze
▪ FREEZE OR LOCK: Freeze BETTER than credit lock because
consumer protection is better and placing a freeze is free
▪ WHAT’S NEXT: Provided PIN and/or password; will need this
information to unfreeze accounts
HFS Client Portal Aggregates ALL of your transactions
Monitor ALL Bank and Credit Card Activity
HOW TO FIGHT IDENTITY THEFT
CYBERSECURITY AND YOUR BRAIN
“Assessing and reacting to risk is
one of the most important things a
living creature has to deal with.”
| Bruce SchneierBerkman Center for Internet and Society, Harvard University
CYBERSECURITY AND YOUR BRAINWhat does clicking have to do with it?
▪ Technology’s first dopamine delivery service: the TV remote (1950)
▪ Dopamine is:
▪ Critical to brain function
▪ Causes us to want, desire,
seek out, search
▪ Makes us curious about ideas
and fuels our search for info
CYBERSECURITY AND YOUR BRAIN
“… dopamine can lead us to irrational wants, excessive wants we’d
be better off without.
So we find ourselves letting one Google
search lead to another … as long as you sit
there, the consumption renews the appetite.”
| Kent BerridgeProfessor of Psychology, University of Michigan
What does clicking have to do with it?
CYBERSECURITY AND YOUR BRAINMore devices, more clicking, more points of entry for cybercriminals
▪ 1970: Zero
▪ 1993: 2M devices
▪ 2013: 1.15B devices
▪ 2020: 50B devices
CYBER CRIMINALSWho are they and what’s their deal?
HACKTIVISTS
▪ Use of technology to promote a political
agenda or promote social change
▪ Term coined in 1994
▪ Often decentralized and not organized
CYBER CRIMINALSWho are they and what’s their deal?
STATE-SPONSORED HACKERS
▪ Government-funded and guided attacks
that include operations of cyber
espionage/warfare to intellectual
property theft
▪ Largest bankroll, hires the best and
fastest talent to create most advanced,
nefarious and stealthy threats
▪ First state-sponsored episode during
Cold War in 1986
CYBER CRIMINALSWho are they and what’s their deal?
ORGANIZED CRIMINALS
▪ Real world opportunistic thieves that
range from lone bad actors, small
groups of petty criminals to larger crime
organizations, sometimes financed and
guided by traditional criminal groups
▪ Money is only motivation
▪ Cybercrime is their industry; seen by law
enforcement as “businessmen”
Fastest Cyber Criminals Globally
RUSSIA18 min
NORTH KOREA2 hrs 20 min
CHINA4 hrs
IRAN5 hrs
Time it took to compromise a
network
CYBER CRIMINALSChanging Attacker Profiles
Biggest DATA
BREACHES of the
21st century
2018
Marriott 500M
2017
Equifax 143M
2016
Adult Friend Finder 412.2M
2015
Anthem 78.8M
2014
eBay 145M
2013
Yahoo 3B
I am not Equifax, Target, Yahoo, Marriott,
Twitter or Facebook. Why would anyone take
the time and care about stealing my data?
“”
Cybercrime is
a lucrative,
changing, and
scary
landscape Crime ecosystem is distributed, cheap,
beginner-friendly. We no longer see
large cybercrime organizations
designing and carrying out attacks
from beginning to end.
DIRECT
Get Money
▪ Drain bank account
▪ Ransom users
▪ Credit card purchases
▪ Social scam/fraud
INDIRECT
Sell in Ecosystem
▪ Exploit kits
▪ Spambots
▪ Infections as a service
▪ Carding forums
▪ Fraud as a service
HOW CYBERCRIMINALS MAKE MONEY
Typical Ransom $300
Criminal Investment
$140 for 2,000
infections
2.9% Payout Rate** 58 ransoms
Gross Revenue $17,400
Net Revenue $15,520
Profit Margin 11,086%
Cost of Spamming*
Per 10k
contacts
E-Mail US $1-3
Text Message (SMS) US $40-100
Cost of Malware
Installation*
Avg. per 1k
Installations US $70
Avg. per Installation US $0.07
CYBERCRIMEA small investment to make a HUGE profit
Battle Ground Cinema
$81,000 stolen
Delray Beach Public Library
$160,000 stolen
Brookeland Fresh Water Supply District
$35,000 stolen
Spring Hill Independent School District
$30,687 stolen
Crystal Lake Elem. School District 47
$350,000 stolen
DKG Enterprises
$100,000 stolen
Downeast Energy & Building Supply
$150,000 stolen
Little & King LLC
$164,000 stolen
SMB BREACHESBig impact on small businesses and organizations
CYBERSECURITYRansomware Attacks (RWA) in 2019
▪ Shift in targets: businesses, government agencies and non-profit organizations are
preferred victims over individual consumers
▪ Ransomware Attacks are FBI’s top cybercriminal threat
▪ Since 2016, there are more than 4,000 RWA daily or 1.5M a year
EVENTS FROM 2018
Taiwan Semiconductor
Manufacturing Company
Virus spread to 10,000
machines and temporarily
shut down factories
Damage: $255M
City of Atlanta
Attack on city’s
infrastructure and essential
municipal functions; ransom
for $51k (unpaid)
Damage: $22M
Jackson County, GA
Access to government
agencies’ data frozen;
ransom paid
Damage: $400k
How Do Hackers Do It?
Manipulating innocent people into
divulging confidential or personal
information to be used for fraudulent
purposes, by creating trust and
appealing to apparent or insinuated
authority and a sense of urgency
SOCIAL ENGINEERINGMost powerful method cybercriminals
perpetrate against victims
Is the sender’s email address
from a suspicious domain (like
microsoft-support.com)?
Is the email message a
reply to something I never
sent or requested?
Did I receive an email that I normally would
get during regular business hours, but it was
sent at an unusual time like 2 am?
EMAIL PHISHING RED FLAGS
Is the sender asking me to
click on a link or open an
attachment to avoid a
negative consequence, or to
gain something of value?
Is there urgency for action to
be taken?
Is the email out of the
ordinary, or does it have bad
grammar or spelling errors?
EMAIL PHISHING RED FLAGS
Hover mouse over hyperlink that’s
displayed in the email message, but
the link to address is for a different
website (This is a big red flag)
The hyperlink that is a misspelling of
a known web site. For instance,
www.bankofarnerica.com - the “m” is
really two characters – “r” & “n”
EMAIL PHISHING RED FLAGS
▪ Collect information and access your accounts
▪ Capture keystrokes (including passwords)
▪ Send itself to your list of contacts
▪ Sell or rent other’s ability to infect your computer
▪ Control web cam
TACTIC
91% of successful
data breaches
started with a
phishing email
EMAIL PHISHING ATTACKSWhat can a hacker do once they’re in?
1.Bad actor runs fake ad on legitimate website like Yahoo, AOL,
New York Times using real life advertising images
2.User visits website and clicks on the
malvertising ad (or pop-up)
3. User is redirected to the bad actor’s site
4.Malware is downloaded and installed on the
user’s device and user becomes a victim
TACTIC
Fake
advertising on
legitimate
websites
92% malware still delivered by email
MALVERTISING/MALWARE
1. Infect machine malware via
▪ Malvertising
▪ Free software
▪ Fake software updates
2. Phone home to Command
and Control server to get
encryption key
3. Encrypt machine data
▪ May take hours to
days to fully encrypt
▪ Makes finding a clean
restore difficult
4. Ransom user
Establish deadline and
threaten permanent data
loss
TACTIC
Ransom user for
encrypted data
$25M
Paid by U.S.
victims since
2015
Growth industry
for criminals
Ransomware
TACTIC
Set-up fake free
Wi-Fi hotspot at
public places to
collect victim
information
Coffee shop’s
free wi-fi InternetYour device
► Use devices small enough to fit in a backpack
► Read/collect information transmitted from/to a victim’s device
► Passwords, emails, credit card and bank information
FIVE STAR TIP
Free Public Wi-Fi
Don’t use public Wi-
Fi to shop online, log
into to your bank
accounts, or access
other sensitive sites -
EVER!
Solicits personal information through scare tactics
▪ Warns of credit card fraud, instructs victim to provide account
details to prove identity
▪ IRS “agent” claims you are overdue on taxes and will be arrested
in minutes if you don’t deposit money
Callers often imitate legitimate call centers
Target/victim-specific, critical details
▪ Financial information, social security numbers, etc.
FIVE STAR TIPSaying NO and hanging up is perfectly acceptable. When in doubt, DO NOT
give out personal details and only validate the information directly with the
source (i.e., bank/credit card company, IRS).
TACTIC
Phone scams to
lure a victim into
providing
sensitive,
personal
information
VISHING (VOICE PHISHING)
THIS SEEMS REALLY HARD TO PREVENT –HOW DO I DO IT?
It’s all about letting the good guys in, keeping the bad guys out
and selectively controlling access to your networks, accounts,
and data through layers of security tools
CYBERSECURITY IS LIKE HOME SECURITY
REMEMBER …
If you make it hard enough for them to get your information, they
are more likely to move on to the next target
► You will never be 100% protected but you can
take steps to minimize risk
► Ask yourself:
-- What am I protecting?
-- How much is securing it worth?
What can a hacker do once they’re in?
MINIMIZE YOUR RISK
ONLINE
SAFETY
Avoid public WIFI as much as possible
Never use public WIFI to send or receive personal information
Purchase a portable hot spot from your mobile carrier, especially
when traveling
Don’t click through on ads on websites – MALWARE!
Browse with a VPN
Clean up social media accounts: remove/secure personal identifying information and review privacy settings
Be on the look out for suspicious emails and follow Email Phishing Red Flags protocol discussed earlier
MINIMIZE YOUR RISK
PROTECT
YOUR
DEVICES
Password protection on ALL devices especially when traveling
Two-factor authorization (2FA): serves as a secondary firewall
Stealthy and long passwords (12 or more characters): phrases
mixed with symbols, numbers and upper/lower case letters
Don’t use obvious password or same one for different accounts
Change every so often especially after a data breach
Keep operating and virus software updated on all devices and backup data regularly; set to automatic updates
Don’t email or text passwords; share over phone instead
Don’t answer authentication security questions (what city were you born in) honestly
MINIMIZE YOUR RISK
MONITOR
AND
FREEZE
Check credit reports regularly; stagger requests throughout year
Place freeze on credit file
Freezes better than locks: free (as of September 2018) and
provide better consumer protections
Monitor bank and credit card accounts as well as medical Explanation of Benefits (EOBs) for fraudulent activities
Don’t forget to freeze credit files of minors, also free
Write down PIN and keep somewhere safe; PIN will be needed to unfreeze credit file
MINIMIZE YOUR RISK
Internet Anti-virus/malware software
Keep software up-to-date
and secure your devices
Strong passwords, 2-factor
authentication, password
managers
Browse internet carefully
Stay alert for phishing scams
Back up your data
Keeping the bad guys out one layer at a time
LAYERS, LAYERS, LAYERS
CYBERSECURITY AND YOUR BRAINProblem: You can feel secure even though you are not
“Our feeling of security diverges
from the reality of security, and
we get things wrong.”
| Bruce SchneierBerkman Center for Internet and Society, Harvard University
▪ Assist you in making decisions that are solely in your best interest – we
work for you
▪ Provide you with a clear understanding of your various retirement and
financial planning choices and their risks
▪ Regular reviews with you before retirement to plan and prepare, and
after your retirement to manage changes and mitigate risks
▪ Consistent reviews of and communications about economic, tax and
investment issues
OUR ROLE AS ADVISORS
▪ Trusted Contact Form
▪ “5 Programs for Student Loan Forgiveness” – MOAA website
▪ Economic Update, Q2/2019
▪ Webinar / Predators vs Prey: May 29 @ 4:00 pm
▪ Next Workshop: September 19, 2019
AVAILABLE NOW & COMING SOON
BECOME A RAVING HFS FAN!
YOU BECOME AN HFS CLIENT ADVOCATE WHEN YOU:
▪ Bring a guest to a workshop
▪ Add people’s contact info to receive our reports, articles and newsletters
▪ Refer someone to come see us for a complimentary financial review
Don’t keep us a secret … help us help others! Our growth happens through referrals to people just like you – friends, family members and colleagues – who could benefit from using our comprehensive financial planning services.
Client Advocates will receive a special invite to one of our Thank You events in 2019
EXPERIAN
888-397-3742
www.experian.com/freeze
Credit Reporting Agencies
CONTACT INFORMATION
EQUIFAX
866-349-5191
www.freeze.equifax.com
TRANSUNION
888-909-8872
www.transunion.com/credit-freeze/place-credit-freeze
IDENTITY THEFT RESOURCE CENTER
Helps victims resolve ID theft
888-400-5530
www.idtheftcenter.org
AARP FRAUD WATCH NETWORK
Offers victim assistance
877-908-3360
FEDERAL TRADE COMMISSION’S
IDENTITYTHEFT.GOV
Offers victim assistance and sample letters
to send to credit agencies etc.
www.IdentityTheft.gov
WHERE TO GET HELP
TO STAY UP-TO-DATE ON LATEST SCAMS, SIGN UP
FOR ALERTS AT:
www.fraud.org
www.consumer.ftc.gov/features/scam-alerts
www.aarp.org/money/scams-fraud
TO SEE IF YOUR EMAIL ADDRESS OR ACCOUNTS
HAVE TURNED UP IN A DATA BREACH, GO TO:
HaveIBeenPwned.com
SUSPICIOUS EMAIL? GO TO:
http://transparencyreport.google.com/safe-
browsing/search
Hughes Financial Services, LLC, is an independent Registered Investment Advisor (RIA) that works closely with individuals and
families, helping them to accomplish their unique financial goals through the allocation of their assets. We are a fee-based firm
that seeks to adhere to the highest fiduciary standards and provide clients with advice that is truly unbiased and has only our
clients’ best interests in mind.
We offer our clients an impressive wealth of expertise in retirement and estate planning, investment and risk management,
insurance, and education planning. Our advisors hold a variety of professional designations and certifications and are well
versed in a number of financial disciplines. Our combined education and experience allows us to proudly offer you independent
financial advice that you can trust.
Information in this presentation is based on sources believed to be reliable; however their accuracy or completeness cannot be guaranteed. This information is
not intended to be a substitute for specific individualized tax, legal, or investment planning advice. Please note that (i) any discussion of U.S. tax matters
contained in this communication cannot be used by you for the purpose of avoiding tax penalties; (ii) this communication was written to support the education of
the matters addressed herein; and (iii) you should seek advice based on your particular circumstances from an independent tax advisor.
Investing involves risk including the potential loss of principal. No investment strategy, such as asset allocation and rebalancing, can guarantee a profit or protect
against loss in periods of declining values. Please note that rebalancing investments may cause investors to incur transaction costs and, when rebalancing a
non-retirement account, taxable events will be created that may increase your tax liability.
Sources: Horsesmouth.com; Consumer Sentinel Network; FTC; Comparitech.com; Javelin Security; U.S. Justice Department; Kiplinger’s;
bleepingcomputer.com; AARP; Forbes; identitytheftsecurity.com; 2018 End of Year Data Breach Report; varonis.com; phoenixmag.com; Forrester 2018 Report;
Kaspersky Security Bulletin 2018; National Small Business Association; WCSH6; https://www.wired.com/2010/03/tjx-sentencing/; krebsonsecurity.com; BBC UK;
The Guardian; HackRead; EngadgetSource: Wall Street Journal; Wired; Data from Trend Micro Report: “Russian Underground 2.0”; ** Symantec Report:
“Ransomware: A Growing Menace”; Trend Micro; Google Study; Retirement Advisor.
2201 Cooperative Way ▪ Suite 150 ▪ Herndon, VA 20171
(703) 669-3660 ▪ FAX (703) 880-4905 ▪ www.h4fs.com