August 13, 2018, 5:56 AM

Don’t End up a Boated Tuna

By Kevin P. Sweeney, JD, CFP®

While the waters in and off of Citrus County are widely known as prime fishing grounds, we should be alert to a malicious kind of “phishing” also going on around us.  “Phishing” is a form of electronic fraud where a fraudster masquerades as a reputable company or person to induce the recipient of an e-mail message to unknowingly disclose personal, non-public information such as investment account or credit card numbers, social security numbers and passwords.  The attacker can use a phishing e-mail to distribute a link directing the user to a malicious web site that asks for personal information, or to deliver an attachment which, when opened, infects the recipient’s computer with malware.  In some cases even clicking on the link could take you to a web site where malware could infect your computer.  Cybercriminals have determined that if they ask a large number of people to provide personal information, a small number will do so.

The most common and effective phishing e-mails are those that look like they’re actually from reputable, well-known companies.  That’s the bait.  Phishing e-mails are often disguised as messages supposedly sent by companies like Bank of America, FedEx, PayPal or a government entity like the IRS.  The authentic-looking nature of the message is designed to lure a user into getting hooked.  

While phishing messages look genuine and have become sophisticated, they require the recipient’s participation to succeed.  Thus, they can be defeated by an alert, educated recipient.  The trained and appropriately skeptical user is the first and best line of defense against phishing.

As Modera’s Chief Compliance Officer and a member of its Information Security Committee, an important part of my job is to help oversee the firm’s defenses against phishing and other forms of cyberattacks.  Modera works to safeguard its network from cyberattacks by putting in place a number of technology-based defenses like firewalls and anti-malware software.  But cybercriminals have concluded that using social engineering to trick a user into falling prey to a phishing e-mail is easier and more likely to succeed than trying to penetrate a company’s technology defenses.  We, like many companies, recognize that our staff is both our greatest area of potential exposure and the most important defense against these attacks. 

Modera trains its staff, beginning with information security training for new employees, to be on the look-out for and defend against phishing attacks.  That training continues throughout an employee’s tenure with the firm.  We have contracted with an outside company to provide a series of on-line training videos for our staff on cybersecurity defense awareness.  We also occasionally conduct phishing testing with staff designed to uncover areas of weakness where additional training may be helpful.  The goal is to educate our staff to keep our clients’, our employees’, and the firm’s personal information safe.

We have extended cybersecurity education to our clients.  We have an eight-page brochure to provide tips to help protect our clients from various forms of cybercrime.  Earlier this year we hosted a webinar for clients presented by our outside IT firm that addressed cybersecurity issues such as creating strong passwords, keeping computer software up-to-date and not using public Wi-Fi. 

Here are some tips to help you stay safe when using e-mail:

  • When you receive an e-mail message, hover over the sender’s address to see the address in the e-mail’s header, but don’t click on it.  Check whether it matches the displayed e-mail address.
  • Look to see whether you are the designated recipient or whether you’ve only been “cc’d” or “bcc’d.”  Not being the designated recipient can indicate fraud.
  • Look for poor spelling or grammar in the message.  Phishing has gotten more and more sophisticated, but spelling or grammar errors can indicate a fraudulent message.
  • Never click a link or open an attachment in an e-mail message you weren’t expecting or where you don’t know the sender.  Go directly to the company’s web site or call the company to confirm whether the message is legitimate.
  • If there is an @ symbol in the URL address, it likely is fraudulent. 
  • Turn off the “preview pane” because this can allow some viruses to execute even if you never actually open the message.
  • Be suspicious of “account suspension” or similar notices.  These are especially successful because they create a sense of fear or urgency in the recipient.  And they’ve become quite real looking.  If you have an account with the company named in the e-mail, go to its web site without using the link embedded in the message or call that company.
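Three of the tips above (the displayed sender versus the header address, whether you are the designated recipient, and an @ symbol in a link) can also be checked automatically when screening mail.  The Python code below is an added example, not part of the original article; the sample message, every address in it and the function name `check_message` are constructed for illustration, and it assumes a message with a single HTML body.

```python
import re
from email import message_from_string
from email.utils import getaddresses, parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample message (not a real e-mail); all names are placeholders.
SAMPLE = """\
From: "service@examplebank.example" <billing@examplebank-secure.example>
To: customers@examplebank.example
Cc: kevin@example.org
Content-Type: text/html

<p><a href="http://www.examplebank.example@203.0.113.7/login">Verify now</a></p>
"""


class LinkCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.hrefs = []  # href of every <a> tag seen so far

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs += [v for k, v in attrs if k == "href" and v]


def check_message(raw, my_address):
    """Return warnings for one raw message with a single-part HTML body."""
    msg = message_from_string(raw)
    warnings = []
    # Tip: does the address shown to the reader match the one in the header?
    shown, actual = parseaddr(msg.get("From", ""))
    claimed = re.search(r"[\w.+-]+@[\w.-]+", shown)
    if claimed and claimed.group(0).lower() != actual.lower():
        warnings.append(f"From shows {claimed.group(0)} but header says {actual}")
    # Tip: are we the designated (To) recipient, or only cc'd or bcc'd?
    to_addrs = {a.lower() for _, a in getaddresses(msg.get_all("To", []))}
    if my_address.lower() not in to_addrs:
        warnings.append("not the designated recipient (absent from To)")
    # Tip: text before an @ in a link is not the host; the real host follows it.
    links = LinkCollector()
    links.feed(msg.get_payload())
    for parts in map(urlsplit, links.hrefs):
        if "@" in parts.netloc:
            warnings.append(f"link contains @; real host is {parts.hostname}")
    return warnings

if __name__ == "__main__":
    print(*check_message(SAMPLE, "kevin@example.org"), sep="\n")
```

A warning from any one check is a reason to verify the message through the company’s own web site or by phone, as the tips describe, not proof of fraud by itself.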

Be particularly careful of “spear phishing,” a more directed attack where the cybercriminal first gains information about the recipient.  That allows the attacker to personalize the message to create a greater sense of trust.  Because targets are more focused and messages more personalized, these can be more difficult to detect.  Don’t get lulled into a false sense of security.  Again, the best practice to confirm the message's legitimacy is to call or send a separate e-mail message rather than replying to the one received.

In reviewing and responding to e-mail messages, you should have a healthy dose of skepticism.  While it can take longer to call or go directly to the company’s web site, it only takes one bad click to end up hooked and to have given the attacker access to your information.

Modera Wealth Management, LLC is an SEC registered investment adviser.  SEC registration does not imply any level of skill or training.  Modera may only transact business in those states in which it is notice filed or qualifies for an exemption or exclusion from notice filing requirements. 

For information pertaining to Modera’s registration status, its fees and services and/or a copy of our Form ADV disclosure statement, please contact Modera or refer to the Investment Adviser Public Disclosure web site (www.adviserinfo.sec.gov).  A full description of the firm’s business operations and service offerings is contained in our Disclosure Brochure which appears as Part 2A of Form ADV.  Please read the Disclosure Brochure carefully before you invest or send money.

 
