As much of the world transitions to working remotely, it is important to make sure that you are doing so safely and securely. This is especially true for professions that regularly deal with sensitive information. Financial services professionals are tasked with sending and receiving personally identifying information about investor clients, which now must be done outside of the security framework built into a physical office.
Rise of Cybersecurity Threats
Due to the rise in media coverage about the coronavirus and people working from home, there has been an increase in cybersecurity threats to companies worldwide. The cumulative volume of coronavirus-related email lures and other threats is the largest collection of attack types exploiting a single theme for years, possibly ever.
Since mid-February, there has been a significant increase in the number of phishing campaigns tied to the coronavirus. 90% of cybersecurity incidents begin with phishing, because phishing materials look authentic, whether they imitate trusted brands or exploit events such as the coronavirus.
The increasingly popular phishing attacks exploit public fears about the virus by sending emails that claim to be from legitimate organizations, such as the CDC, with information about the coronavirus. The emails may include an attachment or embedded link that downloads malicious software onto your device once it is clicked. These attacks may be designed to get at specific data or to compromise your address book, leading to even more phishing emails sent from your address.
Tips for Recognizing and Avoiding Phishing Emails
Phishing email messages usually try to lure you into clicking on a link or providing personal information that can be used to commit fraud or identity theft. Here are some tips to avoid getting tricked.
- Beware of online requests for personal information - A coronavirus-themed email that seeks personal information like your Social Security number or login information is a phishing scam. Legitimate government agencies won’t ask for that information. Never respond to the email with your personal data.
- Check the email address or link - You can inspect a link by hovering your mouse pointer over the URL to see where it leads. Sometimes, it’s obvious the web address is not legitimate. But keep in mind phishers can create links that closely resemble legitimate addresses. Delete the email.
- Watch for spelling and grammatical mistakes - If an email includes spelling, punctuation, and grammar errors, it’s likely a sign you’ve received a phishing email. Delete it. But as phishers get more and more sophisticated, this is becoming less common. The “mistakes” may be more subtle, like a misspelling in an email address designed to look correct at first glance. For example, reversing two letters or using a combination of letters that look like another letter, like “rn” instead of “m”.
- Look for generic greetings - Phishing emails are unlikely to use your name. Greetings like “Dear sir or madam” signal an email is not legitimate.
- Avoid emails that insist you act now - Phishing emails often try to create a sense of urgency or demand immediate action. The goal is to get you to click on a link and provide personal information—right now. Instead, delete the message.
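The address checks in the tips above (reversed letters, and letter pairs such as “rn” standing in for “m”) can be automated in a mail filter or triage script. The following is an added example, not part of the original article; the trusted-domain list, the sample addresses and the extra look-alike pairs beyond “rn”/“m” are assumptions constructed for illustration.

```python
# Added example; TRUSTED and every address below are constructed placeholders.
TRUSTED = ("cdc.gov", "example-firm.com")

# Character sequences that read as another letter at a glance (not exhaustive).
CONFUSABLES = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"))


def skeleton(domain: str) -> str:
    """Collapse look-alike sequences so visually similar domains compare equal."""
    d = domain.lower()
    for fake, real in CONFUSABLES:
        d = d.replace(fake, real)
    return d


def is_transposition(a: str, b: str) -> bool:
    """True if a and b differ only by two adjacent characters being swapped."""
    if len(a) != len(b):
        return False
    diff = [i for i in range(len(a)) if a[i] != b[i]]
    return (len(diff) == 2 and diff[1] == diff[0] + 1
            and a[diff[0]] == b[diff[1]] and a[diff[1]] == b[diff[0]])


def sender_domain(address: str) -> str:
    """Extract the domain from 'user@domain' or 'Name <user@domain>'."""
    return address.rsplit("@", 1)[-1].strip().rstrip(">").lower()


def check_sender(address: str) -> str:
    """Classify a sender as trusted, a look-alike of a trusted domain, or unknown."""
    domain = sender_domain(address)
    if domain in TRUSTED:
        return "trusted"
    for good in TRUSTED:
        if skeleton(domain) == skeleton(good):
            return f"lookalike of {good} (confusable letters)"
        if is_transposition(domain, good):
            return f"lookalike of {good} (swapped letters)"
    return "unknown"


if __name__ == "__main__":
    for sender in ("CDC Alerts <alerts@cdc.gov>", "hr@example-firrn.com",
                   "hr@exmaple-firm.com", "news@dcc.gov", "info@weather.example"):
        print(f"{sender:32} -> {check_sender(sender)}")
```

A result of "unknown" only means the domain does not resemble one on the trusted list; it says nothing about whether the sender is legitimate.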
Examples of Coronavirus Phishing Emails
Coronavirus-themed phishing emails can take different forms, such as these:
Cybercriminals have sent phishing emails designed to look like they’re from the U.S. Centers for Disease Control. The email might falsely claim to link to a list of coronavirus cases in your area. “You are immediately advised to go through the cases above for safety hazard,” the text of one phishing email reads.
What do the emails look like? Here’s an example of a fake CDC email.
Health advice emails
Phishers have sent emails that offer purported medical advice to help protect you against the coronavirus. The emails might claim to be from medical experts near Wuhan, China, where the coronavirus outbreak began. “This little measure can save you,” one phishing email says. “Use the link below to download Safety Measures.”
Here’s what a fake health-advice email looks like.
Workplace policy emails
Cybercriminals have targeted employees’ workplace email accounts. One phishing email begins, “All, Due to the coronavirus outbreak, [company name] is actively taking safety precautions by instituting a Communicable Disease Management Policy.” If you click on the fake company policy, you’ll download malicious software.
Safety and Security Measures
Here are a few steps you can take in order to continue to work safely when out of the office.
Set up Multi-factor Authentication
Trusting a password alone to guard against unauthorized access to protected networks and data just doesn’t cut it anymore. In its 2019 Data Breach Investigations Report examining over 100,000 incidents, Verizon identified the use of stolen credentials as the leading method of successful cyber attack in the financial industry. Multi-factor authentication is a security control that requires a user to verify his or her identity by providing multiple pieces of information before allowing access to an account. While passwords may be compromised with relative ease, it’s unlikely that a bad actor could get a user’s password and physically obtain that same user’s mobile device. The likelihood of the attacker acquiring the user’s fingerprints is even more remote. Incorporating several different layers of information to verify a user’s identity makes multi-factor authentication an effective and essential step in preventing cybersecurity attacks.
Use a VPN
Using a virtual private network (VPN) can provide a secure connection to your firm’s services while working remotely. A VPN creates an encrypted tunnel between you and a remote server operated by a trusted VPN service; internet traffic is routed through it, which masks your IP address, identity and location. This secures data belonging to you, your firm, and your investors. This is especially important if you are connecting to a public Wi-Fi network, or a network owned by anyone other than yourself, as you don’t know who may be monitoring the network and harvesting data.
Double Encrypt PII and Other Sensitive Data
Even when using a VPN, sensitive data can still be accessed if your email account is compromised. Email alone is not secure enough to send personally identifiable information. Having an encrypted system with which to transmit investor data, financial information, and more will keep that data secure. This could be an electronic signature solution or a fully built-out transaction processing system, like WealthForge’s own Altigo platform.
Disclaimer: WealthForge provides this information for educational purposes only. It should not be construed or relied upon as legal or tax advice.