Sharing Information with Third-Party Users
Addressing the human element of cybersecurity.
When it comes to protecting your assets and financial information, you must consider the potential exposure created by two-way communication. The security protocol used and followed by your asset managers, assistants, attorneys and others you’ve authorized to help manage your assets is just as important as the security of the technical systems they use.
The term social engineering refers to the use of human manipulation to convince someone to give up confidential information. For example, a cybercriminal could impersonate you via email or telephone and request that your assistant perform a money transfer. If the cybercriminal is successful, that trusted personal assistant may be tricked into depositing funds into the thief’s account.
The more information available to a cybercriminal as a result of corporate data breaches or other information leaks, the more sophisticated social engineering scams can become. The data exposed by the 2017 Equifax breach, which affected over 142 million Americans, is just one example of information that could easily help a cybercriminal conduct such a scam. Following are a few tips to help you prevent information shared with third parties from falling into the wrong hands.
Make sure you have established protocols for dealing with money transfers and other sensitive communications:
- Require oral confirmation and the use of a code word or phrase before processing money transfers.
- Implement additional protections with your phone provider, like a verbal code word or multifactor authentication, to prevent someone from forwarding or stealing your phone number in order to intercept the call-back from your bank.
- Set up a different, hard-to-identify email address used solely for your financial accounts.
- Encrypt USB devices, hard drives and other methods of transporting or transmitting personally identifiable information.
- Ask your financial institution about their policy regarding stolen funds. All institutions have their own policies in place for this; if you are not satisfied with their response, consider another institution.
- Request additional layers of security (such as multifactor authentication) be satisfied before any transactions can take place.
Real Estate and Other High-Value Transactions
Buying or selling real estate, whether it is your primary residence or an investment property, presents a unique set of fraud and cybersecurity risks. These are high-value transactions, and in most cases, a substantial amount of information about the transaction is publicly available. Cybercriminals can monitor online listing sites to learn when a transaction is likely to occur and identify the listing agent. That can lead them to the identity of other key parties who will be involved in the transaction, such as legal and escrow teams. They can then impersonate these individuals (usually through phishing campaigns) in an attempt to trick you into sending them money.
In addition, when you buy a home, you will likely engage with the seller’s legal and/or escrow firms. However, you may not be familiar with these firms or the individuals who work for them. Common cybersecurity precautions, such as conducting a “call back” to confirm the details of a wire transfer, could be difficult to verify since all relationships are new.
- If you receive an email regarding the transaction, especially if that email instructs you to transfer funds, be on the lookout for red flags that the sender is not who they say they are. Check their email address, not just their display name, to be sure that every character is correct. (For example, is the email from email@example.com or firstname.lastname@example.org?) Also check the signature line, images and language in the email for anything that seems out of place.
- Before any funds change hands, always pick up the phone to double-check the information associated with the transaction. Be relentless in asking for verification of all account details.
- Always call to get verbal confirmation regarding any changes to the deal. When you receive a request for payment, do not call the number provided within the request itself; instead, call the main office of the company you know you are dealing with. Speak with two separate people associated with the deal with whom you have spoken before.