Are You Vulnerable to Financial Cybercrime?

Financial cybercrime is a global crisis, costing hundreds of billions of dollars a year. In the U.S. alone, 13 million consumers fell victim to identity fraud in 2019. While that total has fallen recently, the price tag ($16.9 billion in losses last year) has been rising.¹ Experts say the COVID-19 pandemic has opened the door even wider for cybercriminals.² And their tactics grow more sophisticated every day.

It's no wonder, given the number of "fraud delivery systems" the average American uses: mobile phones, tablets, laptops, banking and payment apps, electronic health records, social media platforms, and even smart speakers and home devices.

If you think financial cybercrime isn't something that happens to people like you, think again. You've probably never even considered all the novel ways you're vulnerable to financial fraud. Here are just a few:

Smishing

First there was phishing, with criminals sending emails that appear to be from reputable businesses — often ones you already have a relationship with — to get you to reveal sensitive personal information. (Bad guys also set up phishing websites — often, these days, with a coronavirus theme — that can send dangerous malware into your computer.³)

But another threat is smishing, an evolved cousin of phishing. Instead of emails, the fraudsters send SMS text messages to your phone, typically in the form of an urgent alert from your bank or credit card company. One of the most common (and ironic) smishing attacks informs you that your credit card is locked due to suspected fraudulent activity — and asks you to reset your PIN or passcode. Once you click the link to do so, the criminal steals your account information.

What you can do:

Delete and block any text messages that come from numbers that aren't in your address book. Use your financial institution's app to manage your account and configure it to accept notifications. Although it's not 100% foolproof, notifications through your bank's mobile app are significantly more secure and reliable than SMS texts.

Skimming

How often do you pay for gas at the pump or withdraw cash from an ATM? Every time you do, you're potentially in the crosshairs of a skimming attack.

Skimming involves attaching a device to the card reader at the pump that captures your credit card data. ATM skimming devices usually include a pinhole camera or touchscreen overlay that captures your PIN, as well.

The FBI estimates Opens in new window that skimming costs consumers over $1 billion a year.

What you can do:

Aside from checking your bank and credit card accounts on a regular basis, it's very difficult to prevent criminals from skimming your information. Although it's not as convenient, pre-paying inside the gas station significantly decreases your risk. Avoid ATMs that aren't in well-trafficked, well-lit areas. Criminals avoid detection by placing skimming devices on ATMs in out-of-the-way places.

Child identity theft

People like to think of identity theft as an adult problem, but thieves tend to target children more. A 2018 study found that 39% of notified identity fraud victims were minors, vs.19% of adults. Worse, six in 10 child victims knew their identity thief personally (think family friend or preschool teacher). And kids who were bullied online were nine times likelier to become victims than those who weren’t.³

What you can do:

Don't hand out your child's Social Security number without good reason; not every entity that asks for it actually needs the information or has a right to it — even the pediatrician's office and summer camp registrar.

You may also be able to “freeze" or “lock” your child's credit reports (not to mention your own) so that no one can inquire or open accounts in his or her name until after you lift the freeze/unlock the reports. Check with your state attorney general's office or any of the major credit bureaus (Equifax, Experian and TransUnion) to learn more.

WiFi "evil twins"

Evil twin attacks are particularly pernicious because they're impossible to recognize. Here's how they work:

A cybercriminal goes to a place with free public WiFi (coffee shops are common sites for evil twin attacks) and sets up a WiFi access point with the same network name and service set identifier (SSID) as the free business network.

Next, he waits for you to drop in for your morning latte, connect to WiFi, shop, pay your bills, or do anything else that allows him to collect your personal data. He can even redirect your browser to a malware site without your knowledge.

What you can do:

Unfortunately, not even wireless encryption can protect you against this type of attack. A virtual private network (VPN) is the only sure-fire way to protect yourself against evil twin and other types of public WiFi attacks.

Social spear-phishing

Social spear-phishing takes email phishing up a notch or two, faking out even the savviest of Internet users. Hackers no longer ask you to send your information over a social platform. Instead, they create bots or ghost accounts that post content similar to the type you typically engage with on social media, and then steal your information when you “like" or “share" a post.

The hackers even comb your friends list and newsfeed to identify accounts you trust and then post the content using those names. Security experts suggest that social spear-phishing has a 66% success rate⁴; after all, who wouldn't “like" a Facebook post or a Twitter retweet from her mom or best friend?⁵

What you can do:

Aside from leaving social media entirely, there's very little you can do to prevent an attack if you're targeted by a determined cybercriminal. At a minimum, avoid clicking on links in posts from people or businesses you don't recognize.

Smart speaker eavesdropping

You may have heard about a little girl who inadvertently ordered an expensive dollhouse and mountains of cookies using her family's Amazon Echo device — and the local TV host who triggered dozens of similar orders by repeating her words on air.

Neither part of that story has been proven.⁵ But activating smart speaker devices remotely does have real security implications: Clever hackers can use audio files to unlock doors of a connected home, make fraudulent purchases or even transfer money.

What you can do:

For maximum privacy and security, experts suggest disconnecting the device when you're not using it. It might seem inconvenient to wait 10 or 20 seconds for the device to power up each time you need it, but the extra security may be worth it.

Sheila Olson is a Charlotte-based financial writer specializing in investing, personal finance, technology, and retirement and estate planning. She is a regular contributor at Investopedia and writes frequently for the banking and consumer credit industry.

Footnotes

1. ¹Javelin Strategy and Research, “2020 Identity Fraud Study”
2. ²Cybersecurity Ventures, “Cybercrime damage costs may double due to Coronavirus (COVID-19) outbreak,” March 19, 2020
3. ³The SSL Store, “Coronavirus Scams: Phishing Websites & Emails Target Unsuspecting Users,” March 12, 2020
4. ⁴Javelin Strategy and Research, “2018 Child Identity Fraud Study”
5. ⁵John Seymour and Philip Tully, “Weaponizing data science for social engineering: Automated E2E spear phishing on Twitter,” 2016
6. ⁶Snopes.com, “Did Amazon’s Alexa Order Unwanted Dollhouses for a Little Girl and TV Viewers?,” Feb. 7, 2017

For Compliance Use Only:1038297-00001-00