How to Respond to a Financial Cybersecurity Breach
This week, Capital One announced a data security breach that exposed personal identifying information of approximately 100 million people in the U.S. We wanted to share our blog post on cybersecurity best practices to help you figure out next steps, whether you were personally affected by this breach, or not. It is always a good idea to brush up on cybersecurity habits.
Unfortunately, the frequency of security breaches and cybercrime seems to be increasing. According to the UN, digital theft impacts up to 17% of the global population (mostly due to security breaches at large companies), and McAfee estimates the cost of cybercrime at $500 billion per year. The exact numbers are difficult to pin down because cybercrime evolves and changes constantly, which means it is critically important to make sure your cybersecurity habits stay up to date.
Our philosophy is to control what is within our control and take steps to prepare for what is out of our control. The good news is there are a number of protective steps to improve the security of your financial information. The best offense is a good defense when it comes to the safety of your financial and non-financial accounts.
What to Do if Your Information Has Been Compromised
Check your account immediately.
The sooner you act, the better. Check for fraudulent transactions, and if you find any, make sure to cancel them and order a new card.
Change your password.
You do not want to continue using information that has already been compromised. Make sure to change your password for the account that was breached.
What to Do to Protect Your Financial Information in the Future
The best offense is a strong defense when it comes to cybersecurity. The best you can do is be vigilant and try to block future attacks on your credit score and identity. In the 21st century, monitoring your credit activity and guarding your private information is akin to previous generations guarding valuables in a safe deposit box at the bank.
Change Your Password, and Use Secure Passwords
Never reuse passwords, and be sure to use long, complex passwords that are tough to guess. The latest recommendation is to use “passphrases” like “MYTeam@HalpernFinancial1sTrulyAmazing” (for example) because these types of phrases are easier to remember and the length makes them tougher to crack.
Of course, if you have a lot of passwords (as most people do), it is almost impossible to remember them. Do not be tempted to reuse passwords. Instead, use one of the following solutions:
- Use password manager software. A password manager means you only need to remember one password to unlock all of your passwords. There are a number of these programs, and each has different features, such as generating secure passwords, syncing across devices, and alerting users immediately to any password breaches.
- Never store passwords in a plain text document like a Word document or Excel spreadsheet. If you prefer not to use a password manager, you can use a locked note on an iPhone or iPad to store passwords.
- A plain old paper list is also a secure way to store passwords because it cannot be digitally hacked (as long as you do not leave the list lying around the house for anyone to see). However, keeping track of passwords this way is labor-intensive and can make it tempting to fall back on passwords that are too simple to be truly secure.
- Do not use the password saving feature in your Internet browser. Anyone who gains access to your computer or your phone will have access to everything!
- Use two-factor authentication wherever possible (especially for email and financial accounts). This is an extra layer of protection used to ensure the security of online accounts beyond just a username and password. Whenever you log into an account from a new device, two-factor authentication will confirm your identity by sending a code to your phone or other device.
- And of course, never use any password on the annual “100 Worst Passwords” list! (“123456” was the #1 worst password of 2018.)
Enable privacy features if you have not already.
Most banks offer security measures like two-factor authentication, but you may have to opt in. You may be able to set up email or text alerts based on certain triggers, like spending over a certain threshold.
Check your credit report annually
Every year, you are entitled to a free credit report from each bureau. In the past, the best practice was to check your annual report from just the big 3 credit bureaus: Experian, Transunion and Equifax. However, these are not the only credit bureaus—they’re just the biggest. Now, more and more experts are recommending that consumers keep tabs on the Innovis credit report as well. Companies you interact with may use the Innovis report for identity verification or fraud prevention. When you receive your credit reports, make sure all your personal and account information is correct.
Check your credit report for the 3 major bureaus annually here:
- AnnualCreditReport.com: The government-mandated source for credit reports from Transunion, Equifax and Experian
- Innovis Free Credit Report
Consider credit monitoring, but also take other security measures
Credit monitoring services will alert you to changes in your credit history so you do not need to pore through your credit reports with the major bureaus each year. If a security breach occurs at a major company, they may offer credit monitoring services to their customers for free.
Note that credit monitoring will not protect you from criminals opening fraudulent accounts. It will alert you to any activity on your credit report. The credit monitoring company will also help you to scrub fraudulent information from your credit reports. Freezing your credit is the only way to prevent access to your credit report, but of course freezing your credit means you need to take the extra step to "un-freeze" your report when you need it for a legitimate reason.
Freeze your credit report (and your children’s credit reports!)
Freezing your credit report means that no one can access it fraudulently—but when you do have a legitimate need to use your own credit history, you will have to unfreeze it (for example, when you get a new credit card or loan of any kind). You will have to find out which credit bureau your lender uses, and unfreeze your report with that bureau so they can access it to verify your creditworthiness.
Make sure not to lose your PIN—you will need it when you want to unfreeze your credit.
Freeze your credit at:
Unfortunately, criminals may target minors’ credit information because typically they are a fresh slate with no negative credit events. We highly recommend freezing your children’s credit reports as well. (Make sure not to lose the PIN!)
Here’s how to contact each credit bureau about children’s credit files:
Keep a list of services you have on autopay.
If your card is compromised, this makes it much easier to change your payment information. Waiting until cards expire can be a big pain if you have automatic payments withdrawn from the account on a regular basis. (Keep your login information separate from this list.)
Monitor financial accounts
Now technology makes it incredibly simple to check bank and credit card statements from any location. Make a habit of checking to make sure your account transactions are accurate on a regular basis. You may even decide to set up alerts with your credit card for purchases over a certain threshold. At a minimum, make sure your monthly statement does not have any fraudulent transactions at the end of each billing cycle. If you do find a fraudulent charge, let your credit card provider or bank know immediately, and order a new card.
Use a site like HaveIBeenPwned or password manager software to determine if any of your accounts have been compromised. Use two-factor authentication where possible for an extra layer of security.
Do not give out your personal information from an unsolicited request.
You probably know about phishing, a common digital crime where fraudsters attempt to trick you into providing sensitive information via a link in your email. But did you know about vishing (voice phishing over the phone) and SMShing (phishing over text)? Whatever the medium, never give out your login information or financial information to someone who contacts you unsolicited.
Before you click a link in an email, be sure to hover over the link with your mouse to ensure it goes to the URL it claims.
You can even “hover” over links on mobile devices by holding down on the link (as opposed to tapping) but you need to be very cautious not to accidentally click! When in doubt, don’t click.
If you are not sure whether an email is legitimate or not, go directly to the company’s website (do not click anything in the questionable email) and contact customer service to confirm its legitimacy.
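The hover check described above can also be done automatically on a saved email. The following Python sketch is an added example, not part of the original post: it flags links whose visible text names one site while the underlying address goes to another. The sample email, its domains and the names `check_links`, `site` and `LinkCollector` are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse
import re

# Constructed sample email body; the domains and the IP are reserved test values.
SAMPLE_EMAIL = """
<a href="https://secure-login.example.net/verify">https://www.examplebank.test/login</a>
<a href="https://www.examplebank.test/help">www.examplebank.test/help</a>
<a href="http://192.0.2.10/account">Review your statement</a>
<a href="mailto:support@examplebank.test">Email us</a>
"""

# Visible link text that itself looks like a web address.
URL_LIKE = re.compile(r"^(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})(?:[/:?#].*)?$", re.I)

def site(host):
    # Assumption: compare only the last two labels; suffixes such as
    # co.uk would need a public-suffix list to be handled correctly.
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

class LinkCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def check_links(html):
    """Return (visible_text, real_host, reason) for links worth a second look."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        url = urlparse(href)
        host = url.hostname or ""
        if url.scheme not in ("http", "https") or not host:
            continue  # mailto:, tel: and in-page anchors are not web links
        shown = URL_LIKE.match(text)
        if shown and site(shown.group(1)) != site(host):
            findings.append((text, host, "text names a different site"))
        elif "@" in url.netloc:
            findings.append((text, host, "real host hidden after '@'"))
        elif re.fullmatch(r"[\d.]+", host):
            findings.append((text, host, "numeric IP instead of a name"))
    return findings
```

Calling `check_links(SAMPLE_EMAIL)` reports the first and third links. A clean result does not prove an email is legitimate, so going directly to the company's website remains the safer path.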
The unfortunate reality is that once your personal information is out there, it’s out there. The best you can do is be vigilant and try to block future attacks on your credit score and identity. In the 21st century, monitoring your credit activity and guarding your private information is akin to previous generations guarding valuables in a safe deposit box at the bank.