Some recent high profile hacks have made it a good time to double-check your cyber hygiene. Financial accounts are doubly important to manage as the risks of being hacked include identity theft, loss of your investments, and missing time in the market while recovering compromised funds.
I spent a couple years of my career auditing companies to cybersecurity standards such as ISO 27001, PCI compliance, and reviewing cryptographic erasure and recovery controls (such as those used to unlock and recover “wiped” iPhones for FBI cases).
Part of one audit required me to carry over two dozen smartphones through airport security in my luggage. While not illegal, I was definitely stopped and questioned by TSA as they swabbed my bags for explosive residue:
Aside from remembering to limit the number of smartphones in my carry-on when I go on vacation, my main takeaways from that position are:
- cyber risk is never zero
- bad actors will never stop
- most hacks are automated and won’t single you out on purpose
- there will always be more that you don’t know than you do know
With that in mind, I’d like to share some easy tips to lower your chances of having your financial accounts breached (or all of your online accounts for that matter). Here are 9 cybersecurity tips for managing your financial accounts online:
1. Use a strong password that you don’t use for other sites (duh)
This has got to be the oldest tip in the book. BUT PEOPLE STILL DON’T DO IT!
Preferably use a password manager such as LastPass. This helps ensure you don’t share passwords between accounts.
The Firefox browser has a high reputation for security and will “generate” complex passwords and remember them for you.
The longer the password, the better. In fact, most hackers will run automated scripts that try all of the most commonly used passwords automatically such as passw0rd, 12345, and qwerty.
Thankfully, many companies today have requirements in place that force you to use a more complicated password containing numbers, letters, and symbols.
2. Two-factor authentication (2FA)
Once you’ve got a secure password, double the security of your login process by adding two-factor authentication (also known as multi-factor authentication or 2FA). This is the system that texts or emails you a code to use to login to a website or app.
The idea is that even if a hacker gets your password, it is unlikely they could also get a second factor, such as the one-time code texted to your phone. It’s not impossible to get around this though.
Most sites will not require it turned on by default, so check your “Profile” or “Security settings” on your accounts to turn this on.
A note about (text or phone) two-factor authentication: this can be hacked, too! There are programs and vulnerabilities that allow a hacker to phish your second factor code from SMS (text message). Another vulnerability is sim-swapping where a hacker literally takes your phone number and runs it on another phone.
It’s still better than nothing!
3. Lock down your email
Because your email can often be used to reset your password and can also be used as your “second factor” for login, you’ll want to ensure you’ve locked it down well. A strong password, two-factor authentication, and reading your emails carefully will help guard against losing access to your email account and your main way to manage password resets.
When in doubt, delete the email and go straight to the site.
4. Never click on email links
It’s a good habit to not click on links in your email. Even if your financial institution is emailing you to tell you about a new offer, an account statement, or an alert on your account, simply go to your bookmark of the website instead of clicking on the link in the email.
Phishing and spear-phishing emails rely on people not paying attention. There may be small errors in the name of the emailer, the company logos, etc. that you might not notice. This is why it’s safest to just delete the email, and head to the website directly yourself.
5. Never give your password to anyone that claims to work in “customer service”
Customer service will never call you and ask for your password. Hackers may try to do this to get around the two-factor authentication you’ve added to your phone. Don’t fall for it!
6. Use a VPN (Virtual Private Network) such as ExpressVPN or Nord VPN
VPNs (Virtual Private Networks) “mask” your internet activity from would-be snoopers. It’s like a secure “tunnel” between your device and the destination address you are going to (such as Robinhood’s or Ameritrade’s servers).
Without a VPN, third parties can literally see your internet traffic. Especially if you ever need to login to your accounts on hotel or coffee shop WiFi, a VPN will mask your IP address and activity.
When you’re connected to a VPN, criminals can’t see which computer is yours.
7. Sign up for haveibeenpwned.com
The website haveibeenpwned.com let’s you know if your email address is associated with any known information security breaches. The term “pwned” refers to slang that hackers use to indicate an account has been hacked. This can let you know where you may need to change your passwords or watch out for incoming security risks.
As a bonus for reading this far, here’s two friendly reminders not specifically related to cyber security, but still relevant to your financial accounts:
Limit the number of accounts you have in general
A greater number of accounts to manage and money to transfer around means a bigger range of attack vectors. Limit your accounts.
If you’re constantly moving money around in a search for higher yield, it’s likely not worth it.
This one is a bit morbid but it’s a fact of life.
My second bonus tip is to ensure you have a beneficiary (and contingent beneficiary) set up for all of your financial accounts. In the unfortunate event of your passing, you DO NOT want your dollars getting lost in the wind when your family could do so much with your hard earned money to improve their lives.
Once you’ve added your beneficiaries, tell them and give them the account numbers. They will need to present a certificate of death to the institution with the information.
As a parting thought, remember to trust no one.
There’s a sucker born every minute. Don’t be one of ’em, capeesh?
View my latest Instagram post here and sign up for my newsletter here:
Consider this a compass, not a map. (6 min read)
If some or all of these hit a nerve, it might be time to make some adjustments. (4 min read)
The past few years have been pretty wild. But don’t take my word for it. Don’t even take your memory for it. Here’s the data. (4 min read)