Ep. 247 – Cybersecurity Safety in Retirement


In this Episode of the Secure Your Retirement Podcast, Radon and Murs have Joseph O’Donnell, a cybersecurity safety expert, talk about cybersecurity safety in retirement. Joe explains the nature of phishing emails and texts, how they’re used to trap you into giving out personal information, and the two powerful ways to avoid falling victim to phishing emails.

Listen in to learn the importance of staying informed and taking precautions when using the internet instead of avoiding it. You will also learn the importance of having strong passwords, changing passwords when you suspect maliciousness, setting up two-factor authentication, and more.

In this episode, find out:

  • How phishing emails are used to trap you into giving out access to personal and/or financial information.
  • Why you should step back from a suspicious email and verify the source to avoid falling victim to a phishing email.
  • How to be informed and take precautions when using the internet instead of avoiding it altogether.
  • The importance of having a strong password and changing your password when exposed to cyberattacks.
  • How two-factor authentication works and the importance of setting it up to avoid cyberattacks.
  • The importance of having a password manager from a reputable provider that encrypts information.

Tweetable Quotes:

  • “The way email is today, you just cannot trust an email, so if you get a suspicious email, the number one thing to do is step back away from the email and don’t trust it.” – Joseph O’Donnell
  • “A password manager is a fantastic way to help you have complex and unique passwords for the accounts that you log into.” – Joseph O’Donnell

Resources:

If you are in or nearing retirement and you want to gain clarity on what questions you should be asking, learn what the biggest retirement myths are, and identify what you can do to achieve peace of mind for your retirement, get started today by requesting our complimentary video course, Four Steps to Secure Your Retirement!

To access the course, simply visit POMWealth.net/podcast.

Here’s the full transcript:

Radon Stancil:

Welcome, everyone, to Secure Your Retirement Podcast. Today, it is all about security. We have a special guest with us, Joseph O’Donnell, but we call him Joe. He said we can call him Joe if we’re his friend, and we do feel like we’re his friend. So let me just say this before we go much further, Joe, thank you so much for coming on and talking with us today on a very, very important topic. I’m going to let everybody know what the topic is here in a minute, but first of all, just thank you very much.

Joe O’Donnell:

You’re welcome. Thanks for having me over.

Radon Stancil:

So here’s what we’re going to talk about today is in all essence, financial security, but through the avenue of what we’re going to talk about today is cybersecurity. And this is an ever-growing concern. I will tell you that in our world, the Securities and Exchange Commission requires us to do cybersecurity training for employees as well as for our firm because we have to put forth effort to make sure that our client’s information is safe. We’re doing a lot of things in our office when it comes to cybersecurity, a lot of training, a lot of avenues to protect, but what we find is that clients themselves need to do things to protect themselves. And I’m going to tell one quick story before we get into the interview here, but I’ll give you an example. We got an email from a supposed client and the email said, “I am out of town and I don’t have access to things and I need some money from my account.”

Everything looked legitimate about the email. I was able to look, it was in fact his email. It was not a spoof email, it was actually his email. So our protocol is, if anybody ever calls us and asks for us to move money, take money, do anything with it, we never do it off an email. I called the client and I just said, “Hey, I just received an email that appears to be your email asking for money.” And he said, “That is absolutely not me.” So what had occurred is his email had gotten hacked and they were sending it through his email account. So that’s just a little example, but I’ll tell you one of the topics that we just had a conversation with at a conference, Joe, was about what are called phishing emails. So I thought we could start this discussion off and could you just educate us a little bit on this because you agreed that this is a growing topic. What is a phishing email and why is it people are doing it? What are they trying to gain out of it?

Joe O’Donnell:

That’s a great question. I get that all the time. Phishing, like it sounds, somebody is phishing for something. They hope you take the bait is basically what happens. Most commonly it’s an email message, but it could be a text message or even a voicemail that they leave for you. Whatever it is, they’re phishing for something. They’re wanting you to take the bait. And that could be where there’s some type of threat. There’s usually a threat involved and there’s urgency to that threat and they’re hoping you don’t pay attention to it so that you click on a link, you volunteer a password, you provide a PIN number to your credit card or some type of financial account because once they get that information, now they have access to money, finance is always behind it, money or possibly to other things that are behind or accessed with your email or your phone number or something like that.

And those things, like I said, there’s different ways they can get them, but email is one of the most common avenues that are used to get that information. And it doesn’t really matter who you are. They’re not pinpointing, “Hey, I’m going to target you today.” It’s a blanket casting out and they’re going to see who’s going to bite on that email that says, “Hey, your iCloud account is going to be canceled today. Your credit card is over the limit. Someone tried to purchase something, can you authorize this?” Those types of things, there’s an urgency and a fear factor to it to get us to respond.

Murs Tariq:

Yeah, I was going to ask if text is becoming more common because I got a text today actually, and I haven’t decided whether or not it’s phishing yet. So I’m going to go Google some of the words that are in the text, but it just so happens that I placed an order three days ago for a piece of furniture for our house and the text is not coming from the company that’s supposed to deliver. I’m on high alert always when I get a random text or a random email. So I guess we could go into how do I verify this, right? So what does someone do other than just stay… I guess you want to stay vigilant no matter what, but what are some of the things that someone can do to decide or decipher whether or not it’s a phishing email or a text?

Joe O’Donnell:

That’s the number one question. Because I work in technology, people will say, “Well, I have antivirus. Doesn’t that protect me against these types of emails and things that come in?” No, not really. Antivirus is for a very specific type of threat, and a phishing email does not really come under that umbrella. And one of the reasons that phishing emails are so effective is because it’s not a computer replying to another computer; that we can protect against. We can prevent computers from taking advantage of things. The harder part is the soft target, that’s you and I, we reply, we volunteer. So training like what we’re talking about today and being vigilant, being aware of what the issues are and how to avoid them, is the most important part.

The biggest things when you receive an email, when it has some type of threat, and when I say the threat can be different levels, it could be, “Oh, you’re over your balance. Did you make this charge? Did you charge this to your credit card? Your account is about to expire.” Those types of things. Unfortunately, the way email is today, you just cannot trust an email. So if you get an email like that, the number one thing to do, step back away from it and don’t trust the email. That’s number one. Because the minute you trust it, they’ve already got a foothold on you and now they can go to the next level, which is getting you to click on or to call a number or do something about it. So that’s the number one thing, don’t trust it. Just back off of your fear, the emotion of the situation.

And then the second most important thing you can do, verify. So just as an example, if I received an email that said my credit card received a charge for 5,000 some odd dollars, did I approve this charge? Well, that might be shocking. And I maybe go, “Whoa, whoa, whoa. Wait a minute. Yes, I was shopping on Amazon, but I didn’t purchase this $5,000 purchase,” or so on. What would you do? Well, you would do what you would need to through authorized channels. So for example, if I’m going to call my bank, I’m going to use the phone number on the back of my bank card, or I may use the website on the back of my bank card. I’m not going to use a link in the email because remember, we don’t trust that email where it came from. I don’t trust the phone number, I don’t trust the website.

So stepping back and then using a verified source for a phone number to check your account or go to the website that you know, don’t use the links in the email. Those two things right there can eliminate almost all of the risk when it comes to a potential phishing email no matter where it comes from.

Radon Stancil:

If you don’t mind, Joe, to talk about this because I know we just jumped into this whole thing, but a lot of times, I get clients, and by the way, I wouldn’t say that these are just older folks, this kind of goes across the board, and this is what they’ll say, “I fear all the problems of being online, so I’m just not going to be online. I don’t want to be a part of that.” So can you speak a little bit about, I guess two things. Number one, I always tell them, “You’re online, whether or not you think you’re online or not.” But either way, should these things that we’re talking about, all these phishing emails, the people trying to hack us, should it make us so scared we say, “I’m not going to participate with this online world,” or what should the mentality really be?

Joe O’Donnell:

No, that’s a fair question because a lot of times the unknown, and all you hear is the bad stuff. It can put a fear into you where you don’t even want to do it. But using the internet is a lot like driving my car. Do I let the fear of, “I might get in an accident, I might get in a head-on collision, I might be hit by somebody who runs a light or a stop sign,” stop me from driving? No, I’m just careful. I pay attention before I cross an intersection. I’m a little bit more diligent than I was when I was 18 and driving. You take necessary precautions. I have insurance on my car in case something does happen. So it doesn’t prevent me from being able to get around. Sure, I can get around without having a car. It would just take me four times as long to do everything, which isn’t really practical.

So using the internet is a lot like that. Almost everything uses it. And if you don’t, and say, “Well, I’ll just avoid using it,” you’re probably already using it and didn’t even know, your bank. If you go to the post office, the UPS store to ship something, there’s going to be a small footprint of yourself as part of what they’re capturing for you and what they’re doing. So there’s really no getting around it. So the best way is just to be informed. Just like you would be when you’re going to be driving, you take a safe driving course. We take precautions. Even with my children, I train them on, “Here is what you need to look out for when using the internet.” I just don’t hand them a computer and say, “Okay, there you go, have fun.” We give them training and precautions so they know what to look for, know when to raise an alarm, what to stay away from, and so forth.

So that helps in having that type of precaution because when it comes down to it, we talk about emails because that is one of the biggest things that will come. Our utility bills can come that way. If I have a mobile phone, they’re like, “Hey, we’ll give you a $5 discount if you get your invoices or your bills via email versus paper.” That’s very common where you’ll get those type of discounts. Even your insurance company will even do that. But there’s other reasons you have to be vigilant too, not just email, like you mentioned, I’ve gotten voicemails. People will call me. And on your phone, you’ll see the number and you’re like, “I don’t know that phone number. I’m not going to answer it.” And then later you listen to the voicemail and there’ll usually be like this long pause and then all of a sudden you’ll hear what sounds like a busy call center in the background with someone with an accent that is definitely not local.

And they’re telling you, “We’ve been monitoring your computer. This is Microsoft and we found a virus on your computer,” or something like that. Microsoft doesn’t monitor your computer, neither does Apple or HP or Dell or anybody else. But what they’re playing on is that we all have a fear that there might be something wrong and we want to take care of it, we want to fix it. So the voicemail thing or the text messaging, “Hey, there’s this fraudulent charge from your bank.” And they’ll even give the name of the bank and they’ll put a, please call this number and reference this account number, this code to authorize that it’s you. And we’re like, “Oh, yeah, I better call them.” So you click on that number. It’s not your bank. They’ll pretend. They’ll ask for your account number, “Owen, can you verify yourself with the last four digits of your social?” This is everything they need so they can call your bank and get access to your account.

So just because we talk about the internet, there are different avenues they use to be able to do fraud because it’s really what it is, they’re taking advantage of you. Email is one way, voicemail is another, or your phone, text messaging is another. So the principles you learn when it comes to that, they travel or traverse across all the different types of mediums that you might come across, not just the internet. It’s good to think about and be prepared about.

Murs Tariq:

Yeah, while we’re talking about fear in the internet space, if you go back a few years, one of the biggest data breaches that happened that put the idea of data breaches on the map was, I think it was TransUnion or one of the largest crediting reporting agencies in the world, TransUnion, Equifax, one of those two. And people were talking about that more and more. And since then, you kind of hear about some type of breach here and there almost every month it seems like of large companies, credit card companies, banks, and anyone that carries significant amount of data, typically personal and financial type of data about you. So in this world, I think that part is inevitable. It’s not like you can protect Discover Bank from releasing your information. These things are going to happen. But when they do happen, what is someone to do and how does someone kind of navigate, they get that letter in the mail of you may have been exposed, right?

Joe O’Donnell:

Yeah, this is a great question. One of the biggest problems that we as users, I’m just grouping myself in with this, we already have a lot of stuff to remember. We’re parents, maybe we’re single, we have a lot of things going on our plate, we’re at school, maybe we’re retired and there’s just a lot of moving parts to our lives. And having to remember passwords is a pain where a pill can’t reach. It’s a bane of our existence of having to remember passwords after passwords. And then we hear the advice, “Oh, you should have a separate password for everything you have.” Even I know this, but my inclination is, “Another password?”

I’ll use the same one across multiple things. And that’s where the danger lies because at some point, it’s inevitable where that password is going to be used by another person on this planet and end up on a password database or list that some hacker buys off the black web. And on the dark web, everything goes across and then they start using it to try to hack different sites. It’s going to happen at some point. So you mentioned a good one about TransUnion was one. One that’s more recent that happened, 23andMe. A lot of people have used 23andMe, they bought it for their grandparents, “Hey, let’s run this and let’s find out our ancestry.” Lots of people did this. And there is risk when you do anything. So what happened? Well, somebody with a weak password, their account was hacked.

And because in 23andMe, you can find out who your relatives are and say, “Oh yeah, other people that are related to me can see me.” It kind of domino effect into it being able to see information and they could garner information for other people. Now, it was limited in what they’re able to see, but you see, how did that hack happen? Was it 23andMe? Well, they do have some responsibility towards it, but ultimately, the person who used the rinky-dink password, password 123, or their kid’s birthday or something, that’s what allowed the hacker to get in. So first and foremost is making sure that you have a secure password. If you get a notice from 23andMe, “Hey, we think your account information may have been included in one of these hacks,” or Home Depot or Union, these are all companies that we have used and have had breaches in the past, when you get a notice, change your password.

And that’s the number one thing that you can do. I got an email last week, and this was through my work email. All of a sudden I got this email that said, and it was from a legit user, the email address, I had never corresponded with this person before, but the company is one of our clients. And I got an email from them that said they had a SharePoint file to share with us. Now, SharePoint, I won’t get too technical here, AKA, OneDrive like Dropbox. But then I was like, “Well, that’s unusual.” Ding, ding, ding. I wasn’t expecting anything from this person. And then number two, when we talked to security about this before, when I hovered my mouse over the link, it was not a SharePoint or OneDrive link. It was pointing to Dropbox. So already things were a little off. What happened? The person had fallen for a similar type of tactic. They had entered in their information thinking they needed to log in to get it, and nothing happened and like, “Well, maybe I typed it in wrong.”

It was garnering that information. It was put into a database. The threat vector, that person, then logged into their email address and sent out this blanket email to all of their contacts. And that was why I got one of the emails. It’s not a malicious type of thing, but when you discover something like that first and foremost thing that you do, change your password. Absolutely. You’ll see that a lot with Facebook. People will get hacked and you’ll see their accounts get hacked. Change your password if you can get back into your account. That is the number one thing to do, immediately. Second thing to do, if your account, whether it is your Facebook account or your email account or your internet account, your wireless bill account, will allow you to use two-factor authentication, do it. Yes, it’s a pain in the butt, but it’s far less of a pain in the butt than having someone breach your account or take on your identity, gain access to your social security account with the government. These types of things. Do that. Make sure you set that up with everything you can.

Radon Stancil:

Yeah. Just in case we’ve got a listener who maybe doesn’t understand that terminology, could you briefly explain what two-factor or sometimes called multi-factor, could you just explain what that is and how that works and why that is such a protection?

Joe O’Donnell:

Yeah. No, that’s a great question. So you’ll hear abbreviation such as MFA or the number 2FA for two-factor authentication or multi-factor authentication. Basically what that means is you have to sign in twice. So think of it like, “Okay, well, I’m going to sign into my,” let’s say I have a Verizon account, “I’m going to log into my Verizon account.” I have an email address. I have a password. So that password is my first factor. And then it will then use the two-factor authentication, which means it’s going to send you possibly a text message to your mobile phone or it will call your mobile phone, or it may have some other little app that it might use to authenticate who you are that’s separate from the email address and password.

And that will usually thwart a lot of the issues with passwords. So if your password did get hacked somehow and a person tries to log in with your email address and password, well, they don’t have your phone and your phone number, or they don’t have the other authentication app that you might’ve set up like Google Authenticator or Microsoft Authenticator to get the two-factor popup or the text message. So that stops them cold in their tracks. They’re not able to go any further. So that’s what two-factor authentication is. First factor is my password, and then that prompts a text message to my phone, which is now going to be my two-factor or my second-factor authentication. And I take that code from my phone and I enter it in, and now I have access to my account.

Murs Tariq:

So what are your thoughts while we’re talking passwords around password managers, like Google’s got one, Microsoft, LastPass, all these different products out there. Do they work? Is there anything to be cautious about with them?

Joe O’Donnell:

No, that’s another really, really good question. So that kind of goes along to my thought earlier about how passwords are a little bit of the bane of our existence because having to remember a separate unique password and then your bank or your insurance or your medical carrier is like, “Okay, we need this to be a complex password.” You’re like, “Great, now it has to be something that I’m never going to remember.” So a password manager is a fantastic way to help you have complex passwords and unique passwords for the accounts that you log into. And then the only password that you have to really remember, and of course, it needs to be a good password, is to get into that program.

So yes, that’s a great way to do it though you want to make sure that you use something that has a good reputation and encrypts that information so if that information is garnered or accessed in some way, it appears as googly garb, they’re not going to be able to understand it without your key code to get it. A lot of people will ask me, “Well, what about my browser? It will memorize passwords for me.” That’s true. It’s very convenient. I would say that’s better. So if you were to level things, if I write my password on a sticky note and put it on my monitor, not real secure, someone could walk in and see it. Putting it under your keyboard, yes, that’s more secure than having the sticky note on your monitor, but it’s not as secure. If I were to store that password in my browser and it does have a level of encryption or protection to it, that’s better than having it on a sticky note. Having it in a password application such as LastPass or 1Password, I think we’ve talked about that, I use that one myself personally, that’s better.

You’re stepping up the game even better in those regards. So for browser-based ones, we usually recommend that people don’t store them in the browser-based ones maybe for the more sensitive and confidential ones. If it’s for your New York Times account or to log into your favorite news account or something like that, some things that are inconvenient if they get lost or hacked, but not the end of the world, it’s not going to be a problem. But for your more confidential things, because the browser-based password lists are a little bit of a target, whether it’s on a Mac or a PC for, we call them threat vectors or hackers, we tend not to recommend those because they do have a little bit of a big bullseye on them, but instead, use a program like LastPass or 1Password or a couple that I know a lot of people use.

Radon Stancil:

Well, Joe, I know as a company, we’re required to have ongoing cybersecurity training and we want to provide that for our clients as well. So while we’re not going to try to cover everything today, we try to keep these episodes at around the 20 to 30-minute mark. You’ve shared a lot with us, but we would love to have you come back and we’ll just try to keep up to date as to what’s going on in the cyber world of things and try to keep everyone who is listening to this podcast up to date because we feel it’s extremely important.

So we appreciate very much, I know there’s probably a lot more things to share, but instead of trying to cover it all today, we’ll try to continue to chip away at this idea of being safe on the internet. But we would love to say thank you very much for coming on and sharing some of these tidbits for us to make sure we keep ourselves safe. So thank you. We appreciate it.

Joe O’Donnell:

Thank you very much for having me.