Last week we had an interesting chain of events involving a client, an e-mail compromise and a potential loss of funds. No funds were lost, but the possibility was there. The scenario played out as follows:
A tax partner for a client received an e-mail from the client requesting information on account balances for investments. This e-mail was part of an e-mail string in which the client had been communicating with the tax partner regarding tax returns for the year. The tax partner responded to the client that he should contact his investment advisor, who also worked for MCM, and copied the investment advisor. The investment advisor found this odd and called the client regarding the request. The client responded that he had not made this request. In the meantime, the tax partner got a second e-mail reinforcing the earlier e-mail. This e-mail was a bit more terse in the request, generating a sense of urgency.
At this point we determined that something was not correct and advised the client to immediately change the e-mail account password and other relevant passwords. MCM then looked at the metadata of the e-mails, and they appeared to be coming from the e-mail host. MCM then had one of our IT auditors, who is also a CFE, call the client to discuss how this may have happened and some additional precautions to take.
This scenario serves as a reminder of how quickly and easily we can be compromised and how that compromise can be turned into a full-blown situation. In discussion with the client, there were no apparent actions that led to the compromise. The only thing we discussed that could have contributed to the situation was a virus found about a month ago. This may or may not have contributed, but it is current practice among some hackers to hold information for a period of time to allow the victim to relax and recover from the initial activity.
With this we would like to remind everyone of a few tips to help avoid and minimize compromises.
Different Passwords – Do not use the same password for everything. In this scenario it sounds like the account had been compromised. If the same password is used everywhere, including financial accounts, an innocuous account compromise could become catastrophic quickly.
Password Selection – Do not use passwords that can easily be guessed, such as children’s names. Try to add a few non-alphabetic characters, such as numbers and special characters, to reduce exposure to “dictionary” attacks.
Password Safes – It is tempting to keep all your passwords in a spreadsheet or something similar. This can be dangerous, as a compromised system could allow a hacker to access all your passwords. The recommendation is to use a password safe that encrypts the data so that it cannot be read without decrypting it with a password. One that I have used is Password Safe and it is available for various platforms including Android and iPhone. There are others that are web based and available for different platforms. It is best to use whatever makes you comfortable.
User Accounts – It is also important to use different usernames on accounts. If you use different usernames, a hacker would have to get the username before getting the password. If you use the same username everywhere, a hacker is halfway there.
Limit Use of Public Terminals – In this area we do not have as many public terminals as some of the larger metropolitan cities. The use of these terminals can leave traces of information behind that the “public” could use to extract information.
Do Not Wait – If you THINK there may have been a compromise, notify your bank and other relevant account holders. Change all your passwords immediately. Even if you have different accounts and passwords, you may never know what information was compromised or how it was obtained.
This is a very brief lesson in security and things that you should be aware of. There are numerous things to consider when securing your online presence. This is not intended to make anyone nervous, but to encourage approaching things with awareness and healthy skepticism. We all try to keep things easy, but in today’s environment that is not adequate. Anything that makes it easier for you also makes it easier for the hackers. A few minor inconveniences on your part can increase your security dramatically.
