On January 23, 2024 it was revealed that there was a very large data dump of 26 billion records of consumer information onto the web. This is being referred to as the “Mother of All Breaches” and is a full and searchable database. You can easily check to see if your data has been leaked. From stopping fraudulent transactions to preventing identity theft, securing online accounts is a hot topic in financial planning discussions in today’s cyber-connected world. There are some things you can do to protect yourself. Just like how locking your doors and installing a security alarm and security cameras can protect your physical assets, similar approaches can protect your online accounts. 

We continue to strongly suggest that everyone use a password manager. A password manager is one secure location for all your login information for all the sites you access. If you use a password manager, you only need to remember one password (which should be 15+ characters, including letters, numbers, and special characters). It is often much more secure than other methods of storing sensitive data. Password managers encrypt their data to further protect you from hacks. In addition, if your account is protected by two-factor authentication and password best practices, your data is much less likely to be compromised. 

Most password managers will autogenerate a long, complicated password and autofill it for you, eliminating login errors due to typos and strengthening your security on all your online accounts. You should still change your passwords for your most vulnerable sites regularly. 

 Examples of password managers are: 

1. 1Password  
2. NordPass 
3. Roboform 
4. Many others  

This single action will have the biggest impact on your online security. Other security tips: 

1. Do not keep your passwords in Word, Excel, Google Docs, etc.! A hacker can easily gain access to ALL your passwords if he or she gets access to your computer. 
2. If you already use a password manager, change the master password annually. 
3. Make sure your master password is a longer phrase, including special characters, and memorize it. 
4. Edit the settings/security features of the password manager to make the security tighter (restrict logins to US IP addresses only and set up an authenticator app for your two-factor authentication, for example). Password managers reduce errors due to phishing, as they autofill password information in valid website addresses. If you went to an invalid address as a result of a scam, the information would not autofill. You should never have to manually enter a password other than your master password. 
5. DO NOT use the same password for multiple sites. When a website is hacked (and many are, every year) and bad guys access user and password information, they sell it on the dark web. Then other bad guys use that information to try to log in to many other sites in your name. (See above data dump.) 
6. Set up two-factor authentication using facial recognition (if available) and/or an authenticator app such as Authy or Duo. SMS (text) as an authentication method is not as secure and can also be intercepted by the bad guys. 
7. DO NOT CLICK LINKS IN EMAILS or give any personal information to anyone who calls you. Go directly to the website in question to log in to your account, or call the phone number associated with the vendor in question. 
8. Bad guys are constantly attacking many password managers and financial institutions. Good security practices can protect you even if your institution is successfully breached. 
9. Don’t include information in your passwords that is easy for a hacker to obtain or guess, like dates of birth for you or your family members, addresses, phone numbers, etc. You are better off using random words and numbers to compose a phrase or letting your password manager autogenerate a password that is long and complicated. 
10. Edit the settings/security section of every piece of software you use. 
    • Just about every program has a settings/security section where you can turn on additional layers of security. The default setting is often the least secure because with increased security comes some additional work for the user. The first thing I do when installing new software is tighten up the default security. 
    • Turn on two-factor authentication, also known as multifactor authentication. This is a base level of protection these days. Always opt for the authenticator app approach, not the SMS text message approach. This protects against hackers intercepting your texts.   
    • Add as many layers of security as the software allows. 
11. Prevent phone number porting.   
    • A would-be thief can hack into your email account and port your cell phone to their device while you are sleeping, thereby gaining control of your two-factor authentication.   
    • Protect your email password. Use long passwords, NEVER reuse a password that is also used for another site you visit, and turn on “prevent multidevice access” if available. 
    • If someone is able to hack the email account associated with your cell phone account (most commonly due to a weak password, duplicate password, or inadequately stored password), then he or she has access to your text message two-factor authentication. To protect against this, most carriers allow “account locks” to be put on your number, preventing your account from being ported to a new device unless you complete additional steps.   
12. Do not click links in emails. 
13. Do not click links in emails. 
14. And do not click links in emails. 
    • One of the most common ways hackers can access user accounts is through “phishing” – sending an email pretending to be a trusted vendor and tricking you into “logging in” to review something. They will often make it seem like an emergency. When this happens, WAIT, THINK, and ASK others if the request seems reasonable.   
    • Go to the website using the URL in your password manager – not a link in an email message – to review your bill, log in to your account, etc.   
    • Question any emergency email request, even if it is supposedly from someone you know. Email addresses are hacked and spoofed all the time! WAIT, THINK, and ASK before responding. Call your contact and ask them if they sent a message! 
    • Hackers are getting much more sophisticated in cloning websites to steal your login information. Do not let them in! 
15. Do not email documents. 
    • ESPECIALLY do not email documents with personally identifiable information like your Social Security number or date of birth. Train yourself to send documents by a more secure method. Almost every business offers a way to securely upload files these days. Use it.  
16. Don’t answer your phone if the caller is not in your contacts. 
    • Most cell phones have an “add to contacts” feature. As trusted people call you (doctors, vendors, friends), add them to your contacts.  
    • Many scammers will call and scare you into thinking there is some emergency. 
    • Some even leave scary voice mail messages. 
    • WAIT, THINK, and ASK before responding. 
17. Make sure you are using antivirus software such as Avast, Defender, or Webroot. 
18. You may want to avoid using software that is constantly trying to sell you extra, unneeded features. 
19. Make sure you are always updating your phone and computer. 
    • Updates are released to combat online threats all the time. Not installing the update can leave you vulnerable.   
    • NEVER use an old, non-updated computer to access the internet. This is like leaving your doors open when you leave your house.   
20. Do not post personal information on social media. ESPECIALLY: 
    • Do not reply to those posts asking for places you have visited, favorite anything, or personally identifiable information. This can all be used to guess your passwords.  
    • Do not accept friend requests from people immediately. Some people’s social media profiles are copied, allowing for second friend requests to be sent and giving the hacker access to friends’ profiles. Or worse, your friend’s social media account may be hacked, meaning you are now communicating with a hacker. 
    • WAIT, THINK, and ASK! 

Wrap-up    

Overall, your security does not have to be perfect; it just needs to be strong enough to prompt hackers to move on. When would-be thieves run into tight security, they are likely to move on to other, easier targets. 

Although there is a lot to consider, you don’t have to do it alone. If you need assistance with your investments, tax planning or retirement planning in general, please reach out to our team.