ALERT!! YOU MAY HAVE BEEN HACKED!

Security Alert!!!

Not to make you paranoid but you should consider yourself as constantly targeted for digital theft.  These scams are everywhere, looking for the weakest security and the juiciest score. 

We’ve all been there. You get complacent and click a link that you shouldn’t have, or you are so harried that you answer a call just to make the phone stop ringing. Then get caught up in the “emergency” on the other line.  So, how do you protect yourself from yourself?

We, at Ahara, don’t just try and grow your wealth through investing, tax minimization, and estate preservation (estate tax planning).  We are also concerned about your financial and digital security.

Recently, we were alerted by a client that their email (Gmail) was compromised on a Saturday.  Not long after, they realized that it was a theft attempt and they contacted their financial institution and locked down their accounts, limiting their own visibility to their accounts, which meant they were not able to access them until the fraud teams reviewed and reset their profile.  They reached out to us to assist, and we were able to view the account through our “advisor” portal.  What we found was a wake-up call. 

The perpetrators immediately attempted to open a Crypto account for the client, and set up a payment to their Crypto account, as well as making a few stock trades.  Luckily, these were cancelled as soon as the client called the financial institution.  And even luckier, this was during a weekend when these activities are queued up for Monday morning, so their cancellation was effective.

So, you might ask yourself; how was someone able to access the client’s financial institution with just their Gmail account?  Especially since we hound our clients to use authenticators for two-factor authentication (2FA) in lieu of emails or SMS (text) options.  What we learned is a bit shocking. 

Email Compromised

↓

Authenticator Compromised

↓

Password Vault Accessed

↓

Financial Accounts Exposed

If you use an authenticator provided by your email provider, you may be vulnerable.  Consider the case for the client.  They used Google Authenticator as their 2FA method for this institution and had a Google email address in their profile. Unfortunately, to simplify user experience, if you use the same provider for both email and authenticator, you may end up quite vulnerable, as your email profile can be used to access (or reset) your authenticator.  Even more disconcerting is that if you are using a password repository from the same provider as well, everything may be accessible if/when your email is hacked. 

Our conclusion and recommendation (see the illustration above) is to use separate providers for each of these services and avoid the “shortcut” of setting them all up on the same platform.  For example, if you use Gmail, then choose the Microsoft Authenticator and the Apple password repository.  I have been changing my access to use Gmail, Microsoft Authenticator, and LastPass (paid password repository) for my financial institution profiles, which should also be set to alert you when security settings are changed (email address, mobile number, etc.).

And, in case you are wondering, our client was fine after all - they may have endured a few sleepless nights, but that was truly a wake up call for all of us.  They’ll be OK, and much more vigilant, in the long run.