Don’t let the scammers steal your information!

Photograph of a video camera in a doorbell, with Parmenion's Spotlight on Infosec logo sitting on top
For financial professionals only

If you’ve ever had your information stolen by an attacker, you were probably left wondering how it happened - and what you can do to stop it happening again.

In this article we look at the different ways attackers can steal your information and give some practical advice for good cyber security habits.

How can you tell you've been hacked?

Here are three tell-tale signs:

  • You can't login to your accounts
  • You notice attempted logins, and unusual notifications and messages
  • You notice unauthorised money transfers or purchases

How can attackers steal your information?

A lot of financial platforms and social media accounts provide SMS based authentication so if your sim is swapped, you may find money being transferred out of your bank account or your friends may notice that your social media profile is being used to post or message your contacts about scams.

In January, the US Securities and Exchange Commission (SEC) fell victim to a sim swap attack after their X (formerly Twitter) account was hacked and used to post that the SEC had approved bitcoin ETFs (exchange-traded funds), causing a momentary spike in the bitcoin price.

This type of attack can causes distress and disruption, so you must act quickly to regain control of your number and accounts.

How do attackers get your information?

There are 10 very common routes into your info:

1. Stealing your personal information or installing malicious software on your device whilst you’re using public/free wi-fi hotspots (e.g., at coffee shops, airports, hotels)

Attackers can see all the activity and data passing through the wi-fi connection, so if you log into your email account, attackers will be able to see this login information too.  

2. Using card skimmers or ATMs

These devices are placed on chip and pin terminals or ATMs and they let the card skimmer clone cards. Attackers often attempt this with legitimate businesses that aren’t aware they’re installed.

3. Sim swapping

Attackers trick your phone provider into porting your phone number to a device under their control, so they can intercept all the phone calls and messages going to your number. 

4. Placing malicious software (malware) on legitimate websites

If there are vulnerabilities on legitimate websites, attackers can install malware on pages (like payment pages) to steal information. 

5. Hacking internet connected devices (e.g., doorbell cameras, children’s toys) or routers.

Anything connected to the internet can be accessed by scammers if the devices are using default passwords or out of date software. Once they’ve gained access, attackers can install software like key loggers to send all the information typed into them back to the attacker.

6. Through data breaches or common password lists

Attackers trade information like card details and login information stolen in data breaches in the hope that this information can be reused.

7. Fake applications disguised as genuine businesses

Attackers can create fake apps on app stores appearing to be legitimate providers.

8. Physically intercepting the information

This could be through stolen wallets, lost cards, intercepting post, shoulder surfing, and card skimmers.

9. Phishing emails, texts, or calls            

Attackers use sophisticated methods like impersonating legitimate companies, fraud departments or IT assistance, designed to trick you into handing over information.

10. Through social media profiles, competitions, and quizzes

Attackers can collect a lot of information on you from open social media profiles (e.g., mobile numbers on LinkedIn) and quizzes.

What good cyber safe habits should you practice?

Cyber criminals are becoming more and more sophisticated in their methods to gain access to valuable online accounts or to trick victims into sharing their personal details.

Here’s our 10 top tips on how to stay cyber secure: 

  • ·         Don’t save your card details on websites – if the website is hacked, your information could end up in the hands of attackers.

    ·         Avoid using open or public wi-fi – if you must connect, make sure you never log into anything sensitive like your emails or bank account or use a Virtual Private Network (VPN) to encrypt your data.

    ·         Avoid paying for anything over the phone. You can’t be sure how the data’s being handled it could be written down and not disposed of correctly which could breach your security. Never enter personal data into a website that begins with ‘HTTP’, as the website is not secure.  Remember, ‘HTTPS’ means the connection is secure, not that the website is safe – so it’s good to be cautious. Hackers can create websites with HTTPS too. 

    ·         Get notified when your data is sold online - Visit https://haveibeenpwned.com/ and click on ‘Notify Me’ in the top panel to add your email address(s) so you’ll get a notification if your information is being used.

    ·         Be suspicious of emails, phone calls and text messages – this is the most common way attackers will try to trick you into providing your information or downloading malicious software.

    ·         Lock down your social media profiles. Attackers use sites like LinkedIn to find information like your mobile number which they’ll use to phish you.

    ·         Keep your laptop, mobile and devices up to date with the latest software.

    ·         Use a password manager to set unique strong passwords for all of your accounts. If you reuse a password, you’re likely to have multiple accounts breached at once.

    ·      Set up app based multi-factor authentication (MFA) on high-risk accounts (especially iCloud and email, where all password reset links go to), and avoid using SMS based MFA – where possible (SMS MFA is still better than no MFA).

    ·      Change default passwords on devices connected to the internet, and your router.

Read Sarah Coles' monthly infosec updates here.

This article is for financial professionals only. Any information contained within is of a general nature and should not be construed as a form of personal recommendation or financial advice. Nor is the information to be considered an offer or solicitation to deal in any financial instrument or to engage in any investment service or activity.

Parmenion accepts no duty of care or liability for loss arising from any person acting, or refraining from acting, as a result of any information contained within this article. All investment carries risk. The value of investments, and the income from them, can go down as well as up and investors may get back less than they put in. Past performance is not a reliable indicator of future returns.