Cybersecurity expert Paul Benda relays a story about the time that hackers tried to break into his bank account and steal his money. “They found out my login, but didn’t know my password,” says the senior vice president of risk and cybersecurity policy at the American Bankers Association.
Fortunately, the cyber thieves were foiled. “I called up my bank and locked down my account,” Benda says.
Such incidents are likely to increase as hackers take advantage of Americans’ accelerated embrace of mobile banking due to the coronavirus crisis. The FBI recently reported a 50 percent rise in mobile banking since the start of 2020, and warned that the increase will likely result in consumers’ inadvertently downloading fake banking apps and app-based banking Trojans designed to take possession of their account information.
These are not new threats consumers face, but a new theme has emerged, Benda says. Hackers are going after stimulus checks and Paycheck Protection Program (PPP) loans that Americans and small businesses have received from the federal government to survive the pandemic’s economic downturn.
Tips to avoid getting hacked
Bankrate picked the brains of four cybersecurity experts to learn the best ways consumers can protect their banking and financial accounts. Here are their suggestions.
From Paul Benda, senior vice president of risk and cybersecurity policy of the American Bankers Association:
- The number one way to protect yourself is to make sure you’re really on your bank or financial institution’s website or app when you’re transacting business — and not an imposter site set up by hackers. “Check on your statement or the back of your bank card for the right website, bookmark that, and use that,” Benda says.
- Only download verified apps from reputable websites, such as the App Store or Google Play. “Trojans are really pernicious,” says Benda. “People need to be careful about what apps they install and where they install them from.” A high incidence of fraudulent activity can occur through so-called ‘sideload’ apps, or those downloaded from unofficial sources, he adds.
- Pay attention to privacy policies. Apps often say they need to access your photos, your microphone, and your camera. “Banking apps will need access to those things,” says Benda. “People should make sure they’re comfortable with that.”
From Teresa Walsh, global intelligence officer at Financial Services Information Sharing and Analysis Center, or FS-ISAC, a consortium focused on reducing cyber-risk in the global financial system:
- Stick to trusted app stores when downloading apps. “Users shouldn’t download applications found on open forums,” Walsh says. “For banking applications, many banks feature links to the app stores from their websites to ensure you pick the correct one.”
- Beware of phishing emails from fraudsters trying to get your personal information. Phishing emails will often have wrong numbers or bad links. Don’t respond to those. “Phishing awareness still holds true for mobile threat mitigation as many people use their mobile for email and text messages from their banks,” Walsh says.
- Not sure what kind of app experience to expect from your bank? Check with your bank to see what features its app contains and how to access it safely. “If you are confused at all, you should talk to your bank,” Walsh says.
From Donald Korinchak of CyberExperts.com:
- If you want to avoid getting ripped off, don’t make it easy for hackers to guess your PIN and password. “The biggest problem with passwords is that people tend to reuse passwords and choose weak passwords,” Korinchak says. “This is because weak passwords are easier to remember. Strong passwords are difficult to remember, especially if you have dozens of different strong passwords.” But you’ll be better able to thwart cyber criminals if you use longer passwords with a combination of upper and lower case letters, numbers and symbols.
- Use two-factor or multi-factor authentication to reduce your risk of exposure. This security measure forces you to provide at least two different factors to verify your identity. The extra layer of security required to access your account will offer greater protection. “There are three categories of authentication,” Korinchak says. “One, something you know, like a password. Two, something you have, like your cell phone – this is validated when you receive the text code. And three, something you are – biometrics.” This last example, such as a fingerprint or iris scan, is not currently in widespread use. “Banks are beginning to use biometrics by implementing voice print technology during phone calls,” he says.
- Set up alerts via email, text or the financial institution’s app to monitor fraudulent activity. “In the old days, customers often were unaware of fraud until they got their monthly bank statements,” he says. “Because of this delay, the fraudulent activity could continue for up to four weeks. With alerts, the customer is notified very quickly and can work with the bank to swiftly rectify the issue.”
- Avoid sending financial or sensitive information via email since it’s not encrypted and can be intercepted by hackers and used to raid your account.
- Use the security functions that are built into your device software to protect data. “Be sure to set up the ability to track your stolen device, disable it and wipe it remotely,” says Korinchak.
- Using strong passwords is easier if you use a reputable password manager, an app that helps you generate, store and manage your personal passwords. Korinchak says password manager software is recommended by most cybersecurity experts.
From Eric Kraus, vice president of fraud, risk and compliance solutions at FIS, a provider of payment and financial technology solutions to merchants, banks and capital markets worldwide:
- In addition to downloading only verified apps from the App Store or Google Play app store, double-check reviews about apps before downloading them. “If a couple of consumers downloaded an app and had a malicious experience, they write about it in the review,” Kraus says.
- Scrutinize the email address of the app company. “Does it look legitimate? If there are weird spellings or the email address looks off or if something doesn’t look right, avoid it,” he says.
- Just as Norton or McAfee antivirus and malware-tracking software helps to protect your desktop computer, there are versions of mobile security software designed to protect your device and help you identify threats before you get tripped up by a hacker.
- A hint that something may be amiss is if you run through data more quickly than usual or your battery is draining. “That can indicate something is silently running in the background,” says Kraus. “Be actively involved in monitoring data and battery usage.”
- Avoid clicking on adware popups. “That’s a popular way that fraudsters love to embed malware,” Kraus says. “Don’t be overly zealous clicking into less than scrupulous apps and ads that are being pushed to you and popping up.”
- Refrain from sharing too much of your personal information on social media. “Everyone wants to tell everyone in the world about every little personal thing in their life,” he says. “Be cognizant of not oversharing.” The more pieces of your personal data a hacker has, the greater the likelihood they can use that information to find their way into your account.
- Consider using a reputable Virtual Private Network, or VPN, on your computer to shield you from password pickpockets. But avoid any that are “free” as they may not protect you at all. “VPNs can be very effective,” says Kraus. “They’re not expensive, and not hard to set up at your home.”
A study by the University of Maryland’s Clark School of Engineering found that hackers attempt to attack computers with internet access every 39 seconds on average. That puts the onus on you to be alert to sinister tactics used by cyber thieves, such as phishing and website spoofing designed to trick you into revealing confidential information.
“Hackers are constantly improving their game, and it is up to all of us to be vigilant,” says Korinchak of CyberExperts.com.