Help investors with cybersecurity best practices

August 23, 2023


Cyberattacks are more prevalent than ever. The most recent report from the FBI’s Internet Crime Complaint Center (IC3) calls the increase in cyberattacks in 2021 “unprecedented.”[1] What’s more, the IRS claims COVID-19 pandemic-related scams, such as Economic Impact Payment and tax refund scams, are still a concern for taxpayers.[2]

The goal of many cybercrimes is to steal money, and with that in mind, investors need to pay special attention to their retirement nest egg and all of their investments. It’s not unheard of for people to be scammed out of their entire savings or have their credit ruined and suffer devastating consequences. With so many of today’s activities taking place online, it’s crucial for investors to consider cybersecurity measures to protect their assets.

So, how can financial professionals and plan sponsors help participants protect themselves with cybersecurity best practices?

Common cybersecurity tactics and defenses

The internet is an ever-evolving beast, so today’s best practices may well need further tweaks in the future. But financial professionals can educate clients and employees on these tips, which are some of the most fundamental ways investors can protect their finances, to get them started on the right foot.

Begin with strong passwords

A strong password can do wonders. These days, however, just about everything online requires one, and it’s sometimes tricky to come up with something original that’s also hard for a would-be hacker to guess. But it’s a necessary aspect of modern living, so encourage clients and plan participants to follow these tips for generating a strong password:

  • Don’t use easily accessible personal information
  • Don’t repeat passwords on multiple sites
  • Combine letters, numbers and symbols (at least 10 characters — but the more, the better)
  • Use uncommon or unpredictable words or phrases
  • Store passwords out of sight
  • Consider using a reliable and reputable password manager app
  • Change passwords on a regular schedule

Set up two-factor / multi-factor authentication

A close relative of a strong password is two-factor or multi-factor authentication. With this tactic, a user enters their password and is then required to take another step, usually involving entering another PIN or having a code sent to their phone or another device, which should be in their possession, to confirm it’s really them logging in. It’s one more quick layer of security.

Avoid unsecured Wi-Fi

It may be tempting to use the convenience of free Wi-Fi in a restaurant or hotel, but the security on those networks is often lacking. Photos, emails, banking and credit card information are sent and accessed over the internet, and doing so over an unsecured network puts all that information in a vulnerable spot. Malicious actors could intercept it and use that information to steal identities or steal money outright.

Tips for staying on secure networks:

  • Use only secure Wi-Fi networks or a phone’s data network for mobile app transactions
  • Turn off automatic connectivity and avoid networks that aren’t needed
  • Don’t assume Wi-Fi hotspots are secure
  • Sign out of accounts when finished using them
  • Monitor Bluetooth connectivity and watch out for unfamiliar pairing attempts
  • Look for “https” at the start of the URL of any web page, where “S” stands for “Secure”
  • Consider a VPN (Virtual Private Network), which can add a level of security

Don’t fall for phishing scams

Phishing is one of the most common cybercrimes, taking the dubious number-one spot of the top five types of internet crimes in 2021.[1] These emails, which try to get a recipient to click on a malicious link or otherwise give up sensitive information, can often look legitimate. Scammers are getting better at disguising themselves as real companies or real people — even people the recipient may know.

Investors should look out for:

  • Suspicious prompts to log into an account
  • Email addresses that don’t match the apparent sender
  • Alleged problems with an account or payment information
  • Unsolicited prompts to register for a government payment or refund
  • Threats or a sense of urgency
  • An award or prize despite not entering a contest
  • Unexpected attachments or invoices (which should not be clicked)
  • Poor grammar, spelling errors and impersonal or awkward messages

Use security and antivirus software

Every personal computer needs to have protective measures in place with solid security and antivirus software from a trusted company. Your clients or employees should also update that software whenever possible, and the same goes for the operating systems themselves. Encourage them not to always close out of the “System Update” popups, as annoying as they may be.

It’s also a good idea to upgrade the computer itself every four years or so. Technology makes quantum leaps every day, and investors need to keep pace — cybercriminals certainly do.

Set up credit card and bank account alerts

Many banks and credit card companies offer certain alerts for when the accounts or cards are used. Financial professionals can enlighten clients about such features and encourage them to activate these alerts on their accounts. 

If someone gets hold of a person’s credit card number and tries to use it for an online purchase, the real cardholder can receive an email saying that a transaction was made without the card present. The cardholder will get a message whenever they make an online purchase as well, but it’s worth an extra email for one more level of security.

Don’t overshare on social media

The minutiae of everyday living are the bread and butter of social media, but investors should be encouraged to lock down their accounts and adjust their privacy settings to a point where not just anyone in the world can see everything about them. 

Posting pictures that demonstrate perceived wealth, advertising a long vacation (and with it, that the house is unoccupied and ripe for burglarizing) and other types of online oversharing can get investors into sticky situations.

Personal details that can be posted on social media and used against someone include:

  • Date of birth, phone number, and address
  • Pet names
  • Important locations
  • Family members and maiden names

Help plan participants help themselves

Share these tips and encourage investors to remain vigilant in general with their finances. They’ve worked hard for their future retirements, and it would be tragic to lose it all from a lack of cybersecurity awareness.

[1] Federal Bureau of Investigation, Internet Crime Report 2021, Undated
[2] Internal Revenue Service, An overview of the IRS’s 2022 Dirty Dozen tax scams, June 29, 2022