Financial Security
Financial scams are getting worse, and most people aren't prepared to deal with a targeted attack made against them. Now, with AI-generated voice and video, the problem has gotten worse and is manifesting itself in other ways; one of them is that many tech companies are unknowingly hiring North Korean state-sponsored hackers.
There are several major problems as they relate to the financial industry and what you deal with as a home user. Most bank employees are trained to spot potential scams but aren't tech experts; many don't know the ins and outs of spotting a highly targeted attack. Also, in order for the system to work smoothly, there has to be some tradeoff in security measures to make everything flow. Let's use Windows as an example; I commonly recommend using a hardening utility to change options that are normally lax. The reason they aren't maxed out by default is that doing so drops the usability of Windows and would cause mass complaints from non-tech-savvy home users who don't know the finer details of the OS and how to work around these issues. Banks are aware that the scamming issues are getting worse, but the solution isn't as simple as it seems on the surface.
Let's cover security tactics. All the common methods apply - use 2FA, keep security patches up to date, don't click on random links, etc. As it relates to finances, there are specific measures that have to be taken for better account security.
Always use transaction and activity notifications. This includes bank transfers, credit/debit transactions, deposits, account logins, investment accounts, crypto accounts, etc. All account activity should have real-time notifications sent directly to you, whether through SMS or email. You'll want to know as soon as possible if there's an issue that needs to be corrected. Log in to your accounts weekly, review all transactions, and look for anything suspicious. If you're in a higher-risk profession (public figure, tech exec, etc.), watch your accounts like a hawk. If a fraudulent transaction shows on your account, you need to call your bank/credit card provider ASAP to get it reversed. Keep in mind this is in the context of doing business in the US; it will vary depending on your country of residence.
Many financial institutions require 2FA but will only give the option to use a phone number. The main issue with this is SIM hijacking, which has happened to many people and caused major messes that victims had to clean up. Until these institutions change their practices, you'll have to adapt. One of the best methods to protect against this is to use a SIM PIN if your carrier supports it, since it'll block your number from being transferred to a different device.
Talk to your bank and ask them about what can be done to increase security on your account. This method will depend on the bank's specific policies. Big banks may not be as flexible on this, but you might be able to work something out if you have a good relationship with your local branch. The current issue with banking is phone call vulnerability. If an attacker knew some basic info about you from a Google search and spoofed your number when calling the bank, they'd have a high chance of being able to tamper with your funds.
Always verify payment requests before sending money. This applies not just to banks and cards, but also to crypto, wires, etc. If you have any suspicion that a request might be fake, always talk to the other person to make sure they sent the request. This is more of a problem in business than in the home environment, but double-checking is still a good practice to have.
Change how you do business with others. Use credit instead of debit due to the increased fraud protection. Use a card masking service such as Privacy.com so merchants never have your real payment info and you can shut off payments to anyone you suspect is abusing your info (keep in mind Privacy has KYC requirements for their service).
Freeze your credit. This is one of the most effective ways to stop fraudulent accounts from being opened in your name. If you need credit for anything, a short-term unfreeze can be done just long enough for the credit check to be completed. There are so many leaks of sensitive data these days that there's no sense in not having a credit freeze; otherwise fraudulent accounts in your name will pop up eventually.
Watch out for all the investment scam garbage that floats around. Scammers will try to lure people in with "guaranteed" high returns, pressure others to make quick investment decisions, and generally give unsolicited offers. There is no such thing as a guarantee in investing. I've seen enough people lose their bankroll to bad investments and have to start over in life because of bad decision making. Keep in mind this Richard Heart quote: "Day trading is like picking up pennies in front of freight trains." He said this about crypto, but it applies to all day trading. When some random "friend" messages you on Facebook, they aren't doing it to help you; they're just looking for a quick payout.
The security of the email account(s) and phone number(s) linked to your financial institutions is critical. If an attacker got access to either one or both, it could cause catastrophic damage and take months to clean up. Make sure you follow good security practices across all your devices.
Scammers are using reverse psychology with new scams. For example, you might get a 2FA code for a login request with a message saying to call the account provider if you weren't trying to log in, and there'll be a phone number or an email included. These are scams and should be avoided. It's yet another example of the hazards of relying on SMS for 2FA.
Accept that you have to be proactive about having better security protocols. I still see links to log in being sent by the vast majority of apps and services, despite the fact that we've been told for years it's a bad practice to click links in emails. It can be an annoyance to have to be the one to take the initiative about everything related to your privacy/security, but doing so will make your life easier in the long run.