At Mana, our work is centered around the idea of financial security. Our company mission is to help our clients achieve their goals and live their dreams. We often think about financial security as a state of mind, or a state of wealth where more money is being earned, saved and invested than is owed. Financial security can mean having a well-padded emergency fund, a great career, and enough money to cover daily expenses and take vacations. Getting to this peaceful place often takes people years of hard work, and as financial life planners, we help people get and stay on a path to achieve it. We talk a lot about what you can do to earn wealth, but in this week’s blog we want to share what you can do to protect yourself against bad actors who might compromise your financial security. CPAs and Financial Life Planners aren’t trained in cybersecurity…but Mana has Madison, our resident web and data consultant, who works full time for Google’s Privacy, Safety and Security team. Today’s post is a quick rundown of how to keep your financial information and identity safe online. Especially as tax season approaches, during which you could face security challenges. We’ll briefly cover some of the biggest risks out there at the moment, and ways to protect yourself from them.

Hacking isn’t what it used to be

The early internet days painted a picture of what it looks like to get hacked. Many of you might picture a shadowy figure sitting at a desktop computer, typing furiously into a command line as they connect and gain access to someone else’s machine and data. While this type of thing certainly still happens, it’s unlikely to be the way you get targeted. In 2022, you’re much more likely to be phished or the victim of a data breach (like when a website’s data gets hacked or shared, compromising their users’ passwords and usernames).

What is phishing? 

No, we’re not talking about seeing some hippie jam band. In the world of cybersecurity, phishing refers to the practice of social engineering attacks on user data. This happens when the attacker pretends to be a trusted entity in the victim’s life, which tricks them into sharing information, often by clicking on a dangerous link, entering login credentials (password and username), giving out their phone number or address, or sharing financial information. Chances are, if you have a mobile phone and/or a computer (so…if you’re reading this article), you have experienced many phishing attempts in your life already. Maybe you’ve even had your identity stolen or data compromised. Social engineering attacks are nearly unavoidable day to day, so it’s important to take a number of steps to avoid falling victim to them.

Be less phishable

Google’s Jigsaw team made a fantastic Phishing Quiz, to help users evaluate whether they can recognize when they are being phished. We recommend taking it to see how you fare. We also wanted to lay out a few things to remember as you use the internet.

1. Check URLs before you click: hovering your mouse over a URL, or tapping to highlight the URL in your phone browser are great ways to inspect a link to make sure it’s legitimate. Get to know the URLs of your financial institutions. It’s a great idea to navigate to your banking and investment tools’ sign-in pages in a browser (especially if you typically use their app) and take a screenshot of the URL. You can use this to cross-reference when you get a suspicious email pointing to a login page. 

2. Be cautious about urgency: this one is tricky, because web services are very proactive about notifying their users when a data breach or account compromise occurs. You’ll probably get a pretty urgent-sounding/scary email, text or phone call if your information has been compromised.  Nevertheless, phishing attackers know that a good story and emotional manipulation can lead to users sharing information quickly, so they will mimic these messages in their attempts. You can combat this by keeping your cool and doing some thoughtful investigation before sharing any information. If you get a phone call or text about fraudulent credit card purchases, log into your account and check that they occurred before giving information to the caller/texter. If you get an email saying your password has been compromised, check the URL and sender email before clicking anything. Navigate directly to the service site by typing in the URL to see if you still have access, and update your password through a legitimate portal rather than a quick shortcut out of the email body. 

3. Don’t be afraid to say no or get a second opinion: there are very few online issues that require urgent action. Even worst case scenarios, like having your credit card stolen, are not especially time sensitive. Most credit card companies and banks are good at detecting fraud and will eventually refund all bad purchases. It’s always worth getting a second opinion if you are unsure, and you can easily do this by contacting customer support directly, asking a tech savvy friend or family member to help, or doing a bit of internet sleuthing yourself. In the world of phishing and social engineering, slow is smooth and smooth is safe!

What else can you do?

We’ve covered some of the ways to stop phishing and hacking in its tracks, but there are additional steps you can take to protect yourself. Trying out some of the following strategies will make your online identity more secure overall, and the more of these you can do, the safer you will be:

1. Use different passwords for every site. We used to think that long, complicated passwords were the best account protection, but we now know that it’s even more important to use unique, strong passwords. This is because data breaches happen all of the time, and if you recycle passwords (or use variations of the same password) on multiple sites, it’s easy for hackers to get widespread access to your data.

2. Use a password manager and recommended strong passwords for logins. Most browsers (Chrome, Safari, etc.) now have built-in password managers that will automatically save your information. This is super helpful because it allows you to use strong, unique, recommended passwords for every site that you don’t have to remember. Just make sure that your Google account or iTunes account (the accounts you use to access those password managers) have strong, unique passwords as well. Other services like LastPass or Keeper are also great options!

3. Set up two-step verification (2SV) whenever you’re asked to. This means adding a recovery phone, a recovery email, or whatever other recommendation your trusted web services might ask for. Always do this from within your account portal, and avoid doing this by following external links (could be a phishing scam!). Most financial institutions suggest 2SV to use their online services, so if you haven’t yet opted in, now is the time! 2SV ensures that you have a second layer of protection if, for instance, your password gets shared in a data breach.

4. Embrace device-based and local authentication. This means that you should set up tools like Face ID or Apple/Android Touch to log into applications. These biometric-based methods of identity verification can’t be easily phished.

5. Protect your credit card information, but don’t be afraid of saving it in Chrome or Safari - these services will never allow you to use it without asking first or verifying the card CSV. There is a caveat to that advice if you share your logged in device with other people; in this case, it might be better not to store credit card data at all. Importantly, it’s not a great idea to store your credit card information on individual business websites. Many online retailers or services providers will ask to keep a card on file, but this can be a risky proposition in a world where data breaches are common. The smaller the company, the higher the risk. 

6. Get intimate with your financial data: this technique is practically analog, but it’s a tried and true way to stay safe. Check your account balances on a regular basis. Review your credit statements every few days, or set a weekly time to go through them. Get your credit report each quarter and look at the contributing elements to see if they make sense. The more you know about your own spending habits, the easier it is to detect malicious anomalies. 

There are many more online security steps that you can take, including encrypting messages or using virtual private networks. However, a lot of these advanced techniques are more complicated than most people want to deal with, and go far beyond protecting just your financial data. The best thing you can do is take it slow online and set up extra layers of protection like 2SV. And last but not least, don’t ever be afraid to call or even physically visit your bank if you have a concern. Achieving financial security is hard enough with the barriers and challenges that life and work throw at us, so the more we can do to protect from online attackers on the path to success, the easier it will be to reach your goals and best life possible.

Madison Elliott is a UX Researcher at Google. Madison leads data engineering and usability at Mana Financial Life Design (FLD). Mana FLD provides comprehensive financial planning and investment management services to help clients grow and protect their wealth throughout life’s journey. Mana FLD specializes in advising ambitious professionals who seek financial knowledge and want to implement creative budgeting, savings, proactive planning and powerful investment strategies. Madison brings her combined background in cognitive science, computer science and clinical psychology with her professional UX design and engineering experience to optimize workflows at Mana FLD and improve people’s lives.