Protect Your Wallet: Cybersecurity Tips That Matter

Retirement planning isn’t just about the finish line, it’s about the steps you take along the way. Tune in and dive into when to start planning, common misconceptions, and how to make the most of retirement savings tools like 401(k)s and IRAs.

Episode notes

In this episode, we are joined by Caleb Cole (Manager of Business Continuity and Enhanced Technology) and Mick Kopriva (Information Security Analyst) and we’ll cover:

  • Common cybersecurity threats
  • How to spot potential scams or financial fraud
  • Importance of multi-factor authentication & strong passwords
  • How to safely use public Wi-Fi
  • Ways to be cyber-safe on social media

Transcript

Jessica Quindlen: [00:00:00] Welcome back to the Sound Cents podcast. I'm Jessica Quindlen. Today we're celebrating Cybersecurity Month with two specialists from Ent. I have Caleb Cole, our Manager of Business Continuity and Enhanced Technology. Hello, Caleb.

Caleb Cole: Hi Jess.

Jessica Quindlen: And Mick Kopriva, our Information Security Analyst.

Mick Kopriva: Hey Jess.

Jessica Quindlen: What are the most common cybersecurity threats affecting personal finances today?

Mick Kopriva: I would say a really common one that we see for a lot of individuals is just phishing attacks via emails and BEC attacks. And BEC is business email compromise where people masquerade as someone else and pretend to be someone you're familiar with to get you to trust them more.

It's super easy for people. Everyone gets emails all day. Not everyone reads all the words or looks at the domain name too closely. And it's “Oh yeah, this is from my financial institution. Let me just click on this link and enter my email and password.” And then boom, the bad guy has your information and can log into your bank account. Bad guys like to take advantage of the human nature. Computers only do what they're told, but humans are very easy to be [00:01:00] persuaded or convinced one way or another.

Jessica Quindlen: I love that. Computers only do what they're told.

Mick Kopriva: Exactly.

Caleb Cole: That's correct.

Jessica Quindlen: So how do member, we'll call them mistakes, frankly, like sharing passwords or clicking these suspicious links create vulnerabilities both for themselves and financial institutions?

Caleb Cole: That's a really interesting area to explore. Even one small mistake can open up a door.

So something like sharing a password, think of it like giving away your house key. You wouldn't just give it to anyone. You lose control of who can enter once you do that. So clicking on a suspicious link can send you down to a fake website or install malware on your computer that spies on your activity.

That's why your simple habits like using unique passwords, making sure that you're using multi-factor or two-factor authentication when it's available, and really even just taking a moment to pause before you click on anything and just have that momentary, "Does this make sense? Should I be [00:02:00] clicking on this?" Sometimes that moment can save you a world of headache.

Mick Kopriva: And when it comes to sharing passwords too, if someone has access to one of your passwords, they probably have access to 95% of your other passwords because a lot of people like to just reuse the same password, so it'll weaken your security on many of your other accounts.

Jessica Quindlen: I mean, accounts you might not even think of.

It's interesting 'cause I do use two-factor and all of those things and I get annoyed with it sometimes and I have to check myself where I'm like, Facebook, how do you not know who I am? And then I'm also like, so thank you.

Caleb Cole: I'm a security professional.

Jessica Quindlen: See, there you go.

Caleb Cole: I put it on everything that I do and I know why I do it.

Jessica Quindlen: So what are the warning signs of potential financial fraud or scams?

Mick Kopriva: I would say if you start receiving a high number of spam emails or spam texts, it means someone probably got your information and you're on a list somewhere that you don't want to be on.

I would recommend if you notice an increase in spam texts or phone calls or emails to change your passwords. Maybe even set up a junk [00:03:00] email that you can use for giving to accounts or places that you don't care about as much. Have a primary email for personal use and a junk email that you can just use for the 10% discount at so and so store kind of thing.

Because the more places that have your information, the more opportunities for vulnerabilities there.

Caleb Cole: Yeah, that's true. I think some important warning signs as well are the psychological tactics that a lot of these things utilize.

Especially the call to action that's an immediate response or immediate need. Or even things that are very frightening. For example, the IRS “Hey, you're back. If you don't respond to this, we're going to send the police and you're going to be arrested.” That kind of stuff.

And even the too good to be true types of offers are oftentimes part and parcel with this. Scammers are going to try to pressure us into quick action. That's really the biggest thing so you don't have time to verify.

There’s psychological evidence that certain brain mechanisms like rational thought [00:04:00] get circumvented by fear. So, when you're put into a fight or flight response, you don't think rationally.

A lot of these tactics are meant to trigger that alternate pathway in your brain to get you to click, to get you to respond, to get you to do something immediately so that you don't actually think about what you're doing.

A real financial institution like Ent Credit Union will never demand personal details like your social security number or your online banking password, especially under pressure.

I actually had a situation like this about two weeks ago. I got a text message that looked almost legitimate, and it was, because it actually had come from Ent and it was a suspicious account activity sort of thing.

And rather than replying to that text message, I was like, wait a minute. This looks like it could be real, but I'm not really sure. So, I just got on my computer, [00:05:00] I went to Ent.com.

I looked up our contact number because I don't have it memorized, but I called in and I talked to an agent over in the call center and it turned out that there was a suspicious charge on my account.

Although it was something that I did, it was for an app that had an annual subscription, and it had gone through, but it was unusual activity for me. So, I was able to verify, “Oh, yep. That's a good charge.” Everything's fine. We can move on with our lives.

Jessica Quindlen: That's great though. So, you're recommending verifying the authenticity. I think another thing to know is we are never going to be mad at you. And no financial institution is going to yell at you because you're verifying that things are correct.

Caleb Cole: It's literally why we're here, to help our members.

Jessica Quindlen: Exactly. What are the essential cybersecurity practices individuals should follow to protect their data online?

Mick Kopriva: The most basic one is have long, complex passwords. That's one anyone can do. And there's a lot of techniques you can use to help you remember long passwords.

Jessica Quindlen: I was just going to ask,

Mick Kopriva: You know, a password you can't remember is [00:06:00] no good at all. A bad guy won't get in there, but you won't either.

Use pass phrases or acronyms. Taking the first letter of the chorus of your favorite song. And then using camel case mixing zeros with O's and e's with threes. Stuff like that.

And then it helps every three to six months when you have to update your password, you can have complex iterations of the password that are very hard to guess or crack. And with the use of AI, cracking passwords is just so much easier for your bad guys.

Caleb Cole: Oh, it's scary easier now.

Mick Kopriva: That mixed with multifactor authentication, those are the best two ways. And I know we talked about it earlier and it's frustrating to have to, “Oh, I need my phone, I need my thumbprint, I need my email, I need my phone number,” but it helps you.

Jessica Quindlen: Less frustrating than your money being gone, right?

Caleb Cole: That's exactly right.

Jessica Quindlen: Your identity being stolen. So, let's say ideal scenario, right? I have a bunch of long, complex passwords and I'm not getting these spam texts or calls. Is there a certain amount of time that I should just be changing [00:07:00] my passwords?

Caleb Cole: You know, that's a really interesting question that a lot of security researchers have been looking at for several years.

Before I directly answer that, I want to piggyback on the idea of the long passwords. I highly recommend professionally or personally finding a good free, or even invest in a password manager because ultimately, it's great to have those long, complex passwords that no one can remember. Whether it's my bank account or my credit cards, social media accounts, your email stuff where your personal information is, you really want that protected.

And having a 25 or 30- or 40-character complex string that you will never remember is one of the most secure ways that you can actually do that. But you need a password manager for that. So, I would caveat all of this with saying have that long [00:08:00] passphrase that you can remember. Mine is like 46 characters long.

Jessica Quindlen: Oh goodness.

Caleb Cole: I know it sounds crazy, but I have it memorized because it is an obscure line from one of my favorite obscure movies, so you're not going to figure it out. And not only that, but I alter enough of it, the interior of it, that it's not just the text.

There's certain changes that I have made, and I also remember how I have made those changes. That is how I protect my master list, right? Which is my password manager. I probably have 120 accounts in that; 30 or 40 of them are very sensitive and I use those very complex ones.

I'm trying to remember the original question…

Jessica Quindlen: In an ideal scenario, I'm not being scammed, but is there a certain amount of time that I should just change my password?

Caleb Cole: The leaning consensus these days is the most secure password is the one that you'll remember. So a lot of the very modern security guidance, and I'm a [00:09:00] proponent of this as well, is if you have a good solid, strong long pass phrase, you don't need to change it unless you believe that it's been compromised.

Jessica Quindlen: Okay.

Caleb Cole: Because it's easier to remember in the long run, especially if you're not having to change it every 90 days or every six months, or even every year. There is still some good practice around maybe doing an annual refresh.

However, a lot of studies in the last few years, and this is by like NIST, the National Institute of Standards and Technology. They basically write all the technology standards for the government, everything that we base our best practices on. Their leading research in the last…they've been pushing this for about two years now...is having long passwords that you can remember and don't enforce changing it unless you believe you've been compromised.

Jessica Quindlen: Well, that is helpful. I love that. How can multi-factor authentication and strong password strategies reduce the risk?

Mick Kopriva: Yeah, so multi-factor authentication is like [00:10:00] a second layer of security. So even if your password is stolen, they still shouldn't be able to access your account. I like to think about it as a password is like a key to your door to your house. You can lock the front door, but then multifactor authentication is like adding a second lock. As simple as that. You can have one key, but if you don't have both at the same time, you're not going to get in.

Caleb Cole: An important piece to that is how you're using these multi-factor authenticators is really important.

There are better ones than others. If possible, I would say with multi-factor, use some sort of secondary authentication app. There are several very good ones out there that are free. Google has an authenticator; Microsoft has an authenticator; Norton has an authenticator.

There are half a dozen really good ones on the market that are free. They are more secure than something like a text, like an SMS text-based two-factor. Those can [00:11:00] be valuable. However, there are certain types of attacks and compromises where the criminals can hijack your telephone number and it's called SIM spoofing.

There are different ways of doing this. It’s a fairly sophisticated type of attack. But in doing it, they can get the text message before you do. Or you don't even see it and they get it and then they've got your second factor. But they can't get your authenticator app unless they have direct access to your device.

Jessica Quindlen: That's helpful. How can members safely use public Wi-Fi or shared devices without exposing personal information? I know ideal scenarios is not this, but sometimes you need to work in a public place or you're sharing a device with kiddos.

Mick Kopriva: Ideally, if you must connect to a public network, avoid accessing sensitive information also using a VPN – a virtual private network [00:12:00] to connect somewhere else. It'll encrypt your internet traffic.

Or you can connect through a hotspot on your phone. It's a lot more secure than connecting to a public network and almost everyone has a smartphone, so that's a great solution in a bind.

Caleb Cole: You would want to check with your carrier to make sure you have hotspot. Sometimes they charge you extra for it, but that is definitely a more secure way if you're out in public and you need to use a computer, or a tablet or something.

Rather than connecting to that public Wi-Fi, if you can hotspot to your phone, great. If you can do what you need to do from your phone or your phone's browser, that's also a really secure option because all phone traffic is encrypted.

Jessica Quindlen: Are VPNs easy? Is it an app? For the non-technology folks, talk to me about VPN.

Mick Kopriva: VPNs are very simple to use. They're very user-friendly. In this day and age, there's multiple different providers or services there are that you can download, and they walk you through the whole setup.

Caleb Cole: This is another check with your provider kind of a thing. For example, I know that [00:13:00] Comcast in their offerings has a free VPN service that you can download from your Comcast account.

I think other carriers and other service providers have these things. But even with Comcast – I was using it a few years ago – they had a way that you could bring in the profile onto your iPhone or an Android phone, and whenever you were on an unsecured network, it would turn on the VPN on your phone. So, there's lots of free options. There are other options as well that are subscription based.

Jessica Quindlen: But I would think you'd only need that if somehow you were always having to work in a public Wi-Fi setting which is probably rarer. I mean, most businesses have their own secure situations.

Caleb Cole: That's right. Exactly.

Mick Kopriva: And if you have to connect to a public network, turn off auto-connect on your device because it will automatically connect to the strongest network.

Bad guys can have that just plugged into their laptop. It clones the network, then it boosts the strength so that your device by default will [00:14:00] connect to their device. And then they perform what's called a man in the middle attack where they see all the network traffic that's coming in and out.

Because they're connected to the router. So, you go to them, they go to the router, and then it goes out to the world and vice versa coming in.

Caleb Cole: That’s right. That’s the reason why I just don't use public Wi-Fi.

Mick Kopriva: Yeah, because you never know who is really seeing what you're doing.

Jessica Quindlen: I'm not scared at all. So, which steps should someone take immediately if they suspect their account has been compromised?

Mick Kopriva: Change your passwords right away and time is on your side. The moment you know, you want to change as much as you can. Enable or reset multi-factor authentication. If you're not already using it, I'd recommend turning it on.

You can change your pass keys and stuff. If you believe your account is related to something sensitive, notify your financial institution. Reach out to Ent, call us, and we will help you get everything squared away. We’ll put a fraud alert on your account to keep you in our systems as a high-risk member.

Reach out, be open and [00:15:00] honest if you click on something you shouldn't have clicked on. But time is on your side, so definitely reach out and change your passwords.

Jessica Quindlen: Okay. Let's say that I know that my account with Ent has been compromised, or I'm pretty sure it's possible.

Should I reach out to my other financial institutions? I mean, I will obviously reach out to Ent, but should I just do my due diligence?

Mick Kopriva: Yeah. Bad guys have a whole network and they all communicate with each other and they sell this information to other bad guys.

So definitely reach out, change your passwords all over, even if it's different passwords or different variations of the password, because once one account's compromised, it does weaken your security for other accounts because then the bad guys think, “Oh look, this is an easy target. This person's pretty gullible. Let's start targeting this person.” And they sell all that. They trade that information around. So you definitely want to boost your security to help.

Jessica Quindlen: Alright, let's pivot to social media. How can members protect their personal information on social media to avoid being targeted?

I know you love social so much, Caleb.

Caleb Cole: Oh, I so much love social medias. [00:16:00]

Jessica Quindlen: But it's not going anywhere, so what can we do to protect ourselves?

Caleb Cole: It's a two-edged sword. But I think that the most important thing is just be aware of what you're sharing.

Oversharing makes people a target. I use the example frequently with people in my own circles, especially the ones that say “Oh, hey, we're going on this vacation to Cabo next week and we're going to be gone for two weeks.”

And you're now just advertising to anybody and everybody, especially if your account is public and you haven't gone into your privacy settings to restrict it to only your friends or only friends of friends. Now the whole world knows that your house is going to be available for compromise for the next two weeks.

Other things like birthdays, pets' names, your hometown. They may seem harmless but think of how often you might be using that information to create the answers to your security questions. It's a very viable form of second-factor authentication, which we already said is good. [00:17:00] But if you're using information that is publicly available about you to answer your own security questions, you're creating a potential vulnerability.

A really good way around that, and this is something I frequently do, is just use false answers to the security questions, but something that you're going to remember.

Make your hometown the place you always wanted to be from. Or just something that's so obscure that it's not something you're going to post out on social media. And it's not going to be easy for other people to know.

Also, being cautious about friend requests from people you don't know is huge. And I get that's like the core of what social media is all about, but just think about it. If you were out in the middle of Colorado Springs at two o'clock in the morning and somebody approaches you and they want to be your friend, what's your response? And why is that not your response when you're on your Facebook page or on your Instagram? It just, [00:18:00] sometimes it baffles me.

Also, avoid fun quizzes, especially stuff like that. They're designed to collect personal details and can be used against you. It’s really just a matter of being aware of what you're putting out there and who sees it.

One of the best things you can do is go into your privacy settings and just restrict who can see your information. You don't have to be visible to the whole world.

Jessica Quindlen: What resources or tools are available for members to stay informed and respond quickly to cybersecurity threats?

Mick Kopriva: Ent has a lot of resources on the website. First and foremost, we have a great contact center. If you have any questions you can't find on the website, just give us a call.

And if you go through the website, there are a lot of resources about keeping your information secure and keeping your account secure.

But also, turning on account alerts and notifications, so that you get notified there was suspicious activity on your bank account.

And then like Caleb mentioned earlier, verifying through confirmed external sources, like logging into your bank account and see instead of clicking on the link [00:19:00] in the text message.

But then also staying up to date on current cybersecurity threats and how that stuff's evolving. With the use of AI, it's really easy to clone voices. I had a friend who actually got attacked with this type of cybersecurity attack where on your voicemail she had just, “Hi, my name's blah, blah, blah. Please leave your name and number,” and the bad guys were able to clone her voice and then call her grandmother and say, “Hey, I'm in jail. I need bond money.” And it sounded like her, there's a sense of urgency. It's a scare tactic.

So just staying up to date on the capabilities and the ways bad guys are using AI and the use of technology. There's some great resources for that, like the Federal Trade Commission and CISA, which is the Cybersecurity and Infrastructure Security Agency.

Jessica Quindlen: That's great.

Mick Kopriva: I know those are some big words, but they will keep you up to date just to be aware because bad guys will try and target [00:20:00] unsuspecting individuals. And then security tools like password managers, like we talked about before, maybe having antivirus or anti-malware software installed on your computer, and keeping your devices up to date.

There are a lot of security patches that operating systems, like Windows, will add to the devices as the technology increases for bad guys. So that's what I would recommend.

Caleb Cole: Yeah. And if you don't know where to go, just go to Ent.com/Security. We have a lot of information. Ent’s really big on member education, and there's a lot of great information on emerging security threats, how members can secure themselves, fraud prevention, etc. all right there on our website. It’s a really easy resource to get to and a lot of great information goes into that.

Jessica Quindlen: Thank you. Anything else to add?

Caleb Cole: For me, I think awareness is the most important thing. It’s like Jason Bourne, right? It's situational awareness. It's being aware of your surroundings. It's being aware of what you're doing and why you're doing it, and that there are bad people in the [00:21:00] world as much as we love to be able to trust any and everyone that we meet. Unfortunately, there is a small subset of the population who have very nefarious intentions and motivations. And it's our responsibility as individuals to do our part, to keep them from being able to take advantage of us.

Jessica Quindlen: Well, that brings us to the end of our show. Caleb, Mick, thanks so much for being here. It was wonderful having you.

Mick Kopriva: Thank you, Jess. We appreciate it.

Jessica Quindlen: And now for our new segment brought to you by Dave Logan, the iconic voice of the Denver Broncos.

Dave Logan: Hi, this is Dave Logan, and it's time for your 2 Minute Money Drill. A quick tip to help you make smart money moves fast. Whether you're planning to save or looking for ways to get ahead, here's a financial play you can put into action right now.

Tackling debt can feel overwhelming but try the snowball method. Pay off your smallest debt first, then roll that payment into the next one. With each win, your momentum grows. That's how you tackle debt, one play at a time.

Jessica Quindlen: Thank [00:22:00] you for listening to Sound Cents from Ent Credit Union. Be sure to follow our podcast as well as rate and review us. I'm Jessica Quindlen. I will see you next month, same time, same place.

PLEASE NOTE: The information presented in this episode is intended to be used for informational purposes only and should not be considered advice. Consult a financial, tax or legal professional to see if the information provided in this episode is suitable for your situation.  

 

Information stated is current as of the time of recording and may be subject to change in the future. 

 

Third party products and services mentioned in the podcast are done so for informational purposes only and should not be considered endorsements or affiliations unless stated otherwise. 

 

Any opinions of guests or third parties on the podcast are strictly their own and do not represent Ent Credit Union.  

 

Ent Credit Union is insured by the NCUA and is an equal housing opportunity lender. Visit Ent.com for more information.