On Tuesday, June 15^th First Long Island Investors held an online web seminar for clients and friends of the firm to discuss the very important topic of protecting yourself from pandemic scams and threats. Carrie Kerskie is the president of Kerskie Group LLC which offers identity theft prevention and restoration services through her VIP Managed Identity Membership program.

The session was structured as a conversation between Carrie and Brian Gamble who is a Vice President of Wealth Management at FLI and in addition to his investment work, heads our technology function. 

Q: Given the pandemic, can you share with us what you are seeing in terms of scams?

A:  The same way legitimate businesses came to a screeching halt early in 2020 due to the COVID-19 pandemic, so did the organizations the bad guys were using to launder money.  So, they had to pivot as well and used some of the things the Federal government had put in place as relief as places to hide.  The government put in place the CARES Act, expanded unemployment benefits, small business loans, and Payroll Protection Program (PPP), etc. For just $0.75 you can buy someone’s name, address, date of birth and social security number online.  With this information, the scammers started filing fraudulent unemployment, PPP and EIDL (economic injury disaster loans) claims.  This is happening even to people who are retired.  Someone can file a claim with your information and get money from the government.  The bad guys would go so far as to file business claims using the names of people who weren’t even business owners because they were able to manufacture fake business incorporation documents, bank documents, etc. 

In addition to these specific scams, overall there is an increase in email, phone and text scams.  Data breeches too.  Everything has seen an uptick.  I believe this is a result of bad guys taking advantage of a situation where there is a lot of fear, confusion, and misinformation. 

Q:  How has the landscape for fraudsters and scammers shifted?  What are bad guys doing to target individuals and businesses?

A:  Starting in 2019 we began to see an individual’s ID being used for money laundering.  This is done when a bad guy opens a bank or brokerage account with your information and then moves money in and then back out.  I have a client who got a letter from a bank and almost threw it out but decided to call the bank.  She found out there was both a checking and savings account with her name, and each account had roughly $30,000. We dug further and found 15-20 other accounts (PayPal, Venmo, Robinhood, banks, etc.) and then spent months closing them all with the client.  Having accounts open in your name that are fraudulent can cause issues with the IRS because banks have to file a SARs report for any activity that looks suspicious and that information goes to the FBI.  Imagine if they think you are involved with money laundering.

Q:  Following up on that, how did the client not know the accounts had been opened?  Were they not monitoring their credit reports? 

A:  Great question.  Credit monitoring is extremely useful, but it does not cover everything because not everyone pulls credit.  Banks use systems  such as EWS (Early Warning Services).  The individual referred to above had been monitoring her credit and her credit report was clean.  Virtual banking definitely does not check credit because those organizations are not under guidance of federal banking laws. 

It’s important to understand that unfortunately not all identity theft can be prevented.  No ID protection exists that would stop the PPP, unemployment, or EIDL fraud we discussed earlier.  But there are things you can do. 

New account fraud can be mitigated.  This is when someone uses your identity to apply for a new credit account (mobile phone, loan, or mortgage).  You can avoid this by putting a credit freeze in place.  A credit freeze is free for life, as mandated by federal law.  Basically a freeze says your credit report cannot be shown to a new creditor.  It doesn’t stop someone from trying, but stops them from being successful.  This can be set up online, phone, or mail.  (I don’t recommend mail.)  A credit lock is also offered by the credit bureaus and does the same as a freeze, however you are entering into an agreement with a bureau and could be giving up some of the rights afforded by a credit freeze.  I strongly recommend you do not use a credit lock or a fraud alert and stick with the credit freeze.  You have to set up a credit freeze with each bureau and there are many.  Equifax, Experian, TransUnion are the big three.  Innovis has become more popular recently and NCTUE is used heavily by the utility industry. 

Q:  Have you seen any uptick in property fraud?

A: No, except for the sale of insurance to protect yourself.  That’s a scam.  Ignore it if you see it.  There is a nationwide program that allows you to register your name and all variation (e.g., James, Jim, Jimmy) with the local courts office.  Once you are registered if there is a change to land records you can get alerted.  No need to pay money for this service.  Use the free version through your county courts office.  This program has different names in different states with the most common being a property alert, property fraud alert, or risk alert. 

Q:  How else can people protect themselves?

A:  First, the USPS.  If you set up an online account with the United States Postal Service you can sign up for informed delivery which every day will email with the images of the first-class mail coming to you. This allows you to monitor for mail theft. (Yes, this still happens.)  Additionally, it informs you of a change of address.  (It is easy to change address by just going to a post office).  With Informed Delivery activated in a USPS account, a letter goes to each of the new and the current address and if you see that someone fraudulently changed your address you can stop it. 

The IRS has a program which was started when there was a lot of tax fraud, called IP PIN (identity protection pin).  This program is now open to all taxpayers.  You sign up at IRS.gov and it provides you with a PIN number to include on your tax return.  Without the correct PIN the return is rejected.  The IRS sends a new PIN each year in November/December for the next tax year.

Q: Shifting to the online space, we are always hearing about data breeches and what not.  What are some tips?  Things to do/not to do?  How to limit exposure if there is a data breech? 

A:  There are so many things to talk about here, but let’s focus on some of the most important, including:

• Check out as a guest if the website is not a frequent place you shop.  One less account to worry about and then they do not store your credit card number. 
• For those sites where you do shop often (Amazon, EBay, etc.) you want to make sure the password is unique.  You can create an account, but I still recommend you do not store your card information and just type it in each time. (Some websites might require you to store a credit card on file.)   
• Passwords.  This could be the topic of a whole separate session, but here are the key things.  The longer the password, the stronger the password so try to make passwords a minimum of 12-14 characters.  One tip is to use a phrase instead of a word.  Maybe a line from a song.  Then add upper/lower, numbers and/or symbols within.  Swap some letters in the phrase out as necessary to meet the website’s requirements.    
  • Don’t recycle passwords and that means don’t use the same on multiple sites.  Recently 3.2 billion user names and passwords were discovered online.  The bad guys will do credential stuffing which means they will blast the userid/password combination at anything and see where they can get in.  Banks, Amazon, Venmo, etc.  Don’t make their lives easy.
  • Being realistic, people cannot have a different password for every website/app they use.  I recommend that you prioritize – bank, brokerage, credit card are sensitive – use unique passwords.  If you have some sites where you are doing less and they have no sensitive information of yours, you could recycle a password.  For most crucial – definitely have separate, unique passwords.
  • Change passwords 1x per year.  An easy way to remember is to change them all on your birthday.  Also, if you think a password has been compromised, change it.  When in doubt, change it.
  • This can all be a hassle, but if it’s easy for you then it’s easy for bad guys.  Privacy and convenience don’t live in same space.  More of one, less of other.  Bad guys will move on to an easier target if they are not getting anywhere with you. 

Q:  How do you recommend keeping track of passwords?  We all know a sticky note on the screen is bad, but what is good? 

A:  Yes, a sticky note is bad and so is a piece of paper under your keyboard or on the bulletin board.  If you want to use the pen and paper method, that is OK, it just needs to be in a locked cabinet where the key is nowhere near. You need to protect that document.  If it’s out for someone to take a picture of it, then it is definitely not secure.  I don’t recommend a spreadsheet or document, even if it is password protected. 

Online password managers are a good idea, if you do your research and use a good one (I use one).  You need to make sure there is both encryption at rest and encryption in transit.  Encryption at rest means that your information is encrypted when it is being stored on the server in the cloud.  Encryption in transit means that as the data is being pulled from the cloud to your device it is encrypted on the way and cannot be intercepted and stolen.  Regardless of which password manager you use, look for encryption at rest and encryption in transit.  Don’t fall for the hype of military grade encryption and don’t go with a free service. 

Additionally, you do not want to store your passwords in the browser because what happens if computer is compromised?  What happens if you fall for the IT support phone scam that has you go to a website and click on a link to remote access software?  Those things give bad guys complete control of your device from anywhere.  You go to bed, they go into your computer and log into everything you have – banks, paypal, venmo, etc.

Q: What about two-factor authentication?   

A:  Two-factor authentication (often written as 2fa) is great.  It requires at log in that you have two things:  something you know and something you have.  What you know is your user id and password.  What you have is a code that comes via email or text.  The default for many is text because when this started people felt it was safer, but not anymore.  If you have an option, get it emailed.  If not, then the code over text is ok. 

The bad guys have started to try and get around this by calling your mobile phone company and giving them your info (that they bought for 75 cents).  Then, they tell the phone company that they have a new SIM card and ask for everything to be switched over.  This includes incoming and outgoing calls and texts.  Now bad guys initiate a password reset and the code gets sent to them because they have access. This is called SIM swapping.  We are not seeing tons of it now, but it is still happening.  To protect yourself you can call your mobile company and add extra security like a PIN and/or extra security questions. 

Speaking of that, when you create a PIN, don’t use a number related to you.  Birthday, anniversary, street address, social security number, etc.  They are all a bad idea.  Use random numbers.  And, for security questions I’ll share a trick I got from a client. It’s called one-off method – answer as if you are one of your kids, or someone else. Use them as your answer key.  E.g. hospital born in – not yours, but the person who is your answer key.  It is enough of variation that bad guys cannot look online and find it.  Often people put inadvertently provide their security questions on social media by participating in polls, surveys, and “let’s get to know each other” posts.

Q:  You mentioned phone scams, text scams, and remote software scam.  (We know remote software was set up for good reasons, but now it is being taken advantage of.)  What else are you seeing?   

A:  For years we have talked about phishing emails and how to look out for them.  Now we are seeing a few things.  COVID-19 has people home, using personal devices for work, and nervous.  The bad guys are preying on all of this.  When it comes to text scams things are changing.  Until recently texting was seen as only for your inner circle – friends, family, etc.  So, bad guys shifted to areas of trust which was text messages or what is called smishing.  The bad guys want you to click on a link or call a number.  If you were not expecting it, delete it.  Don’t respond.  Be careful. Validate or eliminate.  If you can’t validate, then delete.  If legit, they will find another way to contact you.

Phone scams have been around as long as phones have been around.  A few years back there was the fake IRS phone scam from India which before busted was taking in $100,000 per day.  They can be a huge cash cow and that’s why they will continue to do it.

We no longer tell people to watch for a specific scam, but rather to focus on trends.  There are three red flags that all scams have.  (1) Sense of urgency- do this right now.  Pay a bill, etc. (2) Severe consequence – fines, jail, family sent away, etc. (3) Demand a specific action – e.g. Amazon support scam is go to a website and download software.  Most are buy gift cards.  Businesses and federal agencies do not ask you to buy gift cards.  If you hear gift cards – hang up.  There is no need to be nice, because they will not be nice to you. 

If you want to confirm legitimacy, go to company’s website and get the customer service number and call to validate.  Don’t do a quick Google search.  Go to the main website to find the phone number.  Most of time they will say they don’t know what you are talking about because it was a scam.  Validate or eliminate. 

Another thing is to never believe caller ID.  They can make it say whatever they want.  Often the bad guys will use your local area code or a number 1-2 digits away from your number.    

Q:  Carrie, you have given us a lot to consider.  What is the one thing you want people to walk away from today with?

A:  I probably have 30, but if I had to pick one it would be to question everything.  You can’t trust anyone in the digital age.  Too easy to hide real identity.  Think of motive. If I do this, what could happen?  Then move to validate or eliminate. 

At the end of the session, there was time for participants to send in questions.  Many of those were requests to elaborate on something above and therefore responses have been incorporated above, but those that were different are summarized below. 

Q:  What is your impression of authenticator apps?

A:  They are a great tool, but be careful.  Try them on non-crucial accounts first.  Most are tied to your device so if your device breaks and you get a new one, it may not move over.  Make sure you know how to use it the right way.  Have a backup, always good to have a backup but keep that under lock and key. 

Q:  With respect to the credit freeze discussed earlier, how do you turn it off?  And should everyone do that or only once you have been compromised? 

A:  Everyone should put a credit freeze in place.  The only exception would be if you know you need to apply for credit in the immediate future (e.g. car lease is up) then wait and do it after that.  Once you have a freeze in place you can lift it online or by calling the credit bureau.  It can be done quickly, even instantaneously in many cases.  If you know you are going to be applying for credit, lift it 24 hours before and set it to be lifted for 7-10 days in case back office operations needs something.  Then, when those 7-10 days are up, it will go right back in place.  If you lift the freeze by using the bureau’s online sites it is instant. But by giving yourself a day or two will help in the event the website is down. You can ask the creditor who they work with and only lift that one. 

Q:  What about VPN connections.  When should those be used and are they needed? 

A:  In my opinion, a VPN is not needed at home for regular home use if you have a secure router.  Obviously, with more people working remotely they are using a company defined VPN to log into their office systems.  Many of the free VPNs were created out of Russia and China and now all your info is bouncing off their server.  Look at the reviews and look where company is based before you use.  If you are at hotel or whatnot and on free Wi-Fi, then use VPN.  But, better to use data plan and not free Wi-Fi. Or go buy a hotspot and use that. 

Q:  Is it recommended to pay an identity-theft protection service that offers to audit and fix your credit profile or your online presence, etc.?

A:  No, most of the victims I have helped came to me after their identity theft protection service wouldn’t or couldn’t help them. These services CANNOT protect you. They can only tell you AFTER something has already happened. Being proactive as opposed to reactive is a better approach. With clients, we take a proactive approach by implementing a proven prevention process I have developed after working with victims for 15 years.  

Q:  How do you auditing or fixing your online presence?

A:  It depends on what you expect. In my experience, it is impossible to remove something from the internet forever. It might disappear for a short time only to reappear later. Now if you are looking for a service to evaluate your digital footprint, I have a strategic partner that does this and does it well.

Q:  What was the website for getting notified about home title changes?

A:  It depends on your county. In most counties, the free service is offered through the Clerk of Courts office or the office responsible for managing official land records.

Q:  What about phone app permissions?

A:  Both app permissions AND phone privacy settings should be reviewed and adjusted regularly. I offer private online classes on how to adjust privacy (permission) settings AND app settings on iphones. I do not use other types of mobile phones for security purposes. However, there are numerous online videos on adjusting phone app permissions for Android and other phones.

Before wrapping up, Brian Gamble shared what FLI does to protect data for our clients.  He shared that we have an information security program that is designed to protect user information, which includes secure email and our document portal, as well as regular user training.  We also follow best practices for network security that utilizes two-factor authentication and strong passwords.  In addition, since your assets are custodied at independent third party custodians, you get the additional security protections that those firms have in place as well as checks and balances between FLI and the custodians.

Carrie’s presentation was quite informative.  If you would like additional insight you can visit kerskie.com and/or subscribe to Carrie’s podcast –Privacy Mentor.  You can also reach her at ck@kerskie.com.

About our speaker:

Carrie Kerskie is the president of Kerskie Group LLC, founded in 2001 in Naples, Florida. Kerskie Group is the leading private investigation agency focused on identity theft prevention, restoration, consulting, and corporate training. She is also the host of the Privacy Mentor podcast.

Through her private investigation agency Carrie worked with thousands of victims for more than fifteen years. These cases enabled her to view identity theft, fraud, and cyber threats from all angles.

Being a highly sought-after national lecturer, author, and consultant on the topics of identity theft, fraud and cyber threats, Carrie is the author of two books, Your Public Identity; Because Nothing is Private Anymore and Protect Your Identity. She is a media favorite and was featured in numerous publications such as Consumer Reports, Huffington Post, KrebsOnSecurity.com, and MarketWatch. She appears regularly on NBC, ABC, and FOX.

The views expressed by Carrie Kerskie are hers and not those of First Long Island Investors, LLC.