Protecting Our Information
I try to be an optimist but it’s scary out there. Pick your category and you’ll find more than enough detail to keep you up at night.
Among the variety of things I worry about, fraud risk is high on the list. It just seems so easy these days. Maybe because on the one hand it can be so basic, like a crook dumpster diving for documents, while on the other hand it can be highly technical, like someone somewhere breaking into your computer and tracking every keystroke you make to get at your passwords and who knows what else.
For all the convenience that comes with computers and the internet, and now AI, in some ways we seem more vulnerable than ever. What are we supposed to do about it?
I’ve discussed this topic several times over the years, but it has bubbled up in the past week, so I figured it was a good time to bring it up again. This time I’d like to share a bit about current threats and some of what I do to protect my (and by extension, your) information. Maybe this can help as you navigate these issues yourself.
First, I heard from Schwab and NAPFA (the “fee-only” fiduciary organization I’m a member of) about recent scams targeting advisory firms like mine.
There are “vishing” (voice phishing) scams that go something like this… a fraudster calls impersonating an employee or maybe a tech vendor. They say there was a data breach and they need to update your login credentials. You provide the credentials and, voila, you’re compromised. That might sound basic, but it’s backed up by quick access to information via the internet and AI.
Here’s another… Search Engine Poisoning. This is where fraudsters create a fake website and use search engine optimization to get it to show up high on a Google search list, for example. You click the link and log into the website as normal… now you’ve inadvertently given your login credentials to the third party, but they can’t log in without a two-factor code. So they show you a phone number to reset your password. You call in, give them the code sent to your phone and now they have all they need to access the real website.
Reading this, you might think that you’d never be so careless as to give your credentials to a random person, but it happens. What if they had a caller ID that matched your employer’s line, or the line of a vendor? What if they had some information about you and directed you to a website that looked legitimate? None of this is getting easier to defend against.
And here’s one more. Apparently NAPFA’s “Find and Advisor” search tool was being used to send people like me fraudulent emails from prospective clients that included a Zoom link to set up an introductory appointment. Clicking the link would download a remote access tool allowing the crooks access to our computers and, well, you can imagine the rest. NAPFA has added additional security features to reduce the risk from automated attacks like this, and fortunately I wasn’t actually impacted, but I can imagine how easy it would have been to click that email link if someone wasn’t paying attention.
Apparently old-fashioned dumpster diving for documents is still in play for fraudsters but much of the fraud has moved online. AI amps this up. Schwab reports that fraud leveraging AI spiked over 1200% in 2025 and was used most in real-time conversations, presumably to quickly find publicly available information about targets as crooks engage them in conversation, and perhaps while using AI voice cloning.
Okay, so what are some practical approaches to dealing with this?
First, use a password manager like LastPass. That’s the one I’ve used for years. These subscription services have you create a master password for their system and then allow you to store your user credentials for the various websites you access regularly. This accomplishes a few things.
One, you can create your own passwords or have LastPass generate random long and strong passwords for every website you regularly access, and you only need to remember the one master password. Then LastPass prefills your login credentials the next time you go to the website. You won’t need to type as much, which is nice, but this also keeps your passwords from someone who might be remotely monitoring your keystrokes.
Two, this helps you avoid using the same password repeatedly.
Three, the password manager saves your user credentials to a specific website URL, so it won’t prefill your password on a fraudulent website.
Again, there are multiple providers, but LastPass is a good one. https://www.lastpass.com/
Next, I suggest using two-factor authentication wherever possible. We’re all familiar with the codes sent to our cell phone, but using a physical device like a YubiKey is even better. I’ve used these for years as well. You insert this into your computer or rub it against your cell phone and press a small button that activates its own password. You can link the YubiKey to your password manager so that it needs both your master password and your YubiKey to function. That might sound like overkill, but it’s pretty simple once you get the hang of it, and a remote actor would need your master password and your physical YubiKey to access your passwords.
Here’s Yubico’s website if you’re interested. You can also buy these on Amazon. https://www.yubico.com/
Other practical (but admittedly annoying) tips include…
Be especially wary of clicking anything in an email. Is the sender’s email address accurate? If there’s any doubt, just go to the website yourself. This can take extra time but “accidental” link clicking is the #1 way we let fraudsters into our computers.
Log out of websites instead of just closing the screen. Do this on your phone as well. Even close the tab after logging out. If someone is tagging along, don’t let them continue after you’ve moved on.
Run updates on your operating system. These can be especially annoying because of the time they take and the changes they can make to the usability of our systems, but updates often contain helpful security patches.
Beyond that, remember that I follow processes here at Ridgeview, and Schwab follows more, to help ensure that it remains extremely difficult for someone to steal from you. But we all have to do our part, and password managers paired with a physical two-factor device can really help.
Have questions? Ask us. We can help.
