Trust Your Instincts

06.24.2025

Today’s most dangerous cyber threats don’t come from hackers breaking into systems; they come from someone convincing you to open the door for them.

When most people think of cybercriminals, they picture dimly lit rooms full of nefarious characters feverishly typing computer code, attempting to access your sensitive personal data. But in today’s cybersecurity landscape it’s almost always much simpler: the criminals ask for information directly, and many people unknowingly provide it. These scams, referred to as “social engineering schemes,” exploit your trust, create a sense of urgency, or make you afraid. The perpetrators use these tactics to manipulate you into sending money, clicking a link, or handing over access. These attacks don’t require technical sophistication; they rely on something much more powerful: your willingness to act quickly, emotionally, and often without verifying critical details.


The Real Risk:  It’s About What They’re Asking You to Do

It doesn’t matter if the email looks official or the caller seems trustworthy. What matters is what they’re asking you to do:

  • Click this link
  • Make a change
  • Transfer or send money
  • Log in to a particular account
  • Confirm this urgent request

These actions are the red flags. Attackers don’t need to write perfect emails—they just need you to comply.

You receive a text message that you have unpaid tolls, and if they aren’t dealt with immediately, you will be sent to collections.  Or maybe you receive a message that you have an unpaid parking violation and if you don’t take care of it immediately, your driving privileges will be suspended. You click the link and are brought to a page where you can log in to an official-looking website and enter your credit card information. The unpaid toll or traffic ticket isn’t substantial, so you log in, enter your details, and don’t think about it any further.

What has actually just happened is that you were sent to a page mimicking your Department of Transportation/Police website; the login and credit card sections were all just there to capture your data. The bad actors now have your state DOT/Police login information so they can go to the real version of those respective sites, log in as you, and access even more data like your license plate, Social Security number, and bank account numbers. Beyond that, they now have your mailing address, cell phone number, email address, and credit card information. This list of items is enough to allow the bad actors to run up a huge credit card bill or open accounts in your name. And since most people use the same login for multiple websites, the bad actors can now access your bank and financial accounts as well.

The Common Scenarios: From Emails to Emergency Calls

This is a common tactic cybercriminals use, known as phishing. Phishing relies on deceptive emails, texts, or messages to trick you into clicking malicious links or providing sensitive information. These often create a sense of urgency or appear to come from trusted sources.[1] Other tactics include:

  • Spear Phishing:  A more targeted form of phishing where attackers customize messages for a specific individual or organization, making them harder to detect. These could include messages directed at you with personal information and that appear to come from someone you know and trust.
  • Vishing (Voice Phishing):  Phone calls where attackers impersonate trusted entities (like banks or government agencies) to extract personal or financial information.
  • Baiting:  Offering something enticing (like free music downloads or USB drives) to lure victims into giving up information or installing malware.
  • Pretexting:  Attackers fabricate a scenario (the “pretext”), often impersonating authority figures or service providers, to manipulate victims into revealing confidential information. Both of the scenarios we initially provided above would fall into this category.
  • Quid Pro Quo:  Attackers promise a benefit or service (like computer assistance) in exchange for information, such as login credentials.
  • Scareware:  Victims are bombarded with fake threats or warnings (like bogus virus alerts) to pressure them into installing malicious software or providing payment.
  • Honey Trap:  Social engineers pose as attractive individuals online to build trust and extract sensitive information.

These tactics all exploit human psychology—trust, fear, urgency, curiosity, loneliness, or helpfulness—rather than technical vulnerabilities.

How do you protect yourself from Social Engineering-driven cyber attacks?

The Playbook: Stop, Verify, Protect

You don’t need a cybersecurity degree to protect yourself. You need a simple process and a moment of pause.

1. STOP:  Am I being rushed, pressured, or emotionally triggered?

2. VERIFY:  Is this a change to what I’ve done before? Call the person directly—on a known number—to confirm.

3. PROTECT:  Only take action after you’ve independently confirmed the request. Never trust instructions sent over email or text alone, or from a phone call made to you.

Think about what they’re asking you to do; if it’s an urgent request to click a link, make a change, log in to an account or transfer money, then it may very well be nefarious. The easiest way to avoid this type of scam is to navigate to the website directly (or via your own bookmark) and never click a link that was sent to you unless it is an expected link from a known sender. An example of this would be an email from Schwab stating that your account has been compromised and instructing you to click the link provided to change your password.  Instead of using the link in the email to change your password, open a web browser where you can navigate to the Schwab website independently and log in to your account to change your password there.

The Basics Matter: Unique Passwords and Multi-Factor Authentication

On the subject of passwords, we highly recommend using a different password for every account, especially email, banking, investment platforms, and cloud storage. A password manager, which creates a strong, unique password for every account, streamlines this process. We trust these password manager tools so much that we provide one to all MCM employees. Popular password managers are Dashlane, Bitwarden, 1Password, and NordPass.

We also highly recommend the use of multi-factor authentication (“MFA”) on all accounts that support this tool. MFA will either send a text message to your cellphone or require you to use an app to verify that you are actually trying to access your own data. With these tools in place, a bad actor who has your username and password will not have enough to access your sensitive information.

The Takeaways: Trust Your Instincts

Your willingness to stop, verify, and protect is your best defense against social engineering scams. By staying vigilant and following these simple steps, you can protect your and your family’s sensitive information from cybercriminals.


  1. Lenaerts-Bergmans, Bart. “10 Types of Social Engineering Attacks.” CrowdStrike, November 7, 2023. https://www.crowdstrike.com/en-us/cybersecurity-101/social-engineering/types-of-social-engineering-attacks/.

Disclosures:

For this month’s Insight, we partnered with our third-party cybersecurity firm, Agio, to provide some simple ideas about how to protect your and your family’s sensitive information.

This material is provided solely for informational purposes. The opinions expressed herein represent the current, good faith views of the authors at the time of publication and are provided for limited purposes. The information presented herein has been developed internally and/or obtained from sources believed to be reliable; however, neither the author nor Manchester Capital Management guarantee the accuracy, adequacy or completeness of such information. Predictions, opinions, and other information contained in this article are subject to change continually and without notice of any kind and may no longer be true after the date of publication.
