Technology is more accessible and affordable than ever, levelling the playing field in everything from education to eCommerce. One of the latest innovations is in the field of finance and investing. One sector of the fintech industry employs machine learning algorithms that can predict stock performance and make recommendations.
The fact that many of these trading apps are mobile puts your financial future squarely into your own hands. However, it also makes your information accessible to others if you don't protect yourself from phishing attacks. From an IT manager's perspective, any employee using such a mobile app on a phone they also use for business extends those risks to the corporate network.
Particularly worrisome is spear phishing, which is directed at a specific person. According to a study conducted by Iron Scales, 77 percent of these attempts are launched at 10 or fewer inboxes. The subject line and message mention you by name and include details the attacker has found on social media or professional profiles. Often, the message purports to be from a colleague or someone within your organization. It may ask you to check out a work- or travel-related website or to wire money to cover an emergency.
These emails can be very sophisticated, often using the real company logo and a similar URL or email address. The first red flag is a message from a company you don't have an account with, but there are other signs of a scam:
- Your name is misspelled
- The name of the company or work colleague is incorrect or misspelled
- The message is badly written, using improper grammar or seeming to be in broken English
- They ask for personal or account information or passwords; no legitimate company or government agency asks for such information.
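The red flags above can be checked mechanically on an incoming message. The following is an added example, not code from the original article: it parses a constructed sample email and reports a lookalike sender domain, a Reply-To that differs from the sender, links whose host merely embeds a trusted brand name, and requests for passwords or account details. The allow-list of known domains, the keyword list and the sample message are all assumptions made for this illustration.

```python
"""Flag common phishing indicators in a raw email message.

Added example, not from the original article. The allow-list of legitimate
domains and the sample message are constructed for illustration only.
"""
import email
import re
from email import policy
from typing import List
from urllib.parse import urlparse

# Constructed allow-list of legitimate sender domains (hypothetical).
KNOWN_DOMAINS = {"example-bank.com", "paypal.com"}

# Phrases matching the article's red flag: requests for credentials or account data.
SENSITIVE_REQUESTS = ("password", "account number", "verify your account", "social security")

# Constructed sample message: the sender domain imitates a real one ("rn" in place of "m").
SAMPLE_EMAIL = """\
From: Security Team <alerts@exarnple-bank.com>
Reply-To: support@mail-verify.example
To: Jon Doe <jon.doe@corp.example>
Subject: Jon, urgent: confirm your account
Content-Type: text/html

<html><body>
<p>Dear Jon Doe, we detected a problem with a payment.</p>
<p>Please <a href="http://example-bank.com.login-check.example/verify">sign in</a>
and confirm your password and account number within 24 hours.</p>
</body></html>
"""


def levenshtein(a: str, b: str) -> int:
    """Edit distance; used to spot lookalike domains such as exarnple vs example."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def address_domain(header_value) -> str:
    """Return the lower-cased domain part of an address like 'Name <user@host>'."""
    match = re.search(r"@([\w.-]+)", header_value or "")
    return match.group(1).lower() if match else ""


def link_domains(html: str) -> List[str]:
    """Hostnames of every href in the HTML body."""
    return [urlparse(href).hostname or "" for href in re.findall(r'href="([^"]+)"', html)]


def phishing_indicators(raw: str) -> List[str]:
    """Return the list of red flags found in the message (empty means none found)."""
    msg = email.message_from_string(raw, policy=policy.default)
    flags = []
    sender = address_domain(msg["From"])
    reply_to = address_domain(msg["Reply-To"])
    body = msg.get_body(preferencelist=("html", "plain")).get_content()

    # 1. Sender domain is unknown but within edit distance 2 of a known domain.
    if sender not in KNOWN_DOMAINS:
        for known in KNOWN_DOMAINS:
            if 0 < levenshtein(sender, known) <= 2:
                flags.append(f"lookalike sender domain {sender} resembles {known}")

    # 2. Reply-To points somewhere other than the sender's own domain.
    if reply_to and reply_to != sender:
        flags.append(f"reply-to domain {reply_to} differs from sender {sender}")

    # 3. Link hosts that embed a known brand but are registered under another domain.
    for host in link_domains(body):
        for known in KNOWN_DOMAINS:
            if host != known and not host.endswith("." + known) and known in host:
                flags.append(f"link host {host} embeds {known} but is a different domain")

    # 4. The message asks for passwords or account details.
    lowered = body.lower()
    for phrase in SENSITIVE_REQUESTS:
        if phrase in lowered:
            flags.append(f"requests sensitive data: '{phrase}'")
    return flags


if __name__ == "__main__":
    for flag in phishing_indicators(SAMPLE_EMAIL):
        print("-", flag)
```

Run on the sample message, the checker reports five flags: the lookalike sender, the mismatched Reply-To, the link host that only starts with the bank's name, and two requests for sensitive data. A message from an allow-listed domain with a plain body produces none.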
According to research by a security expert from IOActive, almost all of the 40 trading platforms investigated had some sort of vulnerability that could make you a target. These included mobile trading apps, desktop apps, and websites. The problems ranged from missing or weak encryption to sessions that didn't time out or log the user out when the account holder closed the browser. Issues were found both with big names like Schwab and E-Trade and with smaller, independent investment platforms like Robinhood and Kraken.
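The session problem above, sessions that never expire or survive the user closing the browser, is a server-side design defect. The following added example (not code from the article or from any of the platforms it names) shows a minimal server-side session store with an idle timeout, an absolute lifetime cap and explicit logout, so that a stolen or leftover session token stops working on its own. The timeout values and the injectable clock are assumptions chosen for illustration.

```python
"""Server-side session store with idle and absolute timeouts.

Added example, not from the article. IDLE_TIMEOUT and ABSOLUTE_TIMEOUT are
illustrative values; the clock is injectable so the expiry logic can be tested.
"""
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

IDLE_TIMEOUT = 15 * 60        # seconds of inactivity before the session dies
ABSOLUTE_TIMEOUT = 8 * 3600   # hard cap on session lifetime regardless of activity


@dataclass
class Session:
    user: str
    created: float
    last_seen: float


class SessionStore:
    def __init__(self, clock: Callable[[], float] = time.time):
        self._clock = clock                      # injectable for tests
        self._sessions: Dict[str, Session] = {}

    def login(self, user: str) -> str:
        """Create a session and return its token (32 bytes from the OS CSPRNG)."""
        token = secrets.token_urlsafe(32)
        now = self._clock()
        self._sessions[token] = Session(user, now, now)
        return token

    def lookup(self, token: str) -> Optional[str]:
        """Return the user for a live session, or None (and drop it) if expired."""
        s = self._sessions.get(token)
        if s is None:
            return None
        now = self._clock()
        if now - s.last_seen > IDLE_TIMEOUT or now - s.created > ABSOLUTE_TIMEOUT:
            del self._sessions[token]            # expired: remove server-side
            return None
        s.last_seen = now                        # sliding idle window
        return s.user

    def logout(self, token: str) -> None:
        """Invalidate server-side; clearing the browser cookie alone is not a logout."""
        self._sessions.pop(token, None)

    def live_count(self) -> int:
        return len(self._sessions)


class FakeClock:
    """Test clock that only moves when told to (constructed for this example)."""

    def __init__(self, start: float = 1_000_000.0):
        self.now = start

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


if __name__ == "__main__":
    clock = FakeClock()
    store = SessionStore(clock)
    tok = store.login("alice")
    print("fresh:", store.lookup(tok))          # alice
    clock.advance(IDLE_TIMEOUT + 1)
    print("after idle timeout:", store.lookup(tok))   # None
```

The absolute cap matters because a sliding idle window alone lets an active attacker keep a hijacked session alive indefinitely; the logout method matters because deleting the cookie client-side leaves the token valid on the server.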
Whether you're an investor or you own an investment platform, you can protect yourself and others by designing apps and websites with security in mind. Install and properly configure firewalls on routers and other access points. Also, install a VPN on all networks and connected devices to mask your IP address, identity, and activity. Many platforms also use multi-factor authentication to control account access.
Along with these steps to stay protected, it is always recommended to back up all data and store the backup offline. This protects you if your account is compromised.
One of the best ways to keep your data safe is to change passwords frequently and to use a different strong password for each account.
Phishing and Spear Phishing in Action
Hackers can launch phishing attempts at individuals or businesses. You may have even experienced an attack or attempt and not realized it. These criminals stalk financial platforms and try to infiltrate apps hoping to hit paydirt. It is important to understand how to avoid and prevent these attacks from happening in the first place. These are a few examples of phishing and spear-phishing attacks and how they work.
Phishing Attempts Against Companies
Usually, phishing attempts are launched against individuals or groups of individuals, but there have been several high-dollar attacks against businesses as well.
In 2008, 19 employees of Alcoa were targeted by Chinese hackers impersonating a board member. The objective was to steal trade secrets, and it was carried out through malicious code inserted into the company's email system that ran when the emails were opened. It resulted in the theft of 800 attachments and nearly 3,000 emails.
More recently, Ubiquiti Networks, Inc. willingly handed over more than $40 million to someone impersonating its C-suite executives. The fraudulent emails asked recipients to transfer funds from the Hong Kong office to third-party accounts that had actually been set up by the hackers.
Scams Targeting Individuals
One of the most common types of phishing attempts against individuals and groups targets the widely used payment platform PayPal. I have even experienced this one twice myself but had the presence of mind to call the company directly when the link I was sent redirected me to a Twitter account login. You could also find one that has a similar typeface and logo to your trading platform or bank, making it seem official.
The emails are typically addressed to account holders by name and state a problem with a payment. Then there is a link to discuss the matter further, which leads to a fake login page or website, as happened with me. Once there, the hacker records your keystrokes or inserts tracking code into your browser.
Be on the lookout for government imposters
Since the primary purpose of a phishing scam is identity theft, there have been cases of hackers stealing credentials and using that information to damage the victim's credit or to scam others.
It's common for users to automatically trust a government entity, and the bad guys take advantage of that reality. Something as simple and safe as investing in government bonds can take a swift turn onto the road to ruin when you consider the numerous historical scams that have been perpetrated and realize how simple it is for a dedicated phisher to get between you and your money. The bottom line is that no government-related transactional activity should be deemed entirely safe when it’s done online.
A common method is the "You've got money" scam. There's also a variation that claims IRS authority and threatens the recipient with legal action over a government debt. In these scams, the hacker pretends to be from a government agency. They'll either contact you via email with a warning about tax problems or convince you that you have a refund coming.
Usually, there's a link for you to follow to sign in to an account, but this is just a way for them to grab your sign-in information and access your accounts. Many ask you to wire money or provide them with account information.
This is a lie. No government agency ever requires a wire transfer to get winnings, obtain a refund, or pay a debt, nor do they need your bank account or credit card information. You may receive an email from the IRS or another agency that instructs you to call a toll-free number, but such interactions with the government are still usually conducted by US mail.
If you get such a solicitation via email, don't click on any links or provide identifying information. Instead, report the spear phishing attempt to the FTC.
Final Thoughts
Mobile trading takes investment from Wall Street to Main Street. Following the above suggestions means you can trade any time, from any location, with more peace of mind and confidence.