Cybersecurity After Equifax

(Because our cybersecurity environment is constantly changing, the article below may not reflect the most current risks and control strategies since its original publication. Some principles and general guidance may still apply; however, there may be additional considerations and risk mitigation approaches not reflected here.)

In recent years, we’ve all unfortunately become accustomed to seeing the scary headlines about cybercrime — 80 million client accounts hacked at health insurer Anthem, 70 million records stolen at Target, 3 billion email addresses compromised at Yahoo! — and so on and so on.

But even those blockbuster data breaches pale in comparison to the severity of the Equifax data breach last summer. Nearly 148 million records were hacked, including 2.4 million more victims identified by Equifax today. Stolen data include very sensitive personal information such as names, Social Security numbers, addresses, driver license numbers and birthdates.

This one’s a game changer, and it presents particular risks to wealthy families that call for a more vigilant approach to identity protection.

The evolution of the identity thief

It used to be that email messages from would-be identity thieves were so hapless, they were almost funny — the misspellings, poor grammar and awkward use of colloquialisms were huge red flags. Those days are gone. Identity theft is now a big, professionally run business, complete with forums for buying and selling consumer data, professional copywriters and graphic designers to develop convincing phishing schemes, and an army of hackers testing for vulnerabilities.

And perhaps most ominous for wealthy families, identity thieves are increasingly using the tools of “big data” — powerful databases and sophisticated analytical software — to target specific individuals for exploitation. The Equifax data breach, with its comprehensive data set, feeds this machine. The information will likely be sorted by ZIP code and paired with publicly available data, allowing thieves to systematically target the wealthiest families with customized and sustained campaigns to access their financial accounts.

For example, with knowledge of a person’s credit card or mortgage providers (gleaned from their credit report), hackers can mount a sophisticated phishing campaign, luring people into clicking on a link that installs malicious software, opening up access to their email address and sensitive financial accounts.

Identity fraud is big business, and like any good business, it evolves as it discovers new, fertile sources of profit. At Aspiriant, we’re particularly concerned about four areas of fraud: credit, financial accounts, tax return and medical.

Credit fraud

The large majority of credit fraud currently involves the theft of existing credit card numbers rather than thieves stealing one’s identity and opening entirely new credit accounts. However, the comprehensiveness of the Equifax data breach significantly increases the risk of identity fraud, which, unlike simple credit card fraud, is hard to detect and can take a lot of time and grief to correct. In fact, a 2012 Consumer Reports study concluded that consumers who have suffered a data breach are about eight times more likely to be the victim of identity fraud than those whose data have not been compromised.

In today’s environment, we recommend you:

  • Secure your credit bureau files. The single most effective way to prevent credit fraud is to secure your credit files at the three main credit bureaus. You have two options — a credit file “lock” which you can toggle on or off as needed via a website or a mobile app, or a credit “freeze,” which accomplishes a similar result but is more cumbersome to place and maintain.

    All three bureaus allow you to freeze your credit files. Equifax and TransUnion also have the more convenient free credit lock feature. The only free way to secure your Experian file is with a credit freeze.

    Securing your credit bureau files has no impact on existing credit cards or mortgages, but it does mean that applying for credit will involve the extra step of making your credit file available. We believe that the minor hassle associated with securing your credit reports should be standard “financial hygiene” in a world where databases are regularly breached, data is readily traded in robust marketplaces, and cybercrime is a thriving and lucrative business.

    For more details on how to lock or freeze your credit reports, visit the credit bureau websites using the above links.

  • Opt out of pre-approved credit card offers at or call 888.567.8688.
  • Review your three credit reports for free annually at

Many companies now offer credit monitoring services for a fee (and often for free if you’re affected by a data breach). While we don’t see any harm in using these services, our view is that they are of limited value since they don’t actually lock down your credit files. Rather, they just alert you when someone is trying to access your files so that you can take action at that time.

If the risks of identity theft were limited to credit fraud, we wouldn’t be as concerned, since there are strong consumer protections in place that limit consumers’ liability from credit fraud. We’re more concerned with newer forms of identity theft.

Financial account fraud

In recent years, identity thieves have been increasingly targeting bank accounts and investment accounts. This typically starts with a thief gaining access to an email account (probably through a successful phishing attempt), where he’ll find communications with personal bankers and investment advisors. Then, posing as the client, the thief will request a wire transfer to his own account.

To prevent fraudulent wire transfers, brokerage firms such as Schwab and Fidelity, and independent advisors like Aspiriant, have put in place extensive and independent security measures.

These steps are a last defense against fraud, though. Prevention starts with denying thieves access to your data in the first place. Steps you should take include:

  • Add enhanced security measures to your online accounts. We recommend you add a voice ID and two-factor authentication to your brokerage accounts, so a thief cannot access them even if your password is compromised. Many banks offer the same feature. Your wealth manager might be able to help you put these protections in place.

  • Beware of phishing schemes. This is one of the key ways that thieves gain access to your computer. Know the signs. These are becoming increasingly sophisticated and can be nearly impossible to spot if the thief is posing as your credit card or mortgage company. It’s best to open your browser and log in to your account rather than click a link to see if an email offer or notice is valid.

  • Keep your personal computer secure with updated anti-virus software and regular checks for malware, such as key loggers that transmit your keystrokes (and thus access to your email and financial accounts) to thieves.

  • Use unique, strong passwords for all of your financial accounts so that a thief doesn’t gain access to all of your accounts with a single password.

  • Regularly change your passwords for financial and email accounts, doing so at least annually. This trips up thieves who have already gained access to your accounts.

  • Treat your email account as if it’s public. Send sensitive personal data only through encrypted portals. If you send or receive email with sensitive data, delete it, then empty your trash folder so that it can’t be found by someone who has hacked into your email account.

For more tips and information about cybersecurity, visit the Federal Trade Commission’s website.

Medical fraud

There’s been a boom in medical identity theft and prescription drug fraud, whereby the thief uses their victim’s insurance information to schedule medical appointments and obtain drug prescriptions. Once uncovered, the process of cleaning up one’s medical records can be exceedingly difficult since current consumer protections aren’t geared toward medical identity theft. In fact, once fraud is revealed, some health-care systems will lock the victim’s medical records — even from the victim — for fear of tripping over federal rules by revealing the thief’s health data, according to the Federal Trade Commission.

Worse yet, there have been numerous reports of people receiving incorrect diagnoses or improper treatment because their medical record is tainted with someone else’s history. And in extreme cases, where the thief has purchased and distributed large amounts of prescription drugs, it can lead to significant legal troubles. A recent Consumer Reports article discusses a variety of ways to protect against medical fraud.

Tax return fraud

Tax fraud, in which a thief files a fraudulent tax return to claim a sizable refund, is also on the rise. Victims of the Equifax breach are particularly at risk for this type of fraud. The IRS is dedicating resources to combating tax return fraud and, as with credit card fraud, victims are ultimately not held responsible for fraudulently filed returns. The IRS is currently piloting a secure PIN number program with taxpayers in Georgia, Florida and the District of Columbia, and those who have previously been victims of tax fraud. Don’t be surprised if the Equifax breach prompts them to roll out the program more broadly.

The combination of big-data techniques and massive data breaches means that all consumers, especially the wealthy, are at risk for targeted and sophisticated attacks on their identity. This new reality calls for a proactive approach to data security using all of the available tools. While taking these steps may result in the occasional inconvenience, keeping your identity yours alone will be well worth it.