Always Verify Identity: Good habits for staying secure.

Every day I hear stories, whether from headlines in the news or from my friends and neighbors, about hackers and fraudsters eliciting money, access, or sensitive information from victims by pretending to be someone they are not. Security awareness trainings aim to help people identify the signs of social engineering and phishing. Policies and procedures are defined by companies to try to ensure the right checks are done before critical actions are taken. The problem is, we are all human. We are empathetic. We react to stress. We have fears and many of us lead with trust. Attackers know this, and they often show up armed with information that you would expect to be confidential.

Whatever the situation, if you do not know that the person asking you to send money, grant them access to a sensitive account, or to share sensitive information is legitimately who they say they are, verify their identity. If "your bank" sends you an alert that there is fraudulent activity on your account, don't click the link or call the number they sent you, verify the sender. Go log into your bank the way you normally do, likely typing [mybank].com into the address bar of your browser, and use the support features available there. If "a customer" calls in and tells you they have lost all authentication methods (password, MFA, etc.) and need access immediately, have them verify some things that only that customer would know (hopefully your company has provided you with tools for verifying customer identity!). If someone who sounds a lot like that person you've been working with on your new mortgage calls and tells you to wire funds to x account immediately to ensure your home sale closes, take the info and then reach out to that person the way you normally would to verify the request. If the IRS calls to say they are suing you over unpaid taxes, unless you know something I don't, it's fake.

We keep hearing about and seeing "deep fakes". Unfortunately, bad actors may be able to impersonate your family member's voice, they have information that is detailed and timely. I do know someone that faced the mortgage related issue. Clearly the mortgage company or title company had been breached. They might have access to someone's email account and be using it to launch attacks. You really have to be in the habit of using a second, and in some cases third and fourth methods of verification when you are being asked to 1.) share sensitive information (including when someone else initiates asking you to verify your identity by sharing your personal details!), 2.) grant access to sensitive accounts, or 3.) transfer funds. Just a quick "hey, I got a request from you, can you verify that this was you?" can do it in some cases. Making this a habit will help you not have to spend time assessing each situation and will help protect you from being caught off guard.