
Cyber Threats: Prevention is Key

by Lindsey Stetson, CFP®

Websites and smart devices have increased in sophistication, allowing us to perform personal and financial tasks from the palm of our hands. The pandemic has caused many of us to leverage virtual options, either out of safety concerns or convenience. We can order groceries, meet with our doctors, and purchase cars in our pajamas. While our new e-lifestyle has led to more efficiency in our lives, we must acknowledge that it has created an additional way to become targets of criminals.

How Common are Cyber Attacks?

A Clark School study at the University of Maryland determined that cyber-attacks occur on average every 39 seconds, affecting 1 in 3 Americans every year. This nearly constant rate of attacks means we can never let our guard down. Hackers are waiting for the opportunity to steal our personal information, banking information, and anything else they can use to profit.

Who Does Cybercrime Hurt the Most?

While we hear about companies being attacked – remember the gas shortage caused by the Colonial Pipeline ransomware attack in May of 2021? – it’s average consumers who are hurt the most. The preferred victims of cybercriminals are 60+ years old but anyone can fall prey.

How Can You Stay Safe?

Do not click on links or open attachments in unsolicited emails or texts.

Phishing emails often attempt to mimic organizations or people you know. Even if you know the sender, study the email address, the wording used in the body of the email, and hover the mouse over links to confirm the destination before proceeding. Verify that the email or text is legitimate by asking the person who sent the message to you. Clicking on links and opening attachments may install malware on your device which can steal your information or even hijack your computer.

Be wary of urgent requests

Criminals know that stress can affect how we make decisions. By creating a rushed situation, they know that people are less likely to follow processes and procedures. A popular tactic is to impersonate a utility company claiming that your bill is overdue and without immediate payment, your gas/water/electricity will be shut off. Another popular one is to pose as the IRS and claim that your debt must be settled immediately. The IRS and utility companies will never call or email you out of the blue and you do not have to give any personal information to anyone calling or emailing you.

Use strong, unique passwords

Using the same password across multiple websites increases your vulnerability to attack. Passwords should be long and contain unique characters, numbers, and upper- and lower-case letters. Don’t use easy-to-guess words like pet names, middle names or birthdates. These are clues that can be gleaned from social media posts. Encrypted password managers can be useful, so you only need to remember a single password. Enabling multi-factor authentication when available also makes it more challenging for someone else to log in as you.

Keep systems and software updated

Keeping your software (including a reliable anti-virus product) updated will ensure that you have the most current security features to keep you protected. You should update the operating systems and browsers on your computers, tablets, smartphones, etc. regularly.

Keep personal information secure

Documents containing your personal information should be shredded rather than thrown away. When in doubt, shred it! Store sensitive documents like tax returns in a secure location and do not email documents, such as bank statements, without encryption. Make sure your phone has a passcode or face scan enabled for access.

What if You Become a Victim?

Change your passwords

This is a no-brainer, but if you get hacked or have a data breach you should immediately change all of your passwords.

Monitor your accounts and credit reports

It’s important to pay extra attention to your account activity after a data breach. You can sign up for text alerts on your bank and credit card activity and you should check your statements closely. Check your credit reports for anything suspicious. It is possible to freeze your credit, which prevents any new credit accounts from being opened in your name. The drawback is that you, too, are unable to apply for new credit until the freeze is lifted.

Alert your financial institutions

Notifying relevant institutions of the data compromise allows them to be extra alert and scrutinize suspicious requests regarding your accounts. Trust Company of the South has several standard security measures in place for high-risk requests such as wire transfers and address changes but letting us know of the issue allows us to monitor for larger-scale data breaches across our clients.

Cybercriminals will always be innovative with their attacks but taking the above measures will go a long way in protecting you and your family.

Protecting Your Identity

by W. Michael Bridgeman, CFIRS™, CFP

Identity theft.  We hear about it almost daily.  A retailer is hacked and your personal information may be exposed.  A social media site collects your personal information and then shares it without your permission.  A credit bureau is breached and your personal information is at risk.  Then we all have to wonder: how much of our personal information is at risk? Is it on the dark web?  Is there any way to protect ourselves?

You’ll be relieved to know that the answer is yes, you can protect yourself from identity thieves and others who try to steal your personal, financial and even health information.  Although there are many malicious individuals out there trying to do you harm, you can take action to defend yourself from their malevolent malware.

Follow these guidelines to build your “personal identity defenses”:

  1. Take responsibility.  With all the conveniences we enjoy by having our lives on Facebook, Instagram, LinkedIn, and having our financial information readily available on our smartphones – we must think before we share our information.  Identity thieves may call, sometimes posing as bank or government agency officials. Do not give out personal information over the phone unless you initiated the call.
  2. Create better passwords. Use passwords that use a mix of letters, numbers, and special characters.  Do not use your birthday, anniversary, or children’s names as passwords!
  3. Encrypt your smartphone and computer.  Using passwords to lock your phone and computer encrypts the data on the device itself.  A thief cannot unlock these devices without the password, and they cannot circumvent the password to view your data.  Imagine that when you encrypt data you take a piece of paper with your personal information and shred it to pieces.  If someone breaks into your device without a password, all they see are the shredded pieces of paper. But when you log in with your password, the data is decrypted, and the little pieces of paper are magically put back together so you can see it in its original form.
  4. Invest in a shredder.  Shred your receipts, credit card offers, bank statements, returned checks, and any other sensitive information before throwing it away.
  5. Avoid public Wi-Fi.  Public Wi-Fi is fraught with dangers.  Hackers know individuals using public Wi-Fi are easy targets for stealing information. This includes airports, hotels, and coffee shops.  They may be convenient, but they are not secure.
  6. Update your software.  Keep your phone’s operating system and apps up-to-date.  Software updates can contain fixes to security flaws!
  7. Sign up for account activity notifications from your bank to notify you of transactions.
  8. Make yourself phishing-proof – do not reply to unsolicited emails asking you to verify personal information, and avoid clicking on suspicious links.
  9. Be on alert for phone calls that could be phishing scams.
  10. Order your free credit report.  You are entitled to one free credit report from each of the three credit bureaus each year.  Order from each individually, or go to www.annualcreditreport.com to receive a consolidated report.  Review the report for inaccuracies and possible identity theft.

If you do become a victim of identity theft, report it to the Federal Trade Commission at www.identitytheft.gov.  You will find useful information on the website to develop a recovery plan and put it into action.  You also should consider placing a freeze on your credit file to prevent thieves from trying to open new accounts in your name.

One last consideration is identity theft insurance. There are many providers that offer to monitor your credit, Social Security number, credit and debit card numbers, etc.  Several companies offer restoration services and expense reimbursement.  You can purchase the insurance online through the provider, or check with your agent and ask if you can add it through your homeowner’s policy.

Unfortunately, we will continue to hear about more, not fewer, data breaches.  We know they are going to happen, which is why we must be more vigilant than ever to protect ourselves.  Stay alert, stay cautious, and stay safe!

Michael is the Compliance Officer for Trust Company, and is based in the Raleigh office. He is responsible for assuring compliance with North Carolina banking rules and regulations, federal BSA/AML laws and regulations, and sound fiduciary practices. Michael is a Certified Fiduciary and Investment Risk Specialist™ and a CERTIFIED FINANCIAL PLANNER™. He has over twenty years of experience in the financial and wealth management industry.

Are My Assets Safe?

In light of past high-profile securities fraud cases and investment scams such as the Bernie Madoff scandal, the Stanford Financial Group, and continuous Ponzi schemes, we think it is important for our clients to know how their assets are kept secure with our organization.

As authorities investigated these schemes, especially Bernie Madoff, it became clear that neither investors nor institutions performed even cursory due diligence on Madoff, his operation, or the underlying investments (if there ever were any investments) before handing over their or their clients’ money.  In short, there was a lot of “trust” – with no verification.  Those potential investors and advisors who did try to obtain answers to basic due diligence questions quickly became suspicious and moved on.

In the case of Stanford, it appears suspiciously high yields were offered to clients investing in certificates of deposit in a related offshore bank.

Summarized below are some of the key factors ensuring the safety of our clients’ assets, the majority of which were absent in the securities fraud cases described above.

  • Our clients’ assets are held and safeguarded by independent third-party custodians (US Bank, Depository Trust Company (DTC), Matrix).
  • Our investment offerings are transparent and diversified – our investment offerings are widely known and owned – and easily vetted by our clients.
  • We use an independent third-party trust accounting system for the detailed record-keeping of client accounts as well as separate third-party performance reporting.
  • As a fiduciary trust company, we are examined each year by the North Carolina Office of the Commissioner of Banks.
  • Our operations and internal controls are reviewed annually by an outside public accounting firm.
  • We serve as the “back office” operations support for several bank clients.  These banks performed their own due diligence of our organization and operations before engaging us.  They require a separate audit of our activities specific to this operational support.
  • Our firm is owned by shareholders who, with the exception of Bill Smith and his brother Jim Smith, are unrelated by birth or marriage.   In addition, none of our employees are related by birth or marriage.

Most of the above factors are discussed in more detail below.

First, and most importantly, we use independent third-party custodians to hold and maintain all our clients’ assets.  US Bank serves as the custodian for all DTC-eligible client assets (stocks and bonds).  Our clients’ mutual fund assets (including money market funds) are held at the respective fund company and cleared through Matrix Settlement and Clearing Services, a broker-dealer which serves over 300 financial institutions and processes over $200 billion in customer assets on their platform.  The fact that Mr. Madoff did not use independent custodians is one of the linchpins that allowed him to pull off his scheme.  This fact also caused many potential investors to quickly turn away.

Assets maintained in custodial accounts by custodial institutions are segregated from the assets and liabilities of the institution and are not subject to the institution’s creditors. The custodian’s role is to hold the assets for safekeeping, to collect dividends and interest and provide other similar services.  Account ownership in the assets remains vested in the entities for whose benefit the institution is acting as custodian and the assets are not subject to the claims of creditors.  In contrast, assets held in deposit accounts of a bank become liabilities of the bank. As such, deposits create a debtor-creditor relationship between the bank and the depositor. Similarly, if investors hold assets with an investment advisor, who does not provide separate custody, these investors become general creditors of the investment advisors.

Our custodians employ comprehensive safeguards and controls over asset trading and transactions in their daily operations.  Each year the custodial operations of both Matrix and US Bank undergo an SSAE 18 examination.  Officially known as a “Reporting on Controls at a Service Organization,” SSAE 18 audits provide independent third-party verification by a licensed CPA firm as to whether control activities described by a service organization were suitably designed to meet specified control objectives and were in place and operating effectively over a specified period of time.  Trust Company primarily requests a specific type of SSAE 18 audit called a System & Organization Controls (SOC 2) report.  A SOC 2 report evaluates a provider’s security, availability, processing integrity, confidentiality, and privacy controls.

We have a great deal of daily interaction with our contacts at both Matrix and US Bank. We monitor our custodians’ service and capabilities and have a very high level of confidence in them to safeguard our clients’ assets.  If we ever have concerns about a custodian’s service, we are free to, and will, move our clients’ assets to the care of another reputable and capable custodian.

As mentioned above, our investment offerings are very transparent and diversified.  We utilize mutual funds that are easily verified and vetted – and are tracked and reported in a wide range of mediums.  We do not recommend that our clients invest in “black boxes” or exotic schemes that cannot be easily explained or supported.  It has been reported that Stanford Financial Group invested in certificates of deposit issued by a related offshore bank. All Trust Company of the South investments are “arm’s length” transactions with independent mutual fund companies or investment managers.  We do not engage in related party transactions.

Unlike Bernie Madoff and other fraudsters, we report to our clients on how their assets are invested through our use of an independent trust accounting system to maintain individual client accounts and transactions.  We also use an independent third-party for client performance reporting.  In addition, clients can easily verify how any one of their investments is performing by looking in the business section of most newspapers or a host of other sources.

We use InnoTrust, the trust accounting and reporting system designed and maintained by SS&C Innovest.   It serves trust companies, trust and custody departments of banks, wealth management firms, and private banks.  Innovest Systems, LLC was founded in 1974 and is based in New York.  Innovest merged with SS&C Technologies Holdings, Inc. in 2020.  We have representatives on the users group that provides ongoing feedback and suggestions for further enhancements to the InnoTrust system.  This system has its own comprehensive internal controls and reconciliations that are performed with the range of activities and operations allowed by the system.  In addition, an annual SOC 2 audit is performed on the system and we receive and review the results of this audit.  The SOC 2 report also addresses the security of the data.

Beyond the daily back-up of our data on the InnoTrust system, the data also resides with the system provider, SS&C Innovest, so there is an independent source for detailed client account information should a catastrophe strike our facilities or people.

Client accounts are reconciled daily with the custodial accounts of Trust Company of the South at US Bank and Matrix.  These reconciliations are monitored daily by our internal operations team.  Any exceptions, though rare, are investigated and addressed promptly.

In addition to the controls and processes used by independent custodians and trust accounting system, Trust Company of the South employs rigorous internal controls and separation of duties in managing client transactions and accounts.  These controls minimize both employee errors and potential fraud.  At least two people are involved with each client transaction – the person who enters the transaction and a second person who reviews the transaction entered into the system against the supporting documentation from the client.  Once adequately reviewed, the transaction is authorized/approved by the reviewer.  Also note that the trust accounting system will not allow the same person to both enter and approve a transaction.  Beyond the separate entry and authorization of each client transaction, all transactions (disbursements, deposits, trades, etc.) are reviewed daily by our principal in charge of client services.

Our internal controls, processes and reporting related to maintenance of client accounts are reviewed each year as part of our required annual examination by the Office of Commissioner of Banks for the State of North Carolina.

Note we also have separate audits of our internal processes and procedures by an independent accounting firm, Elliott Davis.  The Elliott Davis auditors responsible for performing our audits specialize in reviewing and testing internal controls for financial institutions.  In addition, we serve as the “back office” for several banks who to date have chosen to outsource their operations.  These banks performed their own due diligence of our capabilities in their decision to engage our firm and require a separate audit of the specific functions we provide to them.

An independent audit of the financial statements of Trust Company of the South is performed each year by a public accounting firm. The auditors review and confirm our records of client accounts with the accounts of the custodians of our clients’ assets.

We also have a chief compliance officer who performs periodic reviews of client accounts, evaluates internal controls, and conducts random audits to ensure assets held with our custodians match what is held in our client accounts.  These findings are reported to the Audit Committee of the Board of Directors of Trust Company of the South, who also oversee all risk compliance controls and meet on a regular basis throughout the year.

We realize that this is a lot of information to digest but we wanted to communicate some of the important safeguards and controls in place to protect our clients’ assets.  You have placed your trust and your money with us.   It is our job to ensure that you continue with that trust.

Please contact us with any questions or if you would like to discuss further areas outlined above or any other concerns.