How Not to Get Robbed Online
Rick: Thank you, everyone. The only advice I got today to speak to you, guys, is to treat the microphone like a lollipop and pretend like I’m licking it, so you can all hear me, so if you can’t hear me at any time or Mike at any time, please just yell at us, throw something at us. We won’t take it by offense.
I know IT is not the most exciting in the world for a lot of people, so we’re going to try to make this as painless as possible and hopefully you guys can catch on a lot of points. This is a quick outline of what we’re going to talk about today. We’re going to talk about what the big idea is, why are we discussing IT with landlords today. We’re going to talk about SCRA. We’re going to talk about FTC. We’re going to talk about the 201 CMR 17. Already you guys are going, “What in the world is he talking about?” That’s kind of the point today.
There are a lot of regulations out there that are governing how you need to protect PPI, personally protected information, your tenants’ information, whether that be on paper or digital format, so we’re going to talk about that. We’re going to give you guys some advice along the way.
What is the big idea? Basically, treat information as gold. You want to protect consumer identities. You want to avoid losses and things like that. A lot of you probably hear stuff online about big companies that were hacked and information was stolen and things like that. If Yahoo can be hacked, certainly you can. You’ve read a lot about Ransomware and different malware that’s out there that all of a sudden you have to pay a bitcoin for. You don’t know what the heck a bitcoin is, but a bitcoin costs $7,000 now and you don’t know what to do. We’re going to try to give you some tips.
The scary stuff. Javelin Report in 2017 did a study on identity fraud and they estimated 15.4 million consumers actually lost some sort of information in 2016. That’s a staggering amount and $16 billion in value was stolen. The FBI actually reported that there was $8 billion stolen in any given average year, and that number just goes up and up every single year.
Mike will probably tell you bitcoin a year ago, if you got certain malware, you maybe paid $500 to get your information decrypted and given back to you. Now we’re looking at bitcoin costing $7,000, $5,000, things like that, so it’s getting more and more expensive every single day.
We’re going to talk about some of that. There are some numbers at the bottom here. Average costs for a consumer to fix some of these problems is $263 plus an hour. For you, guys, what are we really talking about? We’re talking about is it a month’s rent? Is it a few months’ rent? In some cases, is it bad enough that we’re talking about bankruptcy? We’re going to try to give you some tips to prevent those.
Obviously, legal framework is what governs how you have to protect this information. FTC Regulations, Fair Credit Reporting Act, the 93H, and the 201 CMR, we’re going to talk about them a little bit.
First off, the FTC. Okay, regulations were revised in 2012. Essentially what happened is it became more stringent. Identity theft, when we talk about identity theft, what we’re talking about is fraud committed or attempted using somebody else’s information. You’ll see this a lot. For you, folks, when you’re filling out applications and you’re going through those credit checks and things like that, so we’ll talk about a little bit.
Here are some red flags that you, guys, may already look for, maybe you haven’t thought of them. (a) Documents appear to be forged or altered when they’re filling out their information. (b) Photo IDs are inconsistent with the people, with their physical appearance. (c) The photo ID address doesn’t match any of the listed previous information. (d) The signature on the ID doesn’t match the application. (e) The application appears to be altered. (f) The social security number is on the Death Master File. If you guys don’t already check that, you simply Google “Death Master File,” you’re able to put that social security number right in there, and it will tell you whether that person is still living or deceased. (g) Social security number is in the wrong range for your date of birth. It might be a little bit harder to detect, but the more you guys do this, it becomes more and more familiar with you. (h) Suspicious phone number supplied. Sometimes, so a lot of us know 774, or your 508 numbers, 617 number. You can learn to identify pager numbers, and things like that. (i) The address or phone number matches a previous renter and tenant, and things like that. More difficult if you’re on paper file, but as more and more people become software based and you’re putting your tenant information in there, these are some red flags that can be flagged sometimes. (j) The application doesn’t respond to requests for more information. To me, that’s the biggest one is you ask for more information and they get radio silent, it’s usually a first indicator that something might not be right.
Detection does scale with size. What I mean by that is if you have one property, there’s a certain limit. It’s what reasonably expected is essentially how it’s governed. You have one property and there is a breach, there is a leak, there’s something that happens. If it does go to court, what they’re going to say is was it reasonably within your means to find out that information or to protect that information?
As you, folks, as your portfolio is growing, you have more and more apartments and properties and things like that, your expectation grows as well. They’re going to hold you more accountable with the more properties you add on there.
Respond and revise, what we’re really talking here is about 93H, just one of the other governing ones. Essentially saying that when you suspect a breach or an over-breach, you do have an obligation to report it, and in the State of Massachusetts, if you don’t report it and you’re proven that you were aware of it, it’s actually a criminal offense.
If you suspect fraud, obviously don’t rent to them and if it’s serious enough and it needs to be reported, notify the appropriate parties.
Revise your practices. The bad guys are always inventing new ways to steal. We’re going to talk about that a little bit more with malware and viruses and things like that, so you’re constantly having to revise and educate yourself on what you need to be doing. If you have staff, train your staff. There’s dozens of agencies out there. We listed a bunch of them. Some of them you may recognize, some of them you may not, all of them can be Googled, and we do have the handouts available as well that we can send off for you guys as well.
Best advice is don’t get frauded. Sounds simple. Let’s talk about that a little bit more.
Fair Credit Reporting Act, we’ve talked about this. If you get a credit report, you must treat it as if you’re a credit reporting agency. In other words, store it safely, lock and key. If it’s digital, make sure it’s password protected and stored somewhere that’s password protected. I’m going to give you some advice on how to do that best. Only authorized people can use it, and obviously shred those documents if they’re no longer in use.
Rejection for credit may be the only way to detect an ID theft. Even if a credit report was not the primary reason for rejection, you must send an adverse action letter. This is actually a link to MassLandlords.net that will show you where to get that form, so if any of you don’t already have that form, it is available to you. Again, that address, that link will be in the handout, so we give you as well.
The 201 17, this is a state regulation in the State of Massachusetts. This applies to you, folks. It also applies to all businesses that are out there that says, “How should you and do you need to protect personal information?” It’s a long checklist. You can actually get the checklist right online from the State of Massachusetts. It’s going to start with you must have a WISP, a Written Information Security Plan. It just dictates how you treat that information.
We’re going to talk about the processes you have, how you train your employees if you have one, and then it gets into the specifics as far as it’s basically a document that’s going to say, “This is how I protect my passwords. This is how I protect my tenants’ information if I’m storing it whether it be paper file or digital.”
Now let’s talk about some of the things that you guys have to do in order to maintain your compliance with a lot of these systems right here.
The first thing we’re going to talk about is updating your OS. I’m going to try to keep this as non-nerdy as possible and I know sometimes that’s hard to do. But what we’re really talking about here is keep your computers up to date malware, antivirus. The most common way that your information is breached is because you didn’t update your systems. Most commonly, we’ll run into people that have an XP computer. They’re running XP. They’re not running Windows 10 or Windows 8 or 7, or something like that.
Every virus in the world is written for an XP computer right now. This is a huge vulnerability because Microsoft no longer supports it. They no longer patch it. They no longer protect that software anymore, so every virus that’s written out there. If you have an XP computer and you’re on XP, chances are at some point, you will get a virus no matter what you do. Update your systems.
There’s lots of other things you can do. If you run an antivirus that has a firewall, or you run separate software firewall, make sure it’s turned on. Make sure it’s working. This comes back to that the larger your organization is, the more you’re obligated from a responsibility standpoint. Small one-person, two-person offices, software firewall might do the trick and you guys are good and you’ll meet that level of compliance. As your organization grows, you’re starting to get to bigger business-grade firewalls—SonicWall, Barracudas, Untangle, things like that. It does scale as you guys grow.
In other words, don’t keep old equipment. Don’t use computers that have been around for 10 years. Update them. You’re going to get better productivity out of them, and you will be protected.
This is usually when everybody looks at me like I’m crazy, but do you need antivirus? Everybody probably in the room is going to say, “Absolutely! You need antivirus!” I will tell you that yes, you should have antivirus just so you have a level of protection, but the truth of the matter is, what’s more important than antivirus is educating yourself and being careful when you are surfing the Internet, when you’re online.
There’s lots of different antiviruses that you can use that will block viruses. They will block spyware and malware. If you’re interested, viruses basically if they get into your computer, they do their own thing. Spyware is the kind of stuff that will steal your passwords. Malware is things that can slow down your computers, they can steal credit card information, all that kind of thing.
An antivirus program will try to catch those things and quarantine them, but here’s the truth of the matter: there are thousands and thousands and thousands of viruses written every single day. If some smart guy comes out with a new virus today or new piece of malware today, chances are the antivirus you have is not going to catch it, if you get it today. It’s just not. Maybe a couple of days from now, it will catch that virus, so it’s not the end-all-be-all.
Just because you have an antivirus does not mean you’re not going to get a virus, you’re never going to get malware. The best thing you can do is to educate yourself and be careful when you’re online. We’ll talk about some tips on how you can do that.
I’m going to turn this over to Mike just to talk about a little bit about encryption in case you guys are interested.
Mike: All right, encryption is very old. We’ve been using it for thousands of years mostly in the military to pass messages. People had a cipher where you would basically convert one letter to another. It’s significantly more advanced now. This is basically how it works: You convert D to X, G to P, O to L, and PLLX LP! turns into Good Dog. That doesn’t work anymore. It’s easy to crack. Computers don’t use it. This is what we had to do when people had to figure out encryption.
Nowadays, we do it all with math. We take prime numbers, which get to be really, really big and really, really crazy. Well, picture G to D and those conversions do that, jumble it, and then do it again and then repeat that process 10,000 times, then do it another 1 million times, and then you sort of get results like this. This is what an encrypted email message might look like. If your message is not encrypted, it says this email is, “To Bob from Mike,” this is the subject, this is the body, and here is the attachment.
If your email is not encrypted, that’s what your email is going to look like on the Internet. That’s important if you are at a Starbucks or something like that. If you’re not sending encrypted messages, somebody at Starbucks can read your email, but if you’re sending encrypted messages, this is all they see.
Encryption is also very important on your hard drive, so you guys might have passwords on your laptop, but if your laptop is not encrypted, you leave your laptop behind, I can take your laptop, somebody else can take your laptop, they can reset your password. They’re in there in 5 minutes, and then they have all those scanned PDFs that your tenants filled out that have their social security numbers, addresses, phone numbers, previous addresses, all that stuff. Then 201 CMR 17 fines you a bunch of money, and then you’re broke. Encryption is very boring, but it’s very important.
The ideal encryption relies on private and public key system. It gets a little complicated. Basically, I have my own private key that nobody else knows other than me, and I have a public key that I tell the whole world and we sign things with our keys, and that’s how you know it’s from me, I know it’s from you. Anybody else only sees this jumble of mess, but then we can see the actual message of just hello on the public keys. Like I said, it happens thousands, and thousands, and thousands of times. Processes are very good at doing this, human beings are not.
Encryption we see most commonly on websites. The easiest way you’ll see it is HTTPS in the corner. If you don’t see that, don’t put any personal information into the website. It’s not encrypted. Again, somebody at Starbucks can see it. It’s very difficult, it’s not impossible, but it’s very difficult for somebody to fake the HTTPS.
Things to watch out for on the HTTPS, a lot of times, you might get taken to Bank of America with the I is an L, and it looks just like Bank of America but it’s not Bank of America, so pay attention to the website you’re on. Make sure they’re encrypted. You are the person entering that information. Even if you have something bad on your computer, you’re on the wrong website, if you are paying attention to the website, you’re the last bastion against it.
Some things that are encrypted by default. An iPhone comes encrypted now. Some Android phones do, some Android phones don’t. They all support it, though. I would highly recommend that you turn on encryption for the same reason that you encrypt your laptop. If somebody steals your phone, your phone is your most personal piece of technology you have. You want to protect that.
Then we have fax. Nobody likes fax anymore, but it’s not on the Internet, which is why people still use it. It’s a direct hardline unless somebody is bugging your phone, then they can probably see your fax machine.
What you can encrypt your laptop with, if you’re on Windows 10 or you go to buy a new computer, buy a Windows 10 Professional. It comes with BitLocker built in. That’s a DOD compliant encryption software. It’s very good. It’s free. Like I said, it’s part of Windows, so buy a Windows 10 Pro computer. Windows 7, like Rick said, is miles better than XP, but it’s still 9 years old. Well, it will be 9 years old in a month. It came out in 2009, so there’s been 9 years of technology and security improvements on the Windows 10.
Email, Gmail is very good. They turn on encryption at any point. Gmail and Outlook.com are definitely the two most secure. I would hesitate to use the Verizon.net, or an AOL.com address for your business email. Sorry, Mike. They give it away for free to millions of people, and Gmail does as well, but Gmail they generate revenue from ads, a heck more than AOL does.
You can also send secure mails, so there’s secure mail from Gmail. I’m sure you’ve gotten emails from your bank, let’s say, “So and so sent you a secure message. Click here to open it.” That’s a good way to send those confidential PDFs when you’re trying to get a background or anything like that. Those are very good because those are totally encrypted.
As far as on websites, there are browser extensions that will try to use HTTPS if websites support it. Most websites support it now, but they don’t switch you over to it by default. Truth being it messes with their advertisements a little bit. It’s harder to serve ads on HTTPS. There’s also another browser extension called Web of Trust. A couple of those are pretty good. They’re easy to find in a Firefox Store, Chrome Store, anything like that.
The downside to encryption is that if you forget your password, you lose all your stuff because it’s encrypted, and you can’t break in. Ideally, your encryption will take thousands of years to break through, so that’s where backups come in. We want to back up our data. Even if it’s not encrypted, you want to back up your data. But there’s a million different ways you can back it up. You can do very simple things like keeping your files safe on a Dropbox, or Google Drive, or iCloud, OneDrive, anything like that. That’s the simplest thing you can do. Those are free. It’s not true backup, but it’s somewhere. It’s not on your computer. There’s a copy of it somewhere.
You can also use services like Carbonite, SpiderOak. SpiderOak is less popular, but they have a policy built in where they can’t access your files, so that one is good, but Carbonite and there’s a million others, just like them. They will take a full image of your computer, you get a virus, you can recover.
Almost all of these turn on encryption, so that whenever that data leaves your computer, it’s encrypted and stays encrypted up there and they work on a continuous basis, so you don’t have to leave your computer on at 3:00 in the morning. You save a file, it gets backed up.
Bigger companies, like Rick said, they need bigger backup solutions. If you got an office with 20 people, you’re not going to want to only use Dropbox as a backup. You can want something a little more robust.
Finally, it takes us to passwords. Passwords are the most important layer of security. If I’m a computer, I ask for your name, I ask for your password. I don’t care who gives it to me. If the name and the password are right, you’re allowed in. Passwords are very important. They’re easy to hack if they’re your kid’s names, your pets’ names, anything like that, if they’re your own birthday. If your password is password1, please change it. It still happens. A lot of people welcome1. I saw a guy, his password was changeme123 because he didn’t change it.
Passwords should be changed often. I know everybody complains about having to change their password and they have too many passwords. They have 30 of them. It’s for a good reason. If you sign up for a website and you have your business email address and you sign up for a website like MassLandlords and you use that business email address, then you sign up for another website, and you use the same password on all three of them because you can’t remember if one of those gets hacked, that person, whoever hacked it, has your information for all of those websites.
Rick: One second.
Rick: I was going to jump in and iterate real quick and have some fun, make sure everybody is still awake. While I was networking with everybody a little bit earlier, I was talking to one of your fan favorites. Michael Deluca. Mike, can you bring up that type? You don’t have to bring it up on the computer. Even on your phone, it’s fine. We won’t embarrass him too, too much. Mike Deluca has his email address on his business card, and while we were talking to him, we used a quick little program on our cellphone.
If you want to know how technically advanced this really needs to be, and we put his email address through a program that identifies if his email and potentially his password has ever been hacked by anybody before and if it’s out there on the Internet. Mike Deluca, do you think that your email address and your information has ever been stolen? Mike, what do you got?
Rick: Twelve times it’s been stolen. Give me one. I think I saw LinkedIn on there.
Mike: LinkedIn was one of them, and there’s a few on the mailing lists.
Rick: When was LinkedIn hacked?
Mike: May 2016.
Rick: May 2016, LinkedIn was hacked and your email address and any information that LinkedIn had associated with you, which means your LinkedIn password has been stolen, compromised, and resold to everybody trying to do good. Let me ask you a question, answer this at your own risk. Is your LinkedIn password the same as your bank account password? Thank God!
Rich: Because if he said yes, your next question would be and what bank—
Rick: What bank do you use?
Rick: Honestly, we talked about whether we were actually going to try that live here to see if we can get into somebody’s bank account, but we figured we might get ourselves into trouble tonight, so we didn’t do that. But yes, your information has actually been stolen 12 times. We did the same thing with Michelle, sitting right next to you. Michelle, do you think your information was stolen?
Michelle: [inaudible 0:22:51]
Rich: Well, Rick, she’s an attorney. I mean there’s no way—
Rick: It could never happen to an attorney. Last year, I think Michelle maybe you’ve heard this story before, last year I had an attorney who uses our service and she called me up one day and she said, “Hey, Rick! Thank God you encrypted my cellphone because I was sitting on a beach and it fell out of my pocket and I lost my cellphone and all my client information is on there.” Her cellphone was encrypted, and she didn’t have to report a breach. Two years ago, we worked with a company in Boston. This is a restaurant company that got malware on there. They weren’t aware of it. They settled for a $100,000 fine.
When we’re giving advice, we’re talking about a couple of things. We’re talking about what should you do. Update your systems. If you have a system that’s 10 years old, update that system. Get yourself on an antivirus. Be careful when you’re on there. Encrypt your laptop. Like Mike said, if you’re updating your system and you’re buying a new laptop or a desktop, or something like that, if you’re buying a new laptop, it’s going to come with the latest and the greatest. This is such a big deal now that the latest and greatest software comes with encryption already built into it free, so make sure you buy the professional version, not a home version. Everybody here is doing business on that laptop. They’re professional. They’re not at home. They’re not just streaming Netflix, and things like that. Those are some good advice.
As far as passwords go, we gave you some advice over here. The best password here, everybody, write this down, and then tell me what your bank account is, r1ckp0rterisgreat, the I is a 1, the O is a 0, and you can see what I did over here. R1ckp0rterisgreat, write it down, best password ever. I promise. Well, it might get hacked, but hopefully it doesn’t.
Be creative, be creative. Yes, password1 is super easy to crack and we run into it all the time. You got a clicker, Mike?
Rich: Before we go on, I’m going to go around and collect some questions.
Rick: Yes, sure.
Rich: We just covered a lot.
Rick: A lot to talk about.
Rich: A lot of ground. One thing we just want to reiterate, for me that was very eye-opening, was that at the very beginning where we just talked about the FCRA, if we collect applications and we run credit, we’re treated the same as like any creditor.
Rich: Which I didn’t realize like no matter how small your landlording business is, you’re held to that kind of standard at least, as far as the adverse action letter. Because I’ve always given it to folks if we turn them down because of credit, but if you checked their credit and you turn them down for another reason, you still have to give them an adverse action letter, and I didn’t know that until I saw that.
Also, while I walk around, can you tell us what a browser extension is because I would imagine some of us don’t know?
Rich: Put your hand up if you have a question, I’ll start walking in your direction. Peter has one.
Mike: While he gets to Peter, a browser extension is like an add-on or a plug-in. If you use Chrome or Internet Explorer, they have extensions. Chrome has a whole Chrome Web Store, they call it. I would recommend you use it for Google Chrome. It’s very easy to use. It’s fast and they come with a lot of good security built in.
Peter: Yes, I have a question about the cloud sites like Google Drive and Dropbox. You’re saying the default is those are encrypted without you doing anything?
Peter: Okay, and is that I mean I’m always worried when I put stuff out there that all my stuff is there, and Dropbox or somebody, the government whatever there’s a way for them to get into it. How hard for them to get my data?
Rick: That’s a very good question. Actually, I’m going to give you a 2-part answer. It’s like anything else, some are better than others. You mentioned Dropbox. That’s one of the ones that’s on there. A lot of people use Dropbox to back up their files, maybe even store their files, share their files, very, very common one especially because for the first 2GB it’s free.
The way Dropbox works, for example, they use encryption, but their type of encryption is called encryption in transit. Basically, what that means, as you’re uploading it to them or as you’re downloading it to yourself, it’s encrypted, and you’re protected there. The one piece that Dropbox is not good at is what’s called encryption at rest. In other words, when nobody is doing with it, if they get hacked, is it susceptible? The answer is yes. It’s better than just storing it on your laptop. Is it perfect? No!
Now you start paying a little bit more for a company like the Box, a funny little thing here. Dropbox is an open box, that’s their logo. I don’t know if you’ve ever heard that funny nerd joke before but it’s an open box. The Box right here, that’s an answer to the Dropbox issue. The Box is a little bit more expensive. I think you pay $15 a month for your account. They encrypt your data at rest and in transit, so there are some that are better than others, so when you’re choosing where you want to store your documents, I would just read through all that because you’re absolutely right. There are some that are more susceptible than others, and there are some like Dropbox that get breached all the time with passwords.
We’ve talked about passwords. Why is it that celebrities get hacked so often and their pictures that they had in Dropbox are leaked everywhere? It’s because if your password is not complicated enough, it can be hacked very easy. With celebrities, their personal business is everywhere. You know their birthday, their mother’s maiden name, all that kind of stuff. You put all that stuff in a software program, it can crack your password pretty easy. Our password is a little bit harder, but keep a very difficult password no matter which one of these you use. Does that answer your question?
Peter: [inaudible 0:28:44]
Rick: Sure, yes.
Rich: And a lot of celebrities have a limited vocabulary, so it’s probably not that hard.
Rick: Yes, exactly.
Rich: I know someone is going to ask, where did Hillary Clinton keep her email, so we cannot keep our stuff there?
Mike: Yes. That’s what she used to do.
Peter: Is the issue with the Equifax related to any of these? I’ve been hacked.
Peter: And Equifax has been hacked and I’m one of those people, but nobody seems to have an answer. They want to charge you for this and that, and then you find out—Equifax wants to charge you—what do you call the other one—wants to charge you and they’re with Equifax, so you don’t know what to do.
Peter: I don’t know what to do.
Rick: Absolutely, and that’s kind of the point that we’re talking about is that yes, you guys need to be compliant. You guys need to be careful and protect your information, but as we talked about, as companies grow and they get bigger, they become more and more susceptible. They were a huge target. People are trying to hack Equifax all day long, so they have to take even more security measures. Bottom line, at the end of the day, like I said, do you need antivirus? Sure, you should have it, but it’s not going to protect you from anything just like no matter what Equifax puts in place, they still get hacked. Hollywood studios still get hacked.
It’s a real issue, so the best thing you can do is a lot of these best practices that we’re talking about, but at the end of the day, I’d be lying to you if I told you if you do all of these things here, you’re never going to get a breach. What we’re talking about today is protecting yourself so that if you end up in a situation where there was a breach, or your information was stolen, you’re not liable.
You’re going to go to court and say, “I put all my information with the Box because they told me it would be safe. I have antivirus. My systems are up-to-date. I have my firewall, and my antivirus turned on. I’ve encrypted my laptop. I’ve encrypted my desktop. I did everything that told me to do, I’m not liable.” These are the defenses that you have if ever there is a breach.
Male Audience 1: I have an app that does barebone tenant data information aggregation. Which specific PII should I be more concerned about from a legal liability perspective?
Rick: PII is different from every different organization. I’m going to go with the 201 CMR, which is specific to Massachusetts. It is a gray area [unintelligible 0:31:16] whatever, but nowadays, it’s considered first name, last name, and an address. It could be as simple as that—did I lose? Okay, sorry.
Credit card information, certainly. Social security information, of course. Those are the big ones but nowadays even first name, last name, and an address is considered PII now and these are protected because if you put all those things together, you can go online and you can find just about anything you want to know about the person.
Male Audience 2: I have two, one question and one statement. I have two computers and I have them on all the time. They’ve been on for years, but what I do is when I’m not on the Internet, I shut the Internet off on the computer, but the machine stays on. Would you recommend that people do that rather than leave it logged on to the Internet 24/7?
Mike: That mostly comes down to a choice you have. I like to explain security as a little bit of a dimmer switch. You have security all on one side and convenience all on the other side. I wouldn’t necessarily recommend that because that tilts you very far away from the convenience side and it may make it much more difficult to do your job in a timely fashion. But if you’re okay with that, it absolutely makes you more secure, but it does make it much more inconvenient. You have to find that balance and if anybody here ever needs help finding that balance, that’s what Rick and I are for.
Male Audience 2: Okay, the other thing is how do these people from Windows Support get my number? They call me three times a week when I log on to my computer and help me, because my computer has been infected. They always seem to have an accent.
Mike: Part of the problem is a lot of the actual IT support has been outsourced to those same countries, so people come to expect that accent with real tech support, but the answer is they get your info from people that didn’t protect it. They didn’t protect your information. They got hacked. Now your number is in a database with 4.8 billion other people.
Rick: We talked about Mike Deluca. His information from LinkedIn, for example. His information from LinkedIn was stolen in 2016. They don’t steal it just for fun. They want to make money on this, whether it’s they want to personally hack in and try to steal from them, or what most people do is they sell his information, his and thousands of other people who will call you and the popup that you’re getting or the phone call that you’re getting, they’re probably saying, “Hey, we found a virus. We found this on there. $400 will clean it up.”
Rich: Because they put it there.
Rick: Yes, because they either put it in there or because they bought your information because somebody else stole it. Best thing to do in that situation if you’re getting a popup on your computer on a regular basis is run your antivirus program as well, just make sure you don’t have anything. If they’re calling you and nothing is actually happening on your computer, it’s because they bought your information from someone who stole it.
Rich: We’re going to let these guys finish up this part. I know we still have questions. The meeting is over in 5 minutes. Rick and Mike are hanging around, so you guys won’t mind if people come up and ask you their questions afterwards, right?
Rick: No, not at all.
Rich: Okay, all right.
Rick: Yes, we’ll hang out. One thing, in my opinion this is probably the best slide that you guys can take away from this. I may or may not have been talking to somebody before this, that said, “Yes, I don’t use the same password for everything,” which is great. You don’t want your bank account password to be the same as your email or your LinkedIn because if LinkedIn gets stolen, they can get into your bank account, right?
Now you have a million passwords and that’s probably the most frustrating thing on Earth for you, guys, especially when these programs make you change your passwords and you forget all your passwords. What a lot of people do is they write it down on a piece of paper. If that piece of paper ever goes missing or stolen, or whatnot, you’re in a world of hurt. There are some free programs and some paid programs that are out there.
This is a really good one here, LastPass, Dashlane, Encryptr, KeePass. There’s a bunch of them out there. What do these programs do? I personally like the LastPass. What this is, this is a secure website. They pay a ton of money for security more than you ever will, so if you’re going to store your passwords with yourself or with somebody else, store with somebody who’s going to pay a lot of money to protect it. It’s your best choice.
LastPass, what you do is you create one password to get into the software and all of your passwords are stored in that program. Now you really are going to record them all. You’re going to take that piece of paper and you’re going to put it online to a company that spends millions if not billions of dollars to protect it, and you’re going to have to now remember one password. Get rid of the piece of paper.
I can’t tell you how many companies we go into and I sit down at somebody’s computer and there’s a yellow sticky note on their screen with their username and password.
Rich: Or a Word document.
Rick: Or Word.
Rich: On their computer that has everything in there.
Rick: Don’t fool me if you slide it underneath your keypad. That’s the second place I’m going to look to. These are really good programs. It’s a much more secure way for you to store a lot of that information.
This is a big one. I know we’re running down to the last 5 minutes, so if anybody leaves on me at least from here on, I won’t be offended. If anybody left before this, I’m deeply offended, but we’re going to talk about emails because emails are huge, huge issues. I know we have some lawyers here. We have buyers and sellers and things like that. There is a ton of wire fraud going around. I think you guys all know that, so we want to talk about it and address it a little bit and give you guys some advice on some ways to protect that and make sure it doesn’t happen to you.
Mike: The most common things we see right now are email impersonation and the wire fraud transfers. This is from BZ 4. The I-Team investigated. A couple closed on a house, public record, got an email from somebody impersonating somebody involved with the transaction said, “Wire your funds to this bank account, this routing number.”
They did it. They lost $142,000. Now the bank didn’t do anything wrong. The bank listened to their instructions. They wired the money, and that’s it. It’s not the bank’s fault. Because these people didn’t have an insurance policy, they lost $142,000. Banks are not going to help you.
Male Audience 3: I have customers right here in Worcester that have sent $30,000, $40,000 wire transfers gone. FBI is involved now, and bank insurance and things like that, so this is not just a widespread story. This is in Worcester that this still happened as well.
Mike: Yes, this happens I think it was something in the ballpark of $35 million in Massachusetts was stolen, and that’s based on what’s reported, which is around 10 percent to 15 percent.
The important things to look at, this is an example from Gmail. You can change what the display name is. My email address could be a bunch of gibberish at nothing.com, but I can make my display name look like somebody on that public record of your closing deal and you see, “This email is from Mike. It says it right there, it’s from Mike. Sure, I’ll listen to the wiring instructions.”
But click on that little button if you’re ever suspicious or even on a very important email and you can see who it’s actually from. This email is from firstname.lastname@example.org, so we know it’s from the Gmail team, but a lot of times you’ll see this to be something gibberish or it won’t match. If you don’t recognize it, don’t trust it. Call somebody. It’s not worth losing tens of thousands or hundreds of thousands of dollars over.
It’s very important. You can do this in Outlook as well. You can double click on the address. Just be vigilant because the computer is only going to do so much. Spam, if it’s a well-written email, it’s not going to get caught in spam.
This is an example of something. We see here, ICICI Bank, some bank. That’s the display name, but it’s coming from whatever this is, so you should know, “All right, I’m not going to trust this.” It’s good just to have a phone call. Needless to say, this is where the mail came from, did they use encryption. Any legitimate email is definitely going to use encryption as part of it. But you really just have to be vigilant and be suspicious of everything. When in doubt, just make a phone call.
I think we can probably skip that. We’re running out of time.
When you get a URL link much like faking that display name, they can make the URL link, the blue text, look like anything, but if you hover over that, your web browser will show in the bottom left-hand corner what the actual URL is. If it says, “Click here to verify your Bank of America log-on details,” and that URL doesn’t go to Bank of America, don’t click on it.
We can skip that. We actually hit this overstep, so I don’t want to run too late. I want to get questions.
Rick: Yes, we can get a couple of more questions, but does everybody now understand when we’re talking about hovering? We’re talking about taking that mouse, placing it over, not clicking on anything, placing it over the URL or whatever the word is, the link, and finding out where it actually goes to?
Okay. I don’t know if you want me to recap. Again, but these slides are available for you, guys, so you have them all, so I can give you some good steps and some good tricks and some good resources for you, guys, to be able to better protect your tenants’ information and things like that.
If there’s any other questions, we’re more than happy to answer questions.
Male Audience 4: Where are the slides?
Rick: Are you going to email them all? Post it—
Rick: Okay, it will be posted to the website.
Rich: Yes, they will show up there. When you go on, you see the past meetings. You go to WPOA Past Meetings, you’ll see this whole presentation and you’ll see the slides there available as well. Let’s hear for Rick Porter and Mike, Cinch IT. Thank you very much.