Security Ignorance – A Cause For Concern?
This week, arguably, one of my biggest clients decided they wanted to pay their entire invoice via credit card instead of the usual check. Thinking that my credit card processing company would have my back (because I hadn’t had a single transaction issue or complaint and because this particular client of mine is a large financial institution with a great reputation), I proceeded with the transaction. Within 24 hours, I would discover that even at a large credit card processing company, ignorance of security protocols can still occur.
When I ran the card, the system processed everything just fine, and it even sent my client a receipt and confirmation as expected. Nothing indicated an issue, and everyone was happy… or so I thought. The following day, I received an email from the processor saying they were putting a hold on the transaction. They said…
Please provide a copy of your invoice, receipt, or contract showing the cardholders full name, billing address, contact phone number, and products or services provided for the transactions below. Please also provide 3 month’s of bank statements to raise your high ticket.
I went ahead and emailed the invoice for that transaction in question. I even invited them to contact my client directly to confirm that the transaction was valid. However, thinking that perhaps they didn’t quite mean what they wrote, I decided to hold off on emailing them the bank statements.
When I spoke to the rep, she declined to contact the customer and said it wasn’t necessary. However, she pressed me again about emailing the company my bank statements, which I directly and emphatically refused for what I thought would be obvious reasons. She was confused by my hesitation to email the statements and continued to pressure me as I declined the requests. Eventually, we hung up the phone, and within minutes, I was emailed the following:
“In an effort to protect our merchants from security threats, we periodically select random transactions for further investigation the transactions below has been randomly selected in this manner to ensure your account is protected.”
I’m not sure if you caught that or not, but I responded by pointing out the irony, which was that they were telling me that they wanted to protect me while, at the same time, trying to get me to email them my sensitive financial data. Now, I am well aware that WAY TOO MANY of us (statistically speaking) don’t see the big deal here, so let me demonstrate it.
When an email is sent to someone outside of your network, it travels across a series of other networks and servers before eventually reaching the intended recipient. More often than not, such emails are sent via readable text. Hackers can intercept the data completely undetected during all of this bouncing around. This is Security Management 101: NEVER EMAIL SENSITIVE OR POTENTIALLY SENSITIVE DATA TO ANYONE! Some will argue that I could have sent the message and files encrypted, but that only solves half the problem. I don’t know who is viewing the data on the other end or how they are storing it. Regardless, I just refused to take the chance, especially after requesting that I send them sensitive financial data over unsecured lines.
As I said, some don’t think it’s a big deal, but that’s only because way too many haven’t seen the data. Never mind the numerous events involving countless politicians regarding their hacked emails in recent years. Instead, let’s take a moment to consider what information could potentially be intercepted and used by potential evil-doers.
Go ahead and pull a complete bank statement. If it’s anything like mine, your bank statements likely contain at least some of the following useful information (if you know where to look):
- Your name
- Your address
- Your business, if you have one
- Your clients and potentially their info as well
- Your bank balance
- Your spending habits
- Your banking institution
- Your account number
- Your deposit habits
- Your routing number
- Your signature
- Copies of your checks
The check copies alone should raise some eyebrows because more than 1.2 million worthless checks enter the payment system every day. That’s right, more than a million checks are forged daily, equating to losses totaling more than $18.7 billion. And you know what? It’s getting worse. According to a report issued by the American Banker, estimates of losses from check fraud will grow by 2.5% annually through 2020.
So there I was… being asked by a financial institution representative to send this sensitive information over email. I was NOT happy. I see it as my responsibility to stop fraud if I see the potential, and I see the potential in this case.
The truth is that someone could simply steal the information and print that information on totally different check paper. Unfortunately, because police departments are desperately losing manpower with decreasing numbers of officers and recruits, prosecutors often fail to pursue an estimated 75% of bank check fraud cases. That leaves the mess and loss to people like us, and it places even greater responsibility on the shoulders of people who understand the threat.
In this age of technology, too many have become lazy about our information and privacy. WE NEED TO STOP IT! According to 2018 Identity Fraud: Fraud Enters a New Era of Complexity from Javelin Strategy & Research, in 2017, there were 16.7 million victims of identity fraud. That’s a record high. In fact, the Identity Theft Resource Center (ITRC) recently announced its 2017 Data Breach report and said that last year there were 1,579 data breaches exposing nearly 179 million records. They said that it represented a 44% increase in breaches and a 389% increase in records exposed. I don’t know about anyone else, but I refuse to be a part of that if I can help it, and this is especially true when my clients are even remotely involved. Just take a look at the growth of data breach incidents to get a better idea of the concern…
Now, of course, I was frustrated that the situation with this processor disrupted the flow of business in too many ways. Yes, I was angry that this experience would cause a major inconvenience to my client. Of course, my confidence in the service was shaken to the point that I had them go ahead and cease all activity until I could speak to a supervisor. But all of these things pale compared to my shock regarding the representative’s apathy towards my concern and her unwillingness to listen. She insisted that I would be emailing my statements if I wished to continue doing business, and she wouldn’t budge.
Thankfully, as it turned out, it was merely a horrible training gap. The situation was eventually rectified, and the institution processed the transaction without further hassle. From what I was told, the representative was pulled and trained on security protocols, and the company was going to ensure that others didn’t have similar gaps to ensure similar situations wouldn’t happen in the future.
Financial data security, care, trust, and cooperation are just a few things that make a business partnership prosperous. I should probably add diligence to that list as well. If I hadn’t pressed, pressed, kicked, and screamed, who knows what might have happened? If I were unaware of the dangers of emailing data and simply trusted that she knew what she was doing, who knows what I could have done to myself or my clients after hitting “send”? Thankfully, a potential tragedy was avoided due to a strong understanding of security protocols. Hopefully, this lesson helps you or motivates you.
This brings us to why I am sharing this. Really, I wanted to remind everyone of these three points:
1) Learn about the security threats that we face. Learn about them and learn about ways to protect yourself. Ignorance is no excuse. Fraud is on the rise, and your information is very valuable. The little things make all the difference or cause all the trouble. Even posting on social media without thinking can be a problem for some.
2) I wanted you to know that sometimes you’re going to have to advocate for yourself or others and that it’s okay to do it. You should never give up when you are confident you’re doing the right thing for the right reasons. Be open, be mindful, be ethical and listen, but fight for yourself and your clients/others, especially when they can’t.
And 3) from a business perspective, when my clients have an issue, I listen to their concerns and then proactively work to rectify the situation. Can you imagine a world where more companies trained their staff to do this? Sure, nobody is perfect, and mistakes can and will happen, but when we listen to one another, REAL solutions can be found, and REAL customers are made. When REAL solutions are found, solid long-term business relationships are formed. Remember that your customers, employees, and stakeholders are the boss. Without them… you have only you.