In today’s digital world, accessing personal information, especially financial data, is easier than ever. In this episode, we talk with Page Adlington, Senior Manager at Charles Schwab, about why protecting your data is a key part of securing your retirement. Together we explore practical tips to help keep your personal and financial information safe.
Episode Transcript
Intro/Closing: 0:03
Welcome to the Real Talk Retirement Show, where we explore the financial side of retirement and beyond. Whether you’re currently retired or planning for the future, we offer real, relatable conversations about money and personal finances. Most importantly, we dive into all these topics using Real Talk. Now, let’s get real about your money and your retirement. Now, let’s get real about your money and your retirement.
Tracy Burke: 0:29
Well, hello everyone. This is Tracy Burke, co-host of the Real Talk Retirement Podcast and flying solo today as a host. We gave my witty co-host, Brian Graff, this episode off, since we have a special guest joining us today, and that special guest is Page Adlington, a senior manager at Charles Schwab Company and part of their technology consulting team. Paige has over 25 years of experience and we welcome her to the Real Talk Retirement Podcast. So thanks so much for joining us today, Page.
Page Adlington: 1:01
Thank you, I’m excited to be here today.
Tracy Burke: 1:03
And Page is coming to us from Dallas, Texas, so excited to have her with us again. So again, this is a special episode. We’ve all likely experienced fraud in our lives, especially financially, at some point, and unfortunately, it’s only likely to get worse. Today we want to spend a little bit of time here discussing what to be aware of in the world of fraud and how everybody can protect ourselves from being the victim of fraud, especially again on that financial front. So that’s our topic today.
Tracy Burke: 1:40
We’re just going to jump right in Page and as we read newspapers and take a look at the news, it seems like there’s just always news of data breaches on really a weekly basis. Now it’s frankly become so common that sometimes it doesn’t even hit the news, so to speak, anymore. But of course that doesn’t mean we can let our guard down anymore. But of course that doesn’t mean we can let our guard down. It really seems like everyone that I know has received at least one of those letters in the mail right, saying you’ve been a victim of a data breach of some sort. So at some point I think it’s probably fairly safe to say that it’s no longer a matter if pieces of our personal information are floating around there in a dark web or somewhere else. Would you say that’s a fair statement, Page.
Page Adlington: 2:29
Oh, absolutely. You know, when I’m having conversations about cyber, I stress here that a little fear, or even a lot of fear, is good. You just need to assume and I even do this in my own personal life, friends and family you just need to assume at this point that your information is out there and that can be some pretty detailed information. And I put it that way because, really, the way you defend yourself with that assumption is to think about actions, activities that you can do to protect yourself with regard to the fact that your data is probably out there. I mean, that’s really the way to address cybersecurity is assume it’s out there and then think about all the steps and the precautions you can take to protect yourself.
Tracy Burke: 3:17
Yeah, for sure. And again, I heard you just say you know it’s likely that your personal information is out there in some way, shape or form and really ready to be used by, you know, those bad actors, so to speak, for their own gain. So you know, it’s incredibly important to protect ourselves and make sure that we’re not easy targets and again, it’s a topic today. So, you know, let’s maybe start with email and some best practices with email, since you know, I know it’s very easy to be a clicker right when we’re dealing with email and that can get us in lots of trouble. So I think I’ve heard the phrase being used before that email is cyber public enemy number one. So tell us a little bit about what that means, Page.
Page Adlington: 4:03
Yes, so you know, when it comes to email, and specifically with regard to what we see at Schwab, almost you know well over 99% of fraud is initiated via email, and so when we say that it’s public enemy number one, you just it is. It is because it is the most common form of communication these days, and there’s definitely a false sense of security around email. What you need to be aware of is that email is, you know, you can think of it as an equivalent to sending postcards through the mail, imagining what you would put on a postcard and believing that everybody in that chain that handles that postcard can read what you say. And so would you put your social security number on a postcard? Would you put confidential information and an email? No, you wouldn’t.
Page Adlington: 4:55
And you really need to think of email that way. We see both. You know individuals, you know myself personally. You know, in all aspects of life, the chance that your email has been compromised is pretty high. Now, there’s things you can do to protect yourself, but really this is where we stress the idea of you don’t need to put confidential information in an email. I even like joke that we need to go back to the days where we pick up the phone. I mean, you know it’s like this kind of counter switch to oh, we don’t have to call each other, we can text and we can email. But really sometimes the most valuable way and the most secure way you can protect yourself is you don’t have to send that via email, pick up the phone. Or think of secure channels like portals or, you know, secure links.
Page Adlington: 5:46
You know you just really need to think of email as a place where fraudsters sit and that’s, you know, I actually go out there and stress fraudsters can sit in your email for months.
Page Adlington: 5:58
If your email is compromised, a fraudster can sit and watch your activity for months. They can have software that’s monitoring for keywords like mortgage or money movement you know all types of financial activity and then that flags them to come back and look at it. What also that means of a fraudster sitting in your email for a long time is. I mean, like most of you, I have an email that’s been around for decades, my personal email and I think sometimes of what I would have done maybe 20 years ago and sent because of, you know, just lack of awareness around cybersecurity. Those emails live there. So if you sent tax returns 20 years ago and you didn’t delete them and you didn’t clean up, there’s a very good chance that fraudsters can go back and go back 20 years or however many you’ve stored and pull out that data. So that’s where we talk about is like email is just extremely risky place to do anything of a confidential nature.
Tracy Burke: 6:59
Yeah, and that’s that’s so true with past documents that are being sent, that were sent and so forth. And just to emphasize a little bit for our listeners about sending secure documents and information here at Conrad Siegel, the clients we work with there certainly are times where we will be the receiver of sensitive data, whether sometimes it’s an account number they want to share an outside account or some type of information. And again, of course, we always try to you know, educate and direct folks. Let’s just not be sending anything sensitive, you know, and that includes attachments to your point there, but using some secure attachments to your point there, but using some secure, whether it’s a vault, client portal, secure messaging of some sort along there. So now that again, I think we can probably all agree that email certainly can be dangerous. Page, can you explain what can we do with email security to better protect ourselves?
Page Adlington: 8:02
Yep, when I approach cybersecurity, I tell folks that there’s no one thing that’s going to save you. And I say that because there’s no. You know people are like what’s the one thing I can do that’s going to protect me? Or if I do this, am I protected? And really it is no one thing. It’s all about layering protections. So, for instance, when we think about email, your first line of defense with email I could say is you’re not doing email over free Wi-Fi where somebody could be watching you even more specifically. So kind of think you know controlling the environment where you’re doing activities around email. Or you know, on networks, and then I say a password, I mean we can just talk. I mean I could spend an hour talking about passwords alone, but password is your first line of defense.
Page Adlington: 8:54
And when I say a password, you know historically there was some thinking, you know expert thinking that you needed to have, say, eight to 10 characters. You needed to change it every 90 days. You know that type of activity and really that is no longer the case. You know what we’re seeing over and over is that what is important about a password? It needs to be lengthy and it needs to be unique. So when I say lengthy, that means 12 to 15 characters and believe me, I live in a world, at Schwab, where I have a 15 character password, you know. So it’s becoming the norm. So, yes, we’ll start with lengthy.
Page Adlington: 9:33
The second part of that is unique, and I stress uniqueness. And when I say unique, that means you don’t want to do something called a credential replay. And credential replay is when I use the same username and, potentially, password on, you know, a bank account, on my Target account, on my Spotify account not pitching any of those, but you know, it’s just coming to mind what I use all the time, Because the chance that potentially one of those avenues where you’re using that username and password having a breach means that not only are you say specifically having a breach at one of those vendors, but that’s what they try to do. They try to go in and they gather those credentials and then they just, brute force, try to do it across multiple platforms, especially financial platforms. So let’s just say you’re thinking, oh, I use it for Spotify or I use it to do Apple music. What’s the harm? Well, if you use that same thing on your financial accounts, if Spotify were to get hacked, that means they’re going to go and potentially just try to brute force break into others. That really aligns with a data leak that we saw years ago around LinkedIn and people were very like, ah, I don’t care, it’s LinkedIn. You know what are they going to see where I’ve worked before, who my network is. But that was intentional to gain folks credentials so that they could go look for other avenues to use that data.
Page Adlington: 10:58
So what I say is password. Got to say it 12 to 15 minimum. It needs to be unique across platforms and when I say 12 to 15, it doesn’t necessarily have to be the whole numbers, letters, special characters, think passphrases. I mean, I’m a big fan of a passphrase. If that’s the way it helps you remember, then use a passphrase. So that’s your first line of defense. Once you’ve got that robust, unique and lengthy password, the next step absolutely I say no gray area in this. People often ask for the gray area. Two factor or multi factor is your next layer of defense.
Page Adlington: 11:41
So, if people aren’t aware of that. That is something like a face ID. If you’re looking at a specific type of account, you know it might be something that’s biometric. So your face ID it might be where it says OK, we’re going to text you to a known number and you need to put the code in. You know those are what we call multi or two factor. So that’s like that second credential beyond your password that protects you and you literally make accounts impenetrable by doing that two-factor. So when I say it’s all about layering like we’re layering using a secure network in the first place, having a robust password in place and username, and then turning on that multi or two-factor where it exists, those are significant things that will protect you.
Tracy Burke: 12:28
Yeah, and while those two factor multi-factor authentication items, they can be annoying, right, I know logging in this morning here, you know, conrad Siegel it’s, you know, trying to get into Fort Knox, half the time trying to get into my computer it feels like, but it’s a good thing and you know we almost have to do it and all good things along that line. So I just want to, you know, with password management, just want to talk a little bit. There’s different ways, different password managers out there. You know, as a user of Google Chrome, that’s one that I use quite a bit know some folks that use iPhones that have I think it’s called iCloud Keychain. So whether they’re encrypted and I assume they’re heavily encrypted and safe, but are they good? Good, because you know again, that’s if you put all your passwords in one place and somebody breaks into your password manager, now they have all your passwords. So how does all that work?
Page Adlington: 13:36
So we’ll start with what is just specifically called a password manager, and there’s lots of great ones out there LastPass, dashlane, you know I could there’s a whole list. You know that’s something that exists, and doing your own research is great when it comes to a password manager. We are, you know, fans of that. You know me and my team that work around cyber. We’re fans of those. And one thing I do say, though, is, if you’re going to use a password, I’m not a fan of using anything free. So, folks that know me and work with me, or even on a personal level, I’m like, never use the free version of anything.
Page Adlington: 14:10
I’m like the reason the version is free is because you’re almost like a test case for security. If you’re going to use a password manager or you’re going to use certain applications, just go ahead and spend the extra money and get a really robust licensed version because effectively, that means you’re getting more security. They’re patching holes. Licensed version because, effectively, that means you’re getting more security, they’re patching holes, you’re getting updates. Password managers are great one because, yes, they’re generating those pass codes for you and and and. Yeah, there there’s definitely some hesitancy and people thinking, well, there’s, like this, one code to the. You know it’s the key to the kingdom. But what you need to understand is, beyond that key, there are multi layers of encryption and barriers to get to your information. So you know, historically I think it was about a year and a half ago we had a password manager that had been hacked and made big news. But what people didn’t really dig into the data is all they got through was like a very front layer of defense. They didn’t even come close to those multiple barriers. So even if they were to get some small piece of data, they never got to. You know, specifically to encrypted data. But you know, once again I say when you go out to, you know, deploy or license anything yourself personally. You want to do your own due diligence, you know. Do your research, find out what you’re comfortable with.
Page Adlington: 15:28
I also say, when it comes to a password manager, if you’re not going to use it, then don’t deploy it. I don’t think tech is there for just tech sake. So if you feel more comfortable managing individual usernames and passwords in two-factor robustly, go that way. If you want to use a password manager, do your research. They even have things, like we call it an inheritance factor now, where let’s say, you can designate somebody if you needed to or if you knock on wood, if something were to happen and somebody needed access to your account, then there’s a designated person or way to get at that information. So it’s available. So that’s kind of like a backup. Now I’ll switch to what you said, tracy, talking about what we’ll think of more as our digital password manager. So when I say digital password manager, it’s more what most people are used to is like using Google or you know, more commonly is on the iPhone, using the chain.
Page Adlington: 16:27
And yes, the short answer is those ways of capturing information and passwords and credentials are safe. There’s layers of encryption and that’s updated regularly. That’s why it’s always safe and you should always do your updates on your iPhone or your Android device, like whatever that is. I joke that the reason you’re getting an update on your phone is not so you get a new emoji, that’s all cute and like trendy. The reason you’re getting an update is because they found a security hole and it’s there to patch that.
Page Adlington: 17:01
So I’m always stressing, in any type of software, but especially on our phones these days, because it’s a walking computer, let’s face it, it’s the last thing we do on those these days is talk. I mean, it’s our computer. So you know, do those updates and, yes, those methods in those ways. So you know, like having your key chain where it’s storing a password, all that data is encrypted, somebody, you know you’re having passcodes and you know and your phone is secure with biometrics et cetera. So there’s like that first layer and then when you’re going into that key chain, it’s typically authenticating again with like a face ID to then put that password in there. So, yes, those are secure ways of using the iChain, or we’ll just call it really the mobile password managers, and I hire highly encourage those, and I say that because if you’ve ever seen it generate a passcode for you, you know it’s like a crazy length and it’s crazy characters, or even if you’re creating your own, it’s just a next level of defense.
Tracy Burke: 18:00
Yeah, and you know, key takeaway for me is you know, sometimes the free services that are out there might not be the better one, Right and yes something.
Tracy Burke: 18:10
So along that same line. We’ve always heard of LifeLock and there’s others that that I assume are still out there. Is that something just? And I’m not sure if that helps on the front end, you know, prevent cases, but at least it helps identify. How do those you know identity theft protection services? Do they help to prevent it? Is it just notification? And should people you know look into purchasing one of those?
Page Adlington: 18:42
Well, to your original point when we started the conversation today, assume that you’ve been hacked. I mean, there’s hardly anybody that I ask these days that hasn’t been part of a breach and hasn’t gotten free credit monitoring. I think right now I’m probably part of four and you know I’ve got multiple you know free services going on for the next four years monitoring my credit. I will say personally I also use LifeLock for all different kinds of reasons that you explained. I generally agree that you should have some type of service monitoring your activity, your credit activity, anything, I mean it’s even more than that. Those services, like specifically a LifeLock, will come back and tell me, hey, this specific data showed up on the dark web. We’re monitoring it Now again, a lot of times those are reactive and not proactive, so always keep that in mind. It’s good to have them because it makes you aware of what’s going on, so that, once again to my original point, you can go and protect yourselves. So like if they say, come back and it tells you, hey, your email or this username and password showed up on the dark web. You need to know to go change that Now. Has that already happened? Is that data out there? Yes, it is, so it is a little bit more reactive, but it can help you in terms of being proactive, as in locking down your credit, so helping you lock down where you can’t open a credit card in your name.
Page Adlington: 20:09
I get lots of questions around, like title fraud and people trying to take people’s homes. I will say that that’s rare. I get that question a lot. That’s not where I put most of what I would call my worry. You know, if I have a basket of where to put my the things I’m most scared of, it’s really hard to jump through those loops. Not that a basket of where, but my, the things I’m most scared of it’s really hard to jump through those loops. Not that it doesn’t exist, but yeah, I would it it. It tells me where my data exists. I have credit locked down and those types of services help me lock down that credit.
Page Adlington: 20:43
Something interesting that people don’t usually think about is those services don’t always monitor, like your checking and savings accounts. So the banking system is almost a separate thread of protection, and so I encourage people to go out and look for services that will also monitor your checking account activity and I’m not talking about you writing a check or your debit card transactions. But you know, people often open fraudulent accounts in like a checking account and that’s just a way for a fraudster to get in there and potentially like move money in a legitimate transaction to a fraudulent account. So I’m like, don’t just think credit, think bank accounts like you know, checking accounts and savings accounts whenever you’re looking for those services. I want you to make sure that you’re looking for a wide umbrella that covers multiple avenues of fraud okay, now you know.
Tracy Burke: 21:38
Talking along those same lines, I think you sort of alluded to this a little bit. But you know there’s three major credit bureaus. We got equifax, experience, transunion. Uh, most folks, I think, are aware that they can freeze their credit through there. It does make it a little bit more challenging than when you do try to get credit in some way shape or form. Is that a good idea for people to freeze their credit with those three major credit bureaus?
Page Adlington: 22:07
I say yes and you know, with a lot of things that are cyber related and protecting yourself, I believe that that inconvenience is worth the protection. So, you know, when people start talking about cyber and some of the things we’ve talked about today, everybody’s like starts to click oh my gosh, I have to have a really long password and oh my gosh, now I’m going to have to do two factor and I can’t use this. But when it comes to what’s at risk, that amount of inconvenience of maybe having to call those credit bureaus and they’ve made it easier now to like kind of open it back up for a window far outweighs the potential risk that’s associated with having yourself hacked or your credit taken over. And I’ve gotten questions when I’m doing this in person, you know like well why are they coming after us?
Page Adlington: 22:54
And why is this happening to us? And I’m like, because it works. Because fraud, you know, going after people that have the means or the financial you know capacity to attack, I mean, those types of activities work. So that’s the reason they go after the targets and they use these ways of target. It’s because they still work. So that’s, you know, Just protecting yourself just far outweighs the risks associated with it.
Tracy Burke: 23:24
Yeah, and if we sort of go back to computer maintenance or software maintenance, even from that standpoint, you know you Is the standard security software that really comes with those computers enough, or should we be adding some additional protection?
Page Adlington: 23:54
You know generally these days, I would say that the software that comes with you know both PC devices often obviously Windows or a Mac and iOS. The software to manage updates and protections is leaps and bounds what it was like even five years ago. I mean I could I give definite props to the Apple world and how robust their security settings are and how well those devices are protected on their own. Sometimes more on the PC side, I personally use another layer. So you know I use another antivirus software on top of what comes with it. It just it’s not expensive. It makes me feel safe you know me and extending it to my family those licenses it gives me other types of notifications of like stuff that’s going on. Or you know we’ve stopped this many websites from tracking you. So I think it’s worth it. Once again, they’re not that expensive.
Page Adlington: 24:52
The thing that you need to make sure in either case you use, but using a third party software will often help you like this is like Bitdefender one of those is that remind you and they give you reminders and they make sure you’re on top of it. So if you’re not one to manage yourself and go and make sure patches are happening or that you know what’s in the background is working or if you’re not setting it up properly, then that third party software can often be. You know I call it like my little babysitter for my PC because I don’t constantly think about it. You know I live in the world of Schwab. Like I am so managed on my computer. You know that I don’t have to hardly do anything because somebody is doing it all for me, so that can create a hygiene like laziness for myself on my personal stuff and those third party softwares help me be active in monitoring it and reminding me.
Page Adlington: 25:49
But generally what’s included in, like the Windows, you know, bitdefender and all those kind of things that are going on are really robust these days.
Tracy Burke: 25:58
Yeah, and as we wrap up, Page, we’re going to finish up with some possible action items here, but I think what you just mentioned is such a good point. You know, even at Conrad Siegel we have a phenomenal IT department that helps keep us safe, right, but we still have to do a lot of things proactively to make sure it’s there. They’re giving us the tools and setting the table, but it’s up to everybody. So a couple of action items that I was writing down as we were talking through some of this stuff your first one is thinking before you click right Super important, there’s a lot of links out there and emails.
Tracy Burke: 26:39
So talk about emails mostly, but just be careful, even something we didn’t talk about text messages. There’s a lot of phishing things out there. Sending files with sensitive data in a secure fashion that was a point that I wrote down. Password management you know strong, you know lengthy, strong passwords and multi-factor authentication was something that you that that you talk quite a bit and and really you know, I’ll see if you have any additional to put there, but just being overly, you know overall being just very suspicious and cautious. Uh, in all that you do. But anything else that you would add here before we finish up?
Page Adlington: 27:18
Yep. I would say in closing you know, my recommendation is I call it the. Don’t acknowledge anything incoming. I wish I had a better phrase for it. But if you get an email that looks suspicious or is asking for information, you do not have to respond to that email. You can go to a legitimate website. You can pick up a known number. There’s nothing that’s requiring you to action that email. The same thing these days, if you get a phone call asking for information, if you get a phone call from you know XYZ Bank, saying we recognize fraud, say great, I’m going to hang up and I’m going to call the legitimate number. You never have to action something incoming If an issue or something is going on that’s legitimate.
Page Adlington: 28:02
Nobody’s going to argue with you about going to a legitimate phone number or a legitimate website. Same thing with text, which is now called smishing. You know there’s phishing and now smishing is basically SMS. You know you get a text that’s like how are you doing today? And you’re like I don’t recognize this phone number, don’t respond to it, I promise it’s fraud, you know, just ignore it, block it, whatever you want. Same thing If you get a text and it looks suspicious. Remember, we see fraud on your account, do not action. That’s why I say just do not do an activity based on something incoming to you. Turn that conversation around. If I could stress anything is reach out to a legitimate website, reach out to a legitimate source, and that will do leaps and bounds to protect you about around fraud these days.
Tracy Burke: 28:49
Yeah. So again, be suspicious and be cautious, of course. So thank you so very much, paige, for all your wisdom and suggestions today. This has been fun. Could go on probably for hours, but we do need to move on. So we also thank our listeners for tuning in and, as always, encourage you to reach out with questions or comments to our email address. This is a secure email address. Podcast at conradsegalcom and, as you all know, we’re here to help. So if you like what you’re hearing here today, we ask that you share with your friends and family and if you find it valuable, give us that five-star review and subscribe, if you have not already done so. So until next time, stay well and have a great rest of your day.
Intro/Closing: 36:35
Thank you for tuning into today’s show. The Real Talk Retirement Show is created and produced by Conrad Siegel, an advisory firm that specializes in helping people prepare for retirement and beyond. If you want to learn more about our work or meet the team, you can visit conradsegel.com. Information on this show is for educational purposes only and should not be considered personalized investment tax or legal advice. Before making decisions, you should consult with the appropriate professionals for advice that is specific to your situation.