Good afternoon. Thank you for joining us today. We're uh excited to host this
webinar uh where we have Carmy Levy uh here to present with me on what uh we
both feel and I think many feel is a very uh timely and important webinar in
terms of content on cyber security fraud protection. Uh so Carmy's going to jump
in here in just a few minutes and uh we have a good presentation for you. Should
run about 45 minutes or 50 minutes or so. I would encourage you to please uh
use the Q&A function uh that's part of the Teams service, the Teams virtual
meeting service where you can pose your questions uh to me. I will relay them and we'll get those uh that feedback
from Carmy. And uh we thank you again for pres uh joining us today. I just
want to emphasize that uh the the threats of cyber uh attacks and
financial fraud are are constant and the methods and the technology that are
being used by uh the people that look to uh to uh complete those cyber attacks
and financial fraud uh are are ever changing and frankly they're they're becoming more complex and uh more and
more difficult to uh to prevent or or understand sort of what's what's real
and what's what's not. Uh so that's an important thing to keep in mind. I just
want to also just emphasize that uh this this is not a I can't guarantee that
this is a a presentation that's going to cover everything. uh but Carmy and I
have collaborated on this presentation and we feel that it covers uh really the biggest part of the issues and uh not
just identifies them but gives some real good concrete uh steps that you can take
to uh as as you go as you leave this presentation. So again want to thank you
for joining us. I'm going to start the presentation here and I'll start by introducing Carmy. Uh, so I I became
familiar with Carmy Levy from uh being such a big fan of News Talk 1010 radio
and the morning show especially where I listen to John Moore the the radio host on the drive in to work in the morning
and Carmy is a regular contributor on tech Tuesdays with Carmy Levy and Carmy
comes on for uh for a discussion about technology related issues. So, Carmy is uh
a regular contributor on News Talk 1010 and uh dedicated much of his career to
understanding and informing about technology and he's a personal cyber security around personal cyber security
fraud protection is the is the uh discussion today. So, we're very fortunate to have Carmy here with us and
I'm going to put the uh presentation up now and turn it over to uh to Carmy.
Thanks so much for that introduction, Andrew, and thank you all for attending. I am uh I'm honored to be asked to be
part of this uh of this webinar. Um honored to be part of a conversation that quite frankly I think most of us
need to be having. Um and uh and you know, quite frankly, I think we're, you know, we're long overdue for a bit of a
reckoning when it comes to uh cyber security. uh you know my mission uh as Andrew uh alluded to in the intro uh is
you know really to break down the complexity of technology and make it simpler for us to use. Um I find the
technology by design uh is pro sometimes too complex for its own good and so it's
hard for us in the everyday to really unlock its potential. Uh and so you know
my you know working both you know with media I'm a journalist by by education and practice and so working with my
media partners um like John Moore at News Talk 1010 and others across the Bell Media Network across the CBC um and
other major platforms in Canada. Um you know my mission really has been to kind of unlock that potential of technology
break it down in ways that you know even my mom would understand and if my mom understands then I I have absolutely
succeeded. And what I found out about technology as I've covered it over the
years is that cyber security related themes have increasingly dominated the
technology agenda. Um and so you know as as time goes on I kind of look at the
stories that I cover in the course of a given day uh or a given week and increasingly they they deal with uh
security breaches, ransomware attacks, phishing messages, things like that. And you know, just just this week, I'm sure
you all saw the headlines about uh the prime minister, Mark Carney, having his personal information uh compromised at
the at the Royal Bank of Canada by an employee, by an internal employee, uh closer to home. Uh Oxford County has
just suffered a major breach and uh that involved employee information. So through no fault of their own, they have
been exposed. So as time goes on, cyber security has become um you know an issue that whether we like it or not we all
have to deal with. Uh and so if we can just uh go to the next uh slide please. Uh we'll sort of start touching on sort
of what cyber security is and why we seem to you know why you know why we we
need to you know treat it with a little bit more uh let's call it you know care and diligence than we have in the past.
Um you know so I think you know if we can take a quick look at slide three our agenda items. Um you know I think the
first thing to that we really want to touch on is kind of understanding uh you know what a cyber attack is what it
looks like um especially in the context of the day-to-day. In other words what
does you know how do I even know that I'm under cyber I'm under uh threat? How
do I even know when I have been victimized? um what is the very definition of a cyber attack? Um you
know and and and once we kind of have an understanding of what it what it is and what the different categories of cyber
uh related events are uh we'll talk about some of the the the the tools the techniques the behaviors that we can
leverage uh to minimize our risk against these kinds of things. Uh and notice I
use the word minimize. Um you know the the the goal is to is to limit the risk.
Uh the unfortunate side effect of this is that there's no way to completely eliminate the risk. Um so it's really
about staying below the radar of of a cyber criminal um because we're all potentially victims. But if we do our
homework um we can limit the potential for that. Um we'll also take a look at
cyber, you know, I like to call it cyber insecurity. We'll talk about sort of what that looks like in the financial
space because obviously a lot of cyber uh related events, a lot of cyber crime
revolves around the finan financial space for obvious reasons. Um there's a reason why Mark Carney was targeted at
his bank. Um he is an individual of fairly high profile. His data is worth
something on the open market. And guess what? You don't have to be the prime minister of Canada for your information
to be worth it to someone. And so they're going after data, but they're also going after authentication
information. They want to get into our accounts. They want to trick us into sending money their way. There are all
sorts of different forms. And and and so and we're seeing, you know, those the dollar figures continue to increase
year-over-year um as cyber criminals become a lot more sophisticated in the ins and outs of uh of financial fraud.
Uh and at the same time, we'll talk about some of the things that you can do to tighten your protections against
them. Um and also some best practices that we can leverage um you know as we
are you know as as we're kind of going through the day-to-day um and uh you know to minimize you know as we're uh
dealing with for example our credit cards or we're we're managing our accounts online that there are ways uh
that we can minimize our our risk of falling victim and of being that next headline. Um so if we can go to next
slide please. Um, so the next slide, you know, let's
let's talk about the the the the types uh of cyber attacks uh that are out
there. And I think um I want to start just by sort of touching on on you know
sort of the the notion that cyber crime is something that happens to someone
else. Um and and the sad fact is that is not true. Cyber crime happens to
everyone. it happened to uh you know I if you're sitting among friends and you look to your left and you look to your
right chances are two of you either yourself and one of your friends or both of your friends um have already been
victimized in one way shape or form that is two-thirds of all Canadians have been touched by this to date and that is a
percentage that goes up uh literally by the day as more victims are uncovered
and so we tend to think that cyber crime is something that touches those who are uh you know what I like to call rich and
famous. Um, but the sad reality is is each one of us is a potential victim as
well. That you don't have to be a high-profile victim in order to be worth targeting. Uh, you know, in the minds of
a cyber criminal. So, uh, this isn't something and and so again, if if you haven't been touched yet, chances are
someone you know has been and it's only a matter of time before it finds its way into your inner circle. Um, and it
often, you know, when we look at sort of the the the categorization of attacks, it often starts with a message. And so
the first sort of type of of cyber attack that you want to or the first what we call vector, the first sort of
way that cyber criminals reach out uh is what we call is what we call phishing. Um, and that is essentially a message.
It could be an email message in your inbox. It could be a text message um in your text inbox on your phone or any
other device that gets text messages. It could even be a direct message in social media if you use Facebook for example.
Facebook Messenger uh is is a you treated like an email service by a lot of people. I send and receive messages
on it because a lot of people reach out to me on that platform. Um and many of those messages come from accounts that
are not legitimate. And so, um, you know, we're all receiving countless
messages every day. And I would I would wager that if you kind of stopped right now and took a quick look at any one of
those accounts, there would be a phishing message, and that's phishing with a PH,
um, sitting in, you know, not only one of those accounts, but multiple of those accounts. Um, and it would be, uh, you
know, and and which isn't really, it's it's not a problem. the sky isn't falling if you don't interact with those
messages. And what a phishing message is is it's designed to get you. It's designed to convince you that it's
coming from a legitimate source. So, it could be uh your bank. It could be the
CRA. It could be somebody that you know, it could be pretending to be your grandchild uh or you know, a friend, a
long-lost friend. Um and it's designed, you know, here's that photo I promised
you. here's that budget I wanted you to look at. Could be pres pretending to be from a colleague. And in many cases,
those messages look frighteningly real. They have uh you know, they have the right logos and the right typography. It
looks like it's coming from your employer. Um you know, if you uh you know, it it has the the individual's
phone number and email address. Um and so it's just real enough that you're you're lulled into believing that it is
in fact a legitimate message. And in all cases uh or just about all cases, it
will ask you to either click on a link or download an attachment and that's the moment uh where you go from being you
know never having been attacked to becoming a victim of a cyber crime because the instant that you engage with
that payload with that link with that that attachment um as soon as you click
on that link that that's when bad things happen. And it's the phishing message that is the entry point, the gateway in
to this kind of uh you know this kind of attack. And so, you know, a lot of the
educational resources that we like to devote to understanding cyber attacks and protecting ourselves against cyber
attacks really focuses on how do we identify a message that that comes to us
in our inbox and how do we determine that it in fact is not a real message
that even though it looks like it's coming from my employer or from my bank branch manager um that it isn't real uh
and that I should not interact with it. Um and so you know once sort of we sort
of move beyond that message in our inbox um you know we you'll often hear a term
called malware and malware literally means bad software um and so what it
does depends on the nature of the particular type of attack. So, some attacks will be um you know,
significantly uh you know, some of them are are fairly benign, right? Uh it might run some software on your computer
that slows it down. It might steal some of your information in the background.
Um it might serve up ads. Sometimes that's called adware. Uh or more insidiously, it could be uh a form of
spyware, which is software that lurks in the background quietly and it records
what it sees and it hears. It logs your keystrokes. It takes screen grabs without you looking. And of course, you
know, you're engaging in some pretty personal and confidential customized stuff on your computer. That information
in the hands of a cyber criminal uh can be used against you in all sorts of ways. And so, you know, malware doesn't
get there on its own. It usually ends up on your device if you engaged with a
message and clicked on that link. Same thing with ransomware. Ransomware is a
form of malware that has a very specific function. Um, instead of like lurking in
the background quietly, it makes its presence very known. If you click on on a link or if you download a piece of ma
of ransomware, what it will do is it will lock your computer and then it will
send a message to you uh and it'll say, you know, if you want your computer and your data unlocked, then send this
amount of currency. It literally holds your data, holds your system to at
ransom. Um, and it tells you that they'll they'll unlock it if you pay it off. Now, of course, there's all sorts
of guidance on why you don't pay ransoms when this happens. Again, story for
another day, but bottom line is ransomware happens when you get a phishing message and you unfortunately
click on it. Um, the final sort of major version of cyber attack is one that you
really can't do anything about. It's called distributed denial of service or DDoS.
And those are interesting. Those are almost like if you can imagine a pitchfork wielding mob um that is um you
know quite literally um you know marching down the street and they come up to your front door and they make a
lot of noise and they bang on the door and they terrorize the dog on the inside of the house but they don't actually
break in. They don't actually steal anything. they just disrupt your life
because you can't come and go as you please. Um you know it it essentially
freezes you in place and in the context of it being a website um a a a DDoS
attack what it will do is it will target a particular resource online. So it
could be a website, it could be your device, it could be a computer, it could be your phone company's network, it
could be, you know, something that is identifiable and it will literally hammer it with request after request
after request. And eventually there will be so much traffic there, so many pitchfork wielding mobsters standing out
on the front porch knocking on your door that the network eventually or the service the target eventually collapses.
So the you know the bad news is you you're out of commission. You can no longer use that technology. The good
news is unlike a ransomware attack uh your data isn't frozen in place. Unlike
other forms of malware, your data isn't stolen. Uh nothing is stolen. In fact, nobody breaks into anything. No one ever
makes it into that virtual house. But it is highly disruptive and in many cases
cyber criminals are using distributed denial of service attacks to gain attention to you know sort of cause a
really big outage. Uh and in fact there was a fairly significant one against the telecommunications networks in the US in
New York that was just discovered earlier this week. The US Secret Service discovered a plan to flood the cellular
phone networks with traffic with millions of texts and phone calls uh with the express intent of crashing it
while the UN General Assembly was in in uh in session. Thankfully, they caught it in time. it didn't happen. But it
illustrates just how sophisticated these attacks can be. Uh and how we sort of have to be on our, you know, on, you
know, keep our eyes open, heads on a swivel because you never know when, you know, you go to a bank and you want to
do your banking, the system may not be available. It might be under attack by criminals who are using DDoS. So if you
go to the next slide, please. So it just helps and and again there are
you know we can probably talk definitions on these uh you know for you know all day and all night. Um what you
probably want to do though is just kind of recognize that there are different kinds of threats out there and you kind of have to keep your eyes open for them
um just to make sure that you recognize them when they show up in your inbox um or you know or elsewhere. um you know so
you know definitions of malware I'll sort of I'll zero in on a couple of these and so Trojans and viruses just
the last two uh the last two paragraphs so um you know basically the if if you
think back and this is like way back to when I was a kid viruses were a thing the first real forms of cyber warfare
when you know the Apple computer was first a thing or when IBM first introduced its computers in the 80s
viruses were a really big deal and often times you would download a piece of software or you would get a disc from a
friend and it would have a virus on it which caused all sorts of behaviors that you probably didn't want. Um, and so
obviously nobody's exchanging discs anymore. Computers are a lot more sophisticated now, but um, they both
refer to and there's slight differences in terms of what they are, but the bottom line is is they're like a two
specific forms of malware and you never want to have to download them. And so this is, you know, this is another
reason why, you know, you don't want to be clicking on links from sources or hitting buttons or tapping on buttons
from sources that you're not familiar with because often time they will include downloads that in the background
install some form of malware on your computer. That's all you really need to know about it. It's the payload sort of
what it actually does will differ based on each type of uh of uh of attack or or
sort of the intent of the attacker. But you do want to make sure that you're kind of aware of those differences and
always lead with cynicism. If you're not sure of the source of a particular message, uh then the last thing you want
to do is be engaging with it. And a really interesting sort of, you know, a technique that I use is um I I if I'm
not sure about the origins of a piece of email or a message from someone, I don't
I I I I I put my smartphone or my tablet down, I go over to my computer that has
a mouse on it um and I I do what's called the hover test. So, you take your mouse, hover the mouse pointer over the
link or over the button in that message. Uh it also doesn't hurt to hover it over
the the uh the header, the information at the top of the email with the name of the person, the email address of the
person because they might claim to be from your bank or from a legitimate address, but when you hover over it, you
will see the the real address pop up. And that's when you can see that if it
if it looks like it comes from, I don't know, Russia, uh or it might come from some place that you're not familiar with. It certainly doesn't look like a
legitimate email, say from the CIC. That's usually a tell that it's a
problem. You can also see if you hover over the link, it will have some web address that is unrecognizable or a
download that you probably should not be accessing. So, use the hover method to keep yourself from getting into trouble.
But remember, hover the mouse over it. Don't actually click on it. So, if we can move to the next slide, please.
And we'll just take a real sort of quick look. um at ransomware. And again, just a reminder that um ransomware is it
takes on many different forms. And it doesn't just spontaneously activate on your computer. It requires you to um to
open up uh the message. It requires you to engage with the message by uh
clicking on it. Uh and then, you know, from that point on, it activates and does what it was designed to do. Um it's
sometimes called malicious software. It can encrypt your data. Um it can lock your computer. Um so you know the you
know the bottom line here is um I would rather risk being you know you know
embarrassed or feeling sheepish by contacting my bank and saying did you send me that message? Uh or you know
contacting Andrew and asking him if he sent that message uh then clicking on it and finding out the hard way that it
wasn't really from them. um you know so you know and and another you know when we look at uh sort of prevention
strategies um ransomware wouldn't be such a big deal if all of our data was already backed up and if you think about
it uh and this is important as you're you're managing your financial affairs you're you're managing your inbox you
know we're all responsible for an ever growing kind of collection of electronic
data to manage our day-to-day lives including our finances what we want to do is we want to make sure that if that
you know I I always think to myself, well, what if all of that wasn't available tomorrow? What if I were a victim of a ransomware attack? Would I
be able to restore myself to where I was? And there are some companies that
when they've been attacked and some individuals when they've been attacked with ransomware, they simply ignore it
because their data has already been backed up and they can easily start from scratch and just just use that information to reestablish themselves
online. So um do keep in mind that you know when you're working online you want
to make sure that all the data that you're working with your statements things like that they don't just exist in one place you know when your
financial advisor sends you information via email it's important that you download it you know put it in a place
that's secure make sure that if the worst if the worst happens your plan B
is I have everything that I need to restore my information. uh you need to have just like you have a physical plan
for your physical files in your home, you want to have a similar plan, plan B, backup, disaster recovery plan for your
electronic files as well. Um so if we can um hit next as well, we'll sort of
talk uh a little bit more about phishing. Um and Andrew, if you do have any questions, feel free to weigh in. Um,
I just want to point out phishing like a derivative or a subcategory of phishing
attacks that's become quite popular is the ClickFix attack, right? Which is you get a you it appears to come from
Microsoft saying there's a problem with your computer. It looks all very legitimate. It just pops up on your
screen. Click here uh to fix or to report it. And that's the same sort of
phishing attack uh ju but it just looks like a what they call a ClickFix attack.
Exactly. And you know what I would do and you know to avoid that never respond to an unsolicited message from the
outside if you really want to make sure that your software is being you know properly updated and has all the latest
security fixes applied. You can go into the settings of your smartphone or your computer or your tablet and you can make
sure that that software updates are set to be automatically on so that it always
happens in the background. Companies like Microsoft don't magically send out messages like this saying click here to
update your software. There are all sorts of other ways that it can be done. Um and and in many cases those messages
they look frighteningly real. They might address you by name. They might have other you know pieces of information in
them um that suggest that oh this must really be for Microsoft because they know who I am. They know what computer
I'm using. Uh they know where I live. Uh but in many cases all they're simply doing is taking information that is
available out on the open internet. Sometimes it might have been uh you know released in a data breach and they're
pulling all that information together and they're using it to create very targeted phishing messages. Sometimes
they're called spear phishing messages which are highly customized, highly personalized phishing messages. Um which
of course makes it more likely that you would think that they're legitimate. Don't take the bait. Bail out of that
message. uh and then and then use your own methods to verify that you in fact are updating your software properly.
So now that we've you know we're all sort of you know we're we're kind of we're frightened um you know I I think
it's important that we focus on on you know the things that we can do in the everyday to reduce our risk. And so if
we can uh pop over to the the password protocols uh slide just a couple down.
Um, I want to talk about and if you remember nothing from today, I I want you to think about the one thing that
you can do that can improve your security posture and it revolves around
passwords. Um, and so the problem with passwords is uh in many cases and and
passwords are if you think about it, we're in 2025 now. The first passwords
uh were first introduced with really the first you know we won't call them popular but publicly available you know
sort of computers to uh universities military and research labs way back in the 40s and 50s. uh and passwords really
became a thing then because they were the the best option that we had for authentication onto a system to ensure
that only people who were using that system, you know, that they were the ones who were authorized to do so and
nobody else could get in. And if you think about how far technology has advanced in the last 70 or 80 years, yet
the password still is our primary method of authentication.
uh and I would very humbly argue that there is uh there's infinitely there are
infinitely better ways to you know keep the bad guys out and ensure that only we have access to our stuff but the
password persists and part of the problem is also and I hate I'm not laying blame here but we are also part
of the problem we want our passwords to be easy we want to you know if we're downloading an app and and or or
something or some data or we're signing into our email inbox we don't want to get locked out We don't want to waste
time. We don't want to have to recycle our password and go through that whole rigmarole. We certainly don't want to
have to explain it to our family members if we're their tech support. Uh and so in many cases, we all we we we lean
toward convenience instead of security. And so many people, and I hear this from a lot of people, they use the same
password that they've been using for years. Uh it's an easy to guess password. It usually has something to do
with maybe a family member or a pet or the street where they grew up or their favorite teacher from from primary
school. Um, uh, they use that same password across different systems and
apps and services. So the same password that they use to sign into the bank is the same password that they use to sign
into email, which is the same password they use to sign into their smartphone. Uh, and so the problem with that
approach, even though it makes it easy to remember so you don't get locked out, it also makes life easy for cyber
criminals that if your password gets leaked in some way in, for example, a data breach, um, it makes it
ridiculously easy for them to do what's called credential stuffing, they then go, "Oh, so I know the I I I have the
authentication for the email account. Let me try the bank account as well. Let
let me see if they have an account with RBC. I'll sign into that because we kind of know what the structure is. Let me
also see if I can sign into, let's say, their CRA account. Let me try their Microsoft account. Let me try their
Google account. And before you know it, it isn't just one account that's been compromised. It's multiples because the
the the passwords were not unique. Um, another uh sort of you know problem that
we run into is in many cases we are sharing personal information on social media which is really good for
connecting with your friends but it also mean it's also being watched by cyber criminals. And when I say watched sure
they might be actually reading your feed but in many cases they're using uh technology they're using automation to
scrape what you post to your your your feed and then use that as a way of
trying to break into your account. So when you fill out that survey on social media about your, you know, what street
you grew up on and, you know, what year you were born and you're sort of, what you're doing is you're sharing all sorts
of personal information that can be used to make it ridiculously easy for a cyber
criminal to get into your account. Combine that with information that's released in a data breach and next thing
you know, you have a significant problem. So, you know, the answer is what I like to call smart password
protocol. Um, it is unique. So every system, every app, every website, every
account that you have online has a unique password. That way, if one password is liberated or released or
breached, at least they're not getting into all of your accounts. You make it hard to guess. So, you know, don't
include easy words, certainly not your birthday or your partner or your dog or your cat. Um, and then you regularly
change them. And this is important and I know it's a hassle um but you change them regularly because in many cases
when there is a breach that information gets shared online and when it's shared
online it gets picked up by other criminals. In some cases they just give it away for free. In other cases they
sell it uh and those criminals will then take that information and immediately start trying to log into your account.
So, if you're using the same account that it's the same password that you've used for decades and let's say 5 years
ago there was a breach, it's almost like leaving the front door of your home open for 5 years, almost inviting thieves in.
And so, if you change your password regularly, what that does is it locks the door on cyber criminals. Sure, maybe
your information was released in a breach, but now there's nothing they can do about it because you slammed the door
in their face. And if you look at uh the this grid, this grid is an interesting
one because last year there's some uh some research that shows from Hive Systems that showed just how long it
takes to break into an account based on the complexity of your password. And I
would argue very politely of course that the longer we these things go on, the easier it becomes for cyber criminals to
break into an account because the tools that they have are getting more powerful almost by the day. So it might have
taken say I don't know you know uh you know 10 hours last year to you know you
run through a bunch of iterations that might be reduced to three or four hours by this year. And so you my
recommendation for folks who are trying to balance security and convenience is to consider a password manager. And the
three that are kind of at the top of the list here 1Password, Dashlane, NordPass they're really simple that you
you load up the app you can install it on your phone download it for free. They do have they have subscriptions for
them, but you can also use the free version and they're quite capable. And what you do is you add your username and
password for all the different things that you have to sign into. And then that single app manages the process. It
generates secure passwords, hard to guess passwords for all of these systems. It will change them at regular
intervals. Uh and all you need to do is remember that one sign in for this app. Um, 1Password is at the top of the
list for a whole bunch of reason reasons. I believe it's best of breed, but at the same time, it's also Canadian.
So, if we're going to have our elbows up, may as well support the Canadian solution. It routinely is at the top of all the best of lists. But Dashlane is
another great great choice, as is NordPass. And these are all, you know, security companies with long histories.
Absolutely worth considering because it certainly uh it balances off. It it lets you have strong patterns that are
regularly changed, but it also doesn't leave you vulnerable to being locked out just because you forgot one. Um, so
Andrew, I was wondering if you had any questions while we flip to the next slide.
Uh well, I think this this is a
very good uh grid here because it shows uh just how quick it is for, you know,
and and how quick it is for uh cyber criminals to to hack a a computer or
technology piece of equipment if your password is not complex or long enough
or both rather. and and it's I think it's still being reported quite often that many people use the word password
as their password or they use like 1 2 3 4 5 6 7 8 and and that's that. Uh so
it's really really important to uh to to look at this and say okay where on this
grid do I fall? uh because you can see if you just go to 10 numbers and use a
combination of uh numbers upper and lowercase and then some symbols you're
already at 33,000 years that it would take for the current technology uh to
likely break through that. So that's not too big of an ask I think to say let's
get some complexity uh to and and uniqueness to each of our passwords.
Yeah, that's really great great great great advice and and the reason being especially um don't think of it in terms
of some cyber criminal sitting at a keyboard manually hacking away. They are using automated tools often powered by
artificial intelligence that are allowing them to continually scale up their password breaking efforts. And so
they're getting better and better at this all the time. And if you use easy to guess passwords, you're essentially
making life easy for them. And and I mean that every year there's a there's world password. I believe it comes it
happens in the summer. Uh and every year they publish the list of top passwords and you're right Andrew they always it's
always you know the the the number one password is password all lowercase then 1 2 3 4 5 6 or 1 2 3 4. And what really
bothers me about this sort of annual tradition is that every year that list stays the same and every year we don't
seem to be getting the message. And so essentially what it means is that anyone who isn't following smart password
protocol is basically putting themselves at greater risk than than compared to someone who is taking a little bit of
time to tighten their passwords. And then you know looking beyond passwords. So again passwords have been around for
70 80 plus years and clearly the world has passed them by. Um you know if you
look at the front door of your house uh you'd rather have two locks instead of one. So, think of the password as that
first really lousy lock that you get when when you first move in. And then think of two-factor authentication as a
second more powerful lock on top of it. That way, if someone still manage some
if let's say your password is breached or compromised, the door is still locked, they still have to get through a
second form of verification. And two-factor authentication sometimes is called multifactor authentication or
MFA. And that simply means more than two. Um, is, you know, it could be a
fingerprint, a biometric, it could be facial recognition. Apple has Face ID where you look at it and it lets you in
because it knows your face. It could be voice recognition. It could be a a a four or a six-digit PIN. Um, it could be
a code that's sent to you via text message or via an authentication app.
Um, and there are all sorts of different forms and and again the reason being is we should all have choice. But, um, the
bottom line here is is when you're given an opportunity to activate two-factor authentication, I highly recommend that
you do so. That way any weaknesses in passwords, you're still protected even if the passwords are compromised. And I
agree that yes, it makes life a little bit more uh, less convenient because you don't just open up the app and you're
magically signed in. you still have to maybe look at your phone or, you know, touch the fingerprint reader or type in
a PIN. But that little bit of inconvenience up front is a major uh uh
uh determinant in uh you determining whether you are targeted or not and
whether they're successful at it. So, I highly recommend going into the settings and in many cases they're not turned on
by default. They should be. I wish they were, but do go into the settings and activate them yourself. Um and another
uh form of of protection. If we can go to the next slide please. Um is is
software and and so once upon a time it was known as antivirus software. It it
it it did then and it still does carry you know the leading brands are Norton, McAfee, Bitdefender, TotalAV. You
would install it on your computer and then later you'd install it on your phone or your tablet or whatever device
you were using and it would constantly monitor your device and make sure that you know let's say you did you know
somehow accidentally inadvertently download some uh you know malware out there. It would find it would flag it
and it would remove it and then that way you were kind of protected. It's almost like a vaccine for your device. Um and
there's still there's still you know a market for that. there's still a reason for having it. But if you look at sort
of the evolution of Norton, McAfee and Bitdefender, increasingly they're not just called antivirus solutions. They're
full-on security solutions. And so they might include other uh types of
capabilities. So they'll include the protecting against viruses and malware. Uh they'll provide real time monitoring.
So you'll get an alarm if it detects something really weird. Uh they have what are called firewalls. So, it'll
prevent uh connections that have no business connecting to you from trying to do so. Um, it'll have warnings about
phishing messages. So, if you if it sees a dangerous link, uh, you'll get a you'll get a popup. You'll get a warning
when you're browsing. Uh, it'll ensure that you're not visiting a website that is somewhat compromised. It'll, you
know, prevent you from clicking on the wrong things. Um, and so there are all sorts of tools that are incorporated
into them and they're really great to have. However, uh what I've noticed there's a psychological effect of having
security software on your device that many people who install it think that once they're once it's installed, they
are absolutely impervious to being uh compromised digitally. In other words,
that it protects them and now they can engage in behaviors that might be termed a little bit more risky. So, they will
open that email because they're, oh, well, the antivirus software is going to protect me. I will visit that website
that I've never visited before because I don't have to worry about it. I got the software. And so the trick here is to
recognize that this software is not 100%. It helps, but it certainly doesn't replace good behaviors and you still
have to be, you know, eyes wide open, heads on a 360° swivel to make sure that
you don't click on the wrong thing. And, you know, don't put too much trust in the software because the software
doesn't always get it right. So, it's a good thing. And I often talk in terms of toolkits. You know, you want to have a
toolkit with a bunch of different tools and techniques in it to keep you safe. No one tool is the the perfect or
complete answer. But in concert with all the others, it certainly doesn't help to have a toolkit filled with a bunch of
different techniques. And certainly security software is one of those techniques that's worth considering. And
just like password management apps, uh there are free versions of it that uh that you can have and you don't have to
be spending money in order to have this. Um Andrew, if you had any anything to add at this point before we head on to
uh software updates.
Uh just just I think like we'll we'll just briefly on this slide which is that you same as
with your automatic updates from Microsoft or Apple uh to keep your your
your internet security uh um and uh pardon me and software
updated and uh you you you often will just the same thing have automatic updates download from your Norton uh
from from Norton to update your uh your internet security program.
Exactly. Because the, you know, often times new threats are always being discovered and the software that we use
is really complex. There's no way that it's it's it's perfect or secure, you know, all the time. And so they're
always discovering new new weaknesses and they're always releasing new updates to close off those vulnerabilities. So
the last thing you want is to have old software that hasn't been updated because that makes you an easier mark uh
as compared to folks who are always updating their software and closing the door on these newly emerging threats. So
um you know the the easiest way to do that is just go into your settings uh and just make sure that software updates
are all automatically on. that will ensure that both the operating system for your device as well as the apps on
the device are always receiving the latest updates and that you're never you know sort of vulnerable. It's one of the
reasons why, you know, you know, you don't want to have like a 20-year-old computer that hasn't been
updated in years because it is I I would virtually guarantee that, you know, a
computer that hasn't had an update in that long of a period of time is probably loaded with all sorts of
malware and viruses and it's just almost a it's asking to be attacked. So, um, do
be careful on that and if you're not sure how that works, um, you know, ask someone who does, just go into the settings, turn it on, and you will be
taken care of from that point going forward. So, now that we sort of taken a look at some of the the system type
risks that we face, let's let's sort of put them in the context of financial fraud because obviously we're engaging
in financial uh, activities on these devices. uh and cyber criminals know
that, you know, hey, if they I can zero in on them when they sign into their bank accounts or when they're making a credit card payment, that can be a
pretty good payday for me. So, um you know, it let's take a sort of a closer look at financial fraud and uh sort of
look at the different types, the different definitions of it. Um because obviously it takes many forms and
unfortunately the the victimology, the dollar figures continue to go up, uh as time goes on. Um, so you know, one of
the key sort of threats that we face in sort of the financial space is your data, identity theft. And so whenever
you hear of a data breach, really what cyber criminals are going are going after is your information. So it could
be as simple as your name and your phone number or your email address or or your physical address or it could be
financial information, what bank you're in, what authentication information do you have on it. It might seem innocuous,
but over time those pieces of information, they give cyber criminals a lot of ammunition to launch very
targeted attacks against you. And so, um, you know, you always think about you when you sign up for something, what
information am I giving up? Um, do I trust them? Do I trust that they will secure that information? What am I
getting back in return for that? Um, because often data is the fuel for this kind of thing. um credit card fraud.
We're obviously we're seeing that skyrocket because increasingly we're engaging in e-commerce and and you and using our credit card numbers online to
pay for this. Uh I I I can't tell you how often I see people sharing photos of their their messy desk with a credit
card sitting on top of it with the number in full view. um or they will share it online in a message on in say
Facebook messenger or you know in an on from an unsecured email which of course then can very easily be picked off if
you're not using appropriate password protocols. So um you know the the relative ease of paying via credit card
online uh makes it an absolute target for cyber criminals and that credit card number with the security card number and
the expiry date that information in the hands of the cyber criminal is absolute gold. um investment scams. I'll tell you
the story of my aunt and uncle uh who uh you know would were would business with someone they thought they knew, friend
of a friend uh with a really great return rate, but it turned out it was not a sanctioned uh transaction and they
ended up losing uh more money than I care to even imagine. And it was heartbreaking to see them go through that uh all because they didn't do their
due diligence. the digital signs were there. Um that you know the the the uh
the uh the uh reports that they were getting on the size of their account uh were not legitimate. They didn't tie
back to actual accounts. Uh that the links were from non-legitimate sources, but by the time they realized that it
was a scam, it was too late and they had no recourse. Um, you know, and you know, real estate title fraud. This is an
interesting one because again, um, you know, if your information is out there and you're it's not controlled, it can
be used by a third-party actor, by a malevolent actor, a cyber criminal, um, to essentially register your property as
theirs. Uh, and you can find that literally the the carpet pulled out from under your feet before you even realize
that you have a problem. Information is power. Uh, everyone's information is worth something. And if we aren't
securing it on our devices in our day-to-day practices, we could find ourselves in some s some very serious
trouble. Um Andrew, have I gotten sort of everything on that before we move on to monitoring?
Uh yes. Uh yeah, I think you've covered
it here. Uh couple of questions that we'll get to here. Uh talking about the
grandchild in the hospital, the panicked phone call, and we are going to be speaking about that. Uh a question about
how to safely use ChatGPT. A very good question. I don't know that we'll necessar we won't likely have time to
address that type of question in this uh in this uh session, but I know that
perhaps we can have a followup uh presentation on artificial intelligence. Uh Carmy would be a great uh a great
person to speak to that. Uh so I'll just flip to the next slide here.
Awesome. Yeah. Yeah. Uh, not to scare anybody here, but the the addition of AI
into sort of the technology space, uh, it it it raises the stakes. It makes the
threat landscape that much more threatening. Uh, and it gives powerful new tools to malevolent actors, to
criminals. So, it's certainly something we want to keep our eyes on. Um, so, you know, this is this should be a
no-brainer, but a lot of people overlook this all the time. they don't monitor their accounts as closely as they can.
And you know, you don't have to wait for, you know, you it's 2025. We no longer wait every month to get a
statement from our bank. We can check online anytime. Uh and what cyber criminals often do once they gained
access to an account is they will test their access. They will make very small transactions uh involving small dollar
amounts just to see if it works, just to see what they're able to do because most of us aren't paying close enough
attention and we don't notice that. Certainly, if they if it's a large dollar amount that moves our our balances uh significantly, that would
get our attention. But if they stay below the radar and we're not really focusing on it, uh they can get away
with a lot and then of course their last transaction will be the big one that hurts. Um so most accounts have alerts
built into them, but they're not turned on by default. Uh and so this is something that you want to go into the
settings and turn on. And if you're not sure, uh do what I did. I went to my bank, my bank branch, spoke to my
manager, and I said, "Walk me through it." And he happily did. Uh, and it's probably not a bad idea to do that, you
know, every once in a while because the apps are always changing, and your financial expert is there ready to kind
of walk you through it. um Equifax and TransUnion, those those are the two biggest credit bureaus. They have tools
um that are attached to your credit file and can be used uh to detect uh strange
or anomalous behavior on it uh and can protect your credit rating uh from
damage in the in the event that you are victimized. And so again, these are available to all of us. It's sort of
part of the credit rating system. Uh but uh you you're you know, they're not
turned on by default. we have to go in and reach out to them. Um there also there's title insurance uh that can
protect your property from you know this kind of incursion. Then there's also identity theft insurance um for which
for a lot of people is a rider on a traditional uh insurance uh uh policy. Uh and considering the potential for
damage in this digital age might be worth having a conversation with uh you
know about with your broker. Um because obviously recovering from this kind of thing, the damage isn't just financial.
Uh it is to your personal brand. It is to your credit rating. Uh it can affect you on a number of ways. And so digital
f you know digital friendly insurance of this type can certainly go a long way toward cutting down the risk if the
worst does happen.
I can just a couple of things uh as well here. Setting up account alerts on like
your bank account, your credit cards, uh, incredibly important. And these are
alerts that you're getting as either text messages or email notifications whenever a transaction occurs on those
accounts, a bank account, credit cards. Uh, I really I I really encourage everyone to do that to review those
accounts online on a regular basis. And I mean like every few days, every maybe
every day or weekly. Um and and then I think most most people now are aware
that of the data breaches at at a whole slew of different companies. Uh you
know, I had one our our car and uh our auto and home insurance provider. They
were uh they were hacked and now I've been with TransUnion and Equifax for a
couple of years for monitoring. So that's becoming a pretty regular occurrence unfortunately. And I think
many people now are getting these sort of two-year, three-year, free setups with those credit agencies. Uh, National
Bank offers a service called Secure Zone that that actually brings those two together into quite quite a nice
website. Uh, so that's an interesting service to consider. And, uh, identity
theft insurance. Um, I think if you if you think about if your if your identity is stolen, the time and the cost that
goes into repairing that, correcting that is extensive. And the title or
pardon me, the identity theft insurance can cover you for, you know, tens of thousands of dollars of cost. Not to
mention the fact that people that deal with this every day are the ones that will be looking after restoring your
identity. and they they know the ins and the outs, where to go, who to speak to, what to submit, all of these different
uh aspects of it. And uh that could be a real uh a real benefit to consider.
Yeah, definitely worth every penny. And certainly I've had a front row seat to uh some pretty heartbreaking cases uh
involving identity theft and financial attack and recovery from it is uh brutal
on a good day. uh and certainly having resources like this in your corner can go a long way toward uh facilitating
that recovery. Um you know one sort of area of risk that we often don't uh pay
attention to is uh just securing our data after the fact. So you know long ago you know you would see and you still
do see you know these these shredding trucks show up at businesses to to destroy sensitive documents. You should
have a similar plan for your own documentation. Um, you know, some nights I I I I have a Ring doorbell and the
footage when it's recycling night is actually quite frightening. Strangers walk up to my uh my recycling bins and
they go through them looking for papers with identifying information on them and they go down the street uh and many many
people are just putting information in there. So, use a shredder. Uh, you know, Andrew recommends a crosscut shredder
and uh and my wife swears by ours. Uh so uh you know it's it's easily the
probably the most cost-effective appliance that we have in the house because we use it for everything. And then you want to apply the same you want
to apply the same logic to your online information. You know how many times do you know do we just sort of save files
on hard drives or external drives or flash drives or even in in cloud accounts and then we kind of forget them
there. Uh and so you really do want to kind of have a sense of what am I storing? Where am I storing it?
increasingly if you're using say Microsoft Office they've moved all of that into the cloud and so if you're not securing your Microsoft Office 365
account um that information is now out there and it's vulnerable if there is an if there is ever an attack or or a
breach and so pay attention to your to to your your data make sure that it's secured make sure it's done so in a
comfortable way that still ensures that you don't lose it all if there is a a phys you know if let's say the drive
fails you still want to make sure you have backups but you don't want to lose control over it because in the hands to the stranger that can do do some very
serious damage. Um if we can move to the next slide and this is again most of us are you know
we're engaging in transactions all the time certainly during the pandemic uh we would go months without physically going
into a store. Everything that we bought was online. Um and so you know you want to use an acknowledged platform. So you
know built into your iPhone is Apple Wallet. Built into your Android phone Google Pay. PayPal is a payment platform
that's been around for a long time and is fairly secure as well. So, you want to make sure that you're using known uh
platforms with built-in security to keep things as safe as possible. Uh your
antenna should be going up if say you're buying or selling something on Facebook Marketplace and the person insists on
gift cards or some download some app that you've never heard of before. Be incredibly wary of deviating from the
tools that you know and trust. um you know online as well. Never buy anything
with a debit card. Uh reason being is credit cards have protection built in if a fraud does occur whereas debit cards
the money is taken right from your account and there is no recourse. So uh you know bottom line there is debit
cards are super convenient but not for online transactions. They're way too easily breached and soon to say that in
a in you know in a conversation uh you know criminals know that you're an easy mark. So please don't go there. I don't
I don't those are stories that absolutely break my heart. Um so you know again sort of if we can go to the
next slide um please just about unsolicited messages we have to disavow ourselves of the notion that uh you know
legitimate companies just will send us messages out of the blue for whatever reason that almost doesn't happen. And
so even if it looks like it's my bank or my financial adviser who are trying to get a hold of me uh I I will usually
view them with suspicion and then I will contact them directly. In other words, don't use the contact information in the
email or the message, but instead, you know, if I'm calling Andrew, I have Andrew's number. I will call him and
say, "I got, you know, it looks like I got an email from you. Is that in fact legit?" Uh, and Andrew will be able to
tell me, "No, we never sent you that message. Good thing you dodged a bullet." So, uh, you know, don't be
afraid to, uh, feel embarrassed if you don't respond to an email. You can be an
impolite Canadian. I give you permission to do so. Um and and you know my family we have um
we have code words um and so uh you know for example you know grandparent um
scams, right, grandparent gets a message uh their grandchild has been in an accident and needs money to you know get
the car uh you know pulled out of the ditch or uh committed a crime and needs money for bail. Um yet you know if you
know where you know my kids or we all have a password uh a code word uh and so if that ever happens uh then our kids
you know if I ask for the code word and they don't know it I know that it's false um in cases like that what you
want to do and thanks to AI um they can actually replicate they can voice clone your voice from a few seconds of footage
that they found online in a YouTube video and then it actually sounds like your grandkid but it isn't. Uh but it's
so real that you're emotionally uh upset and you make rash decisions and you start you start pulling money out
because you want your kid to be okay. So um bottom line here is is same deal. If you get one of those emergency calls,
you want to bail on it. You want to contact that that member of the family directly and ask them if they're okay.
If you don't hear that code word, you know full well this is an absolute ripoff. So again, the techniques are
becoming a lot more sophisticated over time. uh and cyber criminals are using artificial intelligence to you know
really put us in terrifying situations uh where you know we're possibly not making the best possible decisions. Uh
so if you can flip to the the next slide please we'll talk about sort of what you do if you are uh in fact compromised.
Um and what we've done in our house is we've actually itemized we have um like
documents uh that we keep on the fridge of you know uh our our bank our bank
branch manager um our financial advisor. So all the key contacts that we would
need to contact in the event of uh some kind of event. Uh we know who to call in
what order. Um we have contact information for law enforcement. Uh, and we also have contact information for
both Equifax and TransUnion for credit bureau. So, um, you know, it might seem a little weird to put that on on the
side of your fridge, but it certainly does help. We, you know, we have we have an action plan for, heaven forbid,
there's a fire or a flood in our neighborhood. Uh, we should have an action plan for a financial or a data
disaster as well. And having all that information on hand, pulling it out, um, it can save you a lot of hassle if in
fact you feel that you need to reach out when an event does occur. And then uh so next slide please. And
then longer term if you are in fact targeted you know the things that we can do again learn how a credit freeze
works. Learn how you would you would implement one if you needed to. Um understand what the options are for
identity theft protection. Know who you would contact within your particular financial institution. This is what
financial advisers are there for. They answer those questions uh fairly and
impartially. And frankly, mine's an absolute superstar and Andrew clearly is as well. Um, so, you know, be lean on
them for that kind of guidance, too, because they're hearing these stories every day in their practice and they can
certainly share that with you and recognize that cyber crime is a constantly evolving thing. So, you know,
we have best practices in place today. Um, but over time obviously those best
practices will have to evolve as the criminals get better at what they do as
they use AI in ever more creative ways uh to pretend to be legitimate sources
to get inside that trust circle of ours. So, if we can uh pop over to slide 17,
we'll sort of just take a quick look at some of those best practices which we've touched on, you know, all all through
here, but this is probably a really good slide to print out and kind of put in a prominent place just so that you kind of
have a sense of these are the, you know, the top 10 things that you want to be doing to make sure that you're minimizing your risk as much as you
possibly can. Um so uh Andrew so just if we can um
switch to the next slide just kind of the conclusion just to kind of re revisit our agenda sort of make sure
that you know we covered what we felt we wanted to we wanted to understand what a
cyber attack was uh and recognize that it's happening to us even if we think it
isn't. Uh, in fact, our inboxes probably already have examples of it right now,
and we protect ourselves by being able to identify them and stopping them cold. Recognizing that increasingly cyber
cyber fraud uh, and cyber attacks are taking on a financial uh, component
simply because we're doing all we're living our financial lives online. Cyber criminals recognize that they're taking
advantage of weaknesses in the technology and our behaviors to, you know, go after those vulnerabilities.
Cyber criminals are not these, you know, brilliant masterminds that you see in the movies. They're looking for the
easiest mark. So, if you make life a little bit hard for them, uh they will in fact look to the next one. It's like
all those houses on the street, the house with the alarm system and a couple of locks on the front door and, you
know, maybe secured windows and some cameras on the outside, they're going to avoid that house and they're going to go after the house with the easily breached
front door and nothing else on it. So, uh, you don't have to be the the fastest, you know, person in the
neighborhood. You just have to be a little bit faster than the slowest and that'll keep you protected. They go after the easiest mark. Um, and then,
you know, recognizing that a lot of the stuff is a little bit annoying, you know, because, you know, you've got to invest time and energy and sometimes a
little bit of money um to, you know, put these protective measures in place. But when you compare the upfront versus what
it would cost you to recover from a cyber attack, recognize that it is a lot easier. you know, it's it's insurance.
You can pay me now, you can pay me later. Uh the upfront investment is a lot smaller than what happens if a
disaster actually befalls you. So, take the time. It's absolutely worth it. Uh and then, you know, making sure that you
have a disaster recovery plan for things like fires and floods. You want to apply the same kind of logic and the same kind
of, you know, planning rigor or methodology to cyber attack awareness,
cyber crime awareness as well. And if you have those conversations with the members of your of your family, you
stand a much lower chance of being victimized. No matter what kind of attack attack it or form it takes on, no
matter what kind of what kind of what we like to call attack vectors the cyber criminals are using against us because
they are a wily group. They're constantly changing their approach. But if we've got our eyes wide open and we're having
conversations with the people who matter most, we stand a reasonably good chance of sending them off and letting someone
else be the victim instead of us. So that's uh I I I unless I've I've I've
missed something. I think that again, you know, this is introduction to cyber crime. It's it's it's you giving you a
sense of what that awareness is. Keep in mind this starts a conversation. So this is probably a really good conversation.
You can continue with Andrew. You can certainly seek me out. Uh my my contact information is available online if you
have further questions. I always welcome u questions from you. I always do my best to respond to them. This is the
kind of dialogue that keeps me going and quite frankly informs the kind of coverage that I provide going forward.
So absolutely do not be shy and please know how thankful I am uh to all of you
and especially to Andrew for the invitation but also to all of you for taking the time uh to be part of this
conversation and hopefully the way I see it. This is an ongoing conversation and I'm already looking forward to the next
chapter. Thanks very much.
That was excellent, Carmy. Thank you so much. Uh honestly, I think there's uh
there's just so much uh information to uh to consider when we think about uh
when we think about cyber crime, cyber attacks, financial fraud. Uh there's you
kind of have to think about what are the different um avenues that a criminal could take to attack me and my family
and what what steps do I need to take to uh protect against that? and if the worst occurs, how do I address it? And
Carmy's given us a lot of great information there. And I think there's a
lot to to sort of take away from this whole presentation. And not just only on
the uh on the technology side, uh but also on sort of the the the you know
insurance side. Uh, I think that that uh unique password or phrase uh with family
members and friends perhaps that's something that's kind of new to me at least where it's really becoming
necessary because as we touched on the the grandparent scam uh is
becoming more common and actually there was a story not too long ago of a lawyer
a very successful accomplished lawyer around I think he was in uh mid-60s or so
and he gets a call from his son or what he thought was his son uh and and he was
testifying before Congress actually to this effect. He was get he got a call from what he thought was his son saying
he was in trouble. I think it was a case where he was in jail. He needed money for bail and then there was an
intermediary who was getting involved to to you know move money to quote unquote
the bail bondsmen. And anyhow, the the the father was ready, just about ready to hit the the send button on a lot of
money going to this this criminal organization. And then the son calls and says, "Dad, it's me. I'm fine. You're
being scammed." And you know, so it's so it's so um uh sophisticated that so many
people can fall prey to it. And I think having that password or phrase established, that challenge password,
that challenge phrase established can can avoid a lot of that risk. So perhaps
consider doing that along with all of the other suggestions that Carmy uh has shared with us especially around alerts
uh on your on your bank accounts, your credit cards, especially around uh getting set up for credit monitoring uh
considering the title insurance, considering the insurance for identity theft because if that happens uh that
can become a real savior and uh so a lot of good information. Carmy, I want to thank you again for uh coming on today
and sharing all of this wonderful insight with us. You're a tremendous presenter, a tremendous speaker, and I
want to thank everyone here uh attending uh very much for sharing this time with us. And if there are any follow-up
questions, please don't hesitate to send me an email. And uh if I can answer it, I will. Of course, if it's better for
Carmy, I'll share it with him. And uh we want to just uh keep everyone informed and safe uh as best we can.
Thanks again, Carmy. And uh I'm going to end the presentation here. I want to thank everyone again. Have a great
evening.