CEO DailyCFO DailyBroadsheetData SheetTerm Sheet

You might not ever notice hackers stealing your retirement savings

January 29, 2020, 2:17 PM UTC

This is the web version of Data Sheet, Fortune’s daily newsletter on the top tech news. To get it delivered daily to your in-box, sign up here.

More and more, retirement savings accounts are becoming an attractive target for thieves.

Hackers gain access to these accounts by stealing people’s identities and login credentials. Either they buy databases of stolen passwords, which are traded on shady forums, or they “phish” people. The latter category involves tricking people into revealing sensitive information, often using bogus emails and fake websites.

Last night, I discussed this threat on Fox 5 NY, the local Fox News broadcast station. I told Ernie Anastos, the show’s host, that people should be wary of inbound emails telling them to take urgent action, even when they appear to come from trusted sources. Many phishing emails look exactly like they came from the real deal: your bank, brokerage, or email provider. “You have an important message, log in here to read it.” How do you know the prompt is not a fake—a facsimile—sent by a hacker? It’s almost impossible to tell imposters apart.

For that reason, it’s always best not to follow the links in such emails. Instead, go directly to the sign-in page of the website in question; type the web address into your browser. Otherwise, you might be led into a trap.

Why target retirement savings? People spend their lives accumulating wealth in 401k and mutual fund accounts. Often they don’t monitor these accounts as closely as they do other bank accounts. Lots of people simply “set it and forget it,” making automatic contributions out of their paychecks and assuming that the pot is growing over the long term.

Hackers exploit the cover of darkness. So as not to trip any alarms, they withdraw funds little by little. A few thousand here, a couple thousand there—and soon they’ve drained a substantial amount. Scammers thrive in the places where no one is watching.

How often do you monitor your accounts? Maybe it’s time to get into the habit of regularly checking in. Even better: Make sure each account is locked with a strong, unique password.

Recycling is for plastic, not passwords.

***

Before I sign off, here’s a note from Adam Lashinsky:

The Fortune extended family lost one of its best Monday. Xana Antunes, a Fortune editor from 2003 to 2008, was a lively, wise, funny, caring, smart-as-hell soul. She was a tough but compassionate editor, a friend, a mentor, and a helluva newswoman. I’ll never forget a Xana-ism I think of all the time. She told me once that very often the critical nugget of a story, the kernel that demands further exploration that can lead to even greater stories, is buried in the 17th paragraph or so. It was simply a damn practical piece of advice that prods me to keep reading. She was 55 and leaves behind a husband and daughter, born right around the time mine was. Those of us who knew Xana are passing around stories about how much we enjoyed working with her and how much we loved her.

Robert Hackett

Twitter: @rhhackett

Email: robert.hackett@fortune.com

THREATS

Facebook stalker. Everyone's favorite social media app released a long-awaited tool called "Off-Facebook activity," which tracks the many ways Facebook and its third parties track your online footprint. Try it out and bask in the sheer creepiness of surveillance capitalism. "Think of it more as a reminder that we’re all living in a reality TV program where the cameras are always on," writes tech columnist Geoffrey Fowler for the Washington Post.

Huawomp-womp. The U.S. failed to stop the UK from giving a green light to Huawei. The Brits will allow the Chinese company's equipment to be used in what they deem non-sensitive parts of the country's 5G networks. Senator Tom Cotton, a Republican member of the U.S. Senate Intelligence Committee, wrote on Twitter, "I fear London has freed itself from Brussels only to cede sovereignty to Beijing." Senator Mark Warner, a Democrat who chairs that same committee, described the outcome as "disappointing because the security risks are so well understood."

Jive turkeys. British and U.S. security agencies have uncovered a cyber-espionage campaign that has been advancing the interests of the Turkish government, Reuters reports. Since early 2018, the hackers have targeted at least 30 organizations, including Cypriot and Greek government email services and the Iraqi government’s national security advisor, the newswire reports. The hackers used a technique called "DNS hijacking," which involves subverting key pieces of Internet infrastructure that match websites to web addresses. 

Avast ye, matey. Avast isn't the only "security" company that has been caught sharing people's data for commercial purposes. Noonlight, a company that provides a "panic button" for users of swipe-and-smooch app Tinder, has been sending people's information to Facebook, YouTube, and others, Gizmodo reports.  (In the meantime, Tinder is adding its own in-app emergency button.)

SextPanther, nice.

ACCESS GRANTED

Last week we discussed the alleged hacking of Amazon founder Jeff Bezos's phone by a WhatsApp account used by Saudi Crown Prince Mohammad bin Salman. Now a New York Times reporter covering the Saudi royal family says he, too, was targeted by Saudi spyware. You can read his personal account here, or a report about the attempted hack in Citizen Lab, a spyware research group based out of the University of Toronto, here. Below is his personal account.

On June 21, 2018, I received an Arabic text message on my cellphone that read: “Ben Hubbard and the story of the Saudi royal family,” with a link for a website, arabnews365.com.I had been writing extensively about Saudi Arabia, including its royal family, and at first glance the link appeared to be a Saudi news story about my coverage — a subject that would normally grab my attention.But it also struck me as fishy, so I refrained from clicking and decided to investigate. That led me to the booming market among governments for hacking technologies and a lesson in how easily the most intimate information on our phones — chats, contacts, passwords and photos — could become a target.

FORTUNE RECON

Hackers had a banner year in 2019 by Chris Morris

The A.I. in your workplace by Ellen McGirt

Apple’s iPad turns 10: Experts look at the decades behind and ahead by Don Reisinger

Facebook’s appeals court for questionable content takes shape. Here’s what you need to know by Danielle Abril

Wawa Breach: A hacker is selling 30 million stolen credit cards on the dark web, cyber experts say by Jeff John Roberts

What Walmart and Target need to do to stay on top in a reshaped retail world by Phil Wahba

A.I. is unstoppable. And A.I. is struggling. by Jeremy Kahn

ONE MORE THING

Sara Morrison, a data and privacy reporter at Recode, fell victim to hacking too. She explains how it all went down in this post. You can learn from her lessons: Use a password manager, set up two-factor authentication on your online accounts, and, this one is good, don't save your credit information everywhere online. Of course, if you're a regular reader of this newsletter, you may have heard these tips before!