Stay Safe Out There

Adam M. Grossman

SOME YEARS AGO, an elderly neighbor came to our door, asking for a favor. She was looking for packing tape because she’d sold her television and needed to ship it. She went on to say that the buyer, whom she’d found on eBay, was in Nigeria. It was, of course, an obvious scam. But for whatever reason, she couldn’t see it.

Today, scams like this are better known and easier to recognize. But what makes online fraud such a problem is that the crooks are always developing new tricks.

Consider the latest incarnation: text messages that purport to be from Fidelity Investments. One reads: “Your investment account is locked due to unauthorized activity. Resolve before your account is suspended.” These messages look reasonably authentic, but they include a fraudulent link designed to steal users’ Fidelity login credentials. Recently, several people have forwarded me copies of messages like this, asking if they’re real. It can be difficult to know, especially because they include the Fidelity logo.

How can you protect yourself from bad actors? For starters, employ all technical means available. Use a password manager to generate very long passwords. Turn on two-factor authentication, ideally using an authenticator app rather than text messages. For sites that offer passkeys—an advance over traditional usernames and passwords—I favor using this option.

Depending on your bank, there may be further tools available to monitor for anything unusual. You can set up text alerts to notify you when funds are transferred out of your account or when a particularly large purchase is made with your debit or credit card. To guard against a type of fraud known as check washing, some banks allow you to preview checks online before they’re paid.

Technology isn’t infallible, though, which is why I recommend other steps to toughen your defenses:

  1. To further guard against check washing, be sure to use a gel pen when writing checks. These are easy to find, and their ink is more difficult to tamper with.
  2. Don’t feel compelled to respond to inbound communications, whether it’s an email or text message. If a communication asks you for financial information—or even asks you to click on a link—don’t do it. If you aren’t sure whether the communication is authentic, call the institution using a number you have on file or look up the number on the company’s website. Even with this step, you’ll want to be careful. Fraudsters often set up sites that look just like real banks’ websites, and they even employ what’s known as search engine optimization to make their fake websites appear in search results. My advice: If you want to go to a bank’s website, enter the address directly—chase.com, for example—rather than searching for “Chase Bank.”
  3. Recognize that voices and even video can be mimicked today. So can caller ID. No matter how authentic folks might sound on the other end of the phone, be cautious. If they’re asking questions, don’t hesitate to hang up.
  4. If a communication purports to be from an institution you don’t deal with, feel free to ignore it.
  5. Also ignore communications that seem innocuous but are odd or out of the blue. A scheme known as “pig butchering” typically starts with a simple text message. One I received recently read, “I noticed your number in my contacts. Can you remind me of your name?” They’re attempting to draw people into conversation and, ultimately, into a financial trap. The best response is to simply delete the message. Depending on the messaging app you use, there may also be a link to mark the message as spam. That will help slow the spread of similar messages.
  6. Don’t panic or act in haste. Fake communications often employ urgency, warning that an account will be locked, for example. If an incoming message is asking you to move fast, instead slow down. Ask yourself whether the request really makes sense.
  7. Be wary of anything that appears implausible. Some years ago, I saw a woman send money to an address in Jamaica because she’d received a call letting her know she’d won a raffle. To claim the prize, she would just need to send a few thousand dollars in advance to cover “administrative expenses.” In this case, it made no sense because the woman hadn’t even entered a raffle—and certainly not one in Jamaica.
  8. Don’t use a debit card to make purchases. Instead, use a credit card. That way, if your card number is compromised, it won’t affect your bank account.
  9. Examine links before clicking. In the texts pretending to be from Fidelity, the links were a clear tip-off. None included “fidelity.com.” In emails, fraudulent links aren’t as easy to spot. But if you hover your mouse over a link, you should see in the lower-left corner of your screen the web address to which the link is pointing. If that address doesn’t look right in any way, don’t click.
  10. Because of past data breaches, it’s easy for crooks to acquire personal information. They might have your bank account number or even your Social Security number, and they can use that information to make themselves appear more legitimate. Don’t let them fool you.

Worried that you may have already given up information to a bad actor? Depending on the situation, I suggest these steps: Change your account passwords, order a new credit or debit card, keep a close eye on transactions in your accounts, and put a fraud alert or a freeze on your credit report. To place a fraud alert, you need only contact one of the three major credit bureaus, Equifax, Experian or TransUnion. They’re then required to notify the other two. But to place a credit freeze, you’ll need to contact all three separately.

Adam M. Grossman is the founder of Mayport, a fixed-fee wealth management firm. Sign up for Adam’s Daily Ideas email, follow him on X @AdamMGrossman and check out his earlier articles.

16 Comments
Jon Daley
8 months ago

My mom opened a second account with a limited amount in it after my father just barely missed being taken in. He allowed them to screen share and they edited a screenshot of his bank statement or something and “proved” that they had accidentally deposited a large amount into his bank account that they needed him to return via money order to Nigeria.

He was driving to the bank when my mom found him. The bank said that while they can’t legally stop someone from doing that they do try to keep the seniors from getting scammed.

He falls for it every time, and he used to be a software developer.

David Powell
8 months ago

You really do not want to tap or click on ANY links, in text or emails. Launch the app for that business or point your browser at its official web site, from your bookmarks, and log in. If there is a legitimate issue, you will find an action alert after logging in.

G W
8 months ago

Curious, if you use auto-fill for your login ID and password for an account and receive a bogus link via email to login, would your personal device security deny the attempt because certain things are not recognized or found in the bogus link or bogus look-alike website? Not that one should rely on this possible “feature” as another level of security. I’m more curious where the secret handshake occurs (if any) in the process to validate or invalidate the site using auto-fill.

Indeed, it’s best to never click on a link if you can’t be sure of its legitimacy, but as stated elsewhere, the crooks are getting better in advancing deception.

Jon Daley
8 months ago
Reply to G W

Correct. It wouldn’t deny it, but it wouldn’t auto-fill by default because the domain is incorrect. And yes. I wouldn’t want to count on this “security”.

Examining the links is the way. I get lots of emails from people asking me to check them out, and I think it must be hard for people to see the From addresses for some reason. My email clients always show the From address, so it is trivial to see forgeries.
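The two points above, the article’s item 9 (“none included fidelity.com”) and the autofill behaviour Jon describes, come down to the same question: what host does the link actually connect to? This is an added example in Python, not code from the article or its commenters; it parses each link the way a browser does and asks whether the connecting host is the expected domain or a subdomain of it (the same match a password manager keys its autofill on), and shows why simply looking for the string “fidelity.com” is not enough. All sample links are constructed; fidelity.com is the only real domain used, because the article names it.

```python
"""Judge whether a link really points at the institution it claims to.

Added example, not from the article. Sample links are constructed; the
only real domain used is fidelity.com, which the article names.
"""
from urllib.parse import urlsplit

# Domains the recipient actually does business with (here: the article's example).
EXPECTED_DOMAINS = {"fidelity.com"}

# Constructed sample links, modelled on the alert texts the article describes.
SAMPLE_LINKS = [
    "https://www.fidelity.com/",                            # genuine host
    "FIDELITY.COM/login",                                   # no scheme, odd case
    "https://fidelity.com.account-alert.example/resolve",   # real name used as a subdomain prefix
    "https://fidelity.com@account-alert.example/",          # real name in the userinfo part
    "https://notfidelity.com/",                             # real name as the tail of another host
    "https://secure-fidelity.example/",                     # look-alike name
    "https://short.example/x9",                             # shortener: destination unknown
]


def hostname_of(url):
    """Return the lower-cased host a browser would actually connect to, or None."""
    if "://" not in url:                 # treat a bare "fidelity.com/..." as https
        url = "https://" + url
    host = urlsplit(url).hostname        # strips scheme, userinfo, port and path
    return host.rstrip(".") if host else None


def naive_check(url, domain):
    """The intuitive test from the article: does the link include 'fidelity.com'?"""
    return domain in url.lower()


def host_is_under(host, domain):
    """True only if host IS the domain or a subdomain of it (what autofill keys on)."""
    return host is not None and (host == domain or host.endswith("." + domain))


def verdict(url, expected=EXPECTED_DOMAINS):
    """'expected' if the connecting host belongs to a trusted domain, else a reason."""
    host = hostname_of(url)
    if host is None:
        return "unexpected (no host)"
    if any(host_is_under(host, d) for d in expected):
        return "expected"
    return "unexpected (host is %s)" % host


def compare(urls, domain="fidelity.com"):
    """Return (url, naive_result, proper_result) for each link."""
    return [(u, naive_check(u, domain), verdict(u) == "expected") for u in urls]


if __name__ == "__main__":
    for url, naive, proper in compare(SAMPLE_LINKS):
        print("%-55s naive=%-5s proper=%s" % (url, naive, proper))
```

Five of the seven constructed links pass the naive substring test, but only the two whose connecting host is fidelity.com itself pass the proper one.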

Joe Cyax
8 months ago

Adam,

Thanks for another one of your periodic articles on good security practices. Your article of last year (https://humbledollar.com/2023/09/stop-bank-robbers/) got me moving to change some of my account access procedures.

Regarding item #1 in your list about check washing, someone else on HD had posted a suggestion that I subsequently did and I think bears repeating. Since I have one primary account where most money comes in and goes out of, it would be quite a mess if that account got caught up in a check-washing scheme – if the account was frozen all my automatic deposits, bill payments and such would have to be reconfigured. The answer was to establish another checking account, at the same institution, and use the 2nd account ONLY to write checks from. I keep only a small amount in the second account. If I am about to write a check, I transfer that amount into it to cover the check.

Another issue is 2FA (2nd factor authentication) using cell phones because of the potential for SIM-swapping. As you pointed out in your 2023 article, cell phone numbers can be hijacked and used to reset your account passwords. And yet, not all financial institutions allow use of non-text based 2FA. While my cell carrier requires a PIN over the phone for verification of the caller about the account, that still relies on a human to accept the PIN or not, and humans are generally subject to social engineering, so I don’t want to completely count on that.

Anyway, a solution to that is to establish and use a Google Voice number for 2FA that is itself only authenticated using a password and a hard authenticator such as a YubiKey. I have done so for all my financial accounts. Thus, if someone were to hijack my and my wife’s cell phone numbers, they still could not get 2FA to any of our financial accounts. On accounts that allow use of it, I use only a password and YubiKey for 2FA, with no phone numbers involved.

I also use passkeys when allowed, but, quite frankly, I am still not sold on the safety of biometrics for validation, and so have avoided all use of biometrics thus far. Perhaps someone can enlighten me, but I still see the potential for fingerprints, facial recognition, et al., to be spoofed, and, I don’t know how one could recover from that since I can’t change my face (as much as others might want me to).

On item #8, debit cards are just a fraud waiting to happen. I agree to not use it for purchases. I only use it for ATM withdrawals, and, when I am not withdrawing from an ATM, I “lock” the debit card using the online feature at my bank. Unlocking it prior to a withdrawal takes only a minute.

On item #10, I think, in light of all the huge security breaches in the past year or so (I have received at least 3 letters this year advising me of my data potentially being compromised, one at a company I have had no interaction with in perhaps 15 years), I believe it is now realistic to assume that all bad actors have my Social Security Number, name, home address, email, cell phone number, probably even the name of my dog and pet gerbil, and to design/use protections for one’s accounts accordingly.

In my former life, I did some work in security where the focus was on the concept of “defense in depth”. The idea is that nothing is completely secure, and, it would be virtually impossible to use (and cost prohibitive) if it was. So, you keep adding layers to make it harder, so the thief hopefully gives up and goes somewhere else.

It is a continuing battle – I have little doubt that I will need to continually change security practices and procedures, trying to always keep one step ahead.

eludom
8 months ago
Reply to Joe Cyax

Thanks for the push I needed to actually learn about/toy with passkeys. For this audience I think my most relevant finding to date is they are not supported by Vanguard, Fidelity, Etrade, Chase, PNC or most other financial institutions. Official list here: https://www.passkeys.io/who-supports-passkeys
It is supported by Google, Amazon, Apple, Walmart, Target, etc.
So if you want to use it to protect your Walmart account, go ahead, but if you want to use it for your financial assets, today, it looks like not as much of an option.

I will probably follow your lead on the Google Voice account for texting, with a couple caveats: they deleted the Voice number I had “owned” for 10 years because I missed the “please use or renew messages”, my fault. But be warned, Google has a LONG history of discontinuing useful products when they no longer drive ad revenue https://killedbygoogle.com/ Google Voice could be next.

cd65a4b585e8ec8
8 months ago
Reply to eludom

Vanguard does support Yubikey. I use it all the time to login to Vanguard.

https://www.bogleheads.org/forum/viewtopic.php?t=349826

Chris Rush
8 months ago
Reply to Joe Cyax

I’m exhausted just thinking about all you have to do to use your money! 😦

Joe Cyax
8 months ago
Reply to Chris Rush

To be fair, it is a pain to set up. BUT… years ago, perhaps about 20 years now, I read an interview with someone who had their identity stolen. This was before most people knew this could happen. Anyway, this person, due to the laws at the time (and I think still) was made “whole” again by the various accounts that had been created or hacked or stolen from – so, she ended up losing very little if any money.

BUT, the thing that struck me most, as she recounted, was that it took her about a thousand hours on the phone and over a year to get it all straightened out. That is time I would rather spend doing anything else but what she had to do. Anyway, in short order I sent letters to all credit bureaus to freeze my credit, as it has been ever since.

So, everyone assesses their own risks they are willing to take, and acts accordingly. Personally, I would rather have spent the (guessing here) 15-20 hours over the past year putting in place the stuff above than having to go through some of the nightmares I have read about. And I didn’t do it all at once. I thought about how I could implement fairly consistent measures across all my accounts that I will not have to change (too) often.

Now that it is all in place, there is no more effort to access and use the money than before. And, every time I see another data breach, I don’t get flustered, as I have done most all I can do up to this point.

In the end, if some gang of cyber thieves wants my money, I am not likely going to be able to stop them. So, OTOH, because of my defenses, if your accounts are more attractive to them, well, just sayin’ :).

Remember, your house does not have to be “Fort Knox” to deter the burglars, it just has to be more secure than your neighbors…

Chris Rush
8 months ago
Reply to Joe Cyax

All good points. I have kept freezes active on the three credit bureaus for years now. Recently, one of my credit card providers encouraged me to ask for an increase of my limit. I said: “Sure.” I figured they already knew I was a good risk. About two weeks later I received a written denial in the mail. The reason was their inability to access our credit reports. Though my and my wife’s ratings are superb (830-840; I can never figure out why we never hit 850; oh well), I didn’t want to go through the hassle of unfreezing for something that wasn’t my initiative (and I didn’t need the extra credit). I feel great that this large conglomerate couldn’t see how credit worthy we in fact are. I assumed they had more ability to pry, but here’s a little evidence to suggest that maybe there’s still a morsel of privacy in cyber-land.

eludom
8 months ago

Thanks, good list.

I spent 25 years working in cyber-security (before it was called that). Every so often, the corporate IT department would “phish” the employees. People sometimes clicked on the links, me included. This was in a population of people whose obsession and life’s work was security. I’m not betting on my own ability to avoid the ever more sophisticated scams, particularly as I age and am no longer in the thick of the latest scams as a day to day activity.

As a DIY investor, I think I have a particular vulnerability. I regularly (as infrequently as possible) make large transactions. In general, nobody is checking up on me to prevent fraud.

Not sure what the answer is, but I think that by age 70 or so I want to find a way to transfer some of the risk for large transactions/assets, possibly to someone else managing it (Trust fund? Financial planner/asset manager even if it means AUM fees).

Thoughts? Other alternatives?

Jon Daley
8 months ago
Reply to eludom

Not the point of your message, but thought you would like this story.

Our IT department sent out an email asking the workers to download the .exe and run it!

It sure looked legitimate and so I emailed them to make sure it was, and they responded, yes it was required for all employees to run this scanner and it would report back to them. I was so shocked that an IT department would do exactly what you aren’t supposed to do…

I researched how the program worked and saw that it wrote to a network share that was freely writable (and readable) by all. I suggested that they change the NTFS permissions to insert only, but they refused, so I looked through the data to see what my coworkers were up to.

When the report came back, I was not in compliance, for having various software downloaded that we weren’t supposed to have: mp3 player, Bible app, developer tools that they didn’t know about. My boss said, “kind of makes you feel violated”, but didn’t make me uninstall any of it…

My current IT department sends out obvious phishing attempts and all sorts of people click on them.

Michael1
8 months ago
Reply to eludom

I also sometimes think about having an advisor or even manager. Partially because my wife is less interested in managing investments than I am, and partially for the reason you cite. And beyond increasingly sophisticated fraud, there’s plain old cognitive decline. I think at some point it will become desirable, and it would be preferable to have established the relationship well in advance of needing it, even if that comes with paying for it before we really need it.

eludom
8 months ago
Reply to Michael1

Exactly. Same situation here.

Winston Smith
8 months ago
Reply to eludom

eludom,

Retired IT guy here too.

We are constantly “winning” things from retailers we don’t use. Or being told that we owe taxes and this or that company would kindly help us.

The scammers are relentless.

Thankfully, one of our children – whom we all agree will be executor of our estate – advises us on WHAT NOT TO DO.

I guess if we weren’t lucky enough to have a financially savvy child, we’d look for a fiduciary advisor too.

Edmund Marsh
8 months ago

Adam, thank you for this great list.
