Some years ago, an elderly neighbor came to our door, asking for a favor. She was looking for packing tape because she’d sold her television and needed to ship it out. She went on to say that the buyer, who she’d found on eBay, was in Nigeria. It was, of course, an obvious scam. But for whatever reason, she couldn’t see it herself. Today, scams like this are more well known and easier to recognize. But what makes online fraud such a problem is that the crooks are always developing new tricks.
Consider the latest incarnation: text messages which purport to be from Fidelity Investments. One reads: “Your investment account is locked due to unauthorized activity. Resolve before your account is suspended.” These messages include the Fidelity logo, making them look somewhat authentic, but they also include a fraudulent link, designed to steal users’ Fidelity login credentials. Recently, several people have forwarded me copies of messages like this, asking if they’re real. Especially because they include the Fidelity logo, it can be difficult to know.
How can you protect yourself from bad actors? I suggest two lines of defense. First is to employ all technical means available. Use a password manager to generate very long passwords, then turn on two-factor authentication using, ideally, an authenticator app rather than text messages. For sites that now offer passkeys, an advancement over traditional usernames and passwords, I recommend using them.
Depending on your bank, there may be further tools available to monitor for anything unusual. You can set up text-based alerts to notify you when funds are transferred out of your account or when a particularly large purchase is made with your debit or credit card. Some banks allow you to preview checks online before they’re paid, to guard against a type of fraud known as check washing.
Technology isn’t infallible, though, which is why I recommend a number of other steps to harden your defenses:
- To further guard against check washing, be sure to use a gel pen when writing checks. These are easy to find, and their ink is more difficult to tamper with.
- Don’t feel compelled to respond to inbound communications, whether it’s an email or a text message. If a communication asks you for financial information—or even asks you to click a link—don’t do it. If you aren’t sure whether the communication is authentic, call the institution using a number you have on file. Or look up the number on the company’s website. But even with this step, you’ll want to be careful. Fraudsters often set up sites that look just like real banks’ websites, and they even employ what’s known as search engine optimization to make their fake websites appear in search results. So if you want to go to a bank’s website, enter the address directly—chase.com, for example—rather than searching for “Chase Bank.”
- Recognize that voices and even video can be mimicked today. So can Caller ID. No matter how authentic someone might sound on the other end of the phone, be cautious. If they’re asking questions, don’t hesitate to hang up.
- If a communication purports to be from an institution you don’t deal with, you can ignore it altogether.
- Also ignore communications that seem innocuous but are odd or out of the blue. A scheme known as “pig-butchering” typically starts with a simple text message. One I received recently read, “I noticed your number in my contacts. Can you remind me of your name?” They’re attempting to draw people into conversation, and ultimately, into a financial trap. The best response is to simply delete the message. Depending on the messaging app you use, there may also be a link to mark the message as spam. That will help to slow the spread of similar messages.
- Don’t panic or act in haste. Fake communications often try to employ urgency, warning that an account will be locked, for example. So if an incoming message is asking you to move fast, instead slow down. Ask yourself whether the request really makes sense.
- Be wary of anything that appears implausible. Some years ago, I saw a woman send money to an address in Jamaica because she’d received a call letting her know she’d won a raffle. To claim the prize, she would just need to send a few thousand dollars in advance to cover “administrative expenses.” In this case, it made no sense because the woman hadn’t even entered a raffle—and certainly not one in Jamaica.
- Don’t use a debit card to make purchases. Instead, use a credit card. That way, if your card number is compromised, it won’t affect your bank account.
- Examine links before clicking. In the texts pretending to be from Fidelity, the links were a clear tip-off. None of them included “fidelity.com.” In emails, though, fraudulent links aren’t as easy to spot. But if you hover your mouse over a link, you should see in the lower-left corner of your screen the web address to which the link is pointing. If that address doesn’t look right in any way, don’t click.
- Owing to past data breaches, it’s easy for crooks to acquire personal information. They might have your bank account number or even your Social Security number, and they can use that information to make themselves appear more legitimate. Don’t let them fool you.
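The link check from the list above, written out as code (an added example, not part of the original article): an address can contain “fidelity.com” somewhere and still point elsewhere, so the test is whether the host the link actually goes to is the institution's domain or a subdomain of it. The trusted list and the sample links are assumptions constructed for illustration, using reserved .example names.

```python
from urllib.parse import urlsplit

# Assumption for this example: the domains the reader actually banks with.
TRUSTED_DOMAINS = {"fidelity.com", "chase.com"}


def link_host(url: str) -> str:
    """Return the lowercase host a link really points to ('' if unparseable)."""
    if "://" not in url:
        url = "https://" + url  # links in text messages often omit the scheme
    try:
        host = urlsplit(url).hostname or ""
    except ValueError:
        return ""
    return host.rstrip(".").lower()


def is_trusted_link(url: str) -> bool:
    """True only if the host is a trusted domain or a subdomain of one."""
    host = link_host(url)
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)


def untrusted_links(urls):
    """Return the links whose real host is not on the trusted list."""
    return [u for u in urls if not is_trusted_link(u)]


# Constructed sample links (not taken from real messages).
SAMPLES = [
    "https://www.fidelity.com/login",                     # genuine host
    "chase.com",                                          # typed directly
    "https://fidelity.com.account-alerts.example/unlock", # name used as a prefix
    "https://fidelity.com@account-alerts.example/",       # name placed before '@'
    "https://account-alerts.example/fidelity.com/unlock", # name only in the path
    "https://fidelity-com.example/verify",                # hyphenated look-alike
]

if __name__ == "__main__":
    for url in SAMPLES:
        verdict = "ok" if is_trusted_link(url) else "DO NOT CLICK"
        print(f"{verdict:12} {link_host(url):40} {url}")
```
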
Worried that you may have already given up information to a bad actor? Depending on the situation, I suggest these steps: Change your account passwords, order a new credit or debit card, keep a close eye on transactions in your accounts and put a fraud alert or a freeze on your credit report. To place a fraud alert, you need only contact one of the three major credit bureaus (Equifax, Experian and TransUnion). They’re required to notify the other two. But to place a credit freeze, you’ll need to contact all three separately.