We Would Never...

A couple of weeks ago I participated in yet another financial industry discussion about email fraud. The pandemic created huge opportunities for fraudsters of all types, and email-borne threats like spoofing, phishing, spear phishing, and ransomware are still on the rise. While much of the information was similar to prior talks on the subject, the main difference was just how good the crooks are and how targeted they can be.

Email is still an excellent way to communicate and do business; we all just need to be more careful. One of the recommendations was that financial firms like mine write up a “We Would Never…” list, detailing what we won’t do or ask for when communicating with you via email. That way you’ll know any email is probably fake if it’s asking you for this stuff. Here’s our list and, as always, feel free to ask questions.

We Would Never…

Ask for your personal information, such as your passwords or full social security number, via email. This should be pretty obvious, but we still get folks who type out their full social in an email. The last four is fine, but not more than that. Although some email providers have high levels of security, from a practical standpoint it’s best to think of your email account as being wide open. Imagine each of your emails being viewed by a third party – do you want them to see what you’ve typed? Assuming the answer is no, pick up the phone and provide it verbally or ask for a secure link to transmit the information.

Accept instructions to link your investment account to an outside account, such as your bank or credit union, without verbally verifying with you first. Moving money electronically via the ACH system is pretty straightforward, quick, and free. We can set this up with a handful of data points and then the instructions are ready to use within a couple of days, either by you or most often by us. We gather the required information directly from you, usually via phone, and then prefill a form that you’re required to e-sign (the e-signature happens after the system verifies your identity). If you emailed all this to us, especially if I wasn’t expecting it based on prior conversations, we would verbally verify with you before acting.

Send money to 3rd parties on your behalf without your verbal and written authorization. We can easily send money to family members, charities, or others if you authorize it. But this is where things get interesting from a fraud perspective. Fraudsters can break into your email and patiently watch for money in motion. Maybe it’s a home in escrow, setting up ACH instructions, or sending a wire. The crook jumps into the email exchange and inserts their own instructions, hoping that sloppy procedures on either side won’t catch the change before money is sent to the fraudulent recipient.

Send you emails with our names misspelled. On very rare occasions we might slip and send you an email from our personal email address. Otherwise, emails from us are coming from brandon@, brayden@, service@, or info@ “ridgeviewfp.com”. I put the latter part in quotes because that’s our domain name and fraudsters, especially in the example above, will spoof an email address by creating a new one and slightly misspelling the domain name so that it seems legitimate at a cursory glance. They’ll even name the fraudulent email account so that it shows up as “Brandon” in your inbox. The way round this is to hover your mouse or finger over the sender name to see the sender’s actual email address. If the email seems to be from us but the address is misspelled, it’s fake. Don’t click a link or respond. Instead, forward the email to us and consider notifying your email provider. An additional step is notifying the FBI’s Internet Crime Complaint Center: https://www.ic3.gov/Home/ComplaintChoice.

Make detailed requests or send you links via text message. Texting may be more secure than email, but all of our emails are archived, and similar technology isn’t quite there yet with text messages, or at least not in my industry. In the meantime I’m happy to send basic information via text, but that’s all.

Those are some of the things we won’t do. Here’s some of what we definitely will do.

Take some instructions via email to make your life a little easier. If we’ve worked together to set up links to your bank or credit union, we’ll often take instructions from you via email to use those links to move money on your behalf. These are inside-the-box versus outside-the-box requests. In other words, email is okay if you’re asking us to do something we’re already aware of or that seems within character. I still worry about this, so we’ll call from time to time to verbally verify the instructions just to be safe.

Provide secure links to transmit information. We usually include links in an email to send documents to us via our encrypted cloud server. The links go to this page on our website https://ridgeviewfp.sharefile.com/share/getinfo/r715b255e9dd4afaa. You can bookmark this page or ask us for fresh links whenever needed.

Store your information in encrypted, two-factor password-protected cloud folders. This keeps your data safe and accessible by us from anywhere. Encryption also keeps your information 100% private, except for situations involving a court order.

Keep our tech up to date. This is an ongoing challenge, especially for someone like me who is a tech user and not an all-knowing expert. Take my note from last week as an example. I found out that my email system needed updating and ultimately hired an expert to do so. We’re taking the opportunity to add new anti-phishing, anti-spoofing, and anti-ransomware monitoring services as well. My emails might still be going to your junk folder, so look there if you’re expecting anything from me. That problem should be resolved very soon.

The bottom line is we can do a lot to protect your information and the money we manage for you, but we need your help. Please be extra vigilant when working with email. Does the email seem legitimate? Is the sender asking appropriate questions? Do instructions seeming to come from us make sense? When in doubt simply pick up the phone and verify.

Have questions? Ask me. I can help.


Contact

  • Phone:
    (707) 800-6050

Ridgeview Financial Planning is a California registered investment advisor.