As I’ve written before, the most common financial planning mistake I see is to spend too much time focusing on asset allocation (or investments more broadly) and tax planning, while leaving one or more other major parts of the financial picture unaddressed. That’s often estate planning, some gap in insurance coverage, or spending tracking. But it can also be major gaps in cybersecurity/anti-fraud practices. So on that note, this article is the first in a series about cybersecurity/fraud prevention.
A long-time Oblivious Investor reader recently wrote in to share that he and his spouse had fallen victim to a fraud that resulted in a theft from one of their IRAs at Fidelity (which, as discussed below, was not reimbursed). The total loss was “only” about $4,000. But it absolutely could have been much worse.
Here’s how it played out.
John and Rachel (not their real names) had just returned from a trip abroad. Rachel received the following text:
If you can’t see the image, the conversation reads as follows:
Incoming text:
Fidelity ®: Did You Attempt A Transaction of $374.52 At MODERN FEMME FASHIONS 12/02/2025 (EDT).
Reply (YES) if Recognized.
Reply (NO) if Unauthorized, A Call Will Be Generated To You Momentarily
Outbound text:
No
Incoming text:
Fidelity ®: Thank you for confirming. Please hold for the next available agent to assist you.
After that text exchange, Rachel received a phone call as indicated. At the outset of that call, the agent said that, in order to confirm her identity, Fidelity was going to send her a 6-digit code and asked her to please read it back to them. Rachel received the code and read it back to the agent on the phone.
And that was it. As of that moment, the fraudster was able to access her Fidelity account.
The thief promptly initiated a few money transfers out of the account. Fortunately, John promptly noticed what was going on and contacted Fidelity. Fidelity was able to recover one of the transfers, but the other two (totaling ~$4,000) were not recovered. And because the theft involved the victim unintentionally sharing login information with the thief, Fidelity did not reimburse John and Rachel for the theft.
Why was it only $4,000 that was stolen, when there was much more in the account? (Even the cash balance at the time far exceeded $4,000.) I’m not entirely sure. I think the thief must have intentionally chosen a low amount to hopefully not trigger any alerts on Fidelity’s end. But the situation clearly could have been much worse.
How the Fraud Worked
When we log into an account (if not using a passkey, which is a topic for another day), we provide username, password, and the multi-factor authentication (MFA) code. So we might think of all three as being necessary.
But the thief didn’t need Rachel’s username or password at all. All they needed was the six-digit MFA code.
If that sounds surprising to you, take a look at the password-reset forms for any number of financial institutions. (Here’s Vanguard’s for instance. Here’s Fidelity’s.) Take a careful look at the information they ask for. For many financial institutions, the form requires:
- Name,
- Date of birth,
- Social Security number (or last 4 digits of Social Security number), and
- Zip-code.
After you enter that info, they send you a 6-digit code. And after entering that code, they let you reset your username and/or password, or perhaps they display your username on the screen in plain text and allow you to pick a new password.
And, unfortunately, for most of us, all of that information is available for purchase on the dark corners of the internet, due to large-scale security breaches that have already happened. In the 2017 Equifax breach alone, approximately 147 million Americans had their name, DoB, SSN, home address, and phone number stolen. That’s roughly 43% of the U.S. population in just one data breach. And there have been tons of other breaches.
In other words, for most of us, a thief has everything they need to get into our accounts, other than a 6-digit multi-factor authentication code.
We deal with MFA codes so often that they feel commonplace, mundane, disposable. But they’re the keys to the kingdom. It’s not an exaggeration to say that MFA codes should be guarded more closely than your Social Security number.
“We’re Contacting You About Fraud” Is Itself a Red Flag for Fraud
The readers in this incident are far from the only people to be defrauded by someone posing as their financial institution and warning them about fraud. It’s a very common tactic. Here are two other examples, if you’re interested in similar stories:
“We’re contacting you about a suspected fraud” is itself a great way to defraud somebody, for two reasons.
Firstly, it gives the fraudster a plausible reason for the initial contact to the targeted person.
And secondly, it puts the targeted person in a mindset of wanting to take prompt action, in order to stop the supposed fraud — thus making it easier for the fraudster to get the target to follow instructions. It might even be effective enough to generate a panic/fear response in the target, thereby inhibiting clear thought.
What To Do When You’re Contacted
When a financial institution with whom you have a relationship reaches out to you (whether about a suspected fraud or about anything else):
- If it’s a phone call, take down whatever information they give you. (Or frankly just don’t answer the phone if it’s from a number you don’t know. Just listen to the voicemail, if they leave one.)
- Regardless of method of contact, do not give them any information. No information whatsoever. Not your date of birth. Not your Social Security number. And absolutely not a multi-factor authentication code. Give them nothing. Truly, nothing. If it’s a text, do not reply. If it’s an email, do not reply to the email.
- If it’s an email, do not click on any links in the email.
- Then reach out to a trusted phone number that you already have for that financial institution. If it’s your bank, call the number on the back of your credit/debit card. Or directly type in schwab.com (or whatever is the applicable website), and find the applicable phone number there. And once you know you’re actually in contact with the right organization, ask them for details on the situation.
There are plenty of other things you can do to reduce the likelihood that you’ll fall victim to theft/fraud. And we’ll get to many of those things in upcoming articles. But because I know many of you will ask, yes, Fidelity money transfer lock would have prevented this theft. And you can bet that John and Rachel have activated it on their accounts now! I wish other brokerage firms would offer a similar option.
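To make two of the points above concrete (the reset flow that, once breach data is in hand, needs nothing but the 6-digit code, and the transfer lock that would have stopped the withdrawals), here is an added toy model in Python. It is not Fidelity’s or Vanguard’s code; the account holder, PII, password and $50,000 balance are constructed values.

```python
import secrets
from dataclasses import dataclass, field
from typing import Optional, Tuple


@dataclass
class Account:
    """Toy model of a brokerage account: PII on file, a password, and an optional transfer lock."""
    name: str
    dob: str
    ssn_last4: str
    zip_code: str
    password: str
    transfer_lock: bool = False
    balance: float = 50_000.0
    pending_otp: Optional[str] = field(default=None, repr=False)

    def request_reset(self, name: str, dob: str, ssn_last4: str, zip_code: str) -> Optional[str]:
        """Step 1 of the reset flow: matching PII is all it takes to have a 6-digit code sent."""
        if (name, dob, ssn_last4, zip_code) != (self.name, self.dob, self.ssn_last4, self.zip_code):
            return None
        self.pending_otp = f"{secrets.randbelow(10**6):06d}"
        return self.pending_otp  # in reality this is texted to the account holder's phone

    def complete_reset(self, otp: str, new_password: str) -> bool:
        """Step 2: whoever presents the pending code gets to set a new password."""
        if self.pending_otp is None or not secrets.compare_digest(otp, self.pending_otp):
            return False
        self.pending_otp = None  # single use
        self.password = new_password
        return True

    def transfer_out(self, password: str, amount: float) -> bool:
        """Outbound transfer: needs the current password and is refused while the lock is on."""
        if password != self.password or self.transfer_lock or amount > self.balance:
            return False
        self.balance -= amount
        return True


def simulate(transfer_lock: bool) -> Tuple[bool, float]:
    """Replay the incident: breach-sourced PII plus a code the victim read back over the phone."""
    acct = Account("R. Example", "1970-01-01", "1234", "12345", "correct horse", transfer_lock)
    breach_data = ("R. Example", "1970-01-01", "1234", "12345")  # constructed sample of leaked PII
    code = acct.request_reset(*breach_data)  # thief triggers the reset; code lands on the victim's phone
    assert acct.complete_reset(code, "thief-pw")  # victim reads it back; thief now holds the password
    moved = acct.transfer_out("thief-pw", 4_000.0)  # the $4,000 transfer from the story
    return moved, acct.balance
```

With the lock off the $4,000 leaves the account; with it on, the reset still succeeds but the transfer is refused, which is exactly why the lock matters even after a code has been given away.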
To summarize:
- Don’t respond to any inbound messages that appear to be from financial institutions. Don’t give them any information.
- Separately reach out to a phone number that you know is genuine, to ask about what’s going on.
- Treat multi-factor authentication codes with the utmost security and caution. If you accidentally give one to a thief, that’s quite possibly all they need to get into your account.