Gil’s Musings

Beware of Email


People believe that email communications are secure and private. Unfortunately, nefarious operators exploit this misconception, crafting elaborate schemes to separate you from your money. We all need to reset our beliefs about email and remain vigilant in communications. I’ll share a few close calls we’ve encountered to drive home this point.

Once upon a time, a brand new client emailed us, listing all his account numbers and asking us to verify them. Within thirty minutes, we received another email from “the client” asking for a $20,000 outgoing wire transfer. Per our protocol, we called the client, who knew nothing about the wire request—close call. The client’s email account had been compromised for some time, and the scammer lay in wait for the right opportunity to step in and take advantage.

We have another client in the Midwest who experienced an email breach. This scammer hatched an elaborate plan to defraud the client. They intercepted emails, redirecting traffic to prevent the client from seeing incoming emails from us over the course of weeks as the scheme played out. They opened an account at the same bank as the client, and created realistic fake checks, showing our client’s name and address but using their own account number and routing number. Then they requested an ACH link to that new account. Finally, they signed forms mimicking our client’s signature and provided the fake voided check for verification. This scammer’s patience and cleverness got the better of us, but we caught it quickly by happenstance. Segment refunded the client his $30,000 while we waited for the bank to conclude their investigation. Two months later, they gave us our money back. It normally ends with a worse outcome. Segment backstopped this because we felt our procedures should have caught this. We have since stepped up our game, requiring all new instructions (first party or third party) to have verbal client approval and any needed physical documentation.

I have a relative who ignored warning signs that friends were receiving solicitations from his email address telling them he was in a bind and asking them to send him gift cards. Soon after, he was paying some company expenses for new equipment purchased and sent out a wire in response to an invoice. He didn’t notice the vendor’s email address had one foul character and was lulled into complacency since the language in the email and the logo on the invoice looked legit. Of course, he had, in fact, recently purchased equipment from this company. The scammer knew this information, having had access to his emails for weeks. He didn’t check the status of the paid invoice until three weeks later. Adios $75,000.

I tell you these stories because we see this pattern repeat. If anything, it happens more frequently, and the scammers are getting more and more sophisticated. People are at risk for this kind of mistake because they are overly confident in email security. Email is not secure!

Follow these tips (and others) to decrease your odds of a problem.

Password Security

Use unique passwords, especially for high-risk applications (e.g., banking, email, shopping). Frequent data breaches of large companies like Target leave your commonly used username/email/password combinations exposed on the dark web.

Having many unique passwords can be hard to manage. Be careful where you store passwords, as Excel documents and phone notes are not secure. Password managers like Dashlane or 1Password use state-of-the-art encryption and make the process very simple. They integrate into your browsers to help you autocomplete your credentials while you are responsible for remembering only one password. Do your research, and beware free versions of these applications.

Authentication

Use dual-factor authentication services for all high-risk applications. Most banks and email providers offer SMS verification or, even better, device-based authentication. Use it where available.

Use encryption software to protect against unwanted access, and beware of public Wi-Fi, such as at airports. Never share account numbers or send attachments containing sensitive information via email.

Verification

Trust nothing, verify everything. For example, verify wire instructions via phone with someone whose voice you know. Do not assume all wire transfer information is correct; verify every digit in an outgoing wire. Verify receipt of wires promptly and do not send wires with urgency. Plan ahead; vigilance dies in haste.

I know this adds inconvenience to your life. But that pales in comparison to other outcomes.

Please see IMPORTANT DISCLOSURE information.
