Financial institutions (FIs) and the Internet: two things that seem to work together so beautifully. How simple is it to check your balance or pay a bill online these days?
At the same time, phishers (phishermen?) have used this fact to commit millions of dollars’ worth of fraud and identity theft over the past decade. Is there a general rule to be derived here?
You can’t just say “never trust an email or a text from a financial institution,” because credit unions, banks and credit card companies definitely use email. There’s no arguing that point; I personally get most of my bills through email, and I stopped receiving paper statements years ago. It’s safer than postal mail as long as you use strong passwords, keep them to yourself, and change them up now and then.
Many FIs also offer services for mobile phones, from “your account is getting low on funds” text message alerts to mobile banking applications for “smart phones.”
So how do you tell the difference between a real email and a phishing attack? That brings us to today’s Fraud Prevention Template:
If an email or text message from a financial institution asks you to click a link to log in and “verify” or “reactivate your account,” it is a phishing attack. Delete the message immediately.
FIs just don’t send these types of messages out.
When you open an account, your FI is required to get your personal information. They check this information against national databases to verify it. Once an account is open, they’ve got your information. There is no need to have you verify it online. Any verification is already complete.
Sometimes credit card companies may contact you regarding unusual activity on your card. This is a security feature. However, they also never ask you to verify personal information.
I got a call a while back, after a trip to Florida. An automated message gave the name of the card and said there had been some unusual activity. If I knew where the card was, it said to press “1.” Since the card was right there in my wallet, I pressed “1.” That was the end of the call. At no point did I have to verify personal information.
Of course, this also illustrates how important it is to keep your phone number, mailing address and other contact information current with any FI you have a relationship with.
If you sign up for text message alerts from an FI, you’ll also never be asked to verify or reactivate anything.
In all honesty, if there’s fraud on your account, you will probably be the first to notice it. If someone has your account number and password, your bank or credit union probably won’t know the difference, since they can’t see who is sitting behind that computer. Someone with stolen credentials siphoning a few hundred dollars out of an account won’t even register as suspicious. They won’t contact you—you’ll be the one calling them, asking where your money went.
Finally, if you’re unsure whether or not an email message might be genuine, the way to find out is not to click on that link. Call your FI directly, using a number taken either from their actual website or from an old-fashioned phone book.
However, I think you can skip that step. When it says “verify” or “reactivate,” it’s phony.