The list of institutions where credit and debit card information has been reported stolen, lost or compromised reads like a who's who of corporate America, including companies such as Target, Neiman Marcus, Bank of America and Citi Financial, to name just a few.
The most common reported cause of these incidents is hacking into supposedly secure computer systems where the thieves gain access to consumer records. The temptation for thieves is real: stolen personal data can fetch anywhere from $10 to as much as $80 per record.
But that's nothing compared to a new type of fraud in which thieves target your bank and brokerage accounts. And amounts stolen can be tens of thousands of dollars, or even more, depending on the accounts involved.
Over the past two years, some financial firms, including Charles Schwab, have reported an alarming number of cases in which thieves use information gleaned from customers' email accounts to steal thousands of dollars from client accounts.
According to reports, the fraud works like this:
The victim uses a nonsecure hot spot to gain wireless access to the Internet and his email account. Typically, folks do this when traveling, on vacation, etc. The bad guy sees the log-on to the bogus hot spot, and then hacks into the victim's email account, downloading messages, personal information and specifically looking for messages to and from a financial institution.
Once the fraudster has your email address, names and contacts at financial institutions and account numbers, he then sends an email to your financial institution requesting that it urgently wire money from your account to another account. When the institution gets the email, which contains your information and even a copy of a document you had previously signed, it sends the wire transfer, and the funds leave the account.
If you're in disbelief that this can actually happen, you aren't alone. Some folks unknowingly give their financial advisors, brokerage firms and banks full discretion over their financial accounts. This includes the discretion to transfer money to and from outside accounts. Some firms will transfer money from your accounts with as little as instructions in an email or fax, which they assume you sent.
The good news is this type of fraud is on the Securities & Exchange Commission's radar screen. The not-so-good news is that it may be some time before the firm where your financial accounts are held will be audited to ensure it has the proper safety precautions in place to protect individual accounts.
In the meantime, here's what you should do to protect your financial accounts from bogus transfers of funds:
Don't sign into any wireless hot spot that isn't secure. Using a hot spot in a public area that doesn't require any authentication opens your computer to the risk of being hacked by thieves who can look for and then gain access to your email accounts.
Be very careful and require additional security procedures when you give full discretion to your financial firms and advisors over your financial accounts. Require your financial firm to speak with you and request a verbal password (which is different from your online password) before transferring any amounts from your accounts. Of course, written instructions should be required in addition to the verbal confirmations.
Finally, never use your email address as your log-on ID for any financial accounts. In some of the fraudulent transfers reported recently, the thief was able to use the victim's email address as the ID and then request a new password to be sent to the compromised email account.
Making these changes may be more of an inconvenience to you and your financial advisor, but if they increase the security of your accounts and prevent even one fraudulent transfer, that would be worth the trouble.