Password123!
Many people reuse the same username and password across e-mail, banking, shopping, and social media because it’s convenient. Scammers count on it. So don’t use the title of this column as your password.
At a minimum, make your e-mail password long and unique, and avoid reusing it anywhere. E-mail is the reset button for everything else, so treating it like a master key is essential in today’s fraud environment.
Fraud is constantly evolving. Intelligence shared by the largest brokers and cybersecurity experts suggests many recent attempts are not direct breaches of a custodian’s internal systems. Instead, criminals target “soft” endpoints: your phone, laptop, and especially your e-mail. They only need one weak link.
One of the most dangerous threats is the “invisible spy,” often delivered as remote-access malware. It commonly starts with a phishing e-mail that looks normal: a shipping notice, an invoice, or a document request. One click can install software that runs quietly in the background, recording your screen and capturing keystrokes. The attacker doesn’t need to guess your password; they wait for you to log in to your financial portal, then try to move money using your legitimate session. Because activity can originate from your known device, it may not trigger obvious alarms at first.
A second tactic is e-mail account compromise. Attackers gain access to your e-mail, sometimes using credentials exposed in third-party breaches, including incidents like MOVEit, and then they wait. They study how you write and how you interact with financial institutions. When the timing is right, they impersonate you and send an urgent instruction, often requesting a wire transfer. To stay hidden, they may create forwarding rules or filters that delete verification messages, so you never see them. If someone controls your e-mail, they can reset passwords across many other accounts.
A third threat is AI voice cloning. For years, people relied on voice as a failsafe. Now, AI can imitate a person’s voice from a small audio sample found online. Fraudsters use this to call financial institutions, or even family members, and push urgency to authorize money movement before anyone slows down to verify.
Why accounts get suspended
If you’ve experienced an account suspension, understand it is often a defensive “kill switch.” Custodians tune fraud detection to react quickly to patterns that suggest elevated risk. A common trigger is credential sharing through third-party budgeting apps or “wealth aggregators.” These tools may require your custodian username and password, then they repeatedly log in and scrape data. To a security system, that can resemble automated bot activity, so institutions may restrict access to close the vulnerability. Another trigger is widespread third-party breaches, which can prompt forced password resets to reduce account takeover risk.
What you should do
Defending your wealth requires a partnership between your financial institution and your personal vigilance. Start by upgrading authentication. Text-message codes are increasingly targeted through “smishing,” and phone numbers can be hijacked through SIM swapping. If your custodian offers it, switch two-factor authentication from SMS to an authenticator app (such as Microsoft Authenticator) or, best of all, a physical hardware key.
Next, establish a verbal password or challenge phrase with your financial institution. If a request ever feels “off,” the firm can require the phrase before approving a wire or other high-risk transaction. Even if a caller sounds like you, they can’t pass the challenge without the phrase.
Finally, practice the “clean device” rule. Avoid conducting financial transactions on public Wi-Fi at airports, hotels, or coffee shops. Use cellular data, a trusted network, or a VPN. Keep your operating system and security software updated; those updates often contain patches that block common intrusion methods.
If you feel compromised
If you suspect you clicked a malicious link, opened a suspicious attachment, or your device is acting strangely, call your financial institution immediately; do not e-mail. Place a “no movement” restriction on your accounts to act as a firewall against outflows. If you suspect remote-access malware, disconnect the affected device from the internet. Change your e-mail and financial passwords using a different device, then check e-mail settings for unknown forwarding rules. As a final step, freeze your credit with Equifax, Experian, and TransUnion to prevent criminals from opening new lines of credit in your name.
Financial institutions are on guard, but the most common vulnerability is a lack of awareness and basic cyber hygiene. Build your digital fortress and ask your financial advisor for help tailoring these protections to your situation.
Joe Olive, CFP®, MPS, is a 10-year Air Force veteran who works as a CERTIFIED FINANCIAL PLANNER® with Sather Financial Group, a fee-only strategic planning and investment management firm. He holds a master’s degree from Columbia University.
