My Mom just had her phone number and email account stolen

I was referencing Fidelity which the other poster was referring to.

For those that don’t have authenticator options or involuntarily backup to your mobile phone, some sort of backup phone number, such as a google voice number could be an option.
I understand.

Just pointing out that some financial places fall back to the sms if you say you lost your authenticator.

Some financial places don't allow google voice, according to some people, I don't know. But what are the blocks to someone doing a sim swap for google voice?
As a non-telephone company google is probably less regulated.
 
Item of consideration. I'm thinking of using my wife's phone number at Fidelity. Logic - I'm the account holder for our phones. I went to t-mobile and switched on the porting protection, which as far as I can tell is in two separate places. As the account holder, only I can switch that protection off. Therefore, by using my wife's phone number for Fido, it would be detached from the ability to port the phone number over. Second, we currently use a third email account for Fido, however, we use it for other things so I'm thinking I will set up a separate email account that is only used at Fidelity. It may not be perfect, but I'm thinking that by separating our accounts and phones better than we do today, we might be a little better protected.
 
Sharing the results of my research thus far into account security at three brokerage houses:

PART 1 - ACCOUNT ACCESS

It seems I was a babe in the woods to think a good user name and password would actually protect my accounts at Fidelity, Wells Fargo, or even Vanguard.

It is WAY too easy for a fraudster who has obtained control over my cell number via SIM swapping or port-out fraud to click “forgot user name or password,” enter some information that I’m sure is easily obtained on the dark web (if that effort is even necessary), get my one-time 2FA code by text or call, and have full access to my accounts (locking me out in the process).

At Vanguard one of the pieces of information needed is the email they have on record, so at least I can create an obscure email address that I only use there and hope that protects me.

Fidelity allows authenticator apps and Wells Fargo offers a hardware key of some kind, but what I understood from talking to customer service is that the option to sign in using their existing 2FA systems (text or call to your phone) is not removed. Hmmm....

Vanguard again seems to be the clear winner in that you CAN remove those “basic” 2FA options (by setting up two hardware keys).

PART 2 - TRANSFERS OUT

Vanguard has some security against transferring money out. They do allow a one-time wire transfer to an account in a different name, but only by phone with the help of a rep, and the rep has to get an OK from a higher level. I can better protect myself from that by having an enhanced security password for phone access.

They said they would likely refuse a wire transfer to an account in my own name, telling me to link the account instead. They send alerts when a new external account is linked and impose a 7-10 day hold on transfers to that account.

I haven't yet researched security against transferring money out at Fidelity or Wells Fargo.
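
The point made in the post above (a text-or-call option left enabled undoes a stronger second factor) worked through as an added example that is not part of the original thread. The route definitions and the attacker's holdings are constructed assumptions, not the brokerages' actual policies.

```python
"""Model: an account is only as strong as its weakest sign-in or recovery route."""

# What a SIM-swap / port-out fraudster is assumed to hold (assumption of this example).
SIM_SWAPPER = frozenset({"personal_info", "phone_number"})


def build_routes(second_factors, recovery_routes):
    """Every way in: password plus one second factor, or any recovery route."""
    routes = {frozenset({"password", f}) for f in second_factors}
    routes |= {frozenset(r) for r in recovery_routes}
    return routes


def can_take_over(routes, holdings):
    """True if the holdings meet every requirement of at least one route."""
    return any(route <= holdings for route in routes)


# "Forgot user name or password": some personal data plus a code sent to the phone.
SMS_RECOVERY = {"personal_info", "phone_number"}

# Constructed configurations that follow the cases discussed in the thread.
CONFIGS = {
    "password + SMS code":
        build_routes({"phone_number"}, [SMS_RECOVERY]),
    "authenticator added, SMS fallback kept":
        build_routes({"authenticator", "phone_number"}, [SMS_RECOVERY]),
    "recovery also needs a private email address":
        build_routes({"phone_number"}, [SMS_RECOVERY | {"email_on_record"}]),
    "two hardware keys, SMS options removed":
        build_routes({"hardware_key"}, []),
}


def audit(configs=CONFIGS, holdings=SIM_SWAPPER):
    """Map each configuration name to whether the holdings are enough to get in."""
    return {name: can_take_over(routes, holdings) for name, routes in configs.items()}


if __name__ == "__main__":
    for name, exposed in audit().items():
        print(f"{'EXPOSED' if exposed else 'holds  '}  {name}")
```

Passing `holdings=SIM_SWAPPER | {"password"}` to `audit` models the case where login credentials and the phone number are stolen together.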
 
Fidelity has transfer lockdown. Enable it as soon as you can.
 
Yep, Mom and Dad received letters in the mail Monday that their Vanguard account was hacked. Three withdrawals of $1,000, $1,000, and $500. Not sure how it happened. But now someone at Vanguard (I hope) has assured them everything is locked down.
 
Interestingly, my wife had me watch a YT video on this topic yesterday and it reminded me of a recent scam email I received. It was an evite from a friend and I didn’t think much about it until I clicked on the link to open the invitation. That opened a window prompting me to log into my Google account. Even though everything looked exactly like the official Google page, I knew that something was off. Why was evite asking to log into Google? Thank goodness I didn’t proceed. My son received the same invitation and noticed that autofill didn’t fill things in, which alerted him to the fact that the URL wasn’t Google.
 
Fidelity has transfer lockdown. Enable it as soon as you can.
I have that enabled, but it is only for the kind of fraud where someone pretends to be me to a different brokerage firm, let's say Schwab, and asks Schwab to roll over my holdings at Fidelity to Schwab. Where of course they have provided phone number(s) and email address(es) under their control.
 
I have that enabled, but it is only for the kind of fraud where someone pretends to be me to a different brokerage firm, let's say Schwab, and asks Schwab to roll over my holdings at Fidelity to Schwab. Where of course they have provided phone number(s) and email address(es) under their control.
Right. I looked at that and wasn’t impressed. Once they get into your account, they can disable the account lock.

I wish they had a way to force me to physically come into the office for any transfers out. Especially my IRA and Roths, which hold most of my wealth and are the bulk of my holdings at Fidelity.
 
I have that enabled, but it is only for the kind of fraud where someone pretends to be me to a different brokerage firm, let's say Schwab, and asks Schwab to roll over my holdings at Fidelity to Schwab. Where of course they have provided phone number(s) and email address(es) under their control.
I'm not sure that’s right. I have had to disable it in order to make transfers between different registered accounts and into local checking.
 
I noticed Fidelity offers their "Customer Protection Guarantee":

Fidelity will reimburse you for losses from unauthorized activity in your Covered Accounts occurring through no fault of your own.

Thoughts on this "Guarantee"? (Of course one should still take all security precautions.)
 
Do you have any clue as to how this all started?
Probably the scammers stole her personal data, called Spectrum and pretended to be my Mom to "port" her number to a new device or SIM card. Once they got the phone number, they just clicked "forgot password", and had her email and other accounts. Since she didn't have a phone, she didn't get any "if that wasn't you email or text". I did, but it doesn't matter, because it's too late.
 
I have that enabled, but it is only for the kind of fraud where someone pretends to be me to a different brokerage firm, let's say Schwab, and asks Schwab to roll over my holdings at Fidelity to Schwab. Where of course they have provided phone number(s) and email address(es) under their control.
Exactly!
 
If you have login credentials and cellphone number stolen together the thief simply turns off transfer lockdown.
Yep, once they have the only 2 sets of keys to your house, they come and go as they please
 
Probably the scammers stole her personal data, called Spectrum and pretended to be my Mom to "port" her number to a new device or SIM card. Once they got the phone number, they just clicked "forgot password", and had her email and other accounts. Since she didn't have a phone, she didn't get any "if that wasn't you email or text". I did, but it doesn't matter, because it's too late.
Where do you think they got the personal data?
 
If you have login credentials and cellphone number stolen together the thief simply turns off transfer lockdown.
I use passkeys now often, so they’d have to steal my face or fingers too I guess.
 
People click on links they shouldn’t, talk to people they shouldn’t, give people access to their computer when they shouldn’t, open attachments when they shouldn’t.
Just thought you might know the beginning.
The Elder hotline guy thought it might be a guy pretending to be Spectrum. My guess, too, since there's been some suspicious "help".
 
I noticed Fidelity offers their "Customer Protection Guarantee":

Fidelity will reimburse you for losses from unauthorized activity in your Covered Accounts occurring through no fault of your own.

Thoughts on this "Guarantee"? (Of course one should still take all security precautions.)
But will they claim it's your fault if you "give away" the password to someone by being scammed?

Or if the person just changes the password, by cloning the phone or getting email access, how do you prove you didn't authorize it (an impossible task)?
 
But will they claim it's your fault if you "give away" the password to someone by being scammed?

Or if the person just changes the password, by cloning the phone or getting email access, how do you prove you didn't authorize it (an impossible task)?
Read the fine print. Lot of “outs” in their guarantee. Watch your money. No one else will.
 