There was an urgency and fear in her voice as she spoke. “I was told not to tell anyone this, but …” Under different circumstances these words might be the precursor to a bit of juicy gossip, but this situation had the signs of a financial mistake and the strong possibility of a scam
As the story unfolded, “Jane” (a hypothetical individual based on real conversations) ) said had received a call earlier in the day from someone claiming to be affiliated with PayPal. This individual provided her with enough personal information to appear to be legitimate, and then convinced her that her PayPal account — and all of her other financial accounts — had been compromised. Next, Jane was instructed to wire thousands of dollars from her retirement account to her bank, all with the “help” of the imposter.
Sadly, Jane is not alone when it comes to fraud and identity theft.
The FBI’s Annual Internet Crime Report noted that losses exceeded $16 billion in 2024, and that phishing/spoofing, extortion and personal data breaches were the top three cybercrimes reported based on the number of complaints. Over half of U.S adults (61%) have had their information compromised according to a survey last year by U.S. News and World Report, and 44% of U.S adults have had their information compromised more than once. The continuous violations of trust can leave clients overwhelmed and unsure of the best way to proceed.
As cyber-attacks become more common, clients may be tempted to say, “C’est la vie,” and simply hope for the best. But Jane’s story highlights the importance of paying attention when data has been stolen and taking steps to prevent further damage. Like spilled milk, once the data is out of the container, it’s best to address the mess quickly.
The first step, if someone steals an individual’s data, is to identify what information the thief targeted. The Federal Trade Commission (FTC) provides on identitytheft.gov a list of steps to follow based on the type of information exposed at.
For example, if someone gains access to an individual’s Social Security number, they can use it to open new accounts in that person’s name. If a hacker uncovers credit card or bank information, they may use those accounts to make fraudulent purchases, which may require the individual to close the accounts. If criminals obtain online information — such as user IDs and passwords — they can use the compromised credentials to access additional personal details. That’s why it’s critical for the individual to update their login information immediately.
Once you have determined what information has been exposed, review any details provided by the data breach about steps to assist the individual, such as enrolling in monitoring services for a certain period. Some of these services focus solely on credit monitoring, looking for any changes within credit reports; others services take additional steps to monitor and alert individuals of use of their personally identifiable information (PII) on any sites across the web. Data may be sold on “dark” websites, used for criminal activity, etc.
For Clients Who’ve Been Compromised
If your client has received multiple notices that their information may have been compromised, encourage them to read the letters and to take the following steps:
Take advantage of any free monitoring services offered. Your will be required to opt-in, as this service is not provided automatically, and typically there is a deadline to enroll. This is a great start, as it will help you monitor any changes that may occur over the time the service is provided. Even if each breach offers monitoring services, it makes sense to take advantage since the services and timeframes may vary.
Place a freeze on your credit to limit anyone from opening unauthorized accounts. This step places you in control of opening any new loans or lines of credit by preventing access to your credit report. (For older, more vulnerable clients who do not intend to open accounts, I encourage placing a freeze proactively!)
Change your passwords frequently and enable two-factor authentication where possible. While it can be frustrating to keep up with multiple passwords, two-factor authentication provides an additional layer of security by requiring a text/email/app code before allowing access to a website.
Self-monitor your credit and bank statements for any unknown activity. Even taking the steps above, it is important to monitor your accounts and watch for any transactions that you did not authorize.
Staying Ahead of the Scammers
The scammer who called Jane clearly had some of her personal information, and even if she had heeded all the steps above, it may not have prevented the call she received. Thankfully, Jane told a vigilant friend who recognized the red flags and encouraged her to immediately call a trusted advisor. As fraudsters become increasingly sophisticated, we can proactively tell our clients to be wary of these common tactics:
An unexpected call, text, or email alerting you to an issue. These take many forms, and some may be more easily identified as scams than others. For example, a text about an unpaid toll road balance may be ignored if you never drive on toll roads, but a text allegedly from the post office about an undelivered package may catch you off guard if you frequently receive Amazon deliveries. If you suspect a scam, hang up immediately (or delete the email/text), and call a number you know is legitimate to verify the information.
A sense of urgency to the matter. Most scammers will insist you take action now to avoid a more detrimental fate later.
Request for payment in unusual ways. Criminals may request that you wire funds to a different bank account or use cryptocurrency for payment.
Jane’s quick-thinking friend prevented a financial disaster. The wire transfer was stopped and Jane began the process of closing existing accounts and opening new ones. But for others, you may be the crucial advocate that stops the fraud.
Consider the story of “Bob”, a recent widower (and a composite character who reflects the experiences of others shared with me over the years ). He, too, fell victim to fraud — a romance scam. He was convinced he had found a new love and began sending his online girlfriend thousands of dollars so she could travel to marry him. The sudden change in his spending patterns created a red flag for his advisor who ultimately guided him to the difficult truth.
Building a Wall of Support
Both proactively and in the moment, we can protect our vulnerable clients by using the following:
Trusted Contact or Client Advocate Designation: A designated individual(s) who an advisor may contact if he or she recognizes a change in the physical or mental health of the client and deems it necessary to protect the client’s best interests.
Power of Attorney: The legal document that allows someone else to act on behalf of your client in the event of incapacitation.
State Laws. Many states have enacted provisions that permit delayed disbursements if an advisor or financial institution suspects financial exploitation or abuse. This delay can often provide the time necessary to uncover the fraud and prevent a mistake.
If someone has already fallen victim to fraud or identity theft, encourage them to take action and report the incident to the FTC at https://reportfraud.ftc.gov/ or https://www.identitytheft.gov/#/. The stories here are sadly common, but vigilance and preparation can prevent a big financial mistake.
Laura Rhoades, CFP®, is a financial advisor at Savant Wealth Management’s Birmingham, Ala., office. She has been involved in the financial services industry since 2006.
