He was following up on a couple of previous blog stories we did on phishing emails and wanted some guidance. He received what seemed like a legitimate email message from a broker saying they were verifying a recent online sign-in to his account. Problem is, he said “he never even knew he had an account at the broker.”
See our previous stories: “Security Alert: Fraudulent ‘Phishing’ Email Attack” and “How To Avoid Falling Hook, Line & Sinker For ‘Phishing’ Emails.”
The message he received could have been legitimate. It avoided all the obvious spelling errors and asked him to log in to a web address that was, indeed, the company’s legitimate web address.
But how to know for sure?
And that’s the point. You may never know for sure. The best course of action is just to call the company on the phone and ask to check on any recent account activity or security alerts.
This situation is a little unusual. Normally, if you have a brokerage account, you’ll know it. You’ll receive statements, tax forms, or correspondence referring to the account. But strange things do happen. Addresses get outdated, mail goes astray, accounts get opened and never used. In this case, my guess is the account is open (and legit) but was never funded. Again, the best course of action is to call the company on the phone and ask them to check for any open account listed under your tax ID (yes, I know, you’ll have to jump through a series of annoying security questions). If it is open, and you don’t intend to use it, close it once and for all to protect yourself from unauthorized activity.
Thanks to our reader for the question! It just shows there are no easy answers to many cybersecurity issues, and it’s hard to know for sure who to trust.