Super paranoid about my IRA cybersecurity. Did I just fuck up majorly?
January 12, 2024 11:03 PM

I've been working with my former employer to roll over my 401(k) funds to my IRA. In my haste to get the process moving forward, I emailed, unencrypted, my IRA institution name and account number (NOT username or password) to the company that administers the 401(k) so they can complete the task ...

I have SMS 2FA set up with the IRA, and a very long, random password. Destination institution is a very large one, whose name anyone would immediately recognize.

Questions ...

Am I at any risk of someone breaking into my IRA account and transferring my hard-earned funds out of my account?

--If so, how much risk?

--If so, what should I do about it?
posted by anonymous to Computers & Internet (6 answers total) 1 user marked this as a favorite
 
I would not be concerned about someone accessing your account online with this information. I don't think this is likely either from what you describe, but having access to your name and account number would make it easier for someone to call and socially engineer their way into more information or access via the phone (though it's very likely the company reps have been trained to not give any info out without additional authentication).

If you're worried about this, you could always contact the company yourself and give them a different password (one that you won't forget) to be used before giving out any information on the phone. From my experience working at a bank, this isn't something I would be concerned enough about to deal with the inconvenience of an additional password, but the company should have no problem setting this up if it's something you would prefer.
posted by Eyelash at 12:08 AM on January 13, 2024 [2 favorites]


Unless someone is targeting you specifically and monitoring your email in an attempt to get personal information from you, no, you're in no more danger than anyone else.

You haven't fallen victim to a scam, you haven't publicised any information, and your email is not "out there" for people to easily read. Account numbers don't get you anywhere without additional information about the account holder, and it would be a lot of work for someone to get that info in order to try to get at your IRA.

There is a LOT more low-hanging fruit for thieves to go after, and that's in the vanishingly unlikely circumstances that somehow a thief got your email. Personally I would see what you've done as normal and less risky than sending that information via a letter (which banks routinely do).
posted by underclocked at 2:01 AM on January 13, 2024 [3 favorites]


If you have ever written a check in your life you have willingly provided your name, address, account number, banking institution, and a sample of your signature, and this is the system working as it's intended to.

If you've ever received a bank statement or account statement your bank has willingly provided your name, address, account number, and balance information, and this is the system working as it's intended to.

If you've ever received a W-2, 1099, or any other kind of tax document, all the same as above only also with tax ID numbers, and this is also the system working as it's intended to.

And then add to that all the numerous security breaches our credit institutions, etc., fall victim to constantly.

Point is, your account info is already out there, and you're no more exposed than at any other time. Which means your scam alertness, ID integrity process, and personal security process should be just as heightened as any other time. There's no reason to be worried about your email. No more reason to be worried about your email than anything else you do with your accounts.
posted by phunniemee at 5:11 AM on January 13, 2024 [6 favorites]


As someone who worked on internet infrastructure for 30 years I would not blink at doing what you did. The information is infinitely more likely to be exposed by the institution than by someone randomly sniffing email.

Side note: If you are concerned to this level you should also be shredding all your physical mail, as a dumpster dive is an easier and more common way to collect this sort of information.
posted by Tell Me No Lies at 7:58 AM on January 13, 2024 [4 favorites]


I just did a 401k=>IRA and it was a 3-way phone call among the 401k Institution, myself and the Financial Planner creating the IRA at a different institution. The money was transferred from the 401k Institution to the IRA Institution via a check FBO me ("For Benefit Of" my name). That is important from a tax standpoint, the money never came to me technically, and moved from one tax-sheltered account to another. The necessary forms were "e-signed" via DocuSign. So it sounds like your process wasn't as "tight", but I also agree with others that it doesn't appear to be a major faux pas.
posted by forthright at 1:36 PM on January 13, 2024


I work in information security. If I were you, I'd worry more about getting hit by lightning while simultaneously getting run over by a car than this issue.
posted by Candleman at 3:24 PM on January 15, 2024

