How to protect yourself from cybercrime scams

Summary

• Cybercrime continues to rise, along with the risk that cybercriminals will begin to use artificial intelligence to present more believable information.
• Educating yourself on the three main types of scams—imposter, romance, and business or call-center scams—can help you protect yourself and your loved ones.
• When someone contacts you, be skeptical—think about how you’d react if someone walked up to you on the street and asked to access your accounts. 

The New York Times recently told the story of a 76-year-old scammed out of his entire life savings by cybercriminals.¹

The retired lawyer thought he was speaking with federal investigators working to protect him. They told him criminals had infiltrated the bank where he kept his individual retirement account (IRA). In fact, the real criminals were the “investigators”—fraudsters who convinced him to wire his IRA money to “safe” accounts that were anything but.

Sadly, stories like this are becoming all too common. According to a Federal Bureau of Investigation report, Americans aged 60 and older lost $3.4 billion to cybercrimes in 2023, an 11% increase over 2022.²

Marti DeLiema, a TIAA Institute research fellow and an expert on elder fraud, believes the reported numbers understate the size of the problem. Many older victims are just too embarrassed to report their losses. “Older adults may have more to lose socially from acknowledging that they’ve been a fraud victim,” says DeLiema, an assistant professor at University of Minnesota’s School of Social Work. “Maybe they’re worried their children will try to take more control over their financial decisions if they found out.”

DeLiema and Rick Swenson, TIAA’s top fraud fighter (official title: managing director for fraud strategy and governance), recently discussed the most common scams and what you can do to keep yourself—and loved ones—safe. Here’s a summary:

Types of cyber scams 

Most scams fit into one of three categories: imposter scams, romance scams or business scams (also known as call-center scams).

• Imposter scams are like the one described in the NYT story: Someone claiming to be with the FBI or another government agency convinces a victim that their money is not safe. They convey a sense of urgency and tell the victim they must act quickly. TIAA, as a safety measure, will not transfer a retirement participant’s money to any outside account not owned by the participant or their beneficiaries. Problem is, TIAA processes hundreds of thousands of withdrawal requests annually, and rarely can it stop a client from sending money to their personal bank account and then on to a fraudster. That said, if TIAA suspects there is fraud involved, it can pause a transaction, pending further investigation. It will also warn the receiving bank if it believes a scam may be underway. (Swenson says these types of notifications happen five to ten times per month.)
  
  “You don’t see a lot of 90-year-olds trying to legitimately move half a million dollars,” he says of the red flags. “We just had a case where we became aware [of a potential fraud] and contacted the bank. They locked the money down, and we were able to recover those funds for our customer, preventing a $250,000 loss.”
• Romance scams are a favorite of cybercriminals in part because isolation and loneliness are so common in old age. “The victims want human interaction, even if it’s digital,” says Swenson.
  
  Fraudsters target victims via email or social media, pretending to be potential love interests. They start off asking small favors—maybe $50 to pay an electric bill—but over time it escalates to thousands of dollars, perhaps to pay off a mortgage, pay for surgery, or pay a child’s college tuition.
• Business imposter or call-center scams. Who hasn’t gotten a call or email from someone claiming to be from Microsoft or McAfee tech support, offering to fix a nonexistent problem with your laptop or remove malicious software? Victims wind up giving cybercriminals remote access to their computers—and along with it access to all their logins, passwords and other sensitive information. They wind up enabling fraudsters to take control of their financial accounts and steal their money.

Defending against cyber scams

What can you, as a TIAA client, do to keep yourself safe? DeLiema and Swenson have five tips.

• Call back. If you get a suspicious call from someone claiming to be from your bank, hang up and dial the customer service number on your ATM or credit card. If the caller claims to be from the FBI, inform them you’ll call them back at the FBI’s main number or a regional field office—phone numbers you should look up on your own. (Never rely on any phone number, email address or web page an unsolicited party has provided.) “Always, always, always verify,” says Swenson.
• Be skeptical. Think about how you’d react if someone walked up to you on the street, told you your money isn’t safe, and said you needed to transfer all your funds to an account in their name? You’d probably laugh and walk away—and then maybe call the police. The same skepticism should apply to those who reach out via phone, email or social media.
  
  DeLiema urges consumers to be especially wary of anyone suggesting money moves involving Bitcoin, cryptocurrency or crypto ATMs (which are increasingly popular with today’s cyber scammers, according to the Federal Trade Commission).³ “Whenever you have something anonymous and complicated like crypto, it just becomes a magnet for scammers,” says DeLiema.
• Fill out your trusted contact form. In 2018, the Financial Industry Regulatory Authority (FINRA) began requiring investment firms to ask retail customers for the name and contact information of a trusted contact person (TCP). FINRA’s goal was to protect investors from fraud or financial exploitation. If an investment company thinks a client is being scammed, it can now put a temporary hold on the withdrawal and then reach out to the trusted contact—who would presumably reach out to the potential victim.
  
  “Sometimes it breaks the veil of secrecy,” says DeLiema. “It can pierce through the control the scammer has placed over the person, especially if the trusted contact has a really positive relationship with the potential victim.”
  
  “It’s not a miracle cure,” adds Swenson, noting that the trusted contact cannot halt withdrawals or transfers. “But it does help to have a trusted person reach out to the customer to ensure all is well.”
• Listen to your buyer’s remorse. Imagine you’re wiring $100,000 to someone you thought was the love of your life. Yet the moment you hit send, you start worrying you’ve made a terrible mistake. The good news is that not all is lost—but time is not your friend and you need to contact your bank right away. “If it was an hour ago, your bank still has a fairly good chance of trapping those funds and getting them back to you,” says Swenson. “But if a day goes by, it’s going to be much more difficult."
• Be prepared for next-generation scams that use artificial intelligence (AI). Imagine getting a FaceTime call from one of your children telling you they’re in trouble and need $100,000. Swenson worries it won’t be long before cybercriminals start feeding audio and video from social media into AI—your family’s Instagrams or TikToks, for instance—to create fake videos or audios. “AI is going to have the ability to present information to you in a manner or form that you or others believe to be true.”
  
  The solution, says Swenson: “Don’t respond to what you see or hear. Always reach out and verify.” 

Reporting cyber scams related to your TIAA account

Worried you may be the victim of a scam? Contact TIAA as promptly as possible at 800-842-2252 or via email at abuse@tiaa.org.