According to the FBI, Americans lost nearly $21 billion to cyber-enabled fraud last year—a 26% increase from the year before.
And the single largest category?
Investment-related fraud, with more than $8.6 billion in losses.
But what’s most unsettling isn’t the scale… it’s how simple some of these scams really are.
A retired couple recently lost thousands of dollars from their IRA after a scammer tricked them into sharing a single six-digit verification code over the phone.
No hacking. No stolen password. Just one text message and one phone call.
In this episode, I’m breaking down how “account takeover” scams work, why they’re so effective, and the specific steps you can take to close the security gap.
Here’s what you’ll learn:
- The 3-step pattern behind most account takeover scams
- Why your personal information may already be compromised (and what that means for your account security)
- What to do—and what not to do—when a financial institution contacts you about suspicious activity
- 3 simple upgrades to better protect your accounts that most people overlook
In a world where scammers only need a few seconds to strike, your ability to slow down and take back control of the moment may be the most valuable layer of protection you have.
When You’re Ready, Here Are 3 Ways I Can Help You:
- Schedule a Free Retirement Strategy Session. Get your questions answered + learn how we can help you improve retirement success and lower taxes.
- Listen to the Stay Wealthy Retirement Show. An Apple Top 50 investing podcast.
- Join My Retirement Newsletter. Weekly retirement and investing tips (delivered to your inbox!)
Episode Resources
- What Does a Thief Need to Access Your Financial Accounts? It’s Likely Less Than You Think
- FBI Internet Crime Report (2025)
- Fidelity:
- Stay Wealthy Fraud Episodes
- Archive of Helpful Tools and Resources:
- How to Stop Spam Text Messages on iPhone and Android
- How to Filter Text Messages on iPhone
- How to Stop Spam Calls for Good
- How to Freeze Your Credit
- Credit Sesame and Credit Karma
- Dashlane and LastPass
- Avast
- Hive Cybersecurity
- Pros and Cons of Virtual Credit Cards
- What is a Virtual Credit Card and the Benefits of Using One
- Have I Been Pwned
- DeleteMe
Episode Transcript
What do you think a criminal needs to break into your investment or retirement accounts?
Is it your username and password? Your Social Security number? Some kind of sophisticated hacking software?
The answer, it turns out, is surprisingly simple. In many cases, all they need is a single six-digit code. That multi-factor authentication code that gets texted to your phone nearly every time you log in somewhere. The one most of us enter automatically and never think twice about.
I recently came across an article about a retired couple who lost $4,000 from their IRA after a scammer tricked them into sharing that code over the phone. That was it. The thief didn’t hack the system or crack their password. That one code was enough to get full access to the account.
And while the financial damage in this case was relatively limited, it easily could have been much worse. Because here’s the unfortunate reality: After years of large-scale data breaches, information like your name, address, date of birth, email addresses, and even your Social Security number may already be floating around out there. Which means that simple six-digit code could be one of the last real barriers protecting your retirement savings.
So, today, I’m once again using this platform to do my part to help our listeners and their loved ones stay safe in this increasingly sophisticated world. In this episode, I’m showing you exactly how these “account takeover” scams work, why they’re so effective, and the specific steps you can take to close the gap and better protect your accounts.
Welcome to another episode of the Stay Wealthy Retirement Show. I’m your host, Taylor Schulte, and every week I cover the most important financial topics to help you “stay wealthy” in retirement. Ok, onto today’s episode.
The 6-Digit Code That Can Drain Your Retirement Account (And How to Stop It)
According to the FBI’s most recent Internet Crime Report, Americans lost nearly $21 billion to cyber-enabled fraud in 2025. That was a 26% increase from the year before. And once again, investment-related fraud was the single largest category, accounting for more than $8.6 billion of those losses.
So, unfortunately, the trend is still moving in the wrong direction. And as I’ve shared in prior episodes, it’s not stupidity that makes us vulnerable to scams… it’s simply part of being human. Scammers are professionals, and they are experts at manipulating emotion, urgency, and trust. Which brings us back to the story I mentioned at the top.
A couple — we’ll call them John and Rachel — had just returned home from a trip abroad. Shortly after getting back, Rachel received what appeared to be a text message from Fidelity.
The text said: Did you attempt a transaction in the amount of $374.52 at Modern Fashions on 12/2/2025? Reply yes if you recognize this. Reply no if you don’t, and we’ll contact you momentarily.
Rachel didn’t recognize the charge, so she quickly replied, “No.” Almost right away, just as the text had promised, her phone rang. The person on the other end sounded professional and helpful, and explained that they just needed to confirm her identity before they could stop the unauthorized transaction. To do that, they said Fidelity would send a six-digit verification code to her phone, and all she needed to do was read it back to them.
So, she did. And that was all it took. In that single moment—reading a six-digit code out loud to a stranger—she gave a thief full access to her retirement account. Within minutes, the fraudster initiated multiple transfers out of her IRA.
Thankfully, Rachel and her husband realized what was happening fairly quickly and contacted Fidelity. One of the transfers was recovered, but the other two, totaling about $4,000, were gone for good.
And here’s the part that really stung: because Rachel had unknowingly given the thief the information needed to get into the account, Fidelity was not able to reimburse the loss—so she was ultimately on the hook for the mistake.
And to be clear, this isn’t something that’s unique to Fidelity. This is generally how large financial institutions handle cases involving authorized access, whether it’s Fidelity, Vanguard, Schwab, or someone else.
My firm has used Fidelity to safely custody client assets since 2014, and I’ve personally found them to be one of the more proactive firms when it comes to security and account protection. In addition to their voice footprint technology, they also offer features like Money Transfer Lockdown, which can restrict certain transactions from being processed online, and provide excess SIPC coverage that adds another layer of protection on cash balances beyond what most custodians offer.
Which is part of what makes this story so unsettling. The thief didn’t break through Fidelity’s security systems. They went around them entirely by manipulating Rachel into handing over the one piece of information they needed. And this could have been much worse. There was significantly more money in that account than what was taken. My guess is the thief started with smaller transfers on purpose, figuring that modest amounts were less likely to trigger alerts or draw immediate attention. Sadly, Rachel’s story is far from a one-off. According to that same FBI report, account takeover fraud — which is exactly what happened here — resulted in roughly $360 million in reported losses last year across approximately 4,700 incidents. And since that only reflects what was actually reported, the real number is almost certainly higher.
Now, if you step back and look at what just happened, this wasn’t random. It followed a very specific pattern… one that shows up in a lot of popular scams. And once you see that pattern, it becomes much easier to recognize it in real time. So let’s break down how this actually worked.
When we think about logging into a financial account, we assume there are three separate things protecting us: your username, your password, and that multi-factor authentication code, which usually gets delivered as a text message to your phone. And because there are three layers, it feels like a thief would need access to each layer in order to get in.
But in Rachel’s case, all they needed was that six-digit code. And if that sounds surprising, just think about what happens when you forget your password on most financial institutions’ websites. Take Vanguard, for example, another large financial custodian. When you click the “forgot password” link—which I personally did while working on this episode—you’re taken to a “Let’s verify you” page where it asks you to confirm a few pieces of personal information. In this case, Vanguard is asking me for my first and last name, the last four digits of my Social Security number, my date of birth, and my zip code. After entering that information, they send you a verification code, and after you type that code in, you’re allowed to reset your username or password and get back into the account.
So, if someone already has a few basic pieces of your personal information, oftentimes, the only thing standing between them and full access to your financial account may be that six-digit code. And here’s the unfortunate and even uncomfortable part: for a lot of Americans, that personal information is already out there. As you may recall, the 2017 Equifax breach alone exposed the names, dates of birth, Social Security numbers, home addresses, and phone numbers of about 147 million Americans, which is roughly 43% of the U.S. population from just that one breach. And of course, that was not the only breach, and it certainly won’t be the last.
So for many people, the thief may already have almost everything they need — the only missing piece is that verification code. The problem is, we deal with those codes all the time now, so they start to feel ordinary, and almost disposable. Your phone buzzes, you glance down, type the number in, and move on with your day. But those codes are not routine and they are certainly not trivial. In many cases, they are the keys to the financial kingdom and it could be argued they are more important to protect than your Social Security number, because once a thief gets that code at the right moment when it’s needed, they may be able to use it to do some real, irreversible damage.
And that brings us right back to what happened to Rachel, because the thief didn’t “hack” into anything in the way most people imagine. They didn’t break through some sophisticated digital barrier. They used social engineering by creating a believable situation, manufacturing a sense of urgency, and convincing Rachel to hand over the one thing they actually needed. And the tactic they used is one of the most effective in the entire scam playbook: pretending to contact you about fraud.
As I shared in last year’s episode on fraud, which I’ll link to in today’s show notes for quick access, the FBI actually has a term for people who appear at precisely the moment you feel most vulnerable. They call them rescue merchants. And that’s exactly the role this scammer stepped into. They presented themselves as the helpful professional rushing in to save Rachel’s account from an unauthorized transaction.
And when you think about it, it makes perfect sense why this tactic works so well. If someone contacts you and says, “We’ve detected suspicious activity on your account,” your first reaction is not usually curiosity, it’s concern—maybe even a little panic. You want to do something…you want to stop whatever is happening before it gets worse.
And that leads to the second layer of the scam, which is manufactured urgency. This is where the scammer creates the feeling that the clock is ticking, that you need to act right now or your money could be gone, and that sense of urgency shifts you out of a calm, rational mindset and into reaction mode.
Rachel wasn’t sitting there carefully evaluating whether the text and phone call were legitimate—she was reacting and trying to protect her account as quickly as possible. And that is exactly what the scammer was counting on, because many times, maybe even most of the time, we’re able to spot scams when we see them and avoid falling for the trap. But scammers are well aware that they don’t have to succeed in every attempt. They just need to try enough times to eventually catch someone in a vulnerable moment—when they’re distracted, tired, busy, stressed, or simply moving too fast—and in that moment, instead of slowing down and thinking critically, they react.
Because when someone tells you your money may be at risk, your instinct is usually to act, not to pause and calmly analyze whether the situation is real. And maybe most days you would catch it. Maybe most days Rachel would have too. But scammers know that if they create enough urgency and repeat the process enough times, eventually, they’ll find someone whose guard is down for just a few seconds, which is sometimes all it takes. And that feeling of urgency—that surge of panic, that sense that you need to do something immediately—is often the scam itself.
I’ve covered financial scams several times here on the show in an effort to do my part to help our listeners and their loved ones stay protected. I told the story of my grandfather falling victim to the grandparent scheme, where he dropped off an envelope full of cash at the post office because he believed I was in some kind of trouble. I shared the story of a couple who had reached out to our firm to evaluate our services, and in between our first meeting and the second, they had been scammed out of nearly $2 million. In a more recent episode, I walked through eight warning signs that could indicate you’re being conned, and shared the story of a Ponzi scheme that devastated a small college town in New York.
It doesn’t matter how educated you are, how rational you are, or how many financial podcasts you listen to. These scammers are professionals. They know it’s a numbers game. And they know exactly what to say, how to say it, and what emotional button to press to get the person on the other end of the phone to slip.
For my grandfather, the emotional trigger was me. For Rachel, it was the fear of losing money in her retirement account. For the couple who lost $2 million, it was the perceived opportunity to gain access to better, more predictable investment returns.
And look—I very much recognize this is all easier said than done, and how hard it can be to react perfectly in the moment every single time. When adrenaline is running and you’re distracted or tired or stressed and someone tells you your money is at risk, the instinct is to act. So before we talk about what to do, just recognize that reality, because it’s exactly why this works.
Now, here’s the simple rule to follow: when a financial institution contacts you, don’t give them anything. Not your date of birth. Not your Social Security number. And absolutely not a verification code.
If you receive a text that appears to be from your brokerage or bank, do not reply.
If you receive an email you don’t recognize, do not click on any links.
If you receive a phone call, don’t give them any information. Better yet, just don’t answer calls from numbers you don’t recognize. If it’s legitimate, they’ll leave a voicemail.
Instead, after hanging up or ignoring the message, go directly to a trusted source and initiate contact yourself. Call the number on the back of your credit card, or type the institution’s website directly into your browser and find the contact number there. Then, ask them what’s going on. If there truly was suspicious activity, they’ll know about it and they’ll help you. The key is that you are initiating the contact through a trusted channel, not responding to someone who reached out to you first.
Now, I’ve covered the fundamentals of protecting your personal data in prior episodes — credit freezes, password managers, virtual credit cards, data removal services like DeleteMe — and I’ll link to those episodes and resources in today’s show notes if you want to revisit them.
But what I want to spend our remaining time on is something I haven’t covered before, and it’s really the centerpiece of this entire episode: the vulnerability of multi-factor authentication codes and what you can do about it.
As we just discussed, for most of us, a thief already has the personal information they need to reset our account credentials. The MFA code is the last line of defense. And the traditional method — a six-digit code sent to your phone via text message — is more vulnerable than most people realize.
That’s because text-based codes can be intercepted through a technique called SIM swapping, where a thief convinces your phone carrier to transfer your number to a new device. Or, as in Rachel’s case, the thief can simply trick you into reading the code to them.
So what can you do?
1.) First, if your financial institution offers an authenticator app instead of text-message codes, consider using it. Authenticator apps generate codes directly on your device, which makes them much harder to intercept than codes sent to your phone number.
2.) Second, while major custodians have not broadly rolled out passkeys yet, they are worth considering anywhere else you store sensitive information online. A passkey is a newer login method that can replace both your password and your verification code. Instead of typing everything in manually, you verify your identity with something tied to your device, like your fingerprint, Face ID, or device PIN.
And that is what makes passkeys so powerful: there is no code to intercept, no password to steal, and nothing you can be tricked into sharing over the phone.
3.) Lastly, consider adding a verbal password or security PIN to your financial accounts. Some institutions allow you to add an extra layer of verification before any changes can be made over the phone. It is a simple step, but one more hurdle for anyone trying to access your money.
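To make the first two upgrades concrete, here is an added example (not code from the show, from Fidelity, or from any other custodian) of how an authenticator app computes its six-digit code under the TOTP standard (RFC 6238). The secret is shared once at enrollment (the QR code you scan) and never travels again; every code after that is derived on the device from that secret and the current 30-second time step, so there is no text message to intercept and a SIM swap gets nothing. The secret and timestamps used below are the RFC’s published test vectors, not values from any real account. The verifier side also shows the two checks a server applies: a small tolerance for clock drift, and a refusal to accept the same time step twice. Note what the example does not change: the result is still a number a caller can ask you to read aloud, which is exactly the gap the passkey option above closes.

```python
"""Added example: how an authenticator app derives its code locally (RFC 6238 TOTP).

Nothing here is transmitted to the device at login time; the code is computed
from a secret the device already holds plus the clock. Secret and timestamps
are the RFC 6238 test vectors (constructed inputs, not real account data).
"""
import hashlib
import hmac
import struct
import time
from typing import Optional

# RFC 6238 Appendix B test secret (ASCII "12345678901234567890"). A real app
# would hold the base32 seed decoded from the enrollment QR code instead.
TEST_SECRET = b"12345678901234567890"
STEP_SECONDS = 30
DIGITS = 6


def totp(secret: bytes, unix_time: int, step: int = STEP_SECONDS,
         digits: int = DIGITS) -> str:
    """Compute the TOTP code for a given Unix time (HMAC-SHA1 variant)."""
    counter = unix_time // step                      # which 30-second window we are in
    msg = struct.pack(">Q", counter)                 # 8-byte big-endian counter
    mac = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                          # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)  # keep leading zeros


def current_code(secret: bytes = TEST_SECRET) -> str:
    """What the app shows right now; it changes every 30 seconds on its own."""
    return totp(secret, int(time.time()))


def verify(secret: bytes, candidate: str, unix_time: int, window: int = 1,
           used_counters: Optional[set] = None) -> bool:
    """Server-side check of a submitted code.

    Accepts the current step or +/- `window` steps to tolerate clock drift.
    If `used_counters` is supplied, a step that already authenticated once is
    rejected, so a code that was disclosed once cannot be replayed later.
    """
    for drift in range(-window, window + 1):
        t = unix_time + drift * STEP_SECONDS
        counter = t // STEP_SECONDS
        # Constant-time comparison so timing does not leak which digits matched.
        if hmac.compare_digest(totp(secret, t), candidate):
            if used_counters is not None:
                if counter in used_counters:
                    return False                     # replay of an already-used step
                used_counters.add(counter)
            return True
    return False


if __name__ == "__main__":
    # RFC 6238 vector: at Unix time 59 the 8-digit code is 94287082,
    # so the 6-digit display is 287082.
    print("code at t=59:", totp(TEST_SECRET, 59))
    print("code right now:", current_code())
```

The `used_counters` set is the piece most people never see: once a code has authenticated a session, a well-built server will not honor that same 30-second step again, which limits how long a disclosed code stays useful. It does not help if the thief is on the phone at the moment the code is generated, as in Rachel’s case, which is why the advice to never read a code to a caller applies to authenticator apps just as much as to text messages.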
Now, really quick before we wrap up, I want to zoom out for a moment.
In my experience, one of the most common planning mistakes I see is people spending the majority of their time and energy focused on their investments — which fund to buy, what allocation to use, whether they should rebalance — while leaving other critical parts of their financial plan completely unaddressed.
And look, I get it. Investment decisions feel tangible. They feel like you’re doing something productive. Heck, they’re often more exciting to spend time on than figuring out how to freeze your credit or finally getting your trust done. But a gap in your cybersecurity practices, your estate plan, your insurance coverage, or your tax planning can do just as much damage to your retirement as picking a bad investment. If not more.
John and Rachel had done the hard work. They’d saved diligently. They had a healthy retirement account. But a single text message and a six-digit code nearly unraveled a meaningful chunk of that progress.
And if you’re thinking this mostly affects younger, less experienced people, the data says otherwise. According to the FBI, people over 60 filed over 200,000 fraud complaints last year, with losses totaling nearly $7.7 billion — a 59% increase from the year before. The average loss for this age group was around $38,500, and over 12,000 individuals in this group lost more than $100,000 each.
These aren’t careless people. These are retirement savers — people who spent decades building their nest egg — losing real, significant money.
And I think that’s really the takeaway here. This isn’t just a story about fraud. It’s not even really a story about technology. It’s a story about behavior… about how we respond under pressure… and how, in the right moment, even smart, careful, well-prepared people can make a decision they normally wouldn’t. Because the system didn’t fail Rachel, and she didn’t do anything reckless or careless.
She did exactly what many of us might do under the exact same circumstances when we believe our money is at risk—she tried to fix the problem as quickly as possible. The greatest vulnerability in our financial lives today isn’t always a lack of knowledge… it’s the moments when urgency overrides our ability to use it. The few seconds where we stop thinking and start reacting. The few seconds where a six-digit code feels routine instead of critical. And the few seconds where someone else is controlling the pace of the interaction instead of us. That’s all these scams need.
So as you think about everything we’ve covered today, it’s not about memorizing every tactic or trying to outsmart every scammer. It’s about recognizing the pattern. Unexpected contact. A sense of urgency. A request for information. And when those three things show up together, that’s your signal—not to act faster, but to slow everything down.
Because in a world where so much of this is automated, scaled, and happening constantly in the background, your ability to pause… to take back control of the moment… that might be the most valuable layer of protection you have. And in many cases, it only takes a few seconds to make the right decision. Or the wrong one.
If you’ve adopted something to improve your own security and help keep you and your loved ones protected, I’d love to hear about it. Send me an email at podcast@youstaywealthy.com. Some of the best tools and resources I’ve come across over the years have been introduced to me directly from podcast listeners, so please keep them coming.
Thank you, as always, for listening, and once again, to view the resources and articles supporting today’s episode — including the FBI’s 2025 Internet Crime Report and links to my prior episodes on financial scams — just head over to youstaywealthy.com/279.
Disclaimer
This podcast is for informational and entertainment purposes only, and should not be relied upon as a basis for investment decisions. This podcast is not engaged in rendering legal, financial, or other professional services.