TIAA policy regarding "clicking on email links" ?

ResearchMed
Posts: 5493
Joined: Fri Dec 26, 2008 11:25 pm

TIAA policy regarding "clicking on email links" ?

Post by ResearchMed » Tue Oct 31, 2017 12:32 pm

UPDATE: TIAA WMA has subsequently told me that there is now a form waiting for me within my account, for me to download.
That's more like it.


Does anyone have a copy of TIAA's policy, assuming there is one, about whether or not one should "click on a link embedded in an email... and [worse] enter security information where that link takes you"?

I'm needing to take my first RMD from a 403b, and that requires spousal consent from DH.
(Heh, just as a curiosity, what if Dear Spouse refused, e.g., during a separation or whatever... we're just curious... "Not our problem" as they say...)

So, TIAA was to send me the form.
But no...

They sent me an email that requires that I click on an embedded link, and then enter my security information (before I can even see what it's about, although in this case, I know).

TIAA WMA insists that's how they "must" do it, because the form has "personal information" on it.
They can't just email a pdf that is blank, so I/we can enter that "personal information"?

We both refuse on principle to do what they are requiring, and we are astonished that they apparently routinely handle it this way.
No, there is NOT a way for me to "log in as usual", and get that form, apparently, strange as that is.

Main question here is: Is TIAA inviting - trying to *require* - me to violate the security procedures expected of us?

Thanks.

RM
Last edited by ResearchMed on Tue Oct 31, 2017 1:25 pm, edited 1 time in total.
This signature is a placebo. You are in the control group.

ccieemeritus
Posts: 440
Joined: Thu Mar 06, 2014 10:43 pm

Re: TIAA policy regarding "clicking on email links" ?

Post by ccieemeritus » Tue Oct 31, 2017 12:44 pm

Copy the link from the email and paste it into the browser. Then you can inspect the URL to see if the domain name is truly tiaa’s or a misspelled one from a hacker.

Because you are expecting the email and link at that time, I’d consider this almost no risk.

Good computer security is a balance of inconvenience versus “getting stuff done”. So you can click on this link because you asked for the form and expect it. But don’t click on unsolicited links.

Some browsers (Safari on Mac) let you hover the mouse over a link and see the true URL. But even then I don’t click on unexpected links.

Pajamas
Posts: 2837
Joined: Sun Jun 03, 2012 6:32 pm

Re: TIAA policy regarding "clicking on email links" ?

Post by Pajamas » Tue Oct 31, 2017 12:47 pm

ResearchMed wrote:
Tue Oct 31, 2017 12:32 pm


Main question here is: Is TIAA inviting - trying to *require* - me to violate the security procedures expected of us?
Not if you specifically asked them to send you a form and they provided access to that form via a link in an email. The admonition not to click on links in emails is general, not specific.

Here is some information from them about that:

https://www.tiaa.org/public/about/insid ... gnize.html

ResearchMed
Posts: 5493
Joined: Fri Dec 26, 2008 11:25 pm

Re: TIAA policy regarding "clicking on email links" ?

Post by ResearchMed » Tue Oct 31, 2017 12:52 pm

ccieemeritus wrote:
Tue Oct 31, 2017 12:44 pm
Copy the link from the email and paste it into the browser. Then you can inspect the URL to see if the domain name is truly tiaa’s or a misspelled one from a hacker.

Because you are expecting the email and link at that time, I’d consider this almost no risk.

Good computer security is a balance of inconvenience versus “getting stuff done”. So you can click on this link because you asked for the form and expect it. But don’t click on unsolicited links.

Some browsers (Safari on Mac) let you hover the mouse over a link and see the true URL. But even then I don’t click on unexpected links.
Thanks, but no for two reasons.

First, and especially, IS TIAA expecting us to comply with security measures or they won't help out in case of loss.... etc., etc...?
This is my primary concern, if TIAA is routinely doing this, which apparently they are.
But are they not only sending links like this, but expecting clients to violate the policies that are supposed to protect them?
(I've already verified that our WMA did indeed send us the second email with that same link, so THIS time, WE know it's legit.)

Second, there was a pretty amazing sample circulating recently where the font used made the "true URL" look EXACTLY like the real one, but it wasn't. It used some obscure (?) coding such that a different language (I may have some of this wrong) was translated using a font such that a different letter/character looked exactly like a "regular" letter/character.
There was a sample, a safe sample, such that one could blow it up and look more closely, and I would have flunked any test about whether they were the same or different, had I not known they were, in fact, different.

RM
This signature is a placebo. You are in the control group.

ResearchMed
Posts: 5493
Joined: Fri Dec 26, 2008 11:25 pm

Re: TIAA policy regarding "clicking on email links" ?

Post by ResearchMed » Tue Oct 31, 2017 12:56 pm

Pajamas wrote:
Tue Oct 31, 2017 12:47 pm
ResearchMed wrote:
Tue Oct 31, 2017 12:32 pm


Main question here is: Is TIAA inviting - trying to *require* - me to violate the security procedures expected of us?
Not if you specifically asked them to send you a form and they provided access to that form via a link in an email. The admonition not to click on links in emails is general, not specific.

Here is some information from them about that:

https://www.tiaa.org/public/about/insid ... gnize.html
That link leads to this:

"TIAA will never email you requesting personal, account or financial information to be provided as a reply. We will send secure messages to your TIAA account mailbox and alerts that contain information you need and can verify by calling us directly."

What we'd expect was a way to "get" this form by logging in to our accounts, using regular methods, and "once in", then to find a form to fill in or download.
That's the problem.
They claim this is impossible. (??)

RM
This signature is a placebo. You are in the control group.

Levett
Posts: 4177
Joined: Fri Feb 23, 2007 2:10 pm
Location: upper Midwest

Re: TIAA policy regarding "clicking on email links" ?

Post by Levett » Tue Oct 31, 2017 1:01 pm

Is there not a local TIAA office and/or wealth manager with whom you could do the paperwork?

I, too, take RMD's from TIAA, as I'm sure others who post here do.

Alternatively, since this is your first RMD, why not do it from within your account--e.g., the pdf is placed in your account and you fill out the paperwork.

For spousal signature (guaranteed), I have used a TIAA office which has notaries.

Hope it all works out.

Lev

P.S. I note that you have posted the following: "What we'd expect was a way to "get" this form by logging in to our accounts, using regular methods, and "once in", then to find a form to fill in or download."

Exactly. It's not impossible. I have done it repeatedly. The forms show up in the section "complete actions."
Last edited by Levett on Tue Oct 31, 2017 1:09 pm, edited 1 time in total.

bikechuck
Posts: 124
Joined: Sun Aug 16, 2015 9:22 pm

Re: TIAA policy regarding "clicking on email links" ?

Post by bikechuck » Tue Oct 31, 2017 1:04 pm

My TIAA advisor has often hung forms on their secure website for me. I log onto their site, collect the form and proceed from there. Strange that they are not doing the same for you in this situation.

ResearchMed
Posts: 5493
Joined: Fri Dec 26, 2008 11:25 pm

Re: TIAA policy regarding "clicking on email links" ?

Post by ResearchMed » Tue Oct 31, 2017 1:09 pm

Levett wrote:
Tue Oct 31, 2017 1:01 pm
Is there not a local TIAA office and/or wealth manager with whom you could do the paperwork?

I, too, take RMD's from TIAA, as I'm sure others who post here do.

Alternatively, since this is your first RMD, why not do it from within your account--e.g., the pdf is placed in your account and you fill out the paperwork.

For spousal signature (guaranteed), I have used a TIAA office which has notaries.

Hope it all works out.

Lev
Thanks.

Yes, doing this "within my account" - that's precisely what we'd expect. And then we could download it, and DH could take it to be notarized (I only have to sign, not get anything notarized).

The closest office isn't all that close, but ordinarily that could be done.
And I'm setting this up for "recurring", so the "annual permission" won't need to be done each year.

We'll have them mail us a copy of this top secret document.
(And I'm just waiting... to see if it ends up being a blank that I/we fill out anyway.)

But why are they NOT allowing regular online access to this form, one that should be fairly routine, from within my account... after I've gone there the "regular way", without using any email links?

RM
This signature is a placebo. You are in the control group.

ResearchMed
Posts: 5493
Joined: Fri Dec 26, 2008 11:25 pm

Re: TIAA policy regarding "clicking on email links" ?

Post by ResearchMed » Tue Oct 31, 2017 1:10 pm

bikechuck wrote:
Tue Oct 31, 2017 1:04 pm
My TIAA advisor has often hung forms on their secure website for me. I log onto their site, collect the form and proceed from there. Strange that they are not doing the same for you in this situation.
Your TIAA rep has done this specifically "for you", even if the document isn't generally handled that way?

If so, then sure, why can't "our guy" do that, too!?

Thanks.

RM
This signature is a placebo. You are in the control group.

GerryL
Posts: 1463
Joined: Fri Sep 20, 2013 11:40 pm

Re: TIAA policy regarding "clicking on email links" ?

Post by GerryL » Tue Oct 31, 2017 1:20 pm

In a lot of companies (most?) different departments have no idea how security is defined and handled for their customers. They come up with processes that directly conflict with guidelines and rules for security. This appears to be the case with TIAA.

When I interact with customer service at my internet/phone provider, I routinely get a "please take this survey" email that is sent from "CEB." I am asked to click a link in the email to provide feedback. Now, I happen to know that CEB stands for Corporate Executive Board, a reputable company that I used to interact with in my working days, but how stupid is it for <internet provider> to advise their customers to never click on a link in an email, especially from a sender they don't know, while at the same time sending out "click on this link" emails to its own customers?

I never click on the CEB link.

ResearchMed
Posts: 5493
Joined: Fri Dec 26, 2008 11:25 pm

Re: TIAA policy regarding "clicking on email links" ?

Post by ResearchMed » Tue Oct 31, 2017 1:24 pm

GerryL wrote:
Tue Oct 31, 2017 1:20 pm
In a lot of companies (most?) different departments have no idea how security is defined and handled for their customers. They come up with processes that directly conflict with guidelines and rules for security. This appears to be the case with TIAA.

When I interact with customer service at my internet/phone provider, I routinely get a "please take this survey" email that is sent from "CEB." I am asked to click a link in the email to provide feedback. Now, I happen to know that CEB stands for Corporate Executive Board, a reputable company that I used to interact with in my working days, but how stupid is it for <internet provider> to advise their customers to never click on a link in an email, especially from a sender they don't know, while at the same time sending out "click on this link" emails to its own customers?

I never click on the CEB link.
Yup, that's IT exactly.

TIAA isn't the only one.

UPDATE, and I'll update original post: TIAA WMA has subsequently told me that there is now a form waiting for me within my account, for me to download.
That's more like it.

Thanks all.

RM
This signature is a placebo. You are in the control group.

Earl Lemongrab
Posts: 3124
Joined: Tue Jun 10, 2014 1:14 am

Re: TIAA policy regarding "clicking on email links" ?

Post by Earl Lemongrab » Tue Oct 31, 2017 1:34 pm

ResearchMed wrote:
Tue Oct 31, 2017 12:52 pm
Second, there was a pretty amazing sample circulating recently where the font used made the "true URL" look EXACTLY like the real one, but it wasn't. It used some obscure (?) coding such that a different language (I may have some of this wrong) was translated using a font such that a different letter/character looked exactly like a "regular" letter/character.
There was a sample, a safe sample, such that one could blow it up and look more closely, and I would have flunked any test about whether they were the same or different, had I not known they were, in fact, different.
When you hover over a link in Firefox, it doesn't use the font from the email but the browser's text font. Similarly if you copy and paste to the URL block, the formatting doesn't come with it.
This week's fortune cookie: "Your financial life will be secure and beneficial." So I got that going for me, which is nice.

ResearchMed
Posts: 5493
Joined: Fri Dec 26, 2008 11:25 pm

Re: TIAA policy regarding "clicking on email links" ?

Post by ResearchMed » Tue Oct 31, 2017 1:39 pm

Earl Lemongrab wrote:
Tue Oct 31, 2017 1:34 pm
ResearchMed wrote:
Tue Oct 31, 2017 12:52 pm
Second, there was a pretty amazing sample circulating recently where the font used made the "true URL" look EXACTLY like the real one, but it wasn't. It used some obscure (?) coding such that a different language (I may have some of this wrong) was translated using a font such that a different letter/character looked exactly like a "regular" letter/character.
There was a sample, a safe sample, such that one could blow it up and look more closely, and I would have flunked any test about whether they were the same or different, had I not known they were, in fact, different.
When you hover over a link in Firefox, it doesn't use the font from the email but the browser's text font. Similarly if you copy and paste to the URL block, the formatting doesn't come with it.
I don't use Firefox. Maybe I should!

I need to try to find that example, and see how it looks in Firefox.
Thanks.

The "trick", at least not with FireFox, apparently is that in the various "translations", the font showing LOOKS okay, but really isn't.
It was scary how "proper" that link looked.
Sobering.
I was using either IE or Chrome, not sure which.

Point is, we just don't trust hovering the way we used to.

Thanks.
RM
This signature is a placebo. You are in the control group.

student
Posts: 1391
Joined: Fri Apr 03, 2015 6:58 am

Re: TIAA policy regarding "clicking on email links" ?

Post by student » Tue Oct 31, 2017 2:13 pm

Saw this late. I am glad that TIAA gave you an acceptable way to do this. Asking you to violate their policy is crazy. Regarding cutting and pasting to check the validity of the link, one can copy it and paste it in two steps. First paste it on the dumbest possible editor that you can find, think vi in terminal mode, that does not accept fancy fonts. Then check and copy from this editor and paste it to the url box of your browser.
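Added example, not part of any forum post: a script version of the checks discussed in this thread (inspect the link's domain, and look at it in a form where fonts cannot hide a look-alike character). It assumes the expected domain is tiaa.org, as in the link quoted above; the function name and the sample URLs are constructed for illustration.

```python
import unicodedata
from urllib.parse import urlsplit

EXPECTED_DOMAIN = "tiaa.org"  # assumption: domain of the TIAA link quoted in the thread


def inspect_link(url, expected=EXPECTED_DOMAIN):
    """Report what a font-independent inspection of the link's host reveals."""
    findings = []
    try:
        host = (urlsplit(url.strip()).hostname or "").rstrip(".")
    except ValueError:
        host = ""
        findings.append("URL could not be parsed")

    # Look-alike letters live outside ASCII. Naming each code point makes
    # the substitution visible no matter how the glyph is drawn.
    non_ascii = [(ch, f"U+{ord(ch):04X}", unicodedata.name(ch, "UNNAMED"))
                 for ch in host if ord(ch) > 127]
    if non_ascii:
        findings.append("host contains non-ASCII characters")

    # The IDNA (punycode) form is the name DNS actually resolves.
    try:
        ascii_host = host.encode("idna").decode("ascii")
    except UnicodeError:
        ascii_host = None
        findings.append("host cannot be converted to an ASCII DNS name")

    if ascii_host is not None:
        if any(label.startswith("xn--") for label in ascii_host.split(".")):
            findings.append("host has a punycode (xn--) label")
        # Accept only the expected domain itself or a true subdomain of it.
        if not (ascii_host == expected or ascii_host.endswith("." + expected)):
            findings.append(f"host is not {expected} or a subdomain of it")

    return {
        "host": host,
        "ascii_host": ascii_host,
        "non_ascii": non_ascii,
        "findings": findings,
        "matches_expected": not findings,
    }


# Constructed sample links (not taken from any real email).
SAMPLES = [
    "https://www.tiaa.org/public/forms",         # expected domain
    "https://www.t\u0456aa.org/login",           # Cyrillic U+0456 in place of "i"
    "https://www.tiaa.org.example.com/forms",    # expected name used as a prefix
    "https://tiaa-forms.example/secure",         # different domain altogether
]

if __name__ == "__main__":
    for sample in SAMPLES:
        result = inspect_link(sample)
        print(result["ascii_host"], "->", result["findings"] or "matches expected domain")
```

A clean result only says the host belongs to the expected domain; it says nothing about whether the message itself was expected.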

ResearchMed
Posts: 5493
Joined: Fri Dec 26, 2008 11:25 pm

Re: TIAA policy regarding "clicking on email links" ?

Post by ResearchMed » Tue Oct 31, 2017 2:28 pm

student wrote:
Tue Oct 31, 2017 2:13 pm
Saw this late. I am glad that TIAA gave you an acceptable way to do this. Asking you to violate their policy is crazy. Regarding cutting and pasting to check the validity of the link, one can copy it and paste it in two steps. First paste it on the dumbest possible editor that you can find, think vi in terminal mode, that does not accept fancy fonts. Then check and copy from this editor and paste it to the url box of your browser.
Thanks.

As for that crazy font phishing... I'm forgetting how we did it, but somehow I did find a way to display it such that it showed it wasn't really quite "right" (understatement), and then we could see that the link was not valid, even though it sure had looked that way at first.

Like I wrote... that was really sobering.

And it does continue to surprise us both that quite a few financial institutions still "invite" one to check <whatever> by logging in THROUGH THE EMBEDDED LINK.
It's not just TIAA.
But TIAA got really annoying when it seemed that was the *only* way to get the document we needed.

I've got it now, and there isn't anything we couldn't have filled in ourselves, not of the "personal information" sort. :annoyed
A blank form should have been quite fine, or one with just TIAA info, and none of mine.

And guess what the "personal information" was?
My name (top secret, of course! :twisted: ) and... the "Estimated Withdrawal Amount" (also top secret, apparently).
Not even an account number, but yes, the Employer name and "Plan Number" (no doubt also tightly held info).
The one thing... the "Plan Balance", which admittedly IS "personal". But it won't be accurate when they receive this form anyway, as it varies daily, so not sure why that is there.

The real problem with these "invitations" is that it just encourages those who might not be aware, or are less aware, of the risks one takes in general with "links embedded within emails".

And there is no need: The vendor can just request/suggest that one "log in to your account as usual, and then <whatever>".

RM
This signature is a placebo. You are in the control group.

student
Posts: 1391
Joined: Fri Apr 03, 2015 6:58 am

Re: TIAA policy regarding "clicking on email links" ?

Post by student » Tue Oct 31, 2017 2:35 pm

ResearchMed wrote:
Tue Oct 31, 2017 2:28 pm
student wrote:
Tue Oct 31, 2017 2:13 pm
Saw this late. I am glad that TIAA gave you an acceptable way to do this. Asking you to violate their policy is crazy. Regarding cutting and pasting to check the validity of the link, one can copy it and paste it in two steps. First paste it on the dumbest possible editor that you can find, think vi in terminal mode, that does not accept fancy fonts. Then check and copy from this editor and paste it to the url box of your browser.
Thanks.

As for that crazy font phishing... I'm forgetting how we did it, but somehow I did find a way to display it such that it showed it wasn't really quite "right" (understatement), and then we could see that the link was not valid, even though it sure had looked that way at first.

Like I wrote... that was really sobering.

And it does continue to surprise us both that quite a few financial institutions still "invite" one to check <whatever> by logging in THROUGH THE EMBEDDED LINK.
It's not just TIAA.
But TIAA got really annoying when it seemed that was the *only* way to get the document we needed.

I've got it now, and there isn't anything we couldn't have filled in ourselves, not of the "personal information" sort. :annoyed
A blank form should have been quite fine, or one with just TIAA info, and none of mine.

And guess what the "personal information" was?
My name (top secret, of course! :twisted: ) and... the "Estimated Withdrawal Amount" (also top secret, apparently).
Not even an account number, but yes, the Employer name and "Plan Number" (no doubt also tightly held info).
I literally LOLed seeing your comments. :D :D :D

bikechuck
Posts: 124
Joined: Sun Aug 16, 2015 9:22 pm

Re: TIAA policy regarding "clicking on email links" ?

Post by bikechuck » Tue Oct 31, 2017 5:12 pm

ResearchMed wrote:
Tue Oct 31, 2017 1:10 pm
bikechuck wrote:
Tue Oct 31, 2017 1:04 pm
My TIAA advisor has often hung forms on their secure website for me. I log onto their site, collect the form and proceed from there. Strange that they are not doing the same for you in this situation.
Your TIAA rep has done this specifically "for you", even if the document isn't generally handled that way?

If so, then sure, why can't "our guy" do that, too!?

Thanks.

RM
Yes, my TIAA advisor has done this specifically for me but I cannot say whether or not it is "generally handled this way". I can say that there has never been a case where I could not get a document from him in this manner and both he and I like it because it seems to be a very secure way of sharing documents both ways. By that I mean that I can hang a document for him on their site as well.

I really like my TIAA advisor. He has never pressured me to move funds from my non TIAA accounts to TIAA and he has made several excellent suggestions that I have taken advantage of re my portfolio. My wife (who generally avoids financial management) likes him as well. We tend to meet once a year, however I retired earlier this year and my wife will retire later this year so we have met twice this year.

A couple of examples.

1) I have company stock from a previous employer that I was going to roll over into an IRA. My TIAA advisor informed me about the NUA rules which I will take advantage of which will allow me to dispose of this stock with a much smaller tax liability.

2) I had a very small amount of money < $30K in a fixed annuity that was not annuitized. My advisor noticed that it was earning 4.5% annually which he pointed out was a good rate of return. He encouraged me to call the insurance company to see if I could add more money to it through a roll-over after first checking that the new money would also earn the same return without any restrictions or penalties on withdrawing the money if it was needed. Turned out I can add money and the new money will earn a guaranteed minimum 4.5% annually. Since I have held this for more than 7 years I can take money out or put it in without penalty or fees any time I want. I am now using this as a bond substitute and it now accounts for approx 17% of my portfolio.

I have learned a few very useful things from this advisor and I am thankful for his availability and advice.
