I received an email from Sallie Mae this morning about my student loans. “You have a new student loan account document available online,” it said.
Click on this link, it said. Then enter your user name and password. Oh, and can you verify the city where you were born?
Maybe it’s just me, but doesn’t that sound a lot like a phishing email? You know the type: that message from eBay or PayPal warning you about fraudulent activity on your account, so can you please RIGHT NOW log in and verify your date of birth, Social Security number and mother’s maiden name, or they’ll cancel your account forever?
The last time I checked, identity theft experts warn consumers not to click on links in emails that ask you for personal information of any kind. Even if it looks like a legitimate URL, and even if it leads to something that looks like your financial institution’s legitimate site, it might not be.
To be safe, experts recommend typing a site’s address directly into your browser instead. And some companies have changed the way they do things because of this. Vanguard, for instance, sends me emails that contain no hyperlinks—just instructions to open a browser of my choice, visit “vanguard.com,” and log in for important correspondence.
Sallie Mae needs to do something similar. Because here’s the thing: What I received today was a legitimate email. But if Sallie Mae makes a point of sending these emails to its customers on a regular basis, it’s just one small step for phishers to copy them, pose as Sallie Mae and send out illegitimate requests to consumers who don’t know any better.
Sallie Mae, are you listening?