Protecting yourself on a tired Tuesday from a $40k hacker [#23]
The bait that hooked me was a receipt from an app I use all the time. Or so I thought.
It was a notification on my iPhone, looking like every Shopify order confirmation you’ve ever seen. Order #1924. A reference number, amount spent (in USD and AUD), a shipping address.
What?
Those jeans I bought were US$500? No way.
And buried in the description, where the product name should sit, a sentence: “If you DID NOT authorize this transaction, contact us immediately.” Plus an Australian phone number.
*sigh*.
Now, in case you’re wondering what any of this has to do with your WealthSpan – hold tight. It turns out that this real-life story is entirely the point.
Ok, so there was actually a ‘tell’ in plain sight, if I’d properly read it instead of reacting to it: there were two amounts, in USD and AUD, that obviously didn’t match – the USD was greater than the AUD. The AUD hasn’t traded above the USD in well over a decade.
In my defence, it had been a very long week. So I dialled the number.
The part I’d rather not tell you
A man answered. “Thank you for calling help and support. How can I help you?”
I gave him the order ID. He asked for the amount. I read it back. “Okay, give me a moment please.” Then: “Yes, sir. Can you confirm your mobile number?”
I pushed back: “I’ve given you an order number, can you investigate that?” but he had an answer ready: “Yes, sir, I can investigate, but for the further investigation, I must need your mobile number”.
I gave it to him. The real one, the whole thing, no hesitation. It was Friday. Sue me.
Anyway, it was at this point, after I’d given him my number, that I flinched. Why does a billing query need my mobile? So when he confirmed it, I fed him a fake – my own number with the last few digits scrambled. He read that wrong number back to me and I told him it was correct.
I want to be honest about what just happened here: this was not a security system, it was dumb luck. It wasn’t my final defence, though, and that’s the point we’ll come back to. But first, I’ll finish my story.
Now he has something of mine. Cue the narrative.
“In my database, I can see there are a few hackers from Mountain View, California…”
These hackers, he explained, were using my PayPal account. He asked whether I had shared my PayPal details with anyone? A colleague, perhaps? A family member in America?
No, I said, not that I’m aware of.
“Then surely and definitely someone is using your account without your knowledge and without your permissions. Sir, what do you want me to do now?”
Read that again. This is my call, my decision. Clever.
He offers: “Sir, shall I cancel the bill, reimburse your account, remove all of those hazards who are using your information?”
What happened next was not my brilliance, it was a system rule
I said I’d go to PayPal and sort this out.
That’s it. That’s the rule: go directly to the source. That’s the bank. Or, in this case, PayPal. He didn’t like it.
“Are you going to PayPal, sir? Can I connect your call to the technical team?”
I said no and thanked him for his help. Now the mask comes off: “Now sir, listen – listen to me, if you want to go–”. Click.
Here’s the takeaway. And it isn’t “be careful on the phone.”
I wasn’t careless. I’m a professional. And yet I still read my number out to a stranger before any conscious thought caught up.
You aren’t Jason Bourne: tired Tuesdays are going to happen
You cannot run the defence of your wealth on the hope that, under pressure, you’ll outsmart the hacker. And yet, without a system in place, that’s the defence most people are running, whether they realise it or not.
Like I said, it had been a long week. It wasn’t the first and it won’t be the last. You know what I mean because you have them too. A call like that happens in the middle of three other things, when you’re rushed or distracted or simply being polite. That’s when you’re vulnerable.
Hackers know this. The major banks have done heaps of research into the ‘off guard’ windows when scammers are deliberately at their most active.
You aren’t Jason Bourne. You can’t be on guard all the time. But you don’t have to be, either. Because …
The hit that sinks a ship happens below the waterline, not above it
Picture your financial life as a ship. Above the waterline is everything you can see and tend to pay close attention to: investment performance tables, which managers beat the index, the latest forecast on where the economy’s going. It’s where almost all the attention goes, because it’s the part that shows.
Below the waterline is the hull. The protections. The structure and the habits nobody admires and nobody posts about: how your accounts are walled off from one another, where your data lives and who can reach it, what happens to your money if a single password falls into the wrong hands. Risk management is unglamorous, invisible, and it is the only part that decides whether you stay afloat.
The hits that sink ships come from below the waterline. They always have.
And here’s the trap. You can spend every waking hour above the line – chasing the extra one per cent on five million dollars, a genuinely worthwhile sum – and if you’ve left the hull unattended, a single breach can send all of it, and more, to the bottom. The return you fought for means nothing if the ship carrying it has a breach.
It got Gerard
Sixty-something, four decades of a successful business behind him, happily living off the proceeds of a high 7-figure nest egg.
A man with a very Australian accent, who we think was working from somewhere in eastern Europe, telephoned him posing as a Wi-Fi technician from his telco. He walked off with more than forty thousand dollars of Gerard’s retirement savings. It took place not during one smash-and-grab call, but over a sophisticated series of calls and emails spanning 48 hours.
There’s a happy ending, of sorts: Gerard was made whole – whether by his bank or a policy, I genuinely can’t recall, and it almost doesn’t matter. What matters is that he’d done the work below the waterline. The protection was in place before he needed it, so when the hit came, his ship sailed on.
Whereas if Gerard had spent those years fixated solely on hunting down ways to earn higher returns, leaving the hull bare, that forty grand would be gone forever.
A fraud loss is a different kind of threat to your WealthSpan, because it doesn’t behave like a market loss. Markets recover but a breach like this offers no such promise. It also extracts a tax that doesn’t show up on performance charts – it rattles your confidence, your sleep, your joie de vivre.
Protecting your wealth on purpose, not by accident
My hack failed. But look honestly at why – not because I was Jason Bourne – I’d already proven I wasn’t, two minutes in, reading my real number out to a stranger!
Gerard’s hack, on the other hand, succeeded, but he kept his retirement anyway – not by accident, but because he’d protected the hull on purpose, long before the call came.
And that’s the point.
You don’t stay afloat by being on guard forever – you can’t be, there will always be a tired Tuesday. You stay afloat by doing the unexciting, deliberate work below the waterline, where, it turns out, the real vulnerabilities to your financial house live. Call it getting your financial house in order, if you like.
This is a project sitting in the heart of your financial planning. Where else would it sit? Would your tax accountant, your hourly-fee lawyer, or your commissioned insurance agent take this project on because it’s in their wheelhouse?
The thief from “Help and Support” is still out there, dialling. The only real question is what he finds when he reaches you: have you done the work below the waterline?
-- Daniel Brammall
The WealthSpan Letter is general financial information, not personal financial advice. Consider whether any information is appropriate to your circumstances before acting on it.