The SEC’s Office of Investor Education and Advocacy is issuing this Investor Bulletin to help investors protect their online brokerage accounts from fraud. As with all web-based accounts, investors should take precautions to help ensure that their online brokerage accounts remain secure. These online security tips can help.
Pick a “strong” password, keep it secure, and change it regularly. Select a strong password for your online brokerage account. A strong password is one that is not easy to guess and generally uses eight or more characters that include symbols, numbers, and both capital and lowercase letters. A strong password is not based on common words, phrases, or personal information such as a name or birthday. Keep your password in a safe place and out of plain sight. Never share your password on the Internet, by e-mail, or over the phone. In addition, you should change your password regularly.
Use two-step verification, if available. Your brokerage firm may offer or require a two-step verification process for access to your online account. With a two-step verification process, each time you attempt to log into your account your brokerage sends a unique code to either your e-mail or cell phone. Before you can gain access to your account, you must enter this code and your password.
Use different passwords for different online accounts (i.e., brokerage, banking, retirement, or other similar financial accounts). Avoid using the same password for different online services, particularly for financial accounts. Using a single password for different online financial accounts is the equivalent of using a single key for your car, house, and mailbox – if the key is lost or stolen, you potentially give away access to everything. While using multiple passwords increases the difficulty of managing passwords, it significantly improves security.
Avoid using public computers to access your online brokerage account. Try to avoid accessing your online brokerage account on a public computer. If you must use a public computer to access your account, remember:
- Log out of the account completely by clicking the “log out” button on the brokerage account website to terminate the online session. Closing or minimizing a browser application or window does not necessarily log you out of the account.
- Delete history files, caches, cookies, and temporary Internet files.
Use caution with wireless connections. If you use a wireless connection to the Internet (including a wireless home network) to access your online brokerage account, make sure your computer is secure and has current anti-virus software and a firewall enabled. You can learn more about security issues relating to wireless networks on the website of the Wi-Fi Alliance at http://www.wi-fi.org/discover-wi-fi/security.
If you access your account on a public wireless connection, such as at a coffee shop or airport, you should use extra caution. It is very easy to “eavesdrop” on Internet traffic, including passwords and other sensitive data, on a public wireless network. If you use a public wireless network, remember:
- Do not type your password unless the website you are accessing uses a secure connection. The easiest way to determine whether a website is secure is to look in the address bar. If the page’s web address begins with “https” instead of “http,” then it is a secure connection.
- Turn off file sharing. With some operating systems, by default all of your local files are wide open to any other device connected to the same network. Make sure this feature is turned off when accessing information over a public wireless network. You can usually find instructions for turning file sharing on and off in your operating system’s help menu.
Be extra careful before clicking on links sent to you. You should always verify that e-mails containing links regarding your brokerage account come from legitimate sources. Clicking on a malicious link could:
- Link to a website designed to trick you into providing sensitive account information that can be used to steal your money or identity.
- Cause malicious software (e.g., computer viruses, worms, Trojan horses, or spyware) to automatically infect your computer and allow fraudsters to obtain sensitive account information.
To guard against dangerous links, remember the following:
- Do not click on a link that was sent to you by a business or entity you do not know. Perform an online search for the business or go directly to the business’s website to determine if the link is legitimate.
- Do not click on a link that was sent to you by a business that you have an existing account with. Investors should confirm the legitimacy of the link by either going directly to the business’s website or calling the business with a confirmed telephone number.
Secure your mobile devices. Many mobile devices, such as smartphones or tablets, have software applications that allow users automatic access to their online brokerage accounts. Unauthorized access to these mobile devices could compromise these accounts. If you have a mobile device that is linked to your online brokerage account, make sure that the device is password protected in case it is lost or stolen.
Regularly check your account statements and trade confirmations. Always remember to check your brokerage account statements and trade confirmations for any suspicious activity. For example:
- Check for any discrepancies, such as misspelled names or inaccurate account information (e.g., address, phone number, e-mail address, or account number).
- Confirm that you authorized all of the transactions that appear in your account statements and trade confirmations.
- If you see any mistakes or unauthorized transactions, contact your brokerage firm in writing immediately. Your written complaint may be the only way to prove that you complained to the firm about the mistakes or unauthorized transactions. Also, remember to keep written records of any communications you have with your brokerage firm regarding these mistakes or unauthorized transactions.
Online Brokerage Accounts: What You Can Do to Safeguard Your Money and Your Personal Information
Let’s hope this never happens to you: You have a few free minutes so you decide to go online to check your brokerage account information. Your account balance is much lower than you expect – and you know that, at least for today, neither the market nor any of your securities fell in value. You see that there were several wire transfers of money from your account to an outside checking account. But you never authorized those transactions – instead, an identity thief did, and that thief has now stolen your cash as well as your personal information.
Like many investors, you may enjoy some of the conveniences of an online brokerage account, like checking your brokerage account information at any time of day or night, buying and selling securities, or even transferring money between your brokerage account and another account. But if you don’t take steps to protect your personal information when you go online, you could be telling your own story of identity theft.
How Online Identity Theft Can Happen
Many identity thieves use malicious software programs to attack vulnerable computers of online users. These software programs can monitor your computer activity and send information back to the thief’s computer. Sometimes, these programs will log your key strokes, which allows identity thieves to easily obtain username and password information for any of your online accounts, including your brokerage account.
Other identity thieves “phish” for your personal information. “Phishing” involves the use of fraudulent emails and copy-cat websites to trick you into revealing valuable personal information – such as your account number, your social security number, and the username and password information you use when accessing your account. Sometimes fraudsters will use phishing scams to try to get you to download keystroke logging or other malicious software programs unsuspectingly.
But not all identity thieves have gone “high tech.” Many still use less sophisticated ways of stealing your personal information, such as looking over your shoulder when you’re typing sensitive information or searching through your trash for confidential account information.
How to Protect Yourself Online
You’ll need to protect yourself against identity thieves, whether hackers, phishers, or snoops, when you use your online brokerage account. Here are a few suggestions on ways to keep your personal information and money more secure when you go online:
- Beef Up Your Security. Personal firewalls and security software packages (with anti-virus, anti-spam, and spyware detection features) are a must-have for those who engage in online financial transactions. Make sure your computer has the latest security patches, and make sure that you access your online brokerage account only on a secure web page using encryption. The website address of a secure website connection starts with “https” instead of just “http” and has a key or closed padlock in the status bar (which typically appears in the lower right-hand corner of your screen).
Security Tip: Even if a web page starts with “https” and contains a key or closed padlock, it’s still possible that it may not be secure. Some phishers, for example, make spoofed websites which appear to have padlocks. To double-check, click on the padlock icon on the status bar to see the security certificate for the site. Following the “Issued to” in the pop-up window you should see the name matching the site you think you’re on. If the name differs, you are probably on a spoofed site.
- Use a Security Token (if available). Using a security token can make it even harder for an identity thief to access your online brokerage account. That’s because these small number-generating devices offer a second layer of security – a one-time pass-code that typically changes every 30 or 60 seconds. These unpredictable pass-codes can frustrate identity thieves. While fraudsters can use keystroke logging programs to obtain regular username and password information, they can’t use these programs to obtain the security token pass-code. Ask your brokerage firm if you can protect your online account with a security token or similar security device.
- Be Careful What You Download. When you download a program or file from an unknown source, you risk loading malicious software programs on your computer. Fraudsters often hide these programs within seemingly benign applications. Think twice before you click on a pop-up advertisement or download a “free” game or gadget.
- Use Your Own Computer. It’s generally safer to access your online brokerage account from your own computer than from other computers. If you use a computer other than your own, for example, you won’t know if it contains viruses or spyware. If you do use another computer, be sure to delete all of your “Temporary Internet Files” and clear all of your “History” after you log off your account.
- Don’t Respond to Emails Requesting Personal Information. Legitimate entities will not ask you to provide or verify sensitive information through a non-secure means, such as email. If you have reason to believe that your financial institution actually does need personal information from you, pick up the phone and call the company yourself – using the number in your rolodex, not the one the email provides!
Security Tip: Even though a web address in an email may look legitimate, fraudsters can mask the true destination. Rather than merely clicking on a link provided in an email, type the web address into your browser yourself (or use a bookmark you previously created).
- Be Smart About Your Password. The best passwords are ones that are difficult to guess. Try using a password that consists of a combination of numbers, letters (both upper case and lower case), punctuation, and special characters. You should change your password regularly and use a different password for each of your accounts. Don’t share your password with others and never reply to “phishing” emails with your password or other sensitive information. You also shouldn’t store your password on your computer. If you need to write down your password, store it in a secure, private place.
- Use Extra Caution with Wireless Connections. Wireless networks may not provide as much security as wired Internet connections. In fact, many “hotspots” – wireless networks in public areas like airports, hotels and restaurants – reduce their security so it’s easier for individuals to access and use these wireless networks. Unless you use a security token, you may decide that accessing your online brokerage account through a wireless connection isn’t worth the security risk. You can learn more about security issues relating to wireless networks on the website of the Wi-Fi Alliance.
- Log Out Completely. Closing or minimizing your browser or typing in a new web address when you’re done using your online account may not be enough to prevent others from gaining access to your account information. Instead, click on the “log out” button to terminate your online session. In addition, you shouldn’t permit your browser to “remember” your username and password information. If this browser feature is active, anyone using your computer will have access to your brokerage account information.
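The security token item above describes a pass-code that changes every 30 or 60 seconds. The following added example, which is not part of the SEC bulletin, shows why a pass-code recorded together with a password is of little use afterwards. It assumes the open TOTP algorithm (RFC 6238) as a stand-in, since the bulletin does not say which algorithm brokerage tokens use; the secret is the RFC’s published test value, and the single-use check and function names are illustrative.

```python
import hashlib
import hmac
import struct

def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1): the code depends on the secret and the time window."""
    counter = unix_time // step                    # same value for `step` seconds
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                        # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def verify(secret, submitted, now, step=30, used_counters=None):
    """Illustrative server check: accept only the current window's code, and only once."""
    used_counters = set() if used_counters is None else used_counters
    counter = now // step
    if counter in used_counters:
        return False                               # a code was already accepted in this window
    if hmac.compare_digest(totp(secret, now, step), submitted):
        used_counters.add(counter)
        return True
    return False

# Constructed scenario: the pass-code typed at t=59 is recorded along with the password.
SECRET = b"12345678901234567890"                   # RFC 6238 test secret, not a real key
captured = totp(SECRET, 59)

def replay_results():
    used = set()
    return {
        "user_login_t59": verify(SECRET, captured, 59, used_counters=used),
        "replay_same_window": verify(SECRET, captured, 59, used_counters=used),
        "replay_next_window": verify(SECRET, captured, 95, used_counters=used),
    }
```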
How to Know if Your Identity Has Been Stolen
Sometimes, it can be extraordinarily difficult to determine whether someone has stolen your identity. If you take the steps below, you may be able to find out whether you’ve been a victim of identity theft and protect yourself from further harm:
- Read Your Statements. Don’t toss aside your monthly account statements! Read them thoroughly as soon as they arrive to make sure that all transactions shown are ones that you actually made, and check to see whether all of the transactions that you thought you made appear as well. Be sure that your brokerage firm has current contact information for you, including your mailing address and email address. If you see a mistake on your statement or don’t receive a statement, contact your brokerage firm immediately.
- Monitor Your Credit Report. Reviewing your credit report may alert you to unauthorized activity, and, therefore, can be an effective way to fight identity theft. You can obtain a free credit report every 12 months from three different credit bureaus by contacting the Annual Credit Report Request Service.
Investor Tip: Read your brokerage account agreement carefully because many firms take the position that you are responsible for the security of your account information, such as your username, password, and account number. In addition, your brokerage account agreement may provide information about what specific steps you should take if you notice any unauthorized account activity.
What to Do if You Run into Trouble
Always act quickly when you come face to face with a potential fraud, especially if you’ve lost money or believe your identity has been stolen.
- Identity Theft. If you think that your personal information has been stolen, visit the Federal Trade Commission’s Identity Theft Resource Center (www.consumer.gov/idtheft/index.html) for information on how to file a complaint and control the damage.
- Securities Scams. Before you do business with any investment-related firm or individual, do your own independent research to check out their background and confirm whether they are legitimate. For step-by-step tips and links to helpful websites, please read Check Out Brokers and Advisers and SIPC Exposes Phony “Look-Alike” Web Site. Report investment-related scams to the SEC using our online Complaint Center.
- Phishy Emails. If a phishing scam rolls into your email box, be sure to tell the company right away. You can also report the scam to the FBI’s Internet Fraud Complaint Center at www.IFCCFBI.gov. If the email purports to come from a brokerage firm or mutual fund company, be sure to pass along that tip to the SEC’s Enforcement Division by forwarding the email to email@example.com.
For additional educational information for investors, see the SEC’s Office of Investor Education and Advocacy’s homepage (http://www.sec.gov/investor) and the SEC’s Investor.gov website (http://www.investor.gov/). For additional information about safeguarding online brokerage accounts, also see:
The Office of Investor Education and Advocacy has provided this information as a service to investors. It is neither a legal interpretation nor a statement of SEC policy. If you have questions concerning the meaning or application of a particular law or rule, please consult with an attorney who specializes in securities law.