Investor Alert: Identity Theft, Data Breaches and Your Investment Accounts
Nov. 17, 2022
The SEC’s Office of Investor Education and Advocacy is issuing this Investor Alert to provide investors with important steps to take regarding their investment accounts if they become victims of identity theft or a data breach. Investors should always take steps to safeguard their personal financial information (e.g., Social Security number, financial account numbers, phone number, e-mail address, or usernames and passwords for online financial accounts). However, if identity theft or a data breach compromises your personal financial information, here are some important steps to take immediately.
Contact your investment firm and other financial institutions immediately. If you think your personal financial information has been stolen, contact your broker-dealer, investment adviser or other financial professional immediately to report the problem and ask what steps you should take to protect your account. You should also contact any other financial institutions where you have accounts that may be impacted by the loss of your personal financial information. These may include banks, credit card companies, or insurance companies. Please remember to document any conversations with your investment or financial firms in writing.
Change your online account passwords or passphrases. Immediately change the password or passphrase for any investment or financial accounts associated with the compromised personal financial information. Always remember to use strong passwords or passphrases that are not easy to guess. Strong passwords should consist of at least twelve or more characters that include symbols, numbers and both capital and lowercase letters. Strong passwords should not use words found in a dictionary, or personal information such as a name or birthday. Strong passphrases should consist of random words, using characters that include symbols, numbers, and both capital and lower-case letters. Strong passphrases should not use: (1) common phrases from literature, music, or other media; (2) personal information such as your name or birthday; or (3) only words found in a dictionary. To help keep your accounts safe in the future, remember to change your passwords and passphrases regularly.
Close compromised accounts. If you notice any unauthorized access into your investment account, you should ask your investment firm to close the account and move the assets to a new account. You should consult your investment firm about the best way to handle closing an account.
Activate two-step or “multifactor” verification, if available. Your brokerage firm or investment adviser may offer (or require) a two-step verification process for gaining access to your online accounts. With a two-step verification process, each time anyone attempts to log into your account through an unrecognized device (i.e., a device you have not previously authorized on the account), your investment firm sends a unique code to either your e-mail or cell phone. Before anyone can gain access to your account, they must enter this code and your password. Activating this added layer of security may help reduce the risk of unauthorized access to your accounts by identity thieves.
Monitor your investment accounts regularly for suspicious activity. Closely monitor your investment accounts for any suspicious activity. Look out for any changes to your account information that you do not recognize (e.g., a change to your address, phone number, e-mail address, account number, or external banking information). You should also confirm that you authorized all of the transactions that appear in your account statements and trade confirmations.
- Account logins
- Failed account login attempts
- Password changes
- Personal information changes (address, e-mail or phone number)
- Securities transactions (placing orders to buy or sell investments)
- Transfers of money or securities in or out of the account
- Adding or deleting an external financial account where you can transfer money or securities to or from (e.g., bank account, investment account)
If you find any suspicious activity, immediately report it to your investment firm. Please remember to document any conversations with your investment firm in writing and provide a copy to your investment firm.
Place a credit freeze or fraud alert on your credit file.
A credit freeze stops any new creditors from accessing your credit file until you remove or temporarily lift the freeze from your credit file. Since most businesses or financial firms will not open new credit or financial accounts without checking your credit report, a freeze can stop identity thieves from opening new accounts in your name, but it does not stop them from taking over existing accounts.
To place a freeze on your credit file, contact each of the following national credit bureaus:
Each of the credit bureau’s websites provides specific details you will need to add or manage a freeze to your credit file. A freeze will stay on your credit file until you either remove or temporarily lift it. You can add, remove, or temporarily lift a freeze to your credit file online, by phone, or through the mail for free.
Placing a fraud alert in your credit file provides notice to potential creditors (e.g., banks and credit card companies) that you may have been a victim of fraud or identity theft and will help reduce the risk that an identity thief can use your personal financial information to open new accounts. Contact any of the three credit bureaus listed above and ask them to add a fraud alert to your credit file. You only need to contact one of the credit bureaus to add the alert to your credit file at all three credit bureaus. The credit bureau you contact will notify the other bureaus about the alert. The fraud alert will last for one year, and can be renewed annually. Requesting a fraud alert and renewing the alert are both free.
Active duty members of the military may elect to add an “active duty alert” to their credit file. Active duty alerts last for one year and can be renewed annually.
If you have been a victim of identity theft, you may also consider placing an extended fraud alert in your credit file. An extended fraud alert is similar to a regular fraud alert except that it lasts for seven years.
For additional information on alerts and freezes, please visit the Federal Trade Commission’s (FTC) webpage on credit freezes and fraud alerts, and the FTC’s identity theft website at www.identitytheft.gov.
Monitor your credit reports. After you place an initial fraud alert in your credit file, you are entitled to obtain a free copy of your credit report from each of the credit bureaus. Check each of your reports for signs of fraud, such as an unknown account, a credit check or inquiry to your credit file that you do not know about, an employer you have never worked for, or unfamiliar personal information.
Consider creating an Identity Theft Report. If a breach in your personal financial information results in identity theft, you may want to consider creating an identity theft report. An Identity Theft Report helps you deal with credit reporting companies, debt collectors, and business that opened accounts in your name. You can use the report to:
- Get fraudulent information removed from your credit report
- Stop a company from collecting debts that result from identity theft
- Place an extended fraud alert on your credit report
- Get information from companies about accounts the identity thief opened or misused.
Creating an Identity Theft Report involves three steps:
1. Report the identity theft to the Federal Trade Commission (FTC) by completing the FTC’s online complaint form at https://identitytheft.gov/Assistant# or by calling the FTC at 1-877-438-4338, and obtain an FTC Identity Theft Affidavit. If you decide to use the FTC’s online complaint form at Identitytheft.gov, please remember to either create an online account with the FTC to save your Identity Theft Report, or print out and save your completed form before leaving the Identitytheft.gov website since you will be unable to retrieve it once you leave the website if you do not create an account.
2. Contact your local police department about the identity theft and provide them with:
- A copy of your FTC Identity Theft Affidavit
- A government-issued ID with a photo
- Proof of your address (mortgage statement, rental agreement, or utilities bill)
- Any other evidence you have of the identity theft (bills, IRS notices, etc.)
- A copy of the FTC’s Memo to Law Enforcement on identity theft
Ask for a copy of the police report.
3. Attach your FTC Identity Theft Affidavit to your police report to make an Identity Theft Report.
Additional information on Identity Theft Reports and identity theft in general, is available on the FTC’s website at www.identitytheft.gov. The Identitytheft.gov website also includes an online assistant to guide you through the steps to create your Identity Theft Report and a recovery plan to help you mitigate the possible damage caused by a data breach.
Document all communications in writing. Remember to document, in writing, and keep copies of any communications you have related to your identity theft.
Investor Bulletin: “Protecting Your Online Brokerage Accounts from Fraud”
FTC OnGuardOnline.gov webpage: “Tips for Using Public Wi-Fi Networks”
FTC IdentityTheft.gov webpage: www.identitytheft.gov
FTC’s informational webpage on Identity Theft Protection Services
Visit Investor.gov, the SEC’s website for individual investors.
Receive Investor Alerts and Bulletins from the Office of Investor Education and Advocacy (“OIEA”) by email or RSS feed. Follow OIEA on Twitter @SEC_Investor_Ed. Like OIEA on Facebook at facebook.com/secinvestoreducation.