Updated Investor Bulletin: Protecting Your Online Investment Accounts from Fraud
April 26, 2017
The SEC’s Office of Investor Education and Advocacy is issuing this Investor Bulletin to help investors protect their online investment accounts from fraud. As with all web-based accounts, investors should take precautions to help ensure that their online investment accounts remain secure. These online security tips can help.
Pick a “strong” password, keep it secure, and change it regularly. Select a strong password for your online investment account. A strong password is one that is not easy to guess and generally uses eight or more characters that include symbols, numbers, and both capital and lowercase letters. A strong password should not use words found in a dictionary, or personal information such as a name or birthday. Make sure you secure your password and never share it via electronic messaging (such as e-mail or text messages) or over the phone. In addition, you should change your password regularly.
Use two-step verification or “two-factor” authentication, if available. Your investment firm may offer or require a two-step verification process for access to your online account. Two-step verification is a practical way to add further security to your account by requiring a second factor in addition to your username and password. With a two-step verification process, each time you attempt to log into your account from an unrecognized computer, your investment firm sends a unique code to either your e-mail or mobile device. Before you can gain access to your account, you must enter this code and your password.
Add biometric safeguards, if available. Your brokerage firm or investment adviser may offer biometric safeguards for your online investment accounts, especially for access to these accounts through mobile devices. Biometric safeguards for an investment account may include fingerprint, facial or voice recognition, or iris scanning. These safeguards may be used with or instead of a password to access your investment accounts. Contact your brokerage firm or investment adviser to determine if they offer these safeguards for your investment accounts.
Use different passwords for different online accounts (i.e., brokerage, banking, retirement, or other similar financial accounts). Avoid using the same password for different online services, particularly for financial accounts. Using a single password for different online financial accounts is the equivalent of using a single key for your car, house, and mailbox – if the key is lost or stolen, you potentially give away access to everything. While using multiple passwords increases the difficulty of managing passwords, it significantly improves security.
Avoid using public computers to access your online investment accounts. Try to avoid accessing your online investment accounts on a public computer. If you must use a public computer to access your account, remember:
- Avoid using public computers that require you to enter personal information in order to gain access.
- Never walk away from a public computer while using it to look at investment or other financial account information. Leaving data up on a screen and walking away can enable potential onlookers to obtain your sensitive information.
- Disable password saving, and delete history files, caches, cookies, and temporary Internet files.
- When finished, log out of the account completely by clicking the “log out” button on the investment account website to terminate the online session. Closing or minimizing a browser application or window does not necessarily log you out of the account.
- Always change any passwords you use on a public computer.
Use caution with wireless (or “Wi-Fi”) connections. If you use a wireless connection to the Internet (including a wireless home network) to access your online investment accounts, make sure your computer or mobile device is secure and has current software updates, anti-virus software and a firewall enabled. You can learn more about security issues relating to wireless networks on the website of the WiFi Alliance at http://www.wi-fi.org/discover-wi-fi/security.
If you access your account on a public wireless connection, such as at a coffee shop or airport, you should use extra caution. It is very easy to “eavesdrop” on Internet traffic, including passwords and other sensitive data, on a public wireless network. If you use a public wireless network, remember:
- Do not type your password unless the website you are accessing uses a secure connection. The easiest way to determine whether a website is secure is to look in the address bar. If the page’s web address begins with “https” instead of “http,” then it is a secure connection.
- Turn off file sharing. With some operating systems, by default all of your local files are wide open to any other device connected to the same network. Make sure this feature is turned off when accessing information over a public wireless network. You can usually find instructions for turning file sharing on and off in your operating system’s help menu.
- Make sure the settings on your computers and mobile devices will not automatically connect to any available Wi-Fi connection. This will protect you from security risks in public spaces.
Be extra careful before clicking on links sent to you. You should always verify that e-mails containing links regarding your investment accounts come from legitimate sources. Clicking on a malicious link could:
- Link to a website designed to trick you into providing sensitive account information that can be used to steal your money or identity.
- Cause malicious software (e.g., computer viruses, worms, Trojan horses, or spyware) to automatically infect your computer and allow fraudsters to obtain sensitive account information.
To guard against dangerous links, remember the following:
- Do not click on a link that was sent to you by a business or entity you do not know. Perform an online search for the business or go directly to the business’s website to determine if the link is legitimate.
- Do not click on a link that was sent to you by a business that you have an existing account with. Investors should confirm the legitimacy of the link by either going directly to the business’s website or calling the business with a confirmed telephone number.
Special tips for using mobile devices:
Many mobile devices, such as smartphones or tablets, have software applications (apps) that allow users automatic access to their online investment accounts. Unauthorized access to these mobile devices could compromise these accounts. If you have a mobile device that is linked to your online investment accounts, consider the following tips:
- Secure your mobile devices. Turn on your mobile device’s password protection and automatic locking features. These features will automatically lock your mobile device after the device has been inactive for a specified period of time. Once locked, a user must enter a password before accessing the mobile device. Some mobile devices also feature biometric safeguards for accessing a locked device, such as fingerprint and facial recognition. Consider using these additional safeguards if they are available on your mobile device.
- Turn off automatic Wi-Fi settings. Make sure your mobile device’s Wi-Fi settings will not automatically connect your mobile device to any available Wi-Fi connection. This will help protect you from security risks in public spaces.
- Enable remote location and device wiping apps. These apps allow you to locate a lost mobile device, or remotely wipe all data from a lost or stolen mobile device.
- Install anti-virus or anti-malware protection. Just as you protect your computer, do not forget to protect your mobile devices from the growing number of virus and malware threats targeted at mobile devices.
- Automate your mobile device’s software updates. Make sure your mobile device’s operating software and apps remain up-to-date with the latest software fixes and security patches.
- Check your privacy settings. Most mobile apps have privacy settings for users which let you determine how much and what types of information are shared and stored. Always choose the least amount of data-sharing possible. For financial and investment apps, make sure your apps do not automatically save your account username and password.
Special tips for storing personal financial information in the Cloud (online data storage services):
EXERCISE CAUTION BEFORE STORING ANY PERSONAL FINANCIAL INFORMATION IN THE CLOUD. You should consider keeping documents containing your sensitive personal financial information (e.g., account numbers, passwords, and PINs) stored offline. If you decide to store any personal financial information in the cloud, carefully consider the following tips:
- Research the provider. Check the reputation and background of any cloud service provider before uploading any of your personal financial information to a cloud account. You can find background information on cloud service providers through general online searches, press articles, online review websites, and social media. Carefully consider both positive and negative feedback on the cloud service provider before opening any account for cloud services.
- Look for two-step verification. Many cloud service providers offer a two-step verification process, as described above, to access the information stored in your cloud account. This two-step process provides an extra layer of security to the information stored in your cloud account.
- Verify encryption. Verify that the cloud service provider encrypts all of the information you store in your cloud account. Encrypting information in the cloud helps to safeguard your information if it is stolen from your cloud account.
- Carefully review the provider’s security policies. Read and understand the cloud service provider’s security policies for any information you store in your cloud account.
Regularly check your account statements and trade confirmations. Always remember to check your investment account statements and trade confirmations for any suspicious activity. For example:
- Check for any discrepancies, such as misspelled names or inaccurate account information (e.g., address, phone number, e-mail address, or account number).
- Confirm that you authorized all of the transactions that appear in your account statements and trade confirmations.
- If you see any mistakes or unauthorized transactions, contact your investment firm in writing immediately. Your written complaint may be the only way to prove that you complained to the firm about the mistakes or unauthorized transactions. Also, remember to keep written records of any communications you have with your investment firm regarding these mistakes or unauthorized transactions.
For additional educational information for investors, see the SEC’s Office of Investor Education and Advocacy’s homepage and the SEC’s Investor.gov website. For additional information about safeguarding online investment accounts, also see:
- SEC Investor Alert: “Identity Theft, Data Breaches and Your Investment Accounts”
- Investor.gov: “Protect Your Social Media Accounts”
- SEC Publication: “Online Brokerage Accounts: What You Can Do to Safeguard Your Money and Your Personal Information”
- FINRA Investor Alert: “Keeping Your Account Secure: Tips for Protecting Your Financial Information”
- FINRA Investor Alert: “Cybersecurity and Your Brokerage Firm”
- FINRA Investor Alert: “Protect Your Online Brokerage Account: Safety Should Come First When Logging In and Out”
- FTC OnGuardOnline.gov webpage: “Tips for Using Public Wi-Fi Networks”