Investor Bulletin: Protecting Your Online Brokerage Accounts from Fraud
Feb. 3, 2015
The SEC’s Office of Investor Education and Advocacy is issuing this Investor Bulletin to help investors protect their online brokerage accounts from fraud. As with all web-based accounts, investors should take precautions to help ensure that their online brokerage accounts remain secure. These online security tips can help.
Pick a “strong” password, keep it secure, and change it regularly. Select a strong password for your online brokerage account. A strong password is one that is not easy to guess and generally uses eight or more characters that include symbols, numbers, and both capital and lowercase letters. A strong password is not based on common words, phrases, or personal information such as a name or birthday. Keep your password in a safe place and out of plain sight. Never share your password on the Internet, by e-mail, or over the phone. In addition, you should change your password regularly.
Use two-step verification, if available. Your brokerage firm may offer or require a two-step verification process for access to your online account. With a two-step verification process, each time you attempt to log into your account your brokerage sends a unique code to either your e-mail or cell phone. Before you can gain access to your account, you must enter this code and your password.
Use different passwords for different online accounts (i.e., brokerage, banking, retirement, or other similar financial accounts). Avoid using the same password for different online services, particularly for financial accounts. Using a single password for different online financial accounts is the equivalent of using a single key for your car, house, and mailbox – if the key is lost or stolen, you potentially give away access to everything. While using multiple passwords increases the difficulty of managing passwords, it significantly improves security.
Avoid using public computers to access your online brokerage account. Try to avoid accessing your online brokerage account on a public computer. If you must use a public computer to access your account, remember:
- Log out of the account completely by clicking the “log out” button on the brokerage account website to terminate the online session. Closing or minimizing a browser application or window does not necessarily log you out of the account.
- Delete history files, caches, cookies, and temporary Internet files.
Use caution with wireless connections. If you use a wireless connection to the Internet (including a wireless home network) to access your online brokerage account, make sure your computer is secure and has current anti-virus software and a firewall enabled. You can learn more about security issues relating to wireless networks on the website of the Wi-Fi Alliance at http://www.wi-fi.org/discover-wi-fi/security.
If you access your account on a public wireless connection, such as at a coffee shop or airport, you should use extra caution. It is very easy to “eavesdrop” on Internet traffic, including passwords and other sensitive data, on a public wireless network. If you use a public wireless network, remember:
- Do not type your password unless the website you are accessing uses a secure connection. The easiest way to determine whether a website is secure is to look in the address bar. If the page’s web address begins with “https” instead of “http,” then it is a secure connection.
- Turn off file sharing. With some operating systems, by default all of your local files are wide open to any other device connected to the same network. Make sure this feature is turned off when accessing information over a public wireless network. You can usually find instructions for turning file sharing on and off in your operating system’s help menu.
Be extra careful before clicking on links sent to you. You should always verify that e-mails containing links regarding your brokerage account come from legitimate sources. Clicking on a malicious link could:
- Link to a website designed to trick you into providing sensitive account information that can be used to steal your money or identity.
- Cause malicious software (e.g., computer viruses, worms, Trojan horses, or spyware) to automatically infect your computer and allow fraudsters to obtain sensitive account information.
To guard against dangerous links, remember the following:
- Do not click on a link that was sent to you by a business or entity you do not know. Perform an online search for the business or go directly to the business’s website to determine if the link is legitimate.
- Do not click on a link that was sent to you by a business that you have an existing account with. Investors should confirm the legitimacy of the link by either going directly to the business’s website or calling the business with a confirmed telephone number.
Secure your mobile devices. Many mobile devices, such as smartphones or tablets, have software applications that allow users automatic access to their online brokerage accounts. Unauthorized access to these mobile devices could compromise these accounts. If you have a mobile device that is linked to your online brokerage account, make sure that the device is password protected in case it is lost or stolen.
Regularly check your account statements and trade confirmations. Always remember to check your brokerage account statements and trade confirmations for any suspicious activity. For example:
- Check for any discrepancies, such as misspelled names or inaccurate account information (e.g., address, phone number, e-mail address, or account number).
- Confirm that you authorized all of the transactions that appear in your account statements and trade confirmations.
- If you see any mistakes or unauthorized transactions, contact your brokerage firm in writing immediately. Your written complaint may be the only way to prove that you complained to the firm about the mistakes or unauthorized transactions. Also, remember to keep written records of any communications you have with your brokerage firm regarding these mistakes or unauthorized transactions.
For additional educational information for investors, see the SEC’s Office of Investor Education and Advocacy’s homepage and the SEC’s Investor.gov website. For additional information about safeguarding online brokerage accounts, also see:
- SEC Publication: “Online Brokerage Accounts: What You Can Do to Safeguard Your Money and Your Personal Information”
- FINRA Investor Alert: “Cybersecurity and Your Brokerage Firm”
- FINRA Investor Alert: “Protect Your Online Brokerage Account: Safety Should Come First When Logging In and Out”
- FTC OnGuardOnline.gov webpage: “Tips for Using Public Wi-Fi Networks”