As many of us spend more and more time online, cyber criminals continue to lurk in the background, devising plans to steal your personal information. While financial institutions have an obligation to safeguard your personal financial information, you have an important role to play. This is especially true as FINRA has received an increasing number of reports regarding customer account takeover incidents and theft of personal financial information.
What is a customer account takeover?
A customer account takeover occurs when fraudsters steal customer information, such as usernames and passwords, to gain unauthorized access to personal accounts, including online financial accounts. FINRA has also received reports of attackers using synthetic identities, a type of fraud where real and fake information are combined to create a new identity. The real information used in this type of fraud is often stolen and then used to open a fraudulent account, benefiting the fraudster.
How do account takeovers happen?
Sometimes an account takeover starts with a phishing email that appears to come from a legitimate firm, asking for information your financial institution would never request through email—such as confirmation of an account number, password, credit card number, or Social Security number. Other times, cybercriminals engage in sophisticated social engineering attempts, perhaps calling you and pretending to be a representative from your financial institution as a ruse to obtain your personal information or account details. In still other instances, account takeover attempts result from data breaches or the sale of stolen customer login credentials on the “dark web.”
Some identity thieves send instant messages, text messages, emails, or freeware infected with malicious software that captures your keystrokes to steal your usernames and passwords. And others still rely on the old-fashioned method of "dumpster-diving" to recover your discarded account statements or other records that haven't been properly shredded.
What are the signs of a problem?
It is critical that you monitor your accounts to ensure any problems are quickly identified and your financial institution is notified immediately. This means regularly checking your accounts and reading your statements. Signs that there may be a problem can include the following.
Unfamiliar or unauthorized transactions, money movement, or deposits
Missing funds or securities
Incorrect or unauthorized updates to account information, such as a change of address, email, or phone number
Unexpected notification from your firm indicating a change to your account that you did not request
Missing account statements
Unfamiliar accounts or creditors on your credit report
If you think your personal information has been stolen or your account has been compromised, immediately notify the firm for the affected account, as well as your other financial institutions. Your financial institution will need time to determine what happened and may need your help in identifying family members or others who might have access to your account.
In the meantime, be sure to change your username and password for the breached account, and any other account that may have used the same login information. You may also want to place a fraud alert on your file with each of the credit bureaus.
Be Proactive: Safeguard Your Accounts
To protect yourself and deter cybercriminals from accessing your personal financial information, take the following steps to secure your financial accounts.
1. Watch What You Click. With phishing getting more and more sophisticated, the best way to protect yourself from a malicious link is to make sure you don't click on any. Even if you feel 100 percent sure the link in question is valid, the only way to know 100 percent that you are safe is to not click. Instead of clicking—or responding or downloading an attachment—go straight to your financial firm's website or use their app to confirm they sent the information.
2. Use Strong Passwords. Do not share your passwords with others, do not store them on your computer, use a different password for each of your accounts, and change your passwords regularly. To keep track of and protect your multiple passwords, consider using a password manager—an application that protects online accounts by suggesting and saving individual, strong passwords for each account. Password managers are offered by well-known mobile devices and storage providers.
3. Enable Multi-factor Authentication. Multi-factor authentication (MFA) is a key control to significantly reduce the likelihood that a cybercriminal can take over a customer account. Unlike single-factor authentication (e.g., a password), MFA uses two or more different types of factors—such as a password and a code sent by text message, or a physical identifier, such as a fingerprint, voice, or facial recognition. Enabling MFA will provide added protection if your account password is ever stolen.
4. Maintain Computer Security. Security software packages with anti-virus, anti-spam, and spyware detection features are a must if you engage in online financial transactions. For computers, be sure to use up-to-date security software and configure the software for automatic updates and patching. For all devices, install security updates as soon you receive a security update notification. Check your computer hardware and software provider's websites for tips to check and improve the security of your system.
5. Use Your Own Device—and Secure It. If possible, avoid using public computers or devices that are not yours to access your financial accounts. Public computers may contain software that captures passwords and PINs, which others can then access. If you do use another computer, be sure to delete your "Temporary Internet Files", or "Cache," and clear your "History" after you log out of your account. And be sure to use strong passwords, pass-phrases, or biometrics to protect not only your mobile devices but also your financial apps.
6. Be Cyber Safe When Using Wi-Fi. Many public hotspots, such as wireless networks in airports, hotels, and restaurants, reduce their security settings so it is easier for individuals to access and use these wireless networks. However, this also increases the possibility that someone could intercept your information. Some hackers will even create their own public networks with familiar-sounding names to lure in unsuspecting internet-seekers. Red flags to watch for include slow connections or networks that don't ask for you to agree to their terms of service. If accessing your financial accounts through a wired connection is not an option, do your best to balance the security risks of wi-fi. Wait until you can access a trusted, encrypted network. And when using wi-fi at home, secure your network with the strongest available encryption and a strong password.
7. Review All Correspondence from Your Financial Institutions. This bears repeating. Review your account activity and monthly account statements thoroughly as soon as they are available. Be sure your financial institution has your current contact information and that you are regularly receiving statements. If you see a mistake or unauthorized activity in your account, contact your financial institution immediately.
If you suspect your identity has been stolen or want additional resources on identity theft, visit the Federal Trade Commission’s IdentityTheft.gov resource. You can also report concerns about your investment accounts to FINRA, the SEC, and your state securities regulator.
FINRA is dedicated to investor protection and market integrity. It regulates one critical part of the securities industry – brokerage firms doing business with the public in the United States. FINRA, overseen by the SEC, writes rules, examines for and enforces compliance with FINRA rules and federal securities laws, registers broker-dealer personnel and offers them education and training, and informs the investing public. In addition, FINRA provides surveillance and other regulatory services for equities and options markets, as well as trade reporting and other industry utilities. FINRA also administers a dispute resolution forum for investors and brokerage firms and their registered employees. For more information, visit www.finra.org.