Cybersecurity's Family Threat: Protecting Your Assets Starts at Home
Not all criminals are shady strangers lurking on the Internet. Some are much closer than you think (like family and friends), so don't let your guard down, even in your own home.
Cybersecurity isn’t AN issue, it is THE issue with respect to financial institutions. Government and financial institutions worldwide are facing constant assaults from all sides that seek to steal assets from banks and securities brokerage firms. But investors can advance their own security.
Most investors have online access to their brokerage accounts. This allows them to buy and sell securities from their own homes, with no direct interaction with a human being. Investors can order funds to be delivered to others to pay bills, or for any other reason. So here is a hypothetical phone call from an investor to her broker:
Brokerage Firm: “Good morning, Interplanetary Investments, how may I direct your call?”
Client: “This is Myra Mistletoe. My brokerage account has been hijacked and $250,000 has been taken out without my permission. I want that money put back. I never authorized any sales of my securities or withdrawals.”
Brokerage Firm: “One moment Ms. Mistletoe.”
Brokerage Firm: “Good morning Ms. Mistletoe, this is Jack Justice at the Cyber Security Desk at Interplanetary Investments. I understand that assets have been removed from your account without permission and you want those assets replaced by this firm.”
Client: “Of course that’s what I want.”
Brokerage Firm: “We will of course make a full investigation, and if we discover what happened to your assets we will let you know immediately. I should tell you that if the firm was negligent in allowing the assets to be removed from your account, Interplanetary Investments can and will replace them.”
Client: “Well, investigate quickly.”
Brokerage Firm: “The investigation will begin immediately. There is one thing you should know. We will work with criminal authorities on a matter of this magnitude, and before Interplanetary Investments replaces your assets, you will have to give the firm an assignment of your rights against all wrongdoers (meaning we will pursue lawsuits against the people who stole the money, and we will seek criminal charges against those people as well) and cooperate in any criminal investigation.”
Brokerage Firm: “Ms. Mistletoe? Are you still there?”
What just happened?
A fair number of client complaints end right there.
Why? Because a substantial number of such thefts involve a family member, or a close friend or a business associate, not a cybercriminal in North Korea or the Russian held-portion of Ukraine. A Web search for so-called “familiar fraud” yields evidence that a high percentage of identity theft is perpetrated by someone the victim knew. Most people do not want their relatives sent to prison. If they believe this was done by a family member, they often withdraw a claim against the brokerage.
What is the lesson here?
If your home office is typical of most home offices, anyone with regular access to your computer may be able to find your log-in codes or your password to the brokerage account and wreak havoc with you cash and securities. A financially desperate in-law, an addicted relative, or anyone else with a craving for instant cash is a person the criminal authorities may focus on and locate in their investigation. In many instances, the demand to replace assets in the account ends with the discovery of who committed the crime.
So what to do?
- Remove temptation. Don’t be an easy target. You already know how, so just do it. Don’t put your user name and password codes on a Post-it Note on the side of your computer screen.
- When using a financial institution website, don’t check the option on the logon page that automatically remembers your user name and password.
- Change those passwords to a non-intuitive phrase, or a limerick, or the chorus of a song you like, and then secure that data elsewhere.
- If you have any concerns that you could be at risk of becoming a victim, consider signing up for identity theft protection to assist you in recouping your assets should anything happen.
- Review your account statements religiously. If there is something missing, contact the brokerage firm immediately. Stop the bleeding. Put a freeze on any other outflows from the account.
If you do think assets have been removed without your consent, what then?
- Many brokerage firms have a “Report Fraud Here” message, or something similar, on the firm’s website that will walk you through the process.
- Remember that this is your money. It is important. You should make a paper trail the people you contacted, the documents you sent, and the people you sent them to.
- Write a chronological narrative of what you have discovered, everything you did, who you spoke to and what you said. Attach documentation as you add to the chronology. This will give you a consistent and logical narrative of what happened, and what you have tried to do.
- Say the following sentence three times: “Telephone calls are worth the paper they’re written on.” In a world with email, there is no excuse for not confirming a telephone conversation with an electronic summary of what both parties to the call said, and what they promised to do. Keep the notes for your own records, and send a copy of them to the brokerage firm to give them a full explanation of what happened.
I don’t want to minimize the threat from criminal elements who would steal your identity and your assets, without even knowing who you are. But I urge you to do things within your control to prevent a crime of opportunity by someone you let into your home, and give you a methodology for recovering your assets if the worst happens.
About the Author
President and CEO, Securities Investor Protection Corporation
Stephen Harbeck is President and Chief Executive Officer of the Securities Investors Protection Corp., a nonprofit created by Congress to offer protection to customers of failed brokerage firms. SIPC, as a matter of policy, disclaims responsibility for any private publication by any of its employees. The views expressed herein are those of the author and do not necessarily reflect the views of SIPC or the author's colleagues on the staff of SIPC.