If you’re one of the millions of investors who plays the stock market, you’re probably hooked on the convenience and the lightning speed of online trading. Unfortunately, so is another group – hacker-traders who are hijacking consumer brokerage accounts and exploiting them for financial gain.
How could it happen? Because online trading involves conducting securities transactions in real time, stopping identity theft is far more challenging than it is for other financial institutions. Credit card companies and banks can put a transaction or an account on hold while they investigate suspicious activity. But if online brokerage firms do that too often, they would risk losing a huge number of customers.
Hacked Email Account Lead to Vanishing Investor Funds
In January, the FBI issued a warning that law enforcement agencies and financial regulators are seeing a disturbing trend. Cybercriminals are executing unauthorized financial transactions from victims’ compromised brokerage accounts. The illegal transactions are combined with telephone denial of service (TDoS) attacks in which a victim’s phone line is flooded with spam-like calls preventing the brokerage firm from verifying that he made the transaction. One Florida man filed a police report stating that almost $400,000 disappeared from his online brokerage account while he was targeted by a TDoS attack.
According to the FBI, the cybercriminal typically sends an email to a brokerage firm requesting the account balance. After that, he sends another email asking that a wire transfer be initiated on his behalf, claiming that a family emergency is preventing him from conducting business as usual.
The FBI says several reports indicate that cybercriminals have changed the victim’s email settings, blocking email from his financial institution by sending it to the spam filter. That prevents the victim from finding out that the fraudulent transaction has taken place. And it leaves more time for it to clear the account without being detected.
Last month, the private watchdog group FINRA (Financial Industry Regulatory Authority) also issued a consumer alert that some brokerage firms had released investor funds despite failed attempts to verify the instructions by phone. That kind of lax security means investors needs to take responsibility for stopping identity theft when the trade online.
FINRA recommends that investors watch for warning signs that their email account has been hacked. They include spam from people in your contacts folder and a barrage of bounced email messages from people you don’t know.
How One Hacker Traded His Way To Huge Profits with Other People’s Money
FINRA’s warning came one day after the Securities and Exchange charged a 34-year-old trader in Latvia with hacking into online stock trading accounts 159 times. The hacker-trade allegedly manipulated stock prices on securities by making unauthorized purchases and sales of stocks listed on the New York Stock Exchange and the NASDAQ exchange, walking away with nearly $875,000. According to the SEC complaint, Igorz Nagaicev’s online trading scheme may have cost investors more than $2 million.
How did Nagaicev do it? The SEC says that, between 2009 and 2010, he set up trading accounts with eight unregistered brokerage firms – four in the U.S. and four abroad – which allowed him to buy stocks anonymously in the U.S. securities market. Then Nagaicev moved on to investor’s accounts that he’d hijacked, buying shares of the stock he already owned without the investors knowing it. That artificially inflated the price of the stock which allowed him to sell it at a profit. The transactions were always executed the same day, usually within minutes of each other. And they were responsible for over 50% of the stock’s trading volume.
The SEC also charged the four unregistered brokerage firms in the U.S. with failing to implement safeguards that would have caught the hacker’s illegal stock trading scheme sooner.
“Individuals with brokerage accounts need to be vigilant about recognizing the telltale signs of online identity theft,” according to Lisa Phifer, President of Core Competence, which focuses on network technology and security. Phifer says unsolicited password change notices or email messages confirming trades that didn’t take place are both tip-offs that your account may have been hijacked.
According to Phifer, although the SEC complaint against Nagaicev does not allege how he hacked into victimized brokerage accounts, the close timing of FINRA and FBI alerts suggests that email involvement may be suspected. FINRA's alert notes there have been instances in which hackers trawled saved email messages and contacts to steal identities and other account details.
“But there’s also the risk of disclosing the very same information any time email is sent unencrypted over a WLAN or public Wifi hotspot,” says Phifer. “Always safeguard financial account-related email – both when it’s stored and when it’s sent.”
Stopping Identity Theft Means Investing in Your Online Security
- Use virus, spyware and malware protection programs and update them regularly.
- Only do business with a registered brokerage firm with strong online security measures in place to protect customers
- Use long strong account passwords. That means a combination of at least eight upper and lower case letters, numbers and symbols that are difficult for hackers to decipher.
- Watch out for phishing emails or emails that look like they’re legitimate but direct you to other websites. If you’re not sure they’re from your online brokerage company, don’t click on any links.
- Never respond to any email asking for information about your online account
- Don’t leave your computer unattended when you’re logged into your account. Always log off and close your browser when you’re finished.
- Check your online trading account often to make sure there are no unauthorized transactions.
- Disable file sharing on your computer and secure your personal financial information on backup drives.
- Don’t conduct online stock trading or any other financial transactions at Wifi hotspots.
- Protect your investments by using VPN software like PRIVATE WiFi™. VPNs safeguard your online security by encrypting the data traveling to and from your computer. That makes it invisible to hackers.
- If you suspect your email account has been hacked, immediately notify your brokerage firm and other financial institutions. Change the user name, password and PIN for your brokerage and email accounts. If you believe you’re a victim of online identity fraud in your brokerage account, notify FINRA at: http://www.finra.org/Investors/ProtectYourself/p118628
Has your online brokerage account been hacked using your email account; or has it been hacked another way? If it has, we’d like to hear what happened to you. Drop us a line and share your story.