The SEC’s Office of Investor Education and Advocacy is issuing this Investor Bulletin to help individual investors protect their online investment accounts from fraud. Investors should always take steps to safeguard their personal financial information (e.g., social security number, financial account numbers, phone number, e-mail address, or usernames and passwords for online financial accounts). These online security tips can help ensure that your online investment accounts remain secure.
Consider using a “strong” passphrase, instead of a password, if available. Passphrases are passwords that consist of a series of words strung together that create a phrase. Some investment accounts allow the use of passphrases, which generally require a longer character count than a password. A strong passphrase should consist of random words, using characters that include symbols, numbers, and both capital and lower case letters. A strong passphrase should not use common phrases from literature, music, or other media. A strong passphrase also should not use personal information such as your name or birthday, or only words found in a dictionary. As with passwords, make sure you secure your passphrase, never share it via electronic messaging or over the phone, and change it regularly.
If you can’t use a passphrase, pick a “strong” password, keep it secure, and change it regularly. Select a strong password for your investment account. A strong password is one that is not easy to guess and generally uses twelve or more characters that include symbols, numbers, and both capital and lowercase letters. A strong password should not use words found in a dictionary, or personal information such as a name or birthday. Make sure you secure your password and never share it via electronic messaging (such as e-mail or text messages) or over the phone. You should change your password regularly.
Use two-step verification or “multifactor” authentication, if available. Your investment firm may offer (or require) a two-step verification process for access to your account. Two-step verification is a practical way to add further security to your account by requiring a second factor to your username and password/passphrase sequence. With a two-step verification process, each time you attempt to log into your account from an unrecognized computer, your investment firm sends a unique code to either your e-mail or mobile device. Before you can gain access to your account, you must enter this code and your password.
Turn “on” account alerts. One of the easiest ways to protect your online investment account and monitor it for fraud is to turn “on” account alerts. Depending on how your online account works, these alerts will send you an e-mail and/or text message when certain activities occur in your account. Some examples of these alerts include:
- Account logins
- Failed account login attempts
- Password changes
- Personal information changes (address, e-mail or phone number)
- Securities transactions (placing orders to buy or sell investments)
- Transfers of money or securities in or out of the account
- Adding or deleting an external financial account where you can transfer money or securities to or from (e.g., bank account, investment account)
The availability and types of account alerts vary depending on your investment firm. Contact your investment firm to find out which online account alerts are available and how you can turn them “on” for your account.
Add biometric safeguards, if available. Your brokerage firm or investment adviser may offer biometric safeguards for your online investment accounts, especially for access through mobile devices. Biometric safeguards for an investment account may include fingerprint, facial or voice recognition, or iris scanning. These safeguards may be used with or instead of a password/passphrase to access your investment accounts. Contact your investment firm to determine if they offer these safeguards for your accounts.
Use different passwords for different accounts. Avoid using the same password for different online services, particularly for financial accounts. Using a single password for different online financial accounts is the equivalent of using a single key for your car, house, and mailbox – if the key is lost or stolen, you potentially give away access to everything. While using multiple passwords increases the difficulty of managing passwords, it significantly improves security.
Avoid using public computers to access your investment accounts. Avoid accessing your investment accounts on a public computer, such as in a hotel business center or a library. If you must use a public computer to access your account, remember:
- Avoid using public computers that require you to enter personal information in order to gain access.
- Never walk away from a public computer while using it to look at investment or other financial account information. Leaving data up on a screen and walking away can enable potential onlookers to obtain your sensitive information.
- Disable password saving, and delete history files, caches, cookies, and temporary Internet files.
- When finished, log out of the account completely by clicking the “log out” button on the investment account website to terminate the online session. Closing or minimizing a browser application or window does not necessarily log you out of the account.
- Always change any passwords you have used on a public computer.
Use caution with wireless (or “Wi-Fi”) connections. If you use a wireless connection to the Internet (including a wireless home network) to access your online investment accounts, make sure your computer or mobile device is secure and has current software updates, anti-virus software, and a firewall enabled. You can learn more about security issues relating to wireless networks on the website of the Wi-Fi Alliance at http://www.wi-fi.org/discover-wi-fi/security.
If you access your account on a public wireless connection, such as at a coffee shop or airport, you should use extra caution. It is very easy to “eavesdrop” on Internet traffic, including passwords and other sensitive data, on a public wireless network. If you use a public wireless network, remember:
- Do not type your password unless the website you are accessing uses a secure connection. The easiest way to determine whether a website is secure is to look in the address bar. If the page’s web address begins with “https” instead of “http,” then it is a secure connection.
- Turn off file sharing. With some operating systems, by default all of your local files are wide open to any other device connected to the same network. Make sure this feature is turned off when accessing information over a public wireless network. You can usually find instructions for turning file sharing on and off in your operating systems’ help menu.
- Make sure the settings on your computers and mobile devices will not automatically connect to any available Wi-Fi connection. This will protect you from security risks in public spaces.
Update your devices and check your privacy settings.
- Make sure the software and software application (apps) on all your mobile devices and computers remain up-to-date with the latest software fixes and security patches.
- Most software and apps have privacy settings for users which let you determine how much and what types of information are shared and stored. Always choose the least amount of data-sharing possible. For any software and apps (including internet browsers), make sure they do not automatically save your account username and password.
Be extra careful before clicking on links sent to you. You should always verify that e-mails or text messages containing links regarding your investment accounts come from legitimate sources. Clicking on a malicious link could:
- Link to a website designed to trick you into providing sensitive account information that can be used to steal your money or identity.
- Cause malicious software (e.g., computer viruses, worms, Trojan horses, or spyware) to automatically infect your computer or mobile device and allow fraudsters to obtain sensitive account information.
To guard against dangerous links, remember the following:
- Do not click on a link that was sent to you by a business or entity you do not know. Perform an online search for the business or go directly to the business’s website to determine if the link is legitimate.
- Do not click on a link that was sent to you by a business you use or know. Investors should confirm the legitimacy of the link by either going directly to the business’s website or calling the business with a confirmed telephone number.
Many mobile devices, such as smartphones, tablets or laptops, have apps that allow users automatic access to their investment accounts. Unauthorized access to these mobile devices could compromise these accounts. If you have a mobile device that is linked to your investment accounts, consider the following tips:
- Secure your mobile devices. Turn on your mobile device’s password protection and automatic locking features. These features will automatically lock your mobile device after the device has been inactive for a specified period of time. Once locked, a user must enter a password before accessing the mobile device. Some mobile devices also feature biometric safeguards for accessing a locked device, such as fingerprint and facial recognition.
- Turn off automatic Wi-Fi settings. Make sure your mobile device’s Wi-Fi settings will not automatically connect your mobile device to any available Wi-Fi connection. This will help protect you from security risks in public spaces.
- Enable remote location and device wiping apps. These apps allow you to locate a lost mobile device, or remotely wipe all data from a lost or stolen mobile device.
- Install anti-virus or anti-malware protection. Just like your desktop computer, do not forget to protect your mobile devices from the growing number of virus and malware threats targeted at mobile devices.
EXERCISE CAUTION BEFORE STORING ANY PERSONAL FINANCIAL INFORMATION IN THE CLOUD. You should consider keeping documents containing your sensitive personal financial information (e.g., account numbers, passwords, and PINS) stored offline. If you decide to store any personal financial information in the cloud, carefully consider the following tips:
- Research the provider. Check the reputation and background of any cloud service provider before uploading any of your personal financial information to a cloud account. You can find background information on cloud service providers through general online searches, press articles, online review websites, and social media.
- Look for two-step verification. Many cloud service providers offer a two-step verification process to access the information stored in your cloud account. This provides an extra layer of security to the information stored in your cloud account.
- Protect your documents with encryption and/or passwords. Verify that the cloud service provider encrypts all of the information you store in your cloud account. Encrypting information in the cloud helps to safeguard your information if it is stolen from your cloud account. As an extra safeguard, consider either encrypting or adding password protection to sensitive documents before uploading them to a cloud service. Check the software and apps used to create various documents to see if they provide you with tools to encrypt or add password protection to documents. If not, you may also find third-party software and apps that provide these tools.
- Carefully review the provider’s security policies. Read and understand the cloud service provider’s security policies for any information you store in your cloud account.
Regularly check your account statements and trade confirmations. Always remember to check your investment account statements and trade confirmations for any suspicious activity. For example:
- Check for any discrepancies, such as misspelled names or inaccurate account information (e.g., address, phone number, e-mail address, or account number).
- Confirm that you authorized all of the transactions that appear in your account statements and trade confirmations.
- If you see any mistakes or unauthorized transactions, contact your investment firm in writing immediately. Your written complaint may be the only way to prove that you complained to the firm about the mistakes or unauthorized transactions. Also, remember to keep written records of any communications you have with your investment firm regarding these mistakes or unauthorized transactions.
Investor Alert: “Identity Theft, Data Breaches and Your Investment Accounts”
Investor Bulletin: “Protect Your Social Media Accounts”
FINRA Investor Alert: “Keeping Your Account Secure: Tips for Protecting Your Financial Information”
FINRA Investor Alert: “Cybersecurity and Your Brokerage Firm”
FTC OnGuardOnline.gov webpage: “Tips for Using Public Wi-Fi Networks”
Visit Investor.gov, the SEC’s website for individual investors.
Receive Investor Alerts and Bulletins from the Office of Investor Education and Advocacy (“OIEA”) by email or RSS feed. Follow OIEA on Twitter @SEC_Investor_Ed. Like OIEA on Facebook at facebook.com/secinvestoreducation.