By Sarah Morgan
The theft of customer data at Morgan Stanley (MS) earlier this month is just one more in a long list of reasons for investors to make sure they know and trust the people managing their money. By now, most of us are pretty clear on what to do to prevent or deal with unauthorized charges on a credit card. But, if you've been saving and investing for years, your brokerage account probably represents a lot more of your worth than a credit card thief could charge at a store.
So how do you keep your investment accounts secure? What protections and recourse do you have if your accounts are compromised? Here are six things to keep in mind:
1. Beware What You're Buying
The first danger to your investment account is, well, you -- and your ability to know a scam when you see one. According to a study prepared for the Financial Industry Regulatory Authority Investor Education Foundation, 84 percent of Americans have been solicited with a potentially fraudulent investment offer. While people tend to be understandably reluctant to admit that they've fallen for a scam, 16 percent of Americans have invested in a pitch that follows a common pattern for frauds, and 11 percent own up to having lost money in one of these "investments." So it's a good idea to learn some of the red flags, and familiarize yourself with some of the most common types of investment fraud, such as pre-IPO investment scams and high-yield investment programs.
2. Know Your Protections
All brokerage firms in the U.S. (with a few exceptions, such as people who only sell variable annuities) are required to be members of the Securities Investor Protection Corp. SIPC provides insurance to protect your account -- up to $500,000, including up to $250,000 in cash -- in the event that the brokerage fails. But that's it: they only cover losses in the event that a firm fails and your assets go missing. If you lost money because you bought into a scam, you're out of luck -- as investors in Bernie Madoff's infamous Ponzi scheme learned to their chagrin (victims got back the amounts they put into the scam through the Madoff Victim Fund, but there was no reimbursement for the fake profits they thought they were earning). SIPC insurance also does not protect against simple theft or hacks.
3. Stay Cyber-Secure
FINRA recommends using your own computer to access your financial accounts -- not a shared computer and never a public one. Always log out completely when you're done. If anyone else has access to your computer, don't let your browser remember your passwords. And be very careful connecting to your account over a wireless network. "Public Wi-Fi is just that -- it's public," says Michael Kaiser, executive director of the National Cyber Security Alliance. Hackers could potentially lurk on the network and capture information that way--or set up a spoof network that looks like, say, your hotel's Wi-Fi, but is actually set up to capture your data. Using a VPN "provides a lot more security," Kaiser says, and a mobile data connection is more secure than a Wi-Fi connection.
Two-factor authentication is one way to add another layer of security--there are many ways to do this, but the basic idea is to create a second step to the log-on process beyond entering a password, like entering a code that's texted to your phone, or using your fingerprint to unlock your phone, for example. This type of setup is becoming more and more common, but it's not yet available everywhere, says Susan Grant, the director of consumer protection at the Consumer Federation of America. If your investment accounts don't already offer this, asking your brokerage if it can set it up, Grant says.
4. Understand the Risks
Hacks do happen. In fact, FINRA has even warned brokerage firms that some hackers have been able to wire money out of investors' accounts just by getting access to their email accounts, and then emailing the firm instructions to wire money to an offshore account. Some firms targeted by that scam did try, and fail, to confirm the instructions by phone--and then wired the money. In general, however, if you use the best security available to you, by creating a unique, strong password (for both your email and financial accounts) and using two-factor authentication, you'll make your account difficult enough to access that crooks may simply move on to an easier target. "Everything can be hacked," Kaiser says, but for the most part, "crime is opportunistic."
5. Make a Post-Hack Game Plan
If you do notice unauthorized activity on your account, your first step should be to contact the financial institution, says Charles Rotblut, vice president of the American Association of Individual Investors. Most brokerage firms' policies say that they will reimburse investors for any losses due to unauthorized activity. Make sure you're documenting what happened and what you're doing to respond. You should also report the incident to the major credit reporting bureaus and ask them to place a fraud alert on your file. You'll have to close your accounts and open new ones, and change your online passwords. You'll also want to contact the police. "Having a police report on file can help" as you move through the process of filing all these necessary claims, Rotblut says. You can also file reports with the Federal Trade Commission to help it detect identity theft trends and with FINRA to help it spot new types of scams.
6. Know Who You're Dealing With
Unfortunately, the bottom line is that in a situation like what happened recently at Morgan Stanley, where an employee goes rogue, "there's absolutely nothing that the investor can do to protect him or herself," Grant says. "To a certain extent you have to trust, and you're being asked to trust, the entity for safely storing and disposing of your information," she says. Be aware of that when you're choosing a firm to work with. Check individuals and firms out using FINRA's BrokerCheck reports, which include information about past customer complaints or disciplinary actions. And, of course, keep tabs on your account (safely, from your own secure computer) and inform your financial institution right away if you spot a problem.
Sarah Morgan is a contributing writer at SigFig. Nearly a million people use SigFig to track, improve and manage over $300 billion in investments.
By Sarah Morgan