The use of social media platforms such as Facebook, YouTube, Twitter, and Reddit by investors is now commonplace. The Securities and Exchange Commission has warned that the use of such media platforms and apps comes with a larger risk of fraudulent conduct.

Recently, investors’ account numbers and passwords have been reported up for sale on the dark web. CNBC has reported that “for just a few dollars, criminals are selling credentials for customers of E*Trade, Charles Schwab, TD Ameritrade, Robinhood Financial, and others.” This demand has only increased during the pandemic. Perhaps one reason that users of Robinhood and other trading platforms are victims of account hacking is their use of social media to tout their investment success. When investors publicly announce their investment success on a platform such as Reddit or Twitter, they draw the attention of hackers, and the posts may act like “online bait.”

Hackers use this information to get access to an individual’s brokerage accounts, sell the securities, and transfer out the proceeds to their own fictitious accounts. Users of the Robinhood platform reportedly complained that hackers liquidated their investments and withdrew balances to payment apps. Customers complained that they had no way to contact a customer service representative via phone when they saw their accounts being depleted.

Robinhood Accounts are Vulnerable to Hacking

In October 2020, Bloomberg reported that access to more than 10,000 email login credentials allegedly tied to Robinhood customer accounts was available for sale on the dark web. It has also been reported that the number of Robinhood-related emails for sale on the dark web outnumbers those for other brokerage firms by about 5-to-1, due in part to a belief that these accounts are easier to access. An internal probe by Robinhood found that 2,000 of its customers’ accounts had been hacked. While Robinhood has acknowledged instances of hackers accessing its customers’ accounts, it noted that these hacks did not stem from a breach of its systems.

To increase customer confidence in the security of their online platforms, some firms like Fidelity and E*Trade have offered fraud protection for the unauthorized use of customers’ brokerage accounts. Firms such as Robinhood have also beefed up their authentication systems, sometimes asking for two-factor authentication to ensure the customer is the one accessing their account.

Beware of Phishing Scams Designed to Get Access to Your Private Information

In most cases, the hack happens outside of the brokerage firm and directly targets the individual investor. Potential hackers can find a wide variety of information for accessing someone’s brokerage account on the dark web, using specific malware or software to access it. Another common way is by “phishing.” According to a FINRA Investor Alert, phishing scams typically involve emails that falsely claim to be from brokerage firms, banks, credit card companies, Internet auction sites, electronic payment services, or some other service that you use. In other instances, the emails purport to be from government agencies. To appear genuine, these emails may use:
a) The names of real people.
b) Legitimate-looking email addresses, such as support@[name of your financial institution].com.
c) Authentic-looking logos and graphics.
d) Links to pages of a bona fide website.
e) Official-looking fine print and references to laws.

Most of these emails attempt to lure you into providing sensitive personal information by requesting that you provide it in a reply email or by clicking on a link to a website that mimics a legitimate website and asks you to provide the information. Various “urgent” messages are also used to lower your guard, such as:
a) Your account will be shut down unless you update your information.
b) You need to verify your identity because your account appears to be in use by a third party in violation of the law.
c) Security measures to protect your account from identity theft require you to verify your account information.
d) Due to a technical update you need to reactivate your account.
e) Recent changes in the law require users to identify themselves.

You should not click on an unfamiliar email, because it could be a phishing message in which the click enables a hacker to take over your computer and log in from there. In some cases, the phishers sell access to entire computers that have been compromised.

FINRA has issued an Alert with Seven Tips to Protect your Identity:

1. Beware of emails requesting personal information. Don’t reply to or click on a link in an unsolicited email that asks for your credit card, bank or brokerage account information, passwords or PINs, Social Security number or other types of confidential information, even if it looks like the email comes from a financial institution with which you do business. When in doubt, log onto the main website of your credit card, bank or brokerage firm at the normal Web address you use, or call your firm using a telephone number that you know or one from a previous account statement to inquire about whether the request for information is legitimate. Alternatively, you can obtain the main office address and primary telephone number for any brokerage firm through FINRA BrokerCheck. You also can visit the Anti-Phishing Working Group’s website to find out about some of the latest phishing attacks.

2. Leave suspicious websites. If you think a website is not legitimate, leave it immediately. Legitimate firms typically offer customers a number of ways to contact them.

3. Keep your personal and financial information secure online. Here are a few simple steps that you can take to make your information more secure when you go online:
a) Keep your computer system up to date with the latest security patches.
b) Use anti-virus and spyware detection software and be sure to update this software regularly, as new viruses and Trojan Horse programs appear frequently.
c) Use personal firewall software. Firewall software should thwart intruders from getting access to your PC over a network.
d) Consider installing a Web browser toolbar to help protect you from known fraudulent websites. These toolbars alert you to known phishing websites.
e) Never download software or files from an unknown source.
f) Change your passwords on a regular basis. Never send your password to anyone in an email. Try not to write down your password, but if you must, put it in a safe place.
g) Avoid emailing personal or financial information.
h) Read your firm’s policies on online security. Review other tips and security instructions that may be offered to better protect your access.
i) Before submitting personal or financial information through a website, look for the locked padlock image on your browser’s status bar or look for “HTTPS://” [note the “s”] at the beginning of the Internet address. While a padlock image or “HTTPS://” does not mean that the website is authentic or secure—indeed both can be forged—the absence of either the padlock or the https:// does mean that the site is not secure.
j) Log off of any secure legitimate website after completing a transaction.
k) Be careful when using Internet kiosks or other people’s computers. Since you don’t know what security precautions have been taken, you may be putting your confidential information at risk.

4. Know who you are doing business with. Before you open an account with a brokerage firm, use FINRA BrokerCheck to make sure the brokerage firm and broker are properly registered and to verify the phone and address information you receive from the firm or broker. Investments are a major financial undertaking and should be afforded the same degree of investigation and caution as any other major purchase you might make.

5. It is a good idea to check your credit report every year. To guard against identity theft, look for accounts you did not open and any unexplained transactions. You can obtain free copies of your credit report annually from each of the three major credit bureaus online at or by calling (877) 322-8228. You may also contact the credit bureaus directly as follows:

(800) 685-1111

(888) 397-3742

Trans Union
(800) 888-4213

6. Review your account statements. This is your last line of defense. If you are victimized, the sooner you catch it, the better. Regularly review your online account information for unauthorized trades, cash withdrawals, or any other unrecognized activity; do the same as soon as you receive each monthly or quarterly statement. If you have moved, make sure to update your postal address with all of the firms where you have accounts. If you receive your statements by email and change your Internet service provider or otherwise change your preferred email address, make sure to update your email address with all of the firms where you have accounts. Immediately report any suspicious activity to your firm.

7. Act quickly if you believe you’ve been scammed. If you believe that you’re a victim of one of these scams, you need to act quickly. For example, you may only have 60 days to report a loss or theft of funds through an electronic funds transfer to limit your liability.



If you or a loved one have suffered investment losses as a result of your online account or app being hacked, or any other type of investment fraud or broker negligence, contact the offices of Investment Fraud lawyer Melanie Cherdack for a free consultation. Because she has been in the trenches as a former Wall Street attorney, Melanie Cherdack and her team of experienced attorneys have seen just about every type of investment fraud or investment scam. While almost every investment carries a degree of uncertainty and risk, you may have been unnecessarily exposed to such risk. Former Wall Street securities attorney Melanie S. Cherdack and her team of lawyers represent individual and institutional investors who are unwitting victims of investment fraud and broker negligence. She heads up a group of attorneys who represent investors across the United States. Contact us by filling out our online contact form, or calling 844-635-1609 or 305-349-2336.