Several years ago in another state, our home was broken into while we were on vacation. We filed an insurance claim and within a few weeks, most everything was back to normal. For the rest of the time we lived there though, I always got a pit in my stomach coming home.
Last week, our digital house was broken into. Somehow, someone got my login info for my investment accounts and made some unauthorized trades. Having gone through both experiences, I can tell you that neither is fun. But being the victim of a digital crime sure beats being a victim in the physical world.
This would always be a big deal, but it was a bigger deal than just having our retirement accounts hacked since we also use our brokerage account as our primary checking account. Even though they don’t accept or disburse cash or have any locations near us, this works just as well as having a local bank or credit union. We rarely use cash for anything and if we need to get any, our ATM fees are reimbursed so I never care what the charge is to use a random gas station ATM.
One day I was in a series of all-day meetings and took the chance to check my phone during a quick break. I saw that I had a series of notifications, including two missed calls, a voicemail, and a notification that some stock orders had been executed in my IRA.
I normally would brush off the other alerts (I hate voicemail), but the stock trade didn’t seem right. We have some automatic investments set up, but it wasn’t the right time of the month for that to be happening. My wife has joint access to all of our accounts but doesn’t usually do any transactions outside of our checking account. And lastly, what the heck is USAK and why did my phone say that I was the proud new owner of 15,000 shares?!?
I quickly excused myself from the meeting and did some more research. The voicemail was from my brokerage firm letting me know that they had noticed some suspicious activity on my accounts. As a result, they had proactively frozen my account from any more online transactions. Their fraud team was already all over it before I even let them know that this was, in fact, fraud.
The suspicious activity involved selling off my S&P 500 ETF, and immediately using the proceeds to buy shares of a somewhat thinly traded stock. My first thought was that this was a part of a “pump and dump” scheme. So far, though, I haven’t seen any activity that looks like dumping. In fact, whoever placed the order got the shares for under $6.30 and they are up >6% since then. Even though that’s better than my ETF over the same period, I’m glad things are back to normal.
I’ve been primarily invested in ETFs for a while now, but this experience has gotten me to think about going back to traditional Index Mutual Funds. Since they only can be bought or sold once a day, it wouldn’t be possible for someone to do intra-day trading like this.
What If You Get Hacked
The first thing to do if you find yourself in this situation is to know your brokerage firm’s fraud policy. Most big firms will have a policy that essentially boils down to you not being responsible for fraud. Just don’t do something stupid like give a crazy ex-girlfriend your password since that could imply authorization.
Fidelity has a Customer Protection Guarantee, Schwab has a Security Guarantee, and Vanguard has an Online Fraud Pledge. Each of these pages gives some tips on how to avoid this from happening. I follow most of these steps, but no one is completely immune. If you’re with one of these firms, relax. Call them as soon as you can to get it resolved, but don’t freak out either.
When I called in, they made me answer some additional security questions before changing my username and password. Because there could be a virus on my computer, they wouldn’t allow online transactions until I told them all my computers had been professionally scrubbed.
I trust myself more than Geek Squad’s competence and they were okay with me doing my own virus scans. As it turns out, something nasty was discovered during a virus scan on one of our seldom-used laptops but all our machines are now squeaky clean.
Because of this fraud, I had to spend about an hour on the phone and get new account numbers. They automatically set up the new accounts like the old ones, but we had to reestablish payments for our mortgage. I also had to reconfigure the new accounts in Mint and Personal Capital. We got a new checkbook over-nighted to us and I changed my direct deposit. The only remaining inconvenience is that we still don’t have a new debit card. I primarily use a credit card (that I pay in full every month) so this is fine.
In hindsight, this could have been MUCH worse. I’ve known people that have had this happen to them in the past so I knew not to worry. I was surprised at how quickly it was resolved and how little was needed to prove that it was fraud. I hope you don’t ever have to go through this. But if you do, it isn’t as bad as you might think.