It’s not just corporations that are facing an epidemic of cyber attacks — American retail investors are also struggling to contend with a surge in hackers taking over their investment accounts, regulators warn.
The Financial Industry Regulatory Authority, the brokerage industry’s self-regulatory body, said in a recent notice that it has “received an increasing number of reports regarding customer account takeover incidents, which involve bad actors using compromised customer information, such as login credentials, to gain unauthorized entry to customers’ online brokerage accounts.”
Ari Jacoby, chief executive and co-founder of cybersecurity firm Deduce, backed up this statement with data showing that account-takeover fraud increased by roughly 250% from 2019 to 2020. He told Security.org that account-takeover prevention is a $15 billion market that is “growing significantly year-over-year.”
FINRA points to two factors driving the increase in account-takeover attempts. The first is rapid growth in the use of online and app-based brokers, which lets hackers break into brokerage accounts using username and password data bought from darknet marketplaces. Discovering an investor’s brokerage login credentials is relatively easy for bad actors because many people reuse the same username and password combination across multiple accounts, so a password leaked from one service unlocks others. The second factor is the COVID-19 pandemic.
“Customer account-takeovers have been a recurring issue, but reports to FINRA about such attacks have increased as more firms offer online accounts, and as more investors conduct transactions in these accounts,” FINRA said in its regulatory note. This trend was “in part due to the proliferation of mobile devices and applications, and the reduced accessibility of firm’s physical locations due to the COVID-19 pandemic.”
The Securities and Exchange Commission has also been watching this phenomenon closely and holding brokerage firms accountable for not closely monitoring fraudulent activity. Last month, the regulator settled charges with GWFS Equities, a subsidiary of Great-West Lifeco Inc., for failing to file suspicious activity reports (SARs) related to increasing attempts by bad actors to take over customer accounts.
“Across the financial services industry, we have seen a large increase in attempts by outside bad actors to gain unauthorized access to client accounts,” said Kurt L. Gottschall, Director of the SEC’s Denver Regional Office in a statement. “By failing to file SARs and by omitting information it knew about the suspicious activity it did report, GWFS deprived law enforcement of critical information relating to the threat that outside bad actors pose to retirees’ accounts, particularly when the unauthorized account access has been cyber-enabled.”
The SEC also said GWFS was eager to cooperate with the regulator on fixing its reporting standards and that the firm was often able to stop takeover attempts on its own.
Timothy Newman and Kit Addleman of the law firm Haynes and Boone warned brokers in a blog post that the SEC’s order “is a reminder that cybercrime is ever-increasing and ever changing,” and that it “makes it clear that even when [brokers] successfully thwart account takeovers, for example, they must still ensure they comply with reporting obligations.”
But most individual investors don’t have to wait for the SEC or FINRA to come to their rescue, because this sort of criminal activity is largely enabled by a lack of vigilance on the part of victims, according to Jacoby. Simple steps such as asking their broker to send suspicious-login alerts and turning on two-factor authentication close off much of the risk.
“Using the same username and password leads to [account takeover] fraud,” he said. “Using different usernames and passwords, or better yet, a password manager can help.”
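The two signals the article circles around, password reuse replayed across many accounts (credential stuffing) and a successful sign-in from a device the customer has never used (the case a suspicious-login alert and a second-factor challenge exist to catch), can both be read straight out of a broker's authentication log. The following is an added illustration written for this page; it is not code from FINRA, the SEC, Deduce or any firm mentioned above. The event format, the `KNOWN_DEVICES` baseline, the sample events and the thresholds (a 300-second window, five distinct usernames) are all constructed assumptions.

```python
"""Defender-side triage of brokerage login events (illustrative, constructed data).

Two detections:
  1. credential stuffing: one source IP cycling through many *different*
     usernames in a short window, which is what replaying a leaked
     credential list looks like when people reuse passwords;
  2. unfamiliar-device success: a successful login from a device the
     account has never verified, which is the moment to send the customer
     a 'new sign-in' alert and require a second factor before trading.
"""
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class LoginEvent:
    ts: int          # unix seconds (constructed values below)
    user: str
    src_ip: str
    device_id: str   # assumed: a broker-issued device/browser fingerprint
    success: bool


# Devices each customer has previously verified: a constructed baseline.
KNOWN_DEVICES = {
    "alice": {"dev-a1"},
    "bob": {"dev-b1"},
    "carol": {"dev-c1"},
}

# Constructed sample log: a burst from 203.0.113.9 trying six accounts in
# 15 seconds (one of which, carol, succeeds from an unknown device), plus
# ordinary traffic from known devices including a single mistyped password.
SAMPLE_EVENTS = [
    LoginEvent(1000, "alice", "10.0.0.5", "dev-a1", True),
    LoginEvent(1010, "alice", "203.0.113.9", "dev-x", False),
    LoginEvent(1012, "bob", "203.0.113.9", "dev-x", False),
    LoginEvent(1015, "carol", "203.0.113.9", "dev-x", True),
    LoginEvent(1017, "dave", "203.0.113.9", "dev-x", False),
    LoginEvent(1020, "erin", "203.0.113.9", "dev-x", False),
    LoginEvent(1025, "frank", "203.0.113.9", "dev-x", False),
    LoginEvent(2000, "bob", "10.0.0.7", "dev-b1", True),
    LoginEvent(2100, "bob", "10.0.0.7", "dev-b1", False),
    LoginEvent(2105, "bob", "10.0.0.7", "dev-b1", True),
]


def unfamiliar_device_logins(events, known_devices):
    """Successful logins from a device the account has not used before.

    Accounts with no baseline at all are treated as having no known devices,
    so their first success is also flagged rather than silently trusted.
    """
    return [
        e for e in events
        if e.success and e.device_id not in known_devices.get(e.user, set())
    ]


def credential_stuffing_sources(events, window=300, min_distinct_users=5):
    """Source IPs that attempted at least `min_distinct_users` distinct
    accounts within any `window`-second span.

    The signal is fan-out across usernames per source, not raw failure
    count: a legitimate customer mistyping a password fails repeatedly on
    ONE account, while a stuffing run touches many accounts and may even
    succeed on some, so successes are counted too.
    """
    per_ip = defaultdict(list)
    for e in sorted(events, key=lambda ev: ev.ts):
        per_ip[e.src_ip].append(e)

    flagged = set()
    for ip, evs in per_ip.items():
        recent = deque()                       # sliding window of events
        for e in evs:
            recent.append(e)
            while recent[0].ts < e.ts - window:
                recent.popleft()
            if len({r.user for r in recent}) >= min_distinct_users:
                flagged.add(ip)
                break
    return flagged


def triage(events, known_devices):
    """Map each account with an unfamiliar-device success to a reason code.

    A new-device login coming from an IP that is also stuffing credentials
    is the highest-priority case: the customer's reused password has most
    likely been taken over, so the session should be stepped up or revoked.
    """
    stuffing_ips = credential_stuffing_sources(events)
    decisions = {}
    for e in unfamiliar_device_logins(events, known_devices):
        reason = "new_device"
        if e.src_ip in stuffing_ips:
            reason = "new_device_from_stuffing_source"
        decisions[e.user] = reason
    return decisions


if __name__ == "__main__":
    print("stuffing sources:", credential_stuffing_sources(SAMPLE_EVENTS))
    print("triage:", triage(SAMPLE_EVENTS, KNOWN_DEVICES))
```

On the constructed sample, `10.0.0.7` is not flagged even though it has a failed attempt, because every attempt from it targets the same account, while `203.0.113.9` is flagged on the basis of distinct usernames alone, and carol's login is the one that should trigger a customer alert and a second-factor challenge. The thresholds are placeholders; a real deployment would tune the window and username count against its own traffic and layer them with the broker's existing fraud controls.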