What to Do If Your Online Brokerage Account Is Hacked

When you hold your money in a bank account or process transactions using a credit card, there are legal protections in place to offer zero-liability protection. This means that if you experience unauthorized transactions due to fraud, as the account owner, your money isn’t on the line. You’ll be reimbursed for the damages, and your account will be reinstated as if nothing happened.

Unfortunately, for investors, there is no such policy. The Securities Investor Protection Corp. is the closest equivalent to the FDIC, which insures U.S. bank accounts. However, the Securities Investor Protection Corp. doesn’t have any protections in place to cover money and securities lost due to hacking. 

Given that most brokerage accounts are protected by a simple username and password, hacking and cyber-attacks are on the rise. This leaves many investors wondering what would happen to their accounts if they got hacked—and what to do about it.

We’ll answer those questions below. Let’s dive in! 

Your first step if you suspect you’ve been hacked is to check your specific brokerage’s policy around fraudulent activity. Most of the common brokerages do cover 100% of losses that arise due to unauthorized activity, but they differ in what they consider to be “unauthorized activity.” Start by learning what your brokerage requires for the situation to be considered a true hack. 

Here are a few common policies:

Charles Schwab

The policy[1]: “Schwab will cover 100% of any losses in any of your Schwab accounts due to unauthorized activity. To ensure your protection under this guarantee, it is your responsibility to safeguard your account information and report any unauthorized transactions to us as quickly as possible.”

What it means for you: Your losses will be reinstated provided that you report the unauthorized activity in a timely manner—although it’s unclear what Schwab considers to be “timely.” If you’ve granted access to your account, losses that occur will not be covered, which likely means that common phishing attempts that trick you into providing your credentials will not be reimbursed.

Vanguard

The policy[2]: “We’ll reimburse you the full amount that we determine was taken from your Vanguard account in an unauthorized online transaction on vanguard.com. If there’s evidence you neglected to reasonably safeguard your account, further investigation may be necessary to determine whether we can issue a reimbursement.”

What it means for you: Your losses will be reimbursed as long as you took reasonable action to safeguard your account. It’s unclear what Vanguard considers to be “reasonable action,” but this likely means that you’re not covered in situations where you grant access to your account through legitimate or illegitimate means (like phishing).

Fidelity

The policy[3]: “Fidelity will reimburse you for losses from unauthorized activity in covered accounts occurring through no fault of your own. You must frequently check your account information and promptly review correspondence, account statements, and confirmations as they are made available to you, but no later than 30 days after that information is posted to your account or delivered to you.”

What it means for you: Your losses will be reinstated provided that you report the unauthorized activity within 30 days of it posting to your account. Fidelity also doesn’t cover situations in which you have provided your account information to another person, which likely means that common phishing attempts that trick you into providing your credentials will not be reimbursed. 

E*TRADE

The policy:[4] “We offer the E*TRADE Complete Protection Guarantee, which protects your privacy, your assets, and every transaction you make. Complete fraud protection: $0 liability for unauthorized use of your account.”

What it means for you: E*TRADE’s language is slightly vaguer but suggests a similar outcome as the other top brokerage firms. Again, it’s unclear exactly what the company considers to be unauthorized use, and it likely doesn’t cover scenarios in which you have provided your account information.

You’ll notice that there are clear themes throughout these policies. In order to protect your assets, you should take care to do three things diligently. 

• First, you should take every precaution to protect your own account. Set up a strong password or passphrase that you don’t repeat on any other platforms or accounts. If your brokerage offers two-step verification, enable that feature for an added layer of protection. Then, turn on account alerts for activities like account logins or password changes. While you might get a few more texts and emails due to your own legitimate activity, these barriers are significant in the event that you do get hacked. 
• Second, review your account activity on a regular basis—at least every 30 days. Look at your account balances, executed and pending trades, and account deposits or withdrawals. If anything looks suspicious, report it right away—even if you don’t have a complete understanding of the situation yet. The brokerage team will work with you to get to figure out what happened, and you’re more likely to be reimbursed if you submit your claim right away. 
• Lastly, use common sense to avoid risky situations for your accounts. Try not to log into your brokerage accounts on public devices or use unfamiliar Wi-Fi networks. In some cases, these networks are disguised to look like they belong to a nearby business. By logging into your account through the network, you’ve just given hackers access to your account. 

Common sense should also apply to your response to email inquiries and phishing attempts. Don’t ever provide your account login information to someone else. Brokerage firms will not ask for this information as they have other methods to verify your identity. If you’re asked for other sensitive information, you can always contact your brokerage’s customer service department directly and ask them to verify the communication. If they can’t confirm that they’ve been trying to reach you, ignore the outreach entirely. 

By following these steps, you’ll be on the right track to recover any lost assets and protect yourself from future hacks. When in doubt, take any additional precaution you can—you won’t regret it.