The Investment Account Intrusion

The following story is based on actual events. Names, locations and timelines may have changed to protect the victim’s identity.

Isaac had always been careful about his online security and wary of suspicious emails or links. But even the most cautious person can fall victim to a well-crafted scam.

One morning in October, Issac checked his email over a cup of coffee. Among the usual newsletters and work-related messages, one stood out - a notification from his investment dealer. The subject line read: "Important Security Alert: Account Suspended. Immediate Action Required."

The email warned him that suspicious activity had been detected in his self-directed account, and for security reasons, it had been suspended. The message included a link: "Click here to reset your password and regain access to your account."

His heart skipped a beat. He had never received an alert like this before.

In a panic, Isaac quickly clicked the link. After choosing a new password, he clicked the ‘Reset’ button. However, he did not receive confirmation that his password had been reset and only got an error message. As Isaac had to get to work and didn’t want to be late, he decided to try again later.

A few days later, Isacc remembered he needed to reset his password and opened the original email. As he was about to click on the ‘Reset’ button again, Isaac noticed something strange. He took a closer look at the email address of the sender and compared it to previous emails he had received from his investment dealer. To his dismay, Isaac realized that they were not the same and the email he’d received was from someone pretending to be his investment dealer.

Isaac called his investment dealer right away. They confirmed they had not suspended his account or sent him any email asking him to reset his password. They also informed him that two days earlier, a sell order had been placed from his account for two of his stocks. These had settled for $20,000 and a transfer had then been initiated to a bank account that did not belong to Isaac. The investment dealer immediately helped Isaac to reset his online password and placed a fraud alert on his account. They also strongly recommended he reset his email account password.

The investment dealer said they would try to help Isaac by contacting the other bank to see if the transfer could be reversed. A couple of days later, the investment dealer regretfully informed Isaac that the funds had already been withdrawn from the fraudulent bank account and the transfer could not be reversed. Isaac’s money was gone.

How to Protect Yourself

In the investment industry, this kind of scam is called an account intrusion - involving fraudsters and scammers gaining access to investment accounts. With the rise in online and do-it-yourself investing, CIRO has seen a recent uptick in this kind of scam. From our internal surveillance and voluntary reporting of cybersecurity issues at our dealer members, account intrusions seem to happen similar to Isaac’s story. Ensuring you have multi-factor authentication, malware and antivirus protection on your device and a secure (non-public) wifi connection are a great way to start practicing safety. Stop and think before you click!

Visit our Cybersecurity Checklist for Investors for tips and tricks about protecting your accounts.

The Investigation

Investment dealers often conduct thorough investigations following breaches and account intrusions like Isaac’s in order to help protect other investors from future attacks. The dealer explained to Isaac that an anonymous third-party had gained access to his self-directed account through his email account, likely after he clicked on a malicious link. The unauthorized access was traced to an IP address abroad.