Cyberattack! How should you protect yourself? (Part 2)

Are Your Investment Accounts Safe?

With the recent data breach at Equifax, some 143 million Americans have been made vulnerable. The information stolen includes names, birthdays, Social Security numbers, and addresses. With this information out in cyberspace, could a fraudster gain access to your investment accounts or retirement accounts? The answer is…it is unlikely.

Charles Schwab

However technically advanced a system may be, and however many safeguards are in place, data breaches can happen. Equifax has extremely sophisticated security protocols and yet hackers were still able to exploit a vulnerability in their system. To put clients’ minds at ease, Schwab offers the Schwab Security Guarantee. This guarantee covers 100 percent of any losses in any Schwab account due to unauthorized activity. With the exception of 529 college savings plan accounts, the Schwab Security Guarantee covers all Schwab accounts (individual retirement accounts, non-retirement taxable accounts, Schwab Bank accounts, and Schwab retirement plan accounts).

To qualify for the guarantee, Schwab does require that you report any unauthorized transactions in a “timely manner.” If you suspect any fraudulent or unauthorized activity within your Schwab accounts, immediately contact your financial advisor or contact Schwab directly at 888-3-SCHWAB.

In addition, to qualify for the guarantee, Schwab requires that you take reasonable steps to safeguard your account access information. Account access information includes payment devices (credit cards, debit cards, and checks), account login credentials (account ID and password), and any additional information Schwab may use to authenticate your identity. If Schwab determines that you shared your access information or that the unauthorized activity was caused by your negligence, Schwab may revoke the guarantee and hold you responsible.

To learn more about Schwab’s guarantee, visit the Schwab Security Guarantee webpage.

Charles Schwab Security Measures

If you have Schwab web access, your username and password were not among the information breached. Even if you were one of the 143 million Americans who have been compromised, a fraudster would still need to know your username, password, and your security questions to log into your Schwab account. Additionally, Schwab will lock down your account if there are too many failed attempts to log in. If a fraudster were somehow able to guess your login information and get past the initial security checkpoint, the account is still being monitored. Schwab uses pattern analysis and other sophisticated analytical tools to detect any suspicious activity that may occur in your account. Certain sensitive transactions, such as money transfers, security transactions, and changes to personal information, are flagged and you, as the account owner, would be sent an alert.

Are you still protected if a fraudster calls Schwab to access your account rather than attempting to use The answer is yes. If a fraudster were to call Schwab and attempt to withdraw money from your account, he or she would first be required to answer a series of security questions to validate that he or she is the account owner. When your account was established at Schwab, you were required to set up a series of security questions. Even if a fraudster had your social security number, date of birth, etc., Schwab would not initiate any transactions if he or she did not know your security questions. Again, certain transactions are flagged and Schwab would alert you to any transactions for authentication.

Schwab also offers an additional security layer for call-ins. In addition to Schwab’s normal security protocol, you can also activate Voice ID or set up a verbal password. Voice ID uses biometrics to identify your unique voice. To authenticate that you are the account owner, Schwab would ask you to recite a previously set up phrase, such as “At Schwab my voice is my password.” If your voice or phrase does not match, Schwab will not allow access to your account. A verbal password works in a similar way; in order to access your account, a fraudster would need to know the verbal password.

If you are worried that your identity has been compromised, I highly recommend you take steps to protect yourself.

  1. Change your passwords. For sensitive websites, such as financial institutions, make sure that you use unique passwords for each account. Do not use a generic password for all of your accounts.
  2. Consider getting a security token. Schwab can issue you a security token that provides you with a randomly generated code. The token will produce a new code every 30 seconds. To log in, you would enter your username, password, and the random code produced from your token. Without the token, there is no way to access the account. This is called two-factor authentication.
  3. Make sure all of your contact information is up-to-date. If there is a breach or unusual account activity, Schwab needs up-to-date information so that they can contact you.
  4. Consider activating Voice ID or setting up a verbal password.

To learn more about how Schwab protects client accounts, the SchwabSafe website is a great resource.


Similar to Charles Schwab, Fidelity offers a Customer Protection Guarantee. Fidelity states that it will reimburse its clients for any financial losses due to unauthorized activity within accounts held by Fidelity. Account types covered by this guarantee include the following: retirement accounts (IRA, Roth IRA, etc.), non-retirement accounts (Individual Taxable Accounts), and individual workplace retirement accounts (401(k) plans, profit sharing plans, 403(b) plans, and 457 plans). This guarantee does not apply to 529 college savings plan accounts.

If you suspect any fraudulent or unauthorized activity within your Fidelity accounts, contact Fidelity immediately at 800-544-6666.

To learn more about Fidelity’s guarantee, visit the Customer Protection Guarantee webpage.

Similar to Schwab, Fidelity also employs a host of sophisticated security protocols to keep accounts secure. A few of these Fidelity security measures include: two-factor authentication, voice authentication, encryption, secure email, customer verification procedures, fraud detection, and firewalls.

To learn more about Fidelity’s security measures, visit the Our Security Measures webpage.


Vanguard also offers to reimburse any assets that were fraudulently taken from your account. Vanguard does state that, at a minimum, you must take each of the steps below to qualify for this protection.

  1. Review your accounts regularly.
  2. Take steps to protect your user name, password, and other account-related information.
  3. Take steps to protect your computer (up-to-date security patches, antivirus, etc.).
  4. Do not reply to e-mail requests for personal or financial information.
  5. Cooperate with Vanguard in the investigation.

To learn more about Vanguard’s fraud policy, visit Vanguard’s Online Fraud Policy webpage.

Vanguard accounts covered by this protection include individual retirement accounts, brokerage accounts, and participant accounts in retirement plans. 529 college savings plan accounts are not covered by this protection.

If you suspect any fraudulent or unauthorized activity within your Vanguard accounts, contact Vanguard immediately at 877-223-6977 or send an email to

Similar to Charles Schwab and Fidelity, Vanguard also employs sophisticated security protocols to keep accounts safe. A few of these security measures include: encryption, “Green bar” reassurance, logon protection, customer verification procedures, and fraud monitoring.

To learn more about Vanguard’s security measures, visit Vanguard’s Security webpage.

Are Your Bank Accounts Safe?

When it comes to your bank accounts, it pays to know your rights and responsibilities. Although each bank has its own rules and regulations regarding unauthorized transactions, federal law requires each bank at a minimum to abide by the Federal Reserve Bank’s Regulation E. Reg E provides a set of regulations that governs Electronic Fund Transfers (EFTs). In regard to identity theft and unauthorized EFTs, Reg E provides customers with zero liability if an unauthorized transaction is reported within 60 days after the transmittal of your monthly statement. If the unauthorized transaction is not reported within 60 days, a bank is not required to refund the transaction.

Although Reg E does provide relief in regard to unauthorized transactions, dealing with such an event is still extremely inconvenient. Additionally, each bank has its own procedures for investigating the incident, which can cause delays in your refund being processed. If you are worried that your bank information may have been compromised, I encourage you to change your online password, change your PIN, and know your bank’s procedures for dealing with unauthorized transactions.

The chart below was published by the Federal Reserve and provides some insight into consumer liability for unauthorized transfers under Reg E.

Are Your Credit Cards Safe?

Credit card fraud is a serious issue. In 2014, approximately 31.8 million Americans reported their credit cards had been compromised, according to Javelin Strategy and These numbers are staggering. On a more positive note, the federal government has enacted numerous laws to protect consumers from this growing threat. One such law is the Fair Credit Billing Act. This law was enacted to protect consumers from unjust billing practices, such as unauthorized transactions. Under the Fair Credit Billing Act, your maximum liability for unauthorized credit card transactions is $50. In addition, most major credit card companies have adopted a Zero Liability Policy, which goes beyond the requirements of the Fair Credit Billing Act. Under a zero liability policy, you are not liable for any fraudulent charges.

There are a few stipulations (1) to receiving this liability protection:

  1. You must report the unauthorized transaction no later than 60 days after receiving your statement.
  2. You must not be behind on your credit card payments.
  3. You must take reasonable care to protect your identity.
  4. You must be willing to file a police report.
  5. The credit card must have been issued in the United States.

To dispute a fraudulent transaction, the Federal Trade Commission instructs you to write a letter to the creditor and mail it to the address for billing inquiries. The FTC has provided a sample letter to report these transactions. The letter must be received by the creditor within 60 days of the statement date. The creditor must respond that it has received the letter within 30 days of receiving it, and the dispute must be resolved within 90 days.

So, are your credit cards safe? The answer is…as safe as they can be. But on the off chance that your credit card is compromised, you are not liable.