This episode is extremely important for anyone who is saving money for retirement. If you are investing, even if you’re not trading, the information that I’m going to cover in this episode is going to scare the daylights out of you, but luckily there are steps that we can take to prevent massive, massive loss and fraud.
Passive traders, warning, your account, your trading account is going to be hacked. If not today, then it’s going to happen tomorrow. But at one time, your account is going to be hacked and money will be taken from your account unless you take strict, crazy actions to protect yourself. My E-Trade account was hacked for $15,000. That money was taken out of the account with no notice to me, no indication. I didn’t know anything was going on. Luckily, I figured it out. When I found out how they did it, my mind was blown how easy it was.
Now, let me tell you the whole story. Back in October of 2019 E-Trade limited what I could do with my account. Now, I have one account with E-Trade. I have had it with them … This account has been open for years and years. Before it was with another broker that got bought out by another broker named Option House. Option House then got bought out by E-Trade and recently E-Trade just announced that they’re being bought out by Morgan Stanley. So this account has been open for years and it has well over $100,000 in it. But I don’t use it for options trading. I’ve only bought some long positions in stocks and has just been sitting there. So this is not an account that I checked on a regular basis.
But back in October of 2019, they limited what I could do with the account. They sent me an email saying, “Your account is limited.” They made me call them to verify who I was. I didn’t know why. But when I called them, they finally told me that, “Hey, someone was trying to withdraw funds from this account from different places all over the world, from different countries.” So they wanted to make sure that it wasn’t me and that it was fraudulent. Now luckily, they had stopped those transactions and those withdrawals, but they wanted to place a limit on the account until I got in touch with them so they could verify.
Once they verified it was not me, we changed my password and everything was fine. Account was back up, no restrictions. Now again, this is an account that I only log into maybe once a month, if that. All right. Every other month or so I log in just to see how things are going. Now, in January of 2020, so that was October when they alerted me to the fraud. Three months later in January of 2020, I logged into the account just to see how things were going. By chance, I mean this was luck that I noticed this, on the side of the screen it has a little section, little widget or whatever it’s called, and it says recent activity.
On that recent activity thing, it showed ACH withdrawal. That’s all it said, ACH withdrawal and a date. I’m thinking to myself, “What is that? I didn’t withdraw any money. What could this have been? I don’t understand. What is this?” So I clicked on it, went to the ACH withdrawal page to see what was going on, where the money was going. It didn’t make any sense because I found several other withdrawals as well to different places, Discover card, Kohl’s, something called Gemini, a whole bunch of other vendors. I didn’t know what this was. Over the past two months, so over November and December, close to $15,000 was siphoned off in small amounts and then larger ones, so a couple hundred dollars, $300, and all round weird numbers.
It wasn’t $300. It was $315.42. And then there were larger ones. They started off as small amounts and then they got larger and larger. Every couple days there was another withdrawal. So I get on the phone with E-Trade to report this. I spoke to somebody in their customer service who filed a report and I had to tell him to stop all the withdrawals. So he’s taking my information, asking me, “You didn’t do this and you didn’t withdraw your Discover and you didn’t withdraw to Kohl’s?” I’m like, “No, I don’t have a Discover card. I don’t have a Kohl’s account. I don’t know what any of these vendors are. Stop the withdrawals.”
So he goes, “Okay. I will stop all the withdrawals to these vendors.” I’m like, “No, dude. You need to stop all withdrawals, not just to these vendors, to every single vendor out there. I want a complete pause on this account. I don’t want any money going in or out of this account any more until you figure out what’s going on and until I get my money back.” Because for some reason he couldn’t figure that out on his own. I don’t know. He told me he’s going to take over a week to investigate. If there’s fraud involved, which of course there is fraud involved, it could take up to 90 days to get my money back. 90 days. Now, the one thing I couldn’t figure out is how they got any money out of this account in the first place because just about every penny I had in there was already invested in a stock.
There was maybe a couple thousand dollars leftover in cash, but I didn’t have no $15,000 that these guys had taken out. I couldn’t understand it. So it wasn’t like I was out any money, but I’m sure that if I hadn’t reported it, then E-Trade would have come after me for that $15,000. A week later, the investigation’s going on. I’m going to wait back. Hopefully they have stopped it. Actually I kept logging in every day and I noticed that the ACH withdrawals were still happening. They weren’t approved, but whoever this scammer was, this hacker, they were still trying to withdraw money. But now it was getting stopped. It wasn’t happening any more. But they kept trying and they kept trying.
So a week later I get an email from my other broker, Ameritrade, that one of my accounts there had been hacked. Now this, to me, is more scary because I have several accounts at Ameritrade. So I get on the phone with them. I’m like, “What’s going on?” They told me the account. I mean that account doesn’t have any money in it. It should have been shut down years ago. I think it has two cents in it, that’s why they kept it open. But somebody was trying to hack into that account. Luckily, it didn’t have any money and they stopped it. Were the two incidents related? I don’t think so. Probably not, because if they can hack into one Ameritrade account, what’s to stop them from hacking into all the other ones?
This was an account that we didn’t even use, so that was interesting. But the E-Trade investigation, okay, this is the crazy part. This is how they stole the money. The E-Trade people discovered that the scammers had gotten a hold of my account number, not my password, not my username. They only had my account number. They only needed my account number and the E-Trade routing number to steal money. Now, the E-Trade routing number, you can go online and Google it and you’ll figure it out. That’s not hard to do. Now, think about it. If a scammer, the only thing they need is your account number, I mean, how many people do we share our account numbers with?
They’re on our tax returns. They’re on our bank statements maybe. They are on our mortgage applications or credit applications. I mean I never considered that as top secret information. I didn’t give it out to anybody, but it’s not top secret. But if that’s all they need to steal money without even us being notified, this is a serious, serious security flaw in my books. What the hell? This scammers, they didn’t even have to log into my account. All they did was they used the account number and the routing number and they set up payments to all of their different accounts. So Discover was an account that they had. Kohl’s was an account that they had.
All the other stuff were other debit cards or credit cards or whatever, these accounts that they had, they were able to set up ACH withdrawal payments from my account to pay off their accounts. Again, like I said, these withdrawals continued to happen even after I reported the fraud. No money was taken out, but they kept trying. It was like set on autopilot. Guess what happened after that? E-Trade told me that they were powerless to stop it. They could not stop these people from trying to take money out. The only thing they could do was shut down the account, transfer everything I have to a new account with a new account number.
Wow. So not only is the scam easy to do, but the company can’t even stop it unless they give me a new account. Thankfully, they agreed that it wasn’t my fault and I wasn’t doing fraud and so the money was returned. Actually, it wasn’t even my money because I didn’t have any money left over in the account. It was margin money that was taken out. So since I didn’t have that much cash in my account, the withdrawals were actually made with margin. Not only if I hadn’t reported this, E-Trade would have been charging me interest on top of the fraud. Right now as I record this today, it’s past mid-February and I still have no access to this account. They told me they were going to shut down the old account, move everything over to a new account, and then everything will be fine.
So yes, they have done that. I can log in to the account, but I can’t see anything. I can’t see my positions. I can’t trade anything. I can’t buy anything, can’t sell anything, can’t do anything. Luckily, I only had long-term stock positions in this account. The markets have been moving higher. So I’m okay. But if I had options in this account or if the market started dropping, I would be powerless to do anything because I can’t even see my positions. They won’t let me do anything. There’s only one person in the company that has the ability to do anything. I’ve called their customer service several times and said, “I need access to my account.” They’re like, “Well, your account is in security and only this one person can help you.” I’ve emailed that person, left messages.
Sometimes she calls me back or emails me back and says, “We’re still working on it. We’re still working on it.” I have no time or ETA or knowing anything when this is going to be done. When am I going to get my account back? Pretty much it’s being held hostage for whatever reason. So I’m basically powerless. That is never a good position to be in. Now, the thing that makes this even worse, and this is why up till now you guys are thinking, “Oh wow. That’s really bad, Allen, that happened to you. It’s not going to happen to me. I got a really cool password.” Well, remember, they didn’t need my password. They don’t have my password. They never had my password. They never logged into the account. They did it with an ACH and my account number.
Let’s say that you’re hiding your account numbers. Okay, great. You have different passwords. That is great. But let’s say somebody does hack into your account. The companies that hold your trading accounts and your investment accounts and your retirement funds, if there is fraud and you lose money from that, somebody takes money out or whatever, they are not required to make you whole. I’m going to say that again. The investment accounts, like your stock broker or your mutual fund company, they are not required by law to give you your money back if you lose money due to fraud.
Now, there is a website called Consumers’ Checkbook that looked into the largest firms and many of them don’t even have a fraud protection policy. While some of them do say that they will cover fraud 100%, you have to live up to their guidelines which, in the case of Merrill Lynch, with Merrill Lynch, means you have to satisfy 85 different requirements, 85 different requirements. You have to be able to check off every single one of those things that you have done those in order for them to live up to their fraud protection policy and make you whole. So no, Molly, your money is not safe. Okay?
So what do you do? What can you do about it? Well, I have a list here. I’m going to give you a list. Hopefully you can listen to this. When you are sitting down, you can write these down or look on the show notes. But what you need to do is you need to have a different username and a strong password for each account. That you already know. You probably don’t do it, but you already know this. Different user name and a strong password for each account, because this is money. This is important. This is not like we’re trying to log into Facebook or something simple. Every single website in the world requires you to have a login now.
I mean if you’re an OptionGenius member, you have to have a login and a password to log into your Option account. Now, if somebody takes your password and logs into your account, they’re not going to be able to mess you up. They can’t do anything to you. They can’t hurt you in any way. But these accounts, it’s like a vault. It’s a gold mine. It’s just sitting there. The money’s sitting there and the hackers know this. The hackers are not going after the banks any more. They’re going where the money is easy and the money is easy in mutual fund accounts and investment accounts and IRAs and 401ks. That’s where the money’s easy. So you have to be very careful.
Number two, you need to add something called two-factor authorization to all accounts. This is like a second password. Some sites, what they’ll do is they’ll text you a code before you can log in. So you type in your name, your password, and then they text you a code to your phone which you enter in and then they get in. That way only if you have your phone can you access your account. Some other companies, they use third-party apps. So they make you download a new app on your phone. There’s one called Google Authenticator. E-Trade, they use an app called VIP Access. That is also two-factor authorization. You have to download a special app and then that app will give you a code. If they don’t text it to you, they’ll make you download an app that’ll give you a code that you have to enter in when you log in. That’s the only way you can log in.
Now, of course you have to use your phone. If you lose your phone, it becomes a big headache because your phone number is tied to the account. There’s a whole process about that. But it’s better than just leaving it open. Number three, you got to check your accounts at least once a month. Now, this you can do and hopefully you’re all doing it once a month. I track my balances on a spreadsheet now as a backup. So every month I go into all my accounts, I’ve decided, and I’m going to put in my balance, boom, boom, boom, boom, boom. Any time there’s a balance from month to month, if the balance changes a lot, I’m going to investigate. Okay, make sure it wasn’t fraud. It’s just, yeah, my securities are going up and down. All right. That’s fine as long as there’s no money going out.
Number four, when you get an email from your broker, they’ll email you, “Your options are expiring,” or, “This is going on. We have a message for you. We need you to log into your account for whatever reason. There’s new policies or something or other.” Don’t click on any links in the email. If your broker sends you an email or a text message or whatever and says, “Hey, we need you to log into your account.” Say, “Okay, thank you.” Go into your internet browser. Type in the name of your broker, whatever it is, broker.com, etrade.com. Ameritrade.com. Go to their website and log in from there. Do not click a link in an email or a text message or any other communication because scammers and hackers send emails that look like they come from your broker, but they will take you to a fake website that looks like the real website.
You’re going to try to log in there and they’re going to grab your login information. So that’s number four. Number five, do not log into your account on public WiFi. Do not use public wireless Internet. So if you’re sitting at the airport, if you’re at the hotel, don’t do it. You can use it for your phone if you want to and check your email or check your whatever messages, Facebook and emails and news or whatever. But do not log in to any accounts that are sensitive. If you have to log into those, use your own cellular data plan if you have to. Number six, obviously, do not share your login information with anybody. Do not share your account number if you don’t have to.
If you have a mortgage application and they need to know what money you have and what assets you have, write down, okay, I have E-Trade account and two digits of the account number. They don’t need to know your account number. Nobody needs to know your account numbers. Even E-Trade doesn’t ask you for your account number when you log on. They only ask for part of it. It’s like a Social Security number. Do not give out and do not leave it laying around. Shred all of your statements if you get them in the mail. If you don’t need them any more, shred them or keep them under lock and key. Keep them safe. Keep the information safe.
Number seven, this was a new one to me. Do not give your investment details to sites that help you track sites like Mint or Quicken or Personal Capital. These are basically websites that tell you, “Hey, you can track all of your accounts just on our site. You can track all your bank accounts. You can track all your investment accounts and you can see how you’re doing.” Well, guess what? If these sites are hacked and they lose your information, your investment, your stockbroker doesn’t have to cover the loss because you knowingly gave your login information to a third party and that third party got hacked.
So your broker, as far as your broker’s concerned, it’s their fault. They didn’t get hacked and so they don’t have to cover the loss. I hope you understand that because a lot of people use these sites, Mint, Quicken, Personal Capital, and there’s a whole bunch of other ones. They might make it easy for you to track all your credit cards, all your bank statements, all your investments in one spot. But if they get hacked and your personal information, your login and your password gets stolen and somebody uses that to log into your investment accounts and take money out, your broker is not liable and is not responsible and might not make you whole.
Number eight, again, shred all documents if you don’t need them. We already said that one. Now unfortunately, things are only going to get worse. If you haven’t been hacked yet, you will be hacked because thieves go to where the money is and there is more money sitting in mutual funds, 401ks, HSA plans, and investment account than ever before. It is not as secure as the bank. If you have a checking account or a savings account, it’s guaranteed by the government up to a certain amount. If somebody hacks you or the bank goes out of business, your money is protected by the government, not so with your retirement funds. There is no government agency that is going to back you up if there is fraud because it is very expensive to keep these hackers away and to keep refunding customers’ money.
Only the larger companies, the very big companies, can afford the top-of-the-line security that they need to keep these hackers out. Even then, they still get hacked. E-Trade, big company, right? They just got bought for $31 billion. That’s what they were worth. They got hacked easily. So be very, very careful, especially if you use a smaller firm. Check what their fraud prevention is. Some of them say if there’s fraud, they’ll back you up 100%, like Merrill Lynch. But you have to live up to 85 different requirements, which is insane. The best thing to do is to protect yourself from being hacked in the first place.
Like I said, I already gave you eight different things that you can do. Make sure you get that two-factor authorization in place. Make sure you have strong passwords, different different passwords for different accounts. That’s the easiest thing you can do. Check your accounts on a regular basis. Make sure there’s no money going out, and just be careful. Be mindful of what’s going on. I’m going to leave some links in the show notes for more information on this, on what are the things you guys can do to protect yourself. But like I said, if it happens to you, it’s a pain in the butt. Because it happened several months ago and I still have no access to my account and I didn’t do anything wrong.
I don’t know how they got my password or my account information. They didn’t get my password. I don’t know how they got my account information, my account number. Maybe they just guessed it randomly. I don’t know. E-Trade couldn’t figure that out either. The only thing they could do is give me a new account. Okay. Well, how long before that happens again? I mean I still haven’t decided if I’m going to move my funds away from E-Trade because of this. Probably I am. But every other broker is the same thing. They all have similar systems. I wish I could go to Ameritrade, but my Ameritrade was hacked. Luckily, nothing happened there.
So yeah, I’m taking a lot more precaution than I was doing before because I mean, imagine you get hacked and your bank says, “Well, hey. We not going to cover you.” What? For me, it was $15,000. For other people that could be a lot more or less. It doesn’t matter. It’s still hard-earned money that we’ve made. We try. We work hard. We invest. We trade. We do our best. And then the money’s just sitting there and it’s just gone. They have no idea how to catch these people. They’re sitting who knows where. Maybe they’re in Russia. Maybe they’re in some other country. They’re just hacking, hacking, hacking.
Nobody can find them. And even if they know where they are or who they are, our government can’t do anything. Our government’s not going to go after them if they’re in some country that’s on good terms with the U.S. So there’s nothing really we can do about it to stop it, except to protect our accounts a little bit more. I hope that you follow the recommendations laid out in this episode. I hope this episode is a wake-up call. I hope I can grab you by the shoulders and shake you and say, “Look, it happened to me. It can happen to you. It can happen very easily to you.” Please be careful please. It’s going to happen.
It’s the same thing with identity theft. It hasn’t happened to me, thank God, but it has happened to other people I know. It’s a matter of time before somebody hacks into my email or somebody guesses my Social Security and steals a credit card or does something. That’s just the nature of the world we live in. The more that we go into electronics and the more we get away from real money, which we don’t even use that much any more. Everything is online. Everything is on computers. We’re just sitting ducks. That’s exactly what your investment account is. It’s a sitting duck for hackers and scammers. So put some walls around your duck. Put some safeguards in place. Be as stringent and careful as you can. Hopefully, it doesn’t happen to you.
I always tell you to trade with the odds in your favor. Well, this time we need to protect yourself. I don’t know if we can ever put the odds in our favor in terms of protecting our accounts, but we need to do as much as we can. So with that said, I hope this never happens to you and I hope I get my account back soon. Until then, may the markets be great. Thank you.