FICS Editors' Note

The editors of Fidelity Interactive Content Services (FICS) selected this content because it offers valuable information for investors.

Could you be a target for cybercrime?

Understanding the potential threats can help keep your online accounts safe.

  • Facebook.
  • Twitter.
  • LinkedIn.
  • Print

Key takeaways

  • Understanding the many forms of cybercrime may allow you to better defend yourself.
  • Use 2-factor authentication for all online financial accounts.
  • Maintain updated industry-standard operating systems and software.
  • Do not use public Wi-Fi for your finances or other sensitive items.

You've likely spent a good deal of time thinking about investment risk. But have you stopped to think about more personal security issues, such as the safety of your online financial transactions and information stored on your computers? While most people recognize that online fraud or cybercrime is a potential threat, few know how or why they may be at risk. Cybercrime can take many forms, and understanding who the enemies are and how they commit crimes may allow you to better defend yourself.

The "Bad Guy"

Economic cybercriminals pose the greatest online risk to your family's personal financial data and assets. Make no mistake, many of these thieves are highly skilled and sophisticated. They may be individuals or coordinated groups that use technology to steal. For most of us, cybercrime can best be described as an extension of traditional criminal activity focused on personal financial data and monetary theft.

How do cybercriminals operate?

Indiscriminate targeting

In some cases, cybercriminals cast a wide net with "phishing" scams, among others, and hope the sheer quantity of potential victims will yield sufficient economic benefit (see "The makings of a cybercrime," below, for more details on how cybercriminals attack).

Specific victim targeting

A growing and more concerning trend is the specific targeting of high-net-worth individuals. In many of these cases, criminals spend a great deal of time and effort identifying a worthwhile target and then developing a victim profile based on public and private information—such as property records, credit information obtained via hacking, and posted details on social networks—with the goal of stealing assets from financial accounts.

Although the actual criminal act can take several forms, the basic steps are often similar. Below is a relatively common scenario:

  • Step 1: The thief sends an email with a link or attachment to the victim that appears to come from a known party. The targeted victim then clicks the link or attachment, which includes malicious software (malware) that infects the victim's computer.
  • Step 2: The thief uses installed malware to steal login credentials to the victim's financial accounts or to remotely control the victim's computer. This will generally allow the thief to log in as the victim.
  • Step 3: With access to accounts, the thief changes the victim's profile at the financial institution and/or impersonates the victim and moves money to criminal accounts at a different institution.

That's the bad news. The good news is that with some simple steps, you can improve your defenses and reduce your vulnerability to this type of crime.

Steps you can take to help keep your online accounts safe

1. Use 2-factor authentication and strong, unique passwords for each site

Treat your computing devices as you would your front door—restrict access and use tough security measures. Passwords are the keys to your online financial information. If cybercriminals find them, they can unlock the doors to your bank accounts, investment accounts, and your personal information. Unfortunately, a significant amount of malicious software trolls the internet looking specifically for account credentials (IDs and passwords). With an inadvertent click on what appears to be a legitimate link or the opening of an attachment designed to look legitimate, this software can be loaded on your machine and be ready to take your "keys."

Go for 2
Adding an additional layer of security when you access your accounts, called 2-factor authentication, is a strong defense against this type of attack. Fidelity and many other financial firms now offer 2-factor authentication. It requires you to enter a unique security code, randomly generated and sent to your phone or other mobile device, in addition to your standard login. While not completely foolproof, 2-factor authentication raises the bar for cyberattackers trying to access your accounts. You might also consider it for nonfinancial sites—Google, Apple, Microsoft, Facebook, Amazon, and Twitter all offer 2-step authentication options.

Go long and stay strong
You've probably heard this before, but it bears repeating: Never use names, birth dates, Social Security numbers, or any personally identifiable letters or numbers as your password. Use a different password for every application and website and change them often. Why? The dangers of password reuse. Every year there are data breaches and more sets of credentials (user IDs and passwords) leaked onto the internet. It is common practice these days for criminals to collect these credential dumps and try these user IDs and passwords at financial sites, email providers, mobile phone providers, social media sites, and others. If a Fidelity customer were to use the same password here that they used on another account, and that other account was breached, their Fidelity account could be at risk.

What constitutes a good password? The most important factor is length (at least 12 to 14 characters is best), but complexity also makes passwords more unique. Use a combination of letters, numbers, and special characters and stay away from dictionary words or common combinations of words. It's also best to avoid common substitutions within words, like replacing the letter "o" with a zero. It's just too obvious. A string of uncorrelated words with numbers and special characters is best. Importantly, when selecting a password, don't rely on free password strength checkers—they often miss the mark.

Install a password manager
These days, most of us have dozens of passwords covering multiple devices and everything from social media to subscription services, e-commerce, banking, and Wi-Fi. Remembering all these passwords, and changing them frequently, just isn't sustainable. Fortunately, there's an app for that. Password manager apps generate and store all your passwords in a secure environment. They'll even auto-fill login information for stored sites. Many now sync your passwords across all your devices and automatically generate new ones on a regular schedule. The cost of state-of-the-art password managers is negligible—especially when compared with the convenience and security they provide.

2. Install industry-standard systems and software, keep them up to date, and perform regular backups

One of the smartest things you can do to keep your financial information safe is to use modern, industry-standard operating systems and keep them up to date. Credible vendors have teams of cybersecurity specialists dedicated to fixing vulnerabilities in their current systems, and they are always on the lookout for new ways cybercriminals can hack into their products to access users' computer files or install malicious software.

Updating your systems is easier than it used to be
Today, most operating systems let you set your update preferences to automatically install patches as soon as they are available. That goes for software too, including antivirus protection. Don't forget to update your mobile phones and tablets, and the apps installed on them. You can set update preferences to do this automatically, but many devices need to be plugged into your computer for a complete upgrade. It's a good idea to connect your mobile devices to your computer at least once a week so these updates can be downloaded and installed properly.

You can never have too much backup
Backing up your data is good system hygiene. It prevents your information from being lost forever and immunizes you from ransomware attacks. In this increasingly common scheme, criminals lure you into clicking an email link that downloads malware and blocks your access to the computer. The perpetrators can hold your hard drive hostage, demanding a hefty ransom to unblock it. If your system data is backed up elsewhere, it eliminates any leverage the scammers have, neutralizing their threats.

Backups are most effective when done in a continuous, real-time environment. Savvy users employ redundant methods—typically a USB-connected external storage device in tandem with an encrypted cloud-based service. External storage offers more immediate data retrieval, while cloud-based services can store much more data. Also, in the event of a flood or fire, both the computer and external storage device may be lost, but offsite backups to a cloud-based service would be safe.

Don't forget to include mobile devices in regular backups. This can be done via a cloud-based service, but a full backup may require connecting to a computer. By syncing up your photos and home movies to your computer, they will then be included in regularly scheduled backups, keeping them secure.

3. Use caution when linking to financial accounts or e-commerce sites through email

Cybercriminals are getting smarter about making their phishy emails look legitimate. These emails mimic those of financial institutions, complete with logos and convincing signature lines. Searching Google and social media sites makes it easy to personalize these emails with your name and subject lines like "Your recent transaction with us." All of this is designed to lower your guard so you'll be more apt to click a link to a fraudulent version of your provider's website. This allows the scammers to download malicious software onto your computer or gain access to your passwords and usernames.

The best offense is a good defense
Use caution when linking to your financial institution via email. Instead, go directly to your provider's website by using a link you've saved in your "Favorites" menu. That way, you'll be sure you arrive at a legitimate website. Always look for the "https" prefix in the site's address. This indicates that the connection to the site is encrypted to protect your sensitive data from prying eyes.

4. Always access your accounts from a secure Wi-Fi location

Your home Wi-Fi network comes with built-in security, but it's not foolproof. Your network provider supplies you with a router ID and password, but these are default settings. Cybercriminals know the defaults for major network providers. If you're using these settings, your "secure" home Wi-Fi network may not be as secure as you think.

Home networks now connect computers and smartphones to thermostats, TVs, refrigerators, and residential security systems. Each device is a potential weak spot in your Wi-Fi network. As your home becomes more dependent on the internet, so does your exposure to a network breach.

When setting up your home network, consider changing the default network ID and passwords. Consider installing an intrusion detection or intrusion prevention system, as well as an applications-based firewall, to further secure your network.

Beware of public Wi-Fi
Everyone loves free Wi-Fi, but unsecured public wireless access points are easy to intercept, providing an opportunity for attackers to snoop on your online activity. A safer alternative is to use only secure Wi-Fi networks. If you use your laptop or mobile devices while traveling, purchase a subscription to a paid hotspot provider in which the networks are password protected and have additional levels of security.

5. Consider using a dedicated device for online banking

One of the best ways to secure your online financial information is to dedicate one device exclusively for banking and financial use. Many cyberattacks come from malware installed while you're web surfing and reading emails. Eliminating those activities from a dedicated banking computer goes a long way toward keeping your financial information out of harm's way.

Help us help you
A dedicated banking device also helps financial institutions keep your accounts secure. Most, including Fidelity, monitor client accounts for fraudulent logins from unauthorized computers and will alert you if there is suspicious activity in your account. When Fidelity surveyed client login patterns, we found many users logging in from multiple devices. One or two were common, but some clients routinely logged in from a seemingly random assortment of systems, making it difficult for an institution to distinguish a legitimate login from a fraudulent one. By using one device for all transactions, an illegitimate login stands out, and the institution will be able to move quickly to alert you and secure your account.

6. Understand your computing environment and consider whether you need help

If you have a complex computing environment, a comprehensive cyber-risk assessment may be an appropriate step in protecting your personal information. Individuals with complicated online footprints may want to consider implementing additional systems (e.g., intrusion prevention and detection, firewalls).

Because cyberthreats evolve almost as fast as technology itself, consider retaining a firm to provide ongoing system surveillance, support, and maintenance. These services include everything from monitoring your home internet traffic and blocking outside threats, to educating family members about smart social media practices, safe web surfing and e-commerce protocols.

A good risk assessment will be specific to each person and should consider questions like:

  • How many computers, mobile devices, tablets, TVs, home security systems, and appliances are connected to your home Wi-Fi network?
  • Are they shared across personal and home office use?
  • Do non-family members regularly in your home have access to your Wi-Fi network or computing devices?
  • What backup procedures are in place for each device?
  • Are you or other household members active on social media like Facebook, Twitter, or Pinterest?


No one wants to spend time thinking about all the bad things that can happen, but it's important to understand potential threats to your assets and take measures to eliminate them. When it comes to protecting your financial accounts from cyberthreats, practicing good system hygiene and making a few changes in your user habits will significantly improve your online security. Clients can play a key role in helping Fidelity detect fraud. They can help us help them by maintaining a general awareness of their accounts, including staying alert to emails regarding password resets and account changes, and periodically logging in and checking for unusual transactions and activity.

Fidelity uses sophisticated security measures to protect our customers. We also make many additional security tools available for customers to utilize, including 2-factor authentication and transaction alerts. Of course, we also provide a Customer Protection Guarantee for fraudulent activity. Make sure to visit Fidelity's online customer security site to explore some of these features, and learn more about what Fidelity is doing to help keep your assets safe.

  • Facebook.
  • Twitter.
  • LinkedIn.
  • Print
Please enter a valid e-mail address
Please enter a valid e-mail address
Important legal information about the e-mail you will be sending. By using this service, you agree to input your real e-mail address and only send it to people you know. It is a violation of law in some jurisdictions to falsely identify yourself in an e-mail. All information you provide will be used by Fidelity solely for the purpose of sending the e-mail on your behalf.The subject line of the e-mail you send will be " "

Your e-mail has been sent.

Your e-mail has been sent.