
Security Essentials for Investing Accounts

Illuminvest | 10 min read

Your brokerage account is not like your social media account. If someone gains access, they are not posting embarrassing photos. They are potentially draining your life savings.

Investment accounts are high-value targets. They contain liquid assets that can be converted to cash and moved quickly. Once funds are transferred, recovery is difficult or impossible. The security measures that feel like minor inconveniences are the barriers between your wealth and those who want to take it.

This article covers the essential security practices for protecting investment accounts. Some are technical. Some are behavioural. All of them reduce risk.

This is general educational information, not personal financial advice.


The Threat Landscape

Understanding what you are protecting against helps prioritise defences.

Credential Theft

The most common attack vector is obtaining your login credentials. This happens through:

  • Phishing. Fake emails, messages, or websites that impersonate legitimate services and trick you into entering your password.
  • Data breaches. Credentials stolen from one service can be used to access others if you reuse passwords.
  • Malware. Software installed on your device that captures keystrokes or monitors activity.
  • Social engineering. Manipulating you or customer service representatives into revealing information.

Account Takeover

Once credentials are obtained, attackers attempt to take control of the account. This may involve:

  • Changing contact details (email, phone) to prevent you from receiving alerts
  • Adding new bank accounts for withdrawals
  • Initiating transfers before security measures can intervene

SIM Swapping

A SIM swap attack involves convincing your mobile carrier to transfer your phone number to a new SIM card controlled by the attacker. Once they have your number, they can:

  • Receive SMS verification codes intended for you
  • Reset passwords on accounts that use SMS-based recovery
  • Bypass SMS-based two-factor authentication

SIM swapping has been used in high-profile thefts from cryptocurrency and brokerage accounts.¹


Two-Factor Authentication

Two-factor authentication (2FA) requires something you know (password) plus something you have (a second factor). Even if your password is stolen, the attacker cannot access your account without the second factor.

Types of 2FA

SMS-based 2FA. A code is sent to your phone via text message. This is better than no 2FA but is vulnerable to SIM swapping.

Authenticator apps. Apps like Google Authenticator, Microsoft Authenticator, or Authy generate time-based codes on your device. These are not vulnerable to SIM swapping because the codes never travel through the mobile network.

Hardware security keys. Physical devices (e.g., YubiKey) that must be plugged in or tapped to authenticate. These are the most secure option and are phishing-resistant: the key's response is bound to the genuine site's origin, so a lookalike login page cannot obtain a response that works on the real one.

Biometrics. Fingerprint or face recognition, often used as a convenience layer on top of other methods.

Recommendations

  • Enable 2FA on every investment account that offers it.
  • Prefer authenticator apps over SMS where available.
  • Consider hardware security keys for high-value accounts.
  • Store backup codes securely in case you lose access to your 2FA device.

If your broker does not offer 2FA, that is a significant security weakness worth considering in your broker selection.


Password Hygiene

Passwords remain the foundation of account security. Weak passwords and password reuse are the most common vulnerabilities.

The Problem with Password Reuse

If you use the same password for your email and your brokerage account, a breach of your email provider gives attackers access to your investments. Data breaches occur constantly; the only question is whether your credentials are among those compromised.

Strong Passwords

A strong password is:

  • Long (at least 16 characters, preferably more)
  • Random (not based on words, names, or patterns)
  • Unique (used for one account only)

Human-generated passwords are rarely strong. "Password123!" is weak. "MyDog'sName2024!" is weak. "Tr0ub4dor&3" is weak despite looking complex.

Password Managers

Password managers solve the problem by generating and storing strong, unique passwords for every account. You remember one master password; the manager handles everything else.

Reputable password managers include 1Password, Bitwarden, and Dashlane. Most browsers also offer built-in password management, though dedicated managers typically offer better features and cross-platform support.

Key practices:

  • Use a password manager for all accounts.
  • Generate passwords of 20+ random characters for financial accounts.
  • Use a strong, unique master password for the password manager itself.
  • Enable 2FA on your password manager.

Your password manager is now a critical security asset. Protect it accordingly.
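The following is an added example (not code from the article or from any password manager) showing what the "generate 20+ random characters" practice above amounts to, and why a length-and-character-class policy alone is not enough to judge the human-made examples in the Strong Passwords section. It draws from Python's CSPRNG (`secrets`), requires at least one symbol from each class, and reports the entropy of a uniformly random password; the policy check is deliberately naive, because pattern-based passwords like "MyDog'sName2024!" satisfy it and are still weak, which is the article's point.

```python
import math
import secrets
import string

# 94 printable ASCII symbols: the alphabet a typical manager's generator offers.
CHARSET = string.ascii_letters + string.digits + string.punctuation
CLASSES = (string.ascii_lowercase, string.ascii_uppercase, string.digits, string.punctuation)
MIN_LENGTH = 16


def generate_password(length: int = 20, alphabet: str = CHARSET) -> str:
    """Uniformly random password from the OS CSPRNG, rejecting draws that miss a class."""
    if length < MIN_LENGTH:
        raise ValueError(f"financial-account passwords should be at least {MIN_LENGTH} characters")
    required = [cls for cls in CLASSES if set(cls) & set(alphabet)]
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if all(any(ch in cls for ch in candidate) for cls in required):
            return candidate


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random string; only meaningful for generated passwords."""
    return length * math.log2(alphabet_size)


def meets_naive_policy(password: str) -> bool:
    """Length plus one-of-each-class. Catches short passwords, but NOT word- or
    pattern-based ones, so it must never be read as 'this password is strong'."""
    return (len(password) >= MIN_LENGTH
            and all(any(ch in cls for ch in password) for cls in CLASSES))


if __name__ == "__main__":
    pw = generate_password(20)
    print(pw, f"~{entropy_bits(len(pw), len(CHARSET)):.0f} bits")
    for sample in ("Password123!", "MyDog'sName2024!", "Tr0ub4dor&3"):
        # Constructed examples from the article: the policy passes one of them.
        print(sample, "passes naive policy:", meets_naive_policy(sample))
```

A 20-character draw from this alphabet carries about 131 bits, far beyond what any guessing attack can cover, and the manager stores it so the user never needs to memorise it.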


Device Security

Your devices are the gateway to your accounts. Compromised devices mean compromised accounts.

Keep Software Updated

Operating system and application updates frequently include security patches. Delaying updates leaves known vulnerabilities open. Enable automatic updates where possible.

Use Reputable Security Software

Antivirus and anti-malware software provides a layer of protection against known threats. Modern operating systems include built-in protection (Windows Defender, macOS security features) that is generally sufficient for most users.

Be Cautious with Public Networks

Public Wi-Fi networks (cafes, airports, hotels) can be monitored or spoofed. Avoid accessing financial accounts on public networks. If necessary, use a reputable VPN to encrypt your connection.

Lock Your Devices

Enable screen locks with PINs, passwords, or biometrics. Configure devices to lock automatically after brief inactivity. Encrypted storage protects data if a device is lost or stolen.

Separate Devices (Optional but Effective)

Some investors use a dedicated device for financial activities only. This device is not used for casual browsing, social media, or other activities that increase exposure to malware and phishing. This is a high-friction approach but significantly reduces attack surface.


Phishing Awareness

Phishing is the most common way attackers obtain credentials. Recognising and avoiding phishing attempts is essential.

How Phishing Works

Attackers create convincing imitations of legitimate communications. An email that appears to be from your broker links to a website that looks identical to the real login page. You enter your credentials, and they are captured.

Modern phishing is sophisticated. Emails may use your real name, reference real transactions, and include legitimate-looking logos and formatting. The differences are often subtle.

Red Flags

  • Unexpected requests. Your broker asking you to "verify your account" or "confirm your details" without context.
  • Urgency. "Your account will be suspended unless you act immediately."
  • Suspicious sender addresses. The display name might say "CommBank" but the email address is support@commbank-verify.com (not a legitimate domain).
  • Unusual links. Hover over links before clicking. Does the URL match the legitimate site exactly?
  • Attachments. Unexpected attachments, especially executables or documents with macros.

Safe Practices

  • Never click links in emails to access financial accounts. Instead, navigate directly to the site by typing the URL or using a bookmark.
  • Verify requests independently. If you receive an email asking you to do something, call the institution using a phone number from their official website (not from the email).
  • Check URLs carefully. Before entering credentials, verify the URL is correct and uses HTTPS.
  • Report phishing attempts. Forward suspicious emails to the institution being impersonated and delete them.
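The red flags and safe practices above can be turned into a mechanical check. What follows is an added example (not code from the article or from any institution) that parses a constructed email, compares the sender and every link against an allowlist of domains the reader knows to be genuine, flags lookalike domains, non-HTTPS links, links whose visible text shows a different host than their target, and urgency language. The allowlist entry `commbank.com.au` is an assumption for the example; the suspicious address `support@commbank-verify.com` is the one the article uses.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumed allowlist: replace with the domains printed on your institution's official site.
TRUSTED_DOMAINS = {"commbank.com.au"}
URGENCY_WORDS = ("immediately", "suspended", "within 24 hours", "verify your account")
HREF_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.IGNORECASE | re.DOTALL)

# Constructed sample messages modelled on the article's red flags; not real mail.
PHISHING_EMAIL = """\
From: CommBank <support@commbank-verify.com>
To: investor@example.net
Subject: Action required: verify your account
Content-Type: text/html

<p>Your account will be suspended unless you act immediately.</p>
<p><a href="http://commbank-verify.com/login">https://www.commbank.com.au/login</a></p>
"""

CLEAN_EMAIL = """\
From: CommBank <noreply@commbank.com.au>
To: investor@example.net
Subject: Your statement is ready
Content-Type: text/html

<p>Your monthly statement is available. <a href="https://www.commbank.com.au/netbank">Log on</a> from our site.</p>
"""


def is_trusted(host: str) -> bool:
    """Exact match or subdomain of an allowlisted registrable domain."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)


def looks_alike(host: str) -> bool:
    """Host borrows a trusted brand label (e.g. 'commbank') but is not the trusted domain."""
    host = host.lower()
    return any(d.split(".")[0] in host for d in TRUSTED_DOMAINS) and not is_trusted(host)


def check_email(raw: str) -> list:
    """Return (finding, evidence) pairs; an empty list means no red flag fired."""
    msg = message_from_string(raw)
    findings = []

    _display, address = parseaddr(msg.get("From", ""))
    sender_domain = address.rpartition("@")[2]
    if not is_trusted(sender_domain):
        findings.append(("untrusted-sender", address))
    if looks_alike(sender_domain):
        findings.append(("lookalike-sender-domain", sender_domain))

    parts = msg.get_payload() if msg.is_multipart() else [msg]
    body = "".join(p.get_payload() for p in parts if isinstance(p.get_payload(), str))

    text = (msg.get("Subject", "") + " " + body).lower()
    findings.extend(("urgency", w) for w in URGENCY_WORDS if w in text)

    for href, anchor_text in HREF_RE.findall(body):
        target = urlparse(href)
        host = target.hostname or ""
        if target.scheme != "https":
            findings.append(("not-https", href))
        if not is_trusted(host):
            findings.append(("untrusted-link", href))
        if looks_alike(host):
            findings.append(("lookalike-link-domain", host))
        shown = urlparse(anchor_text.strip())   # the URL the reader *sees*
        if shown.hostname and shown.hostname.lower() != host.lower():
            findings.append(("link-text-mismatch", href))
    return findings


if __name__ == "__main__":
    for name, raw in (("phishing", PHISHING_EMAIL), ("clean", CLEAN_EMAIL)):
        print(name, check_email(raw))
```

The decisive rule is still the one in the list above: the checker only tells you not to click; the safe action is to open the institution's site from a bookmark regardless of what the email says.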

Spear Phishing

Targeted attacks use information about you specifically. An email that references your actual broker, recent trades, or account balance is more convincing. This information may come from data breaches, social media, or prior interactions.

The more valuable the target, the more sophisticated the attack. Treat personalised communications with increased, not decreased, scepticism.


SIM Swap Protection

SIM swapping exploits weaknesses in mobile carrier security. Protecting against it requires action with your carrier.

What to Do

  • Set a PIN or password with your carrier. Most carriers allow you to require a PIN for account changes. This makes it harder for attackers to impersonate you.
  • Ask about SIM swap protection. Some carriers offer enhanced verification or alerts for SIM changes.
  • Consider porting your number to a carrier with better security. Security practices vary; research your carrier's track record.
  • Minimise reliance on SMS-based 2FA. Where possible, use authenticator apps or hardware keys instead.

Signs of a SIM Swap in Progress

  • Your phone suddenly loses service in an area where it normally works.
  • You receive notifications about account changes you did not request.
  • You cannot send or receive calls or texts.

If you suspect a SIM swap, contact your carrier immediately and monitor your financial accounts.


Monitoring and Alerts

Detection is the second line of defence. If prevention fails, you want to know quickly.

Enable Account Alerts

Configure your broker and bank to send notifications for:

  • Logins from new devices or locations
  • Password or email changes
  • New payee or bank account additions
  • Transactions above a certain threshold
  • Any withdrawal or transfer

Review these alerts promptly. A notification you did not expect may indicate compromise.
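To show what the alert list above catches, and how the account-takeover sequence from the Threat Landscape section (change contact details, add a payee, transfer out) stands out when events are correlated rather than read one at a time, here is an added example that is not code from the article or from any broker. It runs two passes over a constructed activity log: per-event alerts matching the bullet list, and a correlation rule that fires when a withdrawal goes to a payee added within 24 hours of a contact-detail change. The device list, home country and threshold are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Event:
    time: datetime
    kind: str      # "login", "contact_change", "new_payee", "withdrawal"
    detail: dict


# Assumed per-account settings.
KNOWN_DEVICES = {"known-laptop"}
HOME_COUNTRY = "AU"
LARGE_AMOUNT = 10_000
TAKEOVER_WINDOW = timedelta(hours=24)

# Constructed sample log: routine activity on 1 May, then a takeover pattern on 3 May.
SAMPLE_EVENTS = [
    Event(datetime(2024, 5, 1, 9, 0), "login", {"device": "known-laptop", "country": "AU"}),
    Event(datetime(2024, 5, 1, 9, 5), "withdrawal", {"amount": 500, "payee": "savings"}),
    Event(datetime(2024, 5, 3, 2, 10), "login", {"device": "unknown-phone", "country": "RO"}),
    Event(datetime(2024, 5, 3, 2, 12), "contact_change", {"field": "email"}),
    Event(datetime(2024, 5, 3, 2, 20), "new_payee", {"payee": "acct-998877"}),
    Event(datetime(2024, 5, 3, 2, 35), "withdrawal", {"amount": 45_000, "payee": "acct-998877"}),
]


def per_event_alerts(events):
    """One alert per matching event, mirroring the notification list in the article."""
    alerts = []
    for e in events:
        if e.kind == "login" and (e.detail["device"] not in KNOWN_DEVICES
                                  or e.detail["country"] != HOME_COUNTRY):
            alerts.append((e.time, "new-device-or-location-login"))
        elif e.kind == "contact_change":
            alerts.append((e.time, "contact-details-changed"))
        elif e.kind == "new_payee":
            alerts.append((e.time, "new-payee-added"))
        elif e.kind == "withdrawal":
            alerts.append((e.time, "withdrawal"))          # every transfer out
            if e.detail["amount"] >= LARGE_AMOUNT:
                alerts.append((e.time, "large-withdrawal"))  # above threshold
    return alerts


def takeover_sequences(events):
    """Withdrawal to a payee that was added after a contact change, all inside the window."""
    events = sorted(events, key=lambda e: e.time)
    hits = []
    for i, w in enumerate(events):
        if w.kind != "withdrawal":
            continue
        recent = [e for e in events[:i] if w.time - e.time <= TAKEOVER_WINDOW]
        added = [e for e in recent
                 if e.kind == "new_payee" and e.detail["payee"] == w.detail["payee"]]
        if not added:
            continue
        first_added = min(added, key=lambda e: e.time)
        if any(e.kind == "contact_change" and e.time <= first_added.time for e in recent):
            hits.append((w.time, w.detail["payee"], w.detail["amount"]))
    return hits


if __name__ == "__main__":
    for when, what in per_event_alerts(SAMPLE_EVENTS):
        print(when, what)
    for when, payee, amount in takeover_sequences(SAMPLE_EVENTS):
        print(when, f"possible account takeover: {amount} to new payee {payee}")
```

The first pass is what a broker's notification settings give you; the second is the question to ask yourself when several such alerts arrive close together, since the ordering itself is the signature of a takeover.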

Regular Review

Periodically review your account activity, linked bank accounts, and security settings. Look for anything unfamiliar.

Credit Monitoring (Optional)

In Australia, you can place a credit ban with credit reporting agencies, preventing new credit applications in your name. This is useful if you are concerned about identity theft extending beyond investment accounts.²


If Something Goes Wrong

Despite all precautions, incidents happen. Knowing what to do reduces damage.

Immediate Steps

  1. Change passwords immediately for the affected account and any accounts using similar credentials.
  2. Enable or strengthen 2FA if not already active.
  3. Contact the institution to report the incident, freeze the account, and reverse unauthorised transactions where possible.
  4. Check other accounts for signs of compromise, especially accounts linked to the same email or phone.

Reporting

  • Report to the institution directly.
  • Report to ASIC if the incident involves market manipulation or licensed entities.³
  • Report to the Australian Cyber Security Centre (ACSC) for cyber incidents.
  • Report to police for significant financial crimes.

Documentation

Keep records of everything: dates, communications, screenshots, reference numbers. These are essential if you need to pursue recovery or make insurance claims.


Summary

Investment accounts are high-value targets for attackers using credential theft, account takeover, and SIM swapping. Two-factor authentication is essential; authenticator apps or hardware keys are preferable to SMS. Password managers enable strong, unique passwords for every account. Device security includes keeping software updated, avoiding public networks for financial activities, and locking devices. Phishing awareness requires treating unexpected communications with scepticism and never clicking links to access financial accounts. SIM swap protection involves setting carrier PINs and minimising SMS-based 2FA. Account alerts provide early warning of suspicious activity. If compromise occurs, act immediately: change credentials, contact institutions, and report to relevant authorities. Security is not a one-time setup; it is an ongoing practice.


Sources

  1. Federal Bureau of Investigation. (2022). SIM swapping. https://www.ic3.gov/Media/Y2022/PSA220208
  2. Office of the Australian Information Commissioner. (2024). Credit reporting. https://www.oaic.gov.au/privacy/credit-reporting
  3. ASIC. (2024). Report misconduct to ASIC. https://asic.gov.au/about-asic/contact-us/how-to-complain/report-misconduct-to-asic/
  4. Australian Cyber Security Centre. (2024). Report a cybercrime. https://www.cyber.gov.au/report-and-recover/report

Illuminvest provides general educational information only and does not provide personal financial advice. The content on this site is not intended to be a substitute for professional financial advice.