Stopping The Stock Steal

Stopping The Stock Steal

Over the weekend, John, an attorney emailed me with a distressing question, “How can someone steal stocks from your portfolio? What protections do we have in place?”

The question emanated from a New York Times article (https://www.nytimes.com/2025/10/03/your-money/ira-vanguard-merrill-acats-fraud.html) dealing with ACAT fraud.

ACAT (Automated Customer Account Transfer) fraud is a clever form of identify theft. It begins with a perpetrator gathering enough information on you to open a new account, pretending to be you.

Once they have enough information, they start opening accounts at other firms.

In this case, the victim had a Vanguard IRA. But the perpetrator opened an account with the same name, tax ID number and birthdate at Merril Lynch. Once the second account was opened, they processed an ACAT transfer. Typically, they try to insert a different mailing address, email or phone number once the new fake account is established.

More interestingly, the criminal knew exactly what securities were in the victim’s portfolio. As such, they knew exactly what to transfer.

In the expedited electronic world we live in, ACAT transfers take place in under a week. As such, if a criminal knows you will be out of the country or on vacation, this is the perfect time to strike.

Fortunately, the victim was proactive. And Merril and Vanguard realized something was wrong and reversed the transfer. However, this was only after $120,000 in securities had been fraudulently transferred.

We have seen an increase in this type of fraud recently. Given this, how can the average investor protect themselves from a similar disaster?

  1. Whether dealing with one share of stock or an entire account, ask your broker what their procedures are for notifying you of an asset transfer. Some firms are very proactive, while others seem to get lost in the shuffle. Only keep your assets with a firm that will notify you of any asset transfer.
  2. Utilize Two-Factor authentication. Although a bit of a pain, this type of verification is necessary in today’s world. This uses two different types of independent verification to access an account. Often, this means inputting a username and password, but also requires a physical object you possess such as smart phone or hardware key to produce a random code that can only be used once and for a limited time.
  3. Account Lock Down. If desired, implement an account lockdown. Be careful as it does exactly what it says. It locks your account down completely. This limits your ability to do Roth Conversions, donate securities to charity, move money, etc.
  4. Freezing your credit prevents unauthorized account openings.
  5. Protect passwords using unique passwords for all sensitive accounts. Although this is commonsense, “123456” and “password” remain popular, yet dangerous passwords.
  6. Enable biometric security features like fingerprint or facial recognition.
  7. Don’t click on suspicious links. I know you’ve heard this a million times.
  8. Verbally verify disbursement instructions, especially when receiving requests via email.
  9. Regularly review account activity.
  10. Stay informed about the latest scam tactics.
  11. Ask your broker what insurance they have for your assets in the event of fraud or bankruptcy.
  12. Consider a Virtual Private Network (VPN) service for your phone. At a minimum, stay off unsecured free Wi-Fi such as at hotels, airports, and other common spots.

In thinking through this, a couple of observations are worth making.

Finding someone’s email, home address, date of birth and driver’s license number are quite easy to obtain. Getting a social security number is harder, but not impossible. As such, be very careful with this.

Opening a bank or brokerage account with a competent firm should be pretty difficult. However, many of the least experienced staff members start in the “new accounts” department. New accounts personnel are under pressure to open accounts as quickly as possible. Criminals prey upon this lack of experience and demand for speed.

My guess is the victim in question was not running proper cyber security on their email and account logins weren’t properly secured. Most likely, their statements with full holdings came to their hacked email.

If the victim was getting paper statements, they could be stolen from your mailbox. Other times account holders just toss them in the trash. Obviously, neither is wise. Make sure mail is delivered to a secure location.

Dave Sather is a Certified Financial Planner and the CEO of the Sather Financial Group, a fee-only strategic planning and investment management firm.

Print Friendly, PDF & Email