Brokerage account hacked — 7-step emergency checklist 2026
You got an SMS "Login from Russia successful"? Suspicious trades in your account? A weird email from "your broker"? Take a breath and act systematically. This checklist walks through the first 30 minutes, what must be reported (broker, FTC/BaFin, police, credit bureaus) and your rights against the broker. At regulated brokers the broker or bank carries the loss in most cases, provided you act fast and document every step.
First 30 minutes — the 7 mandatory steps
- Lock the account immediately. Schwab/Fidelity/Vanguard: call the security hotline (numbers below; take the number from the broker's own website, not from the suspicious message). Trade Republic / Scalable: in-app account freeze. An account lock stops all further trades and withdrawals.
- Lock linked bank accounts. If the attacker has access to the linked checking account, withdrawals can be triggered from there as well. Call your bank's fraud line.
- Reset password and 2FA from a clean device, not the phone or computer that may be compromised. Use a new, unique password and enrol 2FA afresh; remove any 2FA methods, trusted devices or recovery addresses you do not recognise.
- Screenshot all suspicious activity: login history, unauthorized trades, statements, and the phishing email or SMS including sender and link. Capture what you can while you still have access and keep the files unmodified; they are the evidence for the broker's reimbursement decision and for any insurance claim. If the freeze locks you out of the web interface, ask the broker's security team in writing for its own login records.
- Police report. File with your local police or, in the US, an FBI IC3 complaint (ic3.gov). Brokers and insurers usually ask for the report or complaint number in the reimbursement claim.
- Broker claim. Send a written, dated complaint to broker support, subject "Suspected unauthorized account use". Include the police reference, screenshots and a timeline, and request an immediate freeze and reimbursement. Put it in writing: the reporting deadlines in the FAQ run from the day you learned of the incident.
- Regulator filing. US: FTC at reportfraud.ftc.gov and the SEC at sec.gov/tcr. EU: BaFin at meldepflicht-online.bafin.de. This creates an official record that helps in a dispute with the broker and feeds enforcement statistics.
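The evidence you collect in the steps above is only worth something if you can later show it was not altered between capture and the claim. The following added example (not from the page's author or any broker) hashes every file in an evidence folder into a manifest and re-verifies the set; the file names and contents in demo() are constructed for the example.

```python
"""Evidence manifest for an account-compromise case (added example, not a broker tool).

Hashes every file in an evidence folder (screenshots, statement PDFs, saved
e-mails/SMS) into MANIFEST.json with size, SHA-256 and the UTC time it was
logged, and re-verifies the set later. The file names and contents in demo()
are constructed for this example.
"""
import hashlib
import json
import tempfile
from datetime import datetime, timezone
from pathlib import Path

MANIFEST_NAME = "MANIFEST.json"


def sha256_file(path: Path) -> str:
    """Stream the file so large PDFs do not have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(evidence_dir: Path, case_note: str) -> dict:
    """One entry per file, sorted by path so two runs over the same set compare equal."""
    entries = []
    for p in sorted(evidence_dir.rglob("*")):
        if p.is_file() and p.name != MANIFEST_NAME:
            entries.append({
                "file": p.relative_to(evidence_dir).as_posix(),
                "bytes": p.stat().st_size,
                "sha256": sha256_file(p),
            })
    return {
        "case_note": case_note,
        "logged_at_utc": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "files": entries,
    }


def write_manifest(evidence_dir: Path, case_note: str) -> Path:
    out = evidence_dir / MANIFEST_NAME
    out.write_text(json.dumps(build_manifest(evidence_dir, case_note), indent=2))
    return out


def verify_manifest(evidence_dir: Path) -> list[str]:
    """Names of files that are missing or whose size/hash changed; [] means intact.
    Files added after the manifest was written are reported too."""
    manifest = json.loads((evidence_dir / MANIFEST_NAME).read_text())
    problems = []
    listed = set()
    for entry in manifest["files"]:
        listed.add(entry["file"])
        p = evidence_dir / entry["file"]
        if not p.is_file() or p.stat().st_size != entry["bytes"] or sha256_file(p) != entry["sha256"]:
            problems.append(entry["file"])
    for p in evidence_dir.rglob("*"):
        rel = p.relative_to(evidence_dir).as_posix()
        if p.is_file() and p.name != MANIFEST_NAME and rel not in listed:
            problems.append(rel + " (not in manifest)")
    return sorted(problems)


def demo() -> tuple[list[str], list[str]]:
    """Constructed evidence set: verify while intact, then after one file is edited."""
    with tempfile.TemporaryDirectory() as d:
        ev = Path(d)
        (ev / "login_history.png").write_bytes(b"\x89PNG constructed screenshot bytes")
        (ev / "statement_2026-03.pdf").write_bytes(b"%PDF-1.4 constructed statement")
        (ev / "phish_sms.txt").write_text("Login from Russia successful. Verify now.\n")
        write_manifest(ev, "Unauthorized access, reported to broker and police")
        intact = verify_manifest(ev)
        (ev / "phish_sms.txt").write_text("edited after the fact\n")
        tampered = verify_manifest(ev)
    return intact, tampered


if __name__ == "__main__":
    print(demo())  # ([], ['phish_sms.txt'])
```

Send the manifest (or just its hashes) along with the written claim; the broker or insurer can then confirm that the screenshots it receives weeks later are the ones you captured on day one.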
On liability: the US Electronic Fund Transfer Act / Regulation E covers electronic transfers out of a consumer account (for example an unauthorized ACH withdrawal of your cash balance) but expressly excludes securities transactions, so unauthorized trades fall under the broker's own published customer-protection guarantee (Schwab and Fidelity each have one) and the SEC/FINRA complaint process rather than Reg E. In Germany (implementing the EU payment-services rules) § 675u BGB makes the payment service provider liable for unauthorized payment transactions, and § 675v BGB shifts the loss to the customer only for intent or gross negligence. Under all of these regimes your own conduct matters: a password on a sticky note, knowingly entering credentials on a phishing page, or reading a 2FA code to a fake "support agent" on the phone can be treated as gross negligence and void the reimbursement. Absent that, and with prompt reporting, the broker pays.
Security hotlines — major brokers (verify any number on the broker's own website or the back of your card before dialling; a number printed in a suspicious SMS or email may belong to the attacker)
| Broker | Security/fraud hotline | 24/7 |
|---|---|---|
| Charles Schwab | 1-888-3-SCHWAB | ✓ |
| Fidelity | 1-800-544-6666 | ✓ |
| Vanguard | 1-800-662-2739 | ✓ |
| Interactive Brokers | 1-877-442-2757 | ✓ |
| E*TRADE | 1-800-387-2331 | ✓ |
| Robinhood | chat in app (no phone) | chat 24/7 |
| Trade Republic (EU) | chat in app (no phone) | chat 24/7 |
| German card-block hotline (Sperr-Notruf) | 116 116 (from abroad: +49 116 116) | ✓ |
Top hack vectors 2026
- Phishing emails / SMS ("your account will be locked, click here") are by far the most common vector. Sender names and phone numbers are easy to spoof, so an SMS can show the broker's name and a correct-looking number; the only reliable check is the real domain behind the link, and the safest habit is never to follow links from messages at all but to open the app or type the URL yourself.
- SIM swapping: the attacker convinces your mobile carrier (by phone, or through a bribed store employee) to issue a new SIM or port your number, then receives your SMS 2FA codes. Defence: set a port-out/account PIN with the carrier and move 2FA off SMS wherever the broker allows it.
- Browser malware: a trojan on your computer rewrites what the banking page shows and what gets submitted (man-in-the-browser), so you see the trade you intended while a different one is sent. Defence: keep OS and browser patched, use the official app, run reputable endpoint protection, and never bank from a machine you suspect is infected.
- Rogue public WiFi. Banking sites use HTTPS, so a passive listener on the café network does not see your password; the realistic attack is an evil-twin hotspot whose "welcome page" is a fake login. Defence: prefer mobile data for banking, use the app rather than the browser, and never enter credentials on a page a network sign-in screen sent you to. A VPN hides your traffic from the local network but does not stop you from typing credentials into a phishing page.
- Recovery email takeover: an attacker who controls your mailbox requests a password reset at the broker and reads the reset link. Defence: a separate email used only for banking, with its own strong password and 2FA, and check which recovery addresses and phone numbers the broker has on file.
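For the phishing vector above, the question is always whether the link really lands on the broker's domain. The following added example (hypothetical checker, not any broker's code) triages a link the way a practitioner would: registrable domain against an allow-list, brand names hiding under another domain, look-alike spellings, punycode hosts, and the `user@host` trick. TRUSTED_DOMAINS and SAMPLE_SMS are assumptions constructed for the example; build your own allow-list from the address bar of the real site, never from a message.

```python
"""Phishing-link triage for "your account will be locked" messages
(added example; hypothetical checker, not any broker's code).

Given a link from an SMS or e-mail, decide whether it really lands on a
broker domain you trust. TRUSTED_DOMAINS is an assumed allow-list for the
example: build yours from the address bar of the real site, never from the
message. SAMPLE_SMS is a constructed message.
"""
import re
from urllib.parse import urlsplit

TRUSTED_DOMAINS = {"schwab.com", "fidelity.com", "vanguard.com", "traderepublic.com"}

# Character swaps that make a fake label read like the brand (schvvab, fide1ity, rn for m).
LOOKALIKE_SWAPS = (("vv", "w"), ("rn", "m"), ("0", "o"), ("1", "l"), ("3", "e"),
                   ("5", "s"), ("7", "t"), ("8", "b"), ("-", ""))

URL_RE = re.compile(r"(?:https?://|www\.)[^\s<>\"']+", re.I)

SAMPLE_SMS = ("Schwab: Login from Russia successful. Not you? Verify at "
              "https://schwab.com.secure-login.xyz/verify within 24h or your account will be locked.")


def registrable_domain(host: str) -> str:
    """Last two labels. Good enough for the .com names above; production code
    should use the Public Suffix List so that 'example.co.uk' is handled."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def normalize_lookalike(label: str) -> str:
    for fake, real in LOOKALIKE_SWAPS:
        label = label.replace(fake, real)
    return label


def triage(url: str) -> list[str]:
    """Red flags for one link; an empty list means an https link on a trusted domain."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = (parts.hostname or "").lower()
    if not host:
        return ["no host in link"]
    flags = []
    if parts.scheme != "https":
        flags.append("not https")
    if "@" in parts.netloc:
        flags.append("userinfo before '@' hides the real host")  # https://schwab.com@evil.example
    if any(label.startswith("xn--") for label in host.split(".")):
        flags.append("punycode host (possible unicode look-alike)")
    reg = registrable_domain(host)
    if reg in TRUSTED_DOMAINS:
        return flags
    flags.append(f"registrable domain is {reg!r}, not a trusted broker domain")
    for trusted in TRUSTED_DOMAINS:
        brand = trusted.split(".")[0]
        if brand in host:                                      # schwab.com.secure-login.xyz
            flags.append(f"brand '{brand}' appears under another domain")
            break
        if normalize_lookalike(reg.split(".")[0]) == brand:    # schvvab.com, fide1ity.com
            flags.append(f"look-alike of '{brand}' ({reg})")
            break
    return flags


def scan_message(text: str) -> dict[str, list[str]]:
    """Every link in a message with its red flags."""
    return {u.rstrip(".,);"): triage(u.rstrip(".,);")) for u in URL_RE.findall(text)}


if __name__ == "__main__":
    for link, flags in scan_message(SAMPLE_SMS).items():
        print(link, "->", flags or ["looks like the real site"])
```

The registrable-domain check is the one that matters: `schwab.com.secure-login.xyz` contains the brand twice and still belongs to `secure-login.xyz`. The other checks only add confidence; a link that passes all of them is still best opened by typing the address yourself.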
Pros & cons of "moving brokers" after a hack
Reasons to stay:
- Cost basis and tax-loss carryforward stay intact
- No new tax events (no forced sale)
- The broker now has an open case on your account and typically applies extra scrutiny to it
- Saves the transfer overhead (5–15 working days during which the positions are frozen)
Reasons to move:
- Trust is irreparably damaged
- Repeated security incidents at the same broker
- Very large balances (above $500k), to diversify across brokers
- The new broker offers stronger 2FA (e.g. FIDO2 hardware security keys) and the current one does not
Future prevention
- Phishing-resistant 2FA: a FIDO2/WebAuthn security key (YubiKey, SoloKeys) or a passkey. SMS 2FA falls to SIM swapping and to real-time phishing; authenticator-app codes resist SIM swapping but can still be phished; FIDO2 binds the response to the site's origin, so a login completed on a look-alike domain yields nothing the attacker can replay. Check which methods your broker actually supports, since many still offer only SMS or app codes. Treat a hardware key as mandatory above roughly $50k in account balance.
- Separate email address used only for banking, never for newsletters, shopping or social media, so it does not turn up in breach dumps and phishing lists. Enable 2FA on that mailbox as well.
- PIN at your mobile carrier. Free, and it blocks most SIM-swap and port-out attempts (it cannot stop a bribed or socially engineered carrier employee, which is why 2FA should not depend on SMS). Call AT&T, Verizon or T-Mobile and set the "account PIN" or "port-out PIN" (the name varies per carrier).
- Password manager (1Password, Bitwarden): a unique, long, random password per account, never memorised or reused. A manager that autofills only on the matching domain doubles as a phishing check.
- Quarterly login audit of every financial account: login history (new countries, new devices, odd hours), linked devices, authorized apps and API keys, recovery addresses and phone numbers. Remove anything you do not recognise and report it.
- Multi-broker strategy above $500k: split 50/50 across two reputable brokers, so a compromise of one account exposes only half.
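The quarterly login audit above is worth automating against the login-history export most brokers offer. The following added example (not from the page's author or any broker; the CSV layout is a hypothetical one, and the rows in SAMPLE_EXPORT are constructed) runs the four checks a practitioner would: a success from a country never seen before, a device never seen before, impossible travel between two successes, and a burst of failures right before a success. Country centroids stand in for real IP geolocation.

```python
"""Quarterly login-history audit (added example; hypothetical export format).

Brokers export login history in different layouts, so SAMPLE_EXPORT below is a
constructed CSV. The checks are the ones worth running on every financial
account: a success from a country never seen before, a device never seen
before, two successes too far apart to be the same person (impossible travel),
and a burst of failures right before a success (password guessing or 2FA
prompt-bombing). Country centroids are an assumption standing in for real
IP geolocation.
"""
import csv
import io
import math
from datetime import datetime, timedelta

SAMPLE_EXPORT = """timestamp,country,device_id,result
2026-02-03T08:12:00,DE,iphone-a1b2,success
2026-02-17T19:40:00,DE,macbook-9f3e,success
2026-03-02T07:55:00,DE,iphone-a1b2,success
2026-03-09T21:14:00,DE,macbook-9f3e,success
2026-03-09T22:20:00,RU,win-unknown-7c,failure
2026-03-09T22:21:00,RU,win-unknown-7c,failure
2026-03-09T22:21:30,RU,win-unknown-7c,failure
2026-03-09T22:22:00,RU,win-unknown-7c,failure
2026-03-09T22:23:00,RU,win-unknown-7c,success
2026-03-10T08:05:00,DE,iphone-a1b2,success
"""

COUNTRY_CENTROID = {"DE": (51.2, 10.4), "RU": (55.8, 37.6), "US": (39.8, -98.6)}
MAX_PLAUSIBLE_KMH = 900.0        # roughly airliner cruise speed
FAILURE_BURST = 3                # this many failures within BURST_WINDOW before a success
BURST_WINDOW = timedelta(minutes=10)


def parse_export(text: str) -> list[dict]:
    rows = []
    for rec in csv.DictReader(io.StringIO(text)):
        rec["ts"] = datetime.fromisoformat(rec["timestamp"])
        rows.append(rec)
    return sorted(rows, key=lambda r: r["ts"])


def haversine_km(a: tuple, b: tuple) -> float:
    """Great-circle distance between two (lat, lon) points given in degrees."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * 6371.0 * math.asin(math.sqrt(h))


def baseline(rows: list[dict], until_iso: str) -> tuple[set, set]:
    """Countries and devices seen in successful logins before the audit window."""
    until = datetime.fromisoformat(until_iso)
    ok = [r for r in rows if r["result"] == "success" and r["ts"] < until]
    return {r["country"] for r in ok}, {r["device_id"] for r in ok}


def audit(rows: list[dict], known_countries: set, known_devices: set) -> list[tuple[str, str, str]]:
    """(timestamp, finding, detail) for every success that deserves a look."""
    findings = []
    successes = [r for r in rows if r["result"] == "success"]
    for r in successes:
        when = r["ts"].isoformat()
        if r["country"] not in known_countries:
            findings.append((when, "new country", r["country"]))
        if r["device_id"] not in known_devices:
            findings.append((when, "new device", r["device_id"]))
    for prev, cur in zip(successes, successes[1:]):
        a, b = COUNTRY_CENTROID.get(prev["country"]), COUNTRY_CENTROID.get(cur["country"])
        if prev["country"] == cur["country"] or a is None or b is None:
            continue
        km = haversine_km(a, b)
        hours = (cur["ts"] - prev["ts"]).total_seconds() / 3600
        if hours <= 0 or km / hours > MAX_PLAUSIBLE_KMH:
            findings.append((cur["ts"].isoformat(), "impossible travel",
                             f"{prev['country']}->{cur['country']}, {km:.0f} km in {hours:.1f} h"))
    recent_failures = []
    for r in rows:
        if r["result"] != "success":
            recent_failures.append(r["ts"])
            continue
        in_window = [t for t in recent_failures if r["ts"] - t <= BURST_WINDOW]
        if len(in_window) >= FAILURE_BURST:
            findings.append((r["ts"].isoformat(), "failure burst",
                             f"{len(in_window)} failed attempts in the {BURST_WINDOW} before this success"))
        recent_failures = []
    return sorted(findings)


if __name__ == "__main__":
    rows = parse_export(SAMPLE_EXPORT)
    countries, devices = baseline(rows, "2026-03-09T00:00:00")
    for when, kind, detail in audit(rows, countries, devices):
        print(when, kind, detail)
```

On the constructed data every finding lands on the same 22:23 success from RU: new country, new device, roughly 1,860 km in just over an hour after a German login, and four failed attempts in the preceding minutes. Any one of these on a real export is the "odd login" at which you freeze first and ask questions later.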
FAQ
Will I really get my money back?
In most cases yes, provided you report quickly and were not grossly negligent. US: Regulation E (Electronic Fund Transfer Act) limits your liability for unauthorized electronic transfers, such as an ACH withdrawal of your cash, to $50 if you report within 2 business days of learning of the compromise, up to $500 if later but within 60 days of the statement showing the transfer, and potentially the full amount for transfers after that; securities trades are excluded from Reg E, so reimbursement of unauthorized trades rests on the broker's published customer-protection guarantee. Germany: § 675u BGB covers unauthorized payment transactions. In every case: police report plus a written, dated claim to the broker within the deadlines. Reality check: large brokers (Schwab, Fidelity, Vanguard) typically pay out within 2–8 weeks; at app-only brokers such as Robinhood the timing is more variable.
What is "gross negligence" in a hack?
Examples: a password on a sticky note next to the computer; reading a 2FA code to a fake "support agent" on the phone; knowingly entering credentials on a phishing page. Using the banking app on a rooted or jailbroken device may be argued as one too, depending on the broker's terms. In Germany the payment service provider has to prove gross negligence (§ 675w BGB); in the US the broker's own guarantee spells out what it can refuse. If the broker cannot show negligence, it pays in full.
What about losses from crypto-exchange hacks?
A worse position. Crypto held on an exchange (Coinbase, Binance, Kraken) is not a segregated security and has no SIPC coverage, so after a compromise recovery depends on the exchange's own policy: Coinbase has reimbursed in some cases (it carries insurance), Binance is variable. For a hardware wallet there is nobody to claim against; if the seed phrase leaks, the loss is yours.
Should I also notify credit bureaus?
Yes. US: place a fraud alert with one of the three credit bureaus (Equifax, Experian, TransUnion; the one you contact notifies the other two). It is free and lasts one year. If the attacker has your personal data, place a credit freeze (also free) at all three. Germany: request the free data copy from Schufa (meineschufa.de) and check it for accounts or enquiries you did not initiate.
Is this more likely at neo-brokers than at full banks?
Not measurable statistically. Neo-brokers (Trade Republic, Robinhood) are app-first and have historically leaned on SMS or app-based verification, which makes SIM swapping and phishing the critical risks. Full-service brokers (Schwab, Fidelity) offer additional options such as push confirmation, hardware security keys and voice verification. For large balances a broker that supports FIDO2 hardware keys is the more robust choice; whichever you pick, check its 2FA options before you fund the account.
How do I prevent it best?
Five layers: (1) a FIDO2 hardware key (YubiKey 5C, about $55) instead of SMS 2FA; (2) a separate banking-only email with its own strong password and 2FA; (3) a PIN at the mobile carrier; (4) a multi-broker strategy above $500k; (5) the trust-the-anomaly principle: on any odd login notification, freeze first and ask questions later.
Broker security, multi-broker strategy, insolvency protection
After being hacked once, you know: security isn’t a luxury. The BMI broker compare shows which brokers offer hardware 2FA and what protection mechanisms exist.
- Best recurring-investment broker — security and 2FA of top brokers
- Broker bankruptcy guide — how segregated-asset protection works
- Stock search — rebuild after damage
- Tax optimizer — loss-offset for forced-sold stocks