Updated Alert: Steps for Identity Theft and Data Breach Victims

April 23, 2026 In accordance with the President’s Executive Order on Combating Cybercrime, Fraud, and Predatory Schemes Against American Citizens dated March 6, 2026, the SEC’s Office of Investor Education and Assistance is issuing this Updated Investor Alert to provide investors with important steps to take regarding their investment accounts if they become victims of identity theft or a data breach.  Investors should always take steps to safeguard their personal financial information (e.g., Social Security number, financial account numbers, phone number, e-mail address, or usernames and passwords for online financial accounts).

Fraudsters may trick investors into giving access to their investment accounts. For example, fraudsters may purchase online ads for well-known investment professionals/firms and direct investors to imposter websites that the fraudsters control – when an investor tries to login, fraudsters steal their login credentials (e.g., user name, password, multi-factor authentication code, or one-time passcode). Fraudsters then use the login credentials to access the investor’s account on the real website for the investment professional/firm. In some cases, fraudsters pose as law enforcement or offer to deposit recovered funds, tricking investors who have already been victims of scams into providing their account information, threatening victims with prosecution unless they pay a fine, or fraudulently offering to help victims recover lost funds if they first pay an advance fee .  If you think your personal financial information may have been compromised, here are some important steps to take immediately.

Contact your investment firm and other financial institutions immediately. If you think your personal financial information has been stolen, contact your broker-dealer, investment adviser or other financial professional immediately to report the problem and ask what steps you should take to protect your account. Once fraudsters have taken control of your investment account, they may reset your password to lock you out, transfer funds, or steal personal information.  They also may execute trades, including buying shares of stock within your account (or in another account after liquidating your holdings) to conduct pump-and-dump schemes.

Change your online account passwords or passphrases. Immediately change the password or passphrase for any investment or financial accounts associated with the compromised personal financial information.  Always remember to use strong passwords or passphrases that are not easy to guess.  Strong passwords should consist of at least 12 or more characters that include symbols, numbers, and both capital and lowercase letters.  Strong passwords should not use words found in a dictionary, or personal information such as a name or birthday.  Strong passphrases should consist of random words, using characters that include symbols, numbers, and both capital and lowercase letters.  Strong passphrases should not use: (1) common phrases from literature, music, or other media; (2) personal information such as your name or birthday; or (3) only words found in a dictionary. To help keep your accounts safe in the future, remember to change your passwords and passphrases regularly.

What are passkeys? Some investment account websites have started using what is known as a “passkey.”  Passkeys are not passwords.  They do not have to be remembered, reset when you forget, and, more importantly, are not subject to being stolen.  Instead, if you opt into using a passkey, the investment account stores a “private key” on your device which is paired with the investment account.  Not all investment account websites or devices support passkeys, however.

Close compromised accounts. If you notice any unauthorized access into your investment account, you should ask your investment firm to close the account and move the assets to a new account.  You should consult your investment firm about the best way to handle closing an account.

Activate two-step or “multi-factor” verification, if available. Your brokerage firm or investment adviser may offer (or require) a two-step verification process for gaining access to your online accounts.  With a two-step verification process, each time anyone attempts to log into your account through an unrecognized device (i.e., a device you have not previously authorized on the account), your investment firm sends a unique code to either your e-mail or mobile phone.  Before anyone can gain access to your account, they must enter this code and your password.  Activating this added layer of security may help reduce the risk of unauthorized access to your accounts by identity thieves.  Some investment firms also offer the use of a third-party authenticator app.  You download the app to your device.  When you sign into your investment account, a unique code can be provided in the authenticator app or you may be asked to confirm your sign-in in the authenticator app.

Monitor your investment accounts regularly for suspicious activity. Closely monitor your investment accounts for any suspicious activity.  Look out for any changes to your account information that you do not recognize (e.g., a change to your address, phone number, e-mail address, account number, or external banking information). You should also confirm that you authorized all of the transactions that appear in your account statements and trade confirmations.

Turn “on” account alerts. One of the easiest ways to monitor your online investment accounts for fraud is to turn “on” account alerts.  Depending on how your online account works, these alerts will send you an e-mail and/or text message when certain activities occur in your account.  Some examples of these alerts include:

• Account logins
• Failed account login attempts
• Password changes
• Personal information changes (address, e-mail or phone number)
• Securities transactions (placing orders to buy or sell investments)
• Transfers of money or securities in or out of the account
• Adding or deleting an external financial account where you can transfer money or securities to or from (e.g., bank account, investment account) The availability and types of account alerts vary depending on your investment firm. Contact your investment firm to find out which online account alerts are available and how you can turn them “on” for your account.

If you find any suspicious activity, immediately report it to your investment firm.  Please remember to document any conversations with your investment firm in writing and provide a copy to your investment firm.

Place a credit freeze or fraud alert on your credit file.

Credit Freeze

A credit freeze stops any new creditors from accessing your credit file until you remove or temporarily lift the freeze from your credit file.  Since most businesses or financial firms will not open new credit or financial accounts without checking your credit report, a freeze can stop identity thieves from opening new accounts in your name, but it does not stop them from taking over existing accounts.

To place a freeze on your credit file, contact each of the following national credit bureaus:

| Experian | Transunion | Equifax |
| 1-888-397-3742

www.experian.com | 1-800-680-7289

www.transunion.com | 1-800-525-6285

www.equifax.com |
Each of the credit bureau’s websites provides specific details you will need to add or manage a freeze to your credit file.  A freeze will stay on your credit file until you either remove or temporarily lift it. You can add, remove, or temporarily lift a freeze to your credit file online, by phone, or through the mail for free.

IMPORTANT: YOU WILL NEED TO REMOVE OR TEMPORARILY LIFT A CREDIT FREEZE TO OPEN ANY NEW CREDIT OR FINANCIAL ACCOUNTS

Fraud Alert

Placing a fraud alert in your credit file provides notice to potential creditors (e.g., banks and credit card companies) that you may have been a victim of fraud or identity theft and will help reduce the risk that an identity thief can use your personal financial information to open new accounts. Contact any of the three credit bureaus listed above and ask them to add a fraud alert to your credit file. You only need to contact one of the credit bureaus to add the alert to your credit file at all three credit bureaus.  The credit bureau you contact will notify the other bureaus about the alert.  The fraud alert will last for one year, and can be renewed annually.  Requesting a fraud alert and renewing the alert are both free.

Active duty members of the military may elect to add an “active duty alert” to their credit file. Active duty alerts last for one year and can be renewed annually.

If you have been a victim of identity theft, you may also consider placing an extended fraud alert in your credit file.  An extended fraud alert is similar to a regular fraud alert except that it lasts for seven years.

For additional information on alerts and freezes, please visit the Federal Trade Commission’s (FTC) webpage on credit freezes and fraud alerts, and the FTC’s identity theft website at www.identitytheft.gov.

Monitor your credit reports. After you place an initial fraud alert in your credit file, you are entitled to obtain a free copy of your credit report from each of the credit bureaus. Check each of your reports for signs of fraud, such as an unknown account, a credit check or inquiry to your credit file that you do not know about, an employer you have never worked for, or unfamiliar personal information.

Consider creating an Identity Theft Report. If a breach in your personal financial information results in identity theft, you may want to consider creating an identity theft report. An Identity Theft Report helps you deal with credit reporting companies, debt collectors, and business that opened accounts in your name.  You can use the report to:

• Get fraudulent information removed from your credit report
• Stop a company from collecting debts that result from identity theft
• Place an extended fraud alert on your credit report
• Get information from companies about accounts the identity thief opened or misused. Creating an Identity Theft Report involves three steps:

1. Report the identity theft to the FTC by completing the FTC’s online complaint form at https://identitytheft.gov/Assistant# or by calling the FTC at 1-877-438-4338, and obtain an FTC Identity Theft Affidavit.  If you decide to use the FTC’s online complaint form at Identitytheft.gov, please remember to either create an online account with the FTC to save your Identity Theft Report, or print out and save your completed form before leaving the Identitytheft.gov since you will be unable to retrieve it once you leave the website if you do not create an account.

2. Contact your local police department about the identity theft and provide them with:

• A copy of your FTC Identity Theft Affidavit
• A government-issued ID with a photo
• Proof of your address (mortgage statement, rental agreement, or utilities bill)
• Any other evidence you have of the identity theft (bills, IRS notices, etc.)
• A copy of the FTC’s Memo to Law Enforcement on identity theft Ask for a copy of the police report.

1. Attach your FTC Identity Theft Affidavit to your police report to make an Identity Theft Report.

Additional information on Identity Theft Reports and identity theft in general, is available at Identitytheft.gov. Identitytheft.gov also includes an online assistant to guide you through the steps to create your Identity Theft Report and a recovery plan to help you mitigate the possible damage caused by a data breach.

Document all communications in writing. Remember to document, in writing, and keep copies of any communications you have related to your identity theft.

Additional Resources

Updated Investor Alert: Don’t get “ished” – Tips to Protect Your Investment and Financial Accounts from Phishing, Smishing, and Vishing Scams

Updated Investor Bulletin: Protecting Your Online Brokerage Accounts from Fraud

FINRA Investor Alert: Customer Account Takeovers: What They Are and How to Protect Yourself

FTC’s Online Privacy and Security website

FTC’s Identitytheft.gov

FTC’s What To Know About Identity Theft

Call OIEA at 1-800-732-0330, ask a question using this online form, or email us at Help@SEC.gov.

Visit Investor.gov, the SEC’s website for individual investors.

Receive Investor Alerts and Bulletins from the Office of Investor Education and Assistance (“OIEA”) by email or RSS feed.

This Updated Investor Alert represents the views of the staff of the Office of Investor Education and Assistance. It is not a rule, regulation, or statement of the Securities and Exchange Commission (“Commission”). The Commission has neither approved nor disapproved its content. This Updated Investor Alert, like all staff statements, has no legal force or effect: it does not alter or amend applicable law, and it creates no new or additional obligations for any person.

Featured Content

Jumpstart Your Child's Financial Future

Learn how to enroll in a Trump Account today!

Use Financial Tools and Calculators

Access RMD, compound interest and savings goal calculators plus other financial tools.

Learn About Tax-Advantaged Accounts

401(k) plans, IRAs, HSAs, 529 plans, Trump Accounts, and others offer tax benefits.

Test Your Investing Knowledge

Participate in National Financial Literacy Month by taking our financial independence investing quiz!