Ask a Question

Phishing Scams

What is Phishing?

Phishing is a type of online scam where criminals send deceptive emails, texts, or messages (including phone calls) that appear to be from a person or institution you trust, to access your personal information or accounts.

Phishing communications may appear legitimate, but they can be filled with malicious links, attachments, and other deceptive methods designed to steal your information. The communications may simply ask you to provide personal information or may ask you to access a fraudulent link or attachment. Criminals often present themselves as a reputable source with a time-sensitive request, for example, a trusted financial institution with an urgent request that you click a link to log in and update account information.

Phishing is typically used as a path to malicious actions, for example:

  • Account Takeovers – The criminal purports to be a trusted financial institution and asks you to log in to address some urgent task. The link, however, takes you to a fake website, and when you log in, the criminal takes the login credentials and accesses your account. (They can even trick you into letting them through 2 factor authentication protections, like SMS confirmation codes or IB Key). Once they have access to your account, the criminal can transfer funds from your account, sell your positions, engage in other unauthorized trading, and/or steal your account information.
  • Ransomware – The criminal sends a link that, once clicked, infects your computer with a virus, and the criminal demands payment to remove it.

    • Ways IBKR Help you Protect Yourself from Phishing

    IBKR is continuously adapting its controls to respond to emerging threats and has proprietary tools that attempt to thwart criminals if you fall victim to a phishing attack. These measures can assist IBKR in detecting account takeovers and can help mitigate the damage after a criminal has taken control of your account. You may even find that some of these measures slow you down when you are legitimately logging in and trading your account. However, IBKR makes no representation that these measures are perfect, and IBKR urges customers to undertake extreme vigilance.

    Ways You Can Protect Yourself

    NEVER SHARE YOUR LOGIN, PASSWORD and/or 2 FACTOR AUTHENTICATION WITH A THIRD PARTY.

    • Allowing a third-party to access and trade your account may violate exchange regulations and local laws.
    • Doing so is against the terms of your Customer Agreement with IBKR.

    Verify the sender.

    • If you receive a communication from an unknown number or have any suspicions about a communication that appears to be from a known contact, reach out to the sender separately to verify their authenticity.
    • With artificial intelligence, it’s easy and quick for cyber criminals to craft messages with perfect spelling and grammar.

    Always log in to the correct IBKR URL.

    • The safest method to log in to your IBKR account is to navigate directly to the IBKR website and login from the home page. Do not type in “IBKR access” or something similar into your search engine and log into the first site that you are provided. Cyber criminals can use sophisticated tools to make it so fraudulent sites appear in search results.
    • Cyber criminals often attempt to induce individuals to enter legitimate credentials into fake websites designed to look like the site of a trusted financial institution. For example, they may instruct you to urgently log in to update a tax form or some other account document, or to confirm your account was not hacked.
    • If you receive a message asking you to click on a link to log into your IBKR account – for any reason – carefully review the URL to ensure that it is the legitimate interactivebrokers.com URL. Cyber criminals often use creative naming conventions to make fraudulent websites appear legitimate (e.g., jpmorgann.com, interativebrokers.com).
    • If an email message includes a hyperlink, you can hover over the link (or right click it) to see the actual URL to ensure it is the correct IBKR URL and not a fraudulent site. Avoid clicking links (or opening attachments) in an email or text message you are not expecting.
    • If someone contacts you via call, text, or email, claiming to be from IBKR’s security department and asks you to visit a website and log in with your credentials to address a time-sensitive request (e.g., updating a tax document), this is fraud and you should report it to IBKR immediately. Cyber criminals can make the caller ID appear to be from IBKR, and with artificial intelligence, they can mimic the voices of someone you know and trust.

    If you are contacted by someone purporting to work for IBKR, remember:

    • IBKR does not cold call consumers to offer services or products.
    • IBKR does not ask for remote access to your computer or mobile device.
    • IBKR does not ask you to complete transfers of stock or money over the phone.
    • IBKR does not ask you to share login details, particularly when this is done by creating a sense of urgency (e.g. "we have detected a fraud/theft attempt on your account and need your log in details to stop/deflect it" or "we have been made aware of a crash in one of the products you currently hold and will help you sell it now before it loses X% of its value"). Never share your credentials with anyone.

    Other red flags.

    • Pay particular attention to urgent requests for money or personal information and odd wording or punctuation in the text of the message (although note that cyber criminals are sophisticated, so don’t assume a well written message is authentic).
    • Don’t answer the phone unless you recognize the phone number and are expecting the call (it’s easy for cyber criminals to “spoof” a phone number, and make it appear as though they’re calling from a reputable organization).

    If you suspect you have fallen victim to a phishing attack related to your Interactive Brokers account, report it to Interactive Brokers immediately.