Your Security is Our Priority
Market conditions and increased fraudulent activities pose unique security challenges to your firm. Fidelity Investments offers operational strength, advanced technology, regulatory advocacy, and investor knowledge to help deliver enhanced security and privacy to your firm and end investors. We are committed to using the latest technology to guard your information and accounts. But we can't do it alone. We need to work together, and it is important for you to enhance your security controls and measures by taking some actions on your own. See what we do to keep you safe, and what you can do to protect yourself.
- How to Protect your Firm
- How to Protect Yourself
- Report an online Security Issue
- Learn How to Recognize Phishing Emails
- Know How to Check That You Are On a Secure Site
- How To Be Cautious On Public Networks
How We Protect You
- Information Sharing - Fidelity works closely with our peers and law enforcement on the latest threats and security trends. Our membership in several industry groups allows us to meet with our peers and with law enforcement on a regular basis. We share information about the latest trends and threats in financial fraud and cybersecurity.
- Incident Response - Fidelity works closely with your firm and law enforcement to mitigate potential loss, develop evidence, and track fraudsters. If you suspect fraud or any type of cybersecurity incident, it is important to contact us immediately. The sooner we learn about the issue, the more likely we are to be able to help. Always contact your client service team if there is an issue.
- Strong Password Policy - Access to our websites is blocked after three incorrect attempts, and users must re-authenticate to sign in again. This prevents fraudsters from attempting to "guess" your password and protects against "dictionary" style password attacks.
- Self-Service Password Reset - Users can authenticate by answering a security question to reset their password, and Fidelity employees do not generally have access to passwords, including temporary passwords.
- Complex Password - Our password policies require the use of complex passwords, including the use of upper- and lowercase letters, numbers, and special characters. Passwords can be up to 20 characters in length.
Two Factor Authentication
- Security Tokens - Fidelity uses security tokens as a second factor of authentication when you sign in. The first factor is something you know — your password. The second factor is something you physically have — your token. While passwords can be stolen, and tokens can be lost, it is difficult for a fraudster to get possession of both.
- Risk-Based Authentication - Each sign in is evaluated based on both enterprise-wide and user-specific characteristics. Our system looks at trends and patterns and assigns a risk score to each sign in.
- Knowledge-Based Authentication - When the risk score goes above a certain threshold, or if there is a question about a sign in, we may ask for additional authentication in the form of a security question.
- System Timeouts - Timeouts protect your session if you are away from your machine.
- Ongoing Monitoring - Fidelity continually monitors its trading and money movement systems for suspicious activity.
- IP Address Restriction - Fidelity can restrict access to designated IP addresses so users must access our systems from the office.
How to Protect Your Firm
- Develop and Implement an Identity Theft Protection Program
- Proactively Prepare for a Compromise
- Actions to Consider
The identity theft "red flags rule," known as Regulation S-ID, was issued jointly by the SEC and the U.S. Commodity Futures Trading Commission (CFTC) and became effective in 2013. The rule requires any SEC or CFTC registered financial entity that directly or indirectly holds transaction accounts for its clients to develop and implement an Identity Theft Protection Program (ITPP).
All advisors, broker-dealers, and other financial institutions (as defined by the regulations) are required to develop and implement an identity theft protection program consisting of reasonable, board-approved compliance policies and supporting procedures to prevent, detect, and respond to any possible identity theft situations.
While Fidelity encourages all advisors, as part of their fiduciary responsibility, to remain vigilant for signs of fraud, we suggest that you consult legal counsel to gain a full understanding of the rules and regulations that apply to your firm, especially because current data protection and data breach notification laws vary from state to state.
Security compromises can occur despite the best efforts of all involved. Consider taking these proactive measures to prepare your firm for a potential problem — from outside criminals or employees within your firm:
- Create a detailed set of written procedures for reacting to fraud. This includes steps to take internally, as well as any client communications. Your procedures should also include the after-hours escalation processes through Fidelity and any other financial institutions you work with.
- Identify a point person responsible for carrying out the procedures. This person should be well versed in the procedures and able to escalate them in a timely manner when fraud occurs. Timely escalations are critical to any success you may have in recovering fraudulently disbursed funds.
- Train your team. Conduct internal training to ensure that all professionals in your organization understand what needs to happen if an incident occurs.
- Familiarize yourself with all available resources. Take stock of the types of resources available through the financial institutions and third-party vendors you work with to protect your firm and your clients against cyber fraud.
Technologies are constantly evolving — including those used by criminals. Ask yourself: Are your security policies and procedures keeping up? Consider the following precautionary measures to help combat the growing threat of data security compromises:
- Educate clients on proper third-party wire requests. Help clients understand the right practices involved in wire transactions — for their good and yours. For example, faxes, voice mail messages, and emails should not be used to verify wire transactions. Client education and awareness about your third-party wire requests may help make these types of money movement controls more acceptable to your clients and actually encourages them to play an active role in protecting their personal information and assets.
- Limit employee access to sensitive client data to secure networks and devices. For example, public computers in locations like hotels or cybercafés have unknown virus protection and are highly susceptible to attacks; they should not be used to access confidential firm or client data.
- Establish, and regularly update, an employee education program on cybersecurity. Use this program to keep all firm personnel abreast of the latest trends in cybersecurity and firm policies and procedures. You may also want to make cybersecurity a regular agenda topic for team meetings and have a plan in place to train new employees.
- Make sure user IDs and passwords are kept current. Delete the sign in credentials of former employees, and periodically review the levels of access granted to current employees. As a further level of protection, consider making it a policy to regularly reset employee passwords. Don't give broad-based entitlement to anyone who doesn't need it.
- Limit authorizations to move money. Be careful who in your organization you authorize to issue money movements — and consider keeping this number limited.
- Know the security level on each of your systems. Make sure your use is appropriate for the level of security available.
- Maximize your system's security tools to identify suspect transactions ASAP. If a transaction is unusual or not typical for a client's historical profile, you should immediately contact the client to verify the transaction.
- Review client account balances and transactions at least monthly. If you see transactions that are unusual or atypical for a client's historical profile, that should trigger an immediate phone call to the client to verify the transaction. Also, be sure to review any account profile changes. If anything seems unusual, verify the changes directly with the client.
- Keep the most up-to-date antivirus and antispyware software on all devices (PCs, laptops, tablets, and smartphones). Consider setting antivirus software to run regularly, which could help detect viruses on the machine, as well as the presence of keystroke capture malware. Simply running a periodic virus scan may not offer protection between scans.
- Consider cyber fraud insurance. Such a policy typically covers accounts that are compromised by employees and non-employees, although it typically does not cover monies that are fraudulently wired out. Alternatively, consider reviewing any Errors and Omissions policies to understand your coverage for cyber fraud and to ensure that your coverage aligns with your firm's risk profile. For additional information about steps you can take to protect yourself and your clients from fraud, visit
- Regularly Update Your Operating System and Applications
- Use Anti-Virus Software
- Use Anti-Spyware and Anti-Adware Software
- Use a Personal Firewall
- Exercise Caution When Using Wireless Networks
Applications and operating systems installed on your computers may have vulnerabilities. Malicious actors can find these issues and exploit them to take over your system or network. Most major software companies regularly release updates or patches to their operating systems and applications, and a large percentage of these patches and upgrades repair security problems that have been found in the software.
You can minimize your exposure to unintentional downloads by keeping your computer up to date with the latest security patches. Some vendors, such as Microsoft® and Apple®, offer tools on their websites to scan your computer for missing updates. It's good practice to check your software vendor's website at least monthly for new upgrades and patches. For the best protection, set up your computer to receive updates automatically whenever possible.
Apply patches for vulnerabilities as soon as the vendor releases them, and upgrade as new versions of applications, software, and operating systems become available. Delaying or ignoring patches considerably increases the chance of systems being exploited. This is particularly important for Internet-facing (public) systems such as VPN, web, and email servers.
A virus is malicious software that is installed on the system, usually by accident or through trickery, that does harm to the system and affects its normal operation. Up-to-date anti-virus software protects your computer against current virus threats. Most commercially available virus protection programs offer automatic and emergency updates. Regularly scan all your files using the latest anti-virus updates. For the best protection, set up your anti-virus software to scan every file you open. You can also schedule your software to run periodic scans.
Spyware is software that is loaded on your system that monitors your Internet activity, and adware is software that is loaded on your system that will track your browsing habits and pop up with ads promoting different products and websites. These programs automatically install themselves, often without your knowledge or permission and should be avoided for privacy and security reasons. Spyware programs run on your computer and can gather private information such as passwords/PINs and credit card numbers, deliver unwanted pop-up advertising as you surf the Web, and monitor your browsing patterns. Free software is widely available on the Internet, but may contain malicious software programs. Before you agree to download a software program, make sure you know and trust the company offering the software, and read the user agreement. Make sure to keep your computer updated by running your anti-spyware and anti-adware software regularly.
Firewalls serve as protective barriers between your computer and the Internet, preventing unauthorized access to your computer when you are online. They can be software programs or physical devices. Firewalls are often included in security software suites such as Norton Internet Security™ and McAfee® Internet Security Suite. Operating systems, such as Windows, may also include firewall software. Some ISPs offer firewall software or hardware to their clients. Be sure to set up a firewall between your computer and the Internet.
The default configuration of most wireless home networks is not secure. Contact your wireless software vendor for specific information about enabling encryption and strengthening the overall security of your wireless home network.
Taking a few simple precautions when using wireless hotspots can help protect your computer:
- Install a firewall on all network computers
- Disable your wireless connections when you're not using them
- Configure your wireless software to not connect to hotspots automatically
- Use reputable encryption software
- If you are unsure of the security of a wireless hotspot, don't use it for conducting confidential business, such as accessing your work email or financial information
Wireless technologies are continuously changing. Consult the manufacturer of your network hardware to ensure you have the most up to date security technology.
- Protect Your Passwords/PINs
- Use Strong Authentication
- Protect Yourself from Phishing Scams
- Don't Open Unexpected Email
- Don't Email Personal or Financial Information
- Check that Web Forms Are Secure
- Sign out of Websites and Close your Browser
When creating your user accounts, choose strong sign-in credentials so that your passwords/PINs are as hard to guess as possible. Avoid obvious numbers, such as a birth date or an anniversary, which would be easy to guess.
What is a strong password? A strong, or complex, password is one that meets the following requirements:
- It is not the same as your sign-on name.
- It has a minimum of eight characters.
- It uses a mixture of uppercase and lowercase characters.
- It uses a mixture of letters, numbers, and symbols.
Change your passwords frequently, and never divulge your passwords/PINs to anyone, including family or friends.
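The four requirements listed above, turned into a checker. This is an added example, not Fidelity's own code; the 20-character upper bound comes from the password policy stated earlier on this page, and rule 1 is read slightly more strictly than written, rejecting a password that merely embeds the sign-on name.

```python
"""Check a candidate password against the strong-password rules listed above.

Added example (not Fidelity's code). MAX_LENGTH reflects the page's statement
that passwords can be up to 20 characters long.
"""
import string

MIN_LENGTH = 8   # "a minimum of eight characters"
MAX_LENGTH = 20  # "Passwords can be up to 20 characters in length"


def password_policy_violations(password: str, sign_on_name: str) -> list[str]:
    """Return the rules the password breaks, in page order (empty = compliant).

    1. not the same as the sign-on name (case-insensitive; also rejected if
       the sign-on name appears inside the password, a stricter reading)
    2. at least MIN_LENGTH characters (and, from the policy, at most MAX_LENGTH)
    3. both uppercase and lowercase letters
    4. letters, numbers, and symbols all present
    """
    violations: list[str] = []
    pw_lower = password.lower()
    name_lower = sign_on_name.lower()

    if pw_lower == name_lower or (name_lower and name_lower in pw_lower):
        violations.append("matches or contains the sign-on name")

    if len(password) < MIN_LENGTH:
        violations.append(f"shorter than {MIN_LENGTH} characters")
    elif len(password) > MAX_LENGTH:
        violations.append(f"longer than {MAX_LENGTH} characters")

    has_upper = any(c.isupper() for c in password)
    has_lower = any(c.islower() for c in password)
    if not (has_upper and has_lower):
        violations.append("needs both uppercase and lowercase letters")

    has_letter = any(c.isalpha() for c in password)
    has_digit = any(c.isdigit() for c in password)
    has_symbol = any(c in string.punctuation for c in password)
    if not (has_letter and has_digit and has_symbol):
        violations.append("needs a mix of letters, numbers, and symbols")

    return violations


if __name__ == "__main__":
    # Constructed sample inputs for illustration.
    for candidate in ("jsmith", "correcthorsebattery", "Tr0ub4dor&3x"):
        print(candidate, "->", password_policy_violations(candidate, "jsmith") or "OK")
```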
By enforcing multi-factor authentication, especially for privileged accounts and remote access (e.g. VPNs), you dramatically reduce when and where stolen credentials can be reused by an adversary. Create, enforce, and maintain strong password policies across your firm. The use of strong password policies must be mandated for all users and is especially critical for administrator accounts and service accounts.
Cyber criminals try to gain your personal information via deceptive means such as legitimate looking emails with fake web links, phone numbers, and attachments. This method of email fraud is called phishing. Avoid opening links or attachments in an email you are not expecting. Phishing emails will often ask you for personal information in an effort to obtain access to your financial assets and identity. Responding with sensitive information (like account numbers, passwords or social security numbers) is never a good idea.
Be cautious of email and attachments — even if they look like they're from a friend. Unless you are expecting them or know what they contain, never open them.
Most email is not secure or encrypted and should not be trusted to send personal or financial information. Legitimate companies seeking information normally send written requests on company letterhead. You should be cautious of and verify any requests you receive that ask you to email personal or financial information.
Avoid entering personal and financial information on a website unless you need to. If you do need to enter sensitive personal information, look for forms that encrypt data and check that the web address is running in a secure mode, as this may provide some enhanced protection of your information. Some websites, or forms on websites, encrypt information; this may be identified by a padlock icon in your browser's status bar (at the bottom of the browser window) and by the prefix "https" in the address shown in the browser's address bar, which indicates the site is running in secure mode.
Be aware that sensitive information may still be stored within the browser, even after you sign out of a website. If you leave a computer unattended after you have signed into a website, someone may be able to use the browser's Back button to view your personal information. To avoid this, sign out and close your browser to minimize any security risk. You may also choose to delete encrypted pages and/or temporary Internet files from your computer's hard drive or disk (clear your cache), or set your browser to not save encrypted pages to disk (in your browser's security or advanced settings).
- Protect Your Personal Information
- Know the Warning Signs of Identity Theft
- Act Quickly If You Suspect Identity Theft
Identity theft is a growing problem online because of the increasing amount of information available about individuals online. It can take years of persistent work to follow all the administrative steps needed to regain your good name and credit score.
Identity thefts are categorized according to what the thief does with your data:
- Financial identity theft: Obtains credit, buys things with your credit cards, empties your bank accounts
- Identity cloning: Uses your information to assume your identity in daily life, such as using your social security number for employment
A few simple steps can go a long way. For example, shred documents containing personal or financial information instead of simply throwing them away. Also, be absolutely sure you know who you're dealing with before giving any personal or financial information. OnGuard Online™, (
Here are some tips for avoiding identity theft:
- Never enter your full social security number online except when securely signed into a site that has a legitimate need for it, such as when paying your taxes or filing for government assistance. Ask companies and government agencies you do business with if you can create an alternate customer identifier.
- Don't use the same username and password at multiple sites. When hackers break into the server at any of those sites and steal client data, the first thing they do is to try all those account names and passwords at other sites, knowing that most consumers are careless and use the same data everywhere.
- Monitor your credit report regularly so you will notice if new credit is opened in your name. Each of the three major credit reporting bureaus provides one free report per year to each consumer. Stagger your requests throughout the year so you are getting a fresh credit report every four months.
- Monitor your financial statements and promptly read any account or credit card statements or correspondence when they arrive. Make sure there are no changes or transactions you did not initiate. If a bill arrives unusually late or not at all, call the company.
- Use strong passwords on every online account you have.
- Limit the amount of information you provide about yourself online. Every bit of information you provide online is more ammunition for an identity thief. For example, you might want to rethink including your home address and phone number on social networking sites (and that includes professional ones like LinkedIn too).
- Don't participate in online offers of free stuff or sweepstakes entries in exchange for providing information about yourself. There may be a 1 in 100,000 chance you'll win something, but there's a 1 in 1 chance that any information you provide here will be sold to online advertisers, and after you get in their databases, that information can be sold to anyone who has the money to buy it — including sophisticated identity theft networks.
- Use only one credit card when you buy things online. That way, you only have one card you have to closely monitor to make sure the number is not being used fraudulently. Don't use debit or ATM cards online because there is limited consumer protection available if the number is stolen and used fraudulently.
Identity theft warning signs include:
- Unauthorized charges or withdrawals
- Not receiving renewed credit cards, bills, or other mail
- Receiving credit cards for which you did not apply
- Notices for changes you did not initiate
- Denial of credit for no apparent reason
- Calls or letters about items or services you didn't buy
Although it could be a simple error, never assume a mistake has been made that will automatically be corrected. Follow up with the business or institution.
If you suspect that your personal information has been used wrongfully, immediately:
- Review your credit reports
- Place a fraud alert on your accounts
- Close any accounts opened or used fraudulently
- File a report with the police
- File a complaint with the U.S. Federal Trade Commission (FTC)
- Call your Investment Representative or Broker Dealer to secure your accounts
If your account is blocked or compromised
Call us at 800-523-5518 (Advisors)
Contact your Home Office (Broker Dealers)
Think you received a suspicious email? Report it.
Phishing messages have evolved drastically; and are often difficult to recognize. They can incorporate realistic company logos and graphics, provide links to the real company's privacy policies, and even include authentic-looking legal disclaimer language at the bottom.
If you suspect you have received a phishing email:
- Do not forward the email to other associates
- Contact your Client Service Team
Contact your Client Service Team
If you suspect your account has been compromised or you see unauthorized activity on your account, contact your client service team immediately. They will investigate and advise you on what steps need to be taken to protect your account.
Whenever you suspect Fraud
Update your antivirus software
Run an antivirus scan on your system to check that your computer is not infected with a virus. Make sure that your system and anti-virus software are up-to-date.
Change all your passwords
Change your account password and security questions immediately. Do this for your Fidelity account, your email accounts, and other online accounts.
Phishing messages have evolved dramatically over the past few years, and they are often difficult to recognize. Creators often incorporate realistic company logos and graphics, provide links to real companies' privacy policies, and can even include realistic legal disclaimers. Make sure the organization that is represented is one you trust. Never respond to an email or fill out any requests for information on a website unless you're confident in its authenticity and security.
To help determine if an email is part of a phishing scam, ask yourself the following:
- Do I have a relationship with this company?
- Would I expect this company to contact me this way?
- Would I expect this company to use this tone or make this request?
- Are there other red flags, such as incorrect dates or poor grammar?
If you are at all unsure, contact the company by phone.
Some other pointers about suspicious emails
- When in doubt — Don't click! Type the company's address into your browser and sign in as you normally would.
- To check a link in an email, hover over it. The true destination will be displayed. If the domain (whatever is immediately before .com) is not what you expect — Don't click. Fraudsters often slightly change the name of a company to direct you to a malicious site — using FidelityInv.com instead of Fidelity.com, for example.
- Never open links or attachments from an unexpected email.
- If a suspicious link was accidentally opened, NEVER enter personal information or sign in credentials on the resulting page.
- Do not email personal or financial information
- Most email is not secure or encrypted and should not be trusted as a way to send personal or financial information.
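The hover-and-compare check from the pointers above, written out as code. This is an added example, not Fidelity's own code: it takes the link's real destination (what hovering reveals), extracts the host the browser would actually connect to, and compares the domain "immediately before .com" with the one you expect. The sample links are constructed for illustration; the two-label domain rule is an assumption (country suffixes such as co.uk would need the Public Suffix List).

```python
"""Classify a link's true destination against the domain you expect.

Added example (not Fidelity's code). Sample links below are constructed.
"""
from urllib.parse import urlsplit


def true_host(href: str) -> str:
    """Host the browser would actually connect to for this href.

    urlsplit() discards the userinfo part, so 'https://fidelity.com@evil.example/'
    yields 'evil.example', and a brand used as a subdomain of another site
    ('fidelity.com.secure-login.example') is kept whole so it can be inspected.
    """
    return (urlsplit(href).hostname or "").rstrip(".")


def registrable_domain(host: str) -> str:
    """Last two labels of the host, e.g. 'fidelity.com'.

    Assumption: simple two-label rule, enough for .com-style names; multi-label
    suffixes (co.uk) need the Public Suffix List.
    """
    labels = host.split(".")
    return ".".join(labels[-2:])


def link_verdict(href: str, expected_domain: str) -> str:
    """Return 'ok', 'warn: ...' or 'suspicious: ...' for a link about to be clicked."""
    expected = expected_domain.lower()
    scheme = urlsplit(href).scheme.lower()
    if scheme not in ("http", "https"):
        # javascript:, data:, mailto: and friends are not web destinations at all
        return f"suspicious: not an http(s) link (scheme '{scheme or 'none'}')"
    host = true_host(href)
    if not host:
        return "suspicious: no host in link"
    if registrable_domain(host) == expected:
        return "ok" if scheme == "https" else "warn: expected domain, but not https"
    brand = expected.split(".")[0]          # 'fidelity' from 'fidelity.com'
    if brand in host:
        return f"suspicious: look-alike host {host}"
    return f"suspicious: unexpected host {host}"


# Constructed sample links; only the first is the legitimate one.
SAMPLE_LINKS = [
    "https://www.fidelity.com/security",
    "https://www.FidelityInv.com/login",            # the page's own look-alike example
    "https://fidelity.com.secure-login.example/",   # brand as a subdomain elsewhere
    "https://fidelity.com@evil.example/",           # brand hidden in the userinfo part
    "http://fidelity.com/",                         # right domain, but no https
    "javascript:void(0)",
]


def audit_links(links, expected_domain="fidelity.com") -> dict:
    """Map each link to its verdict."""
    return {href: link_verdict(href, expected_domain) for href in links}


if __name__ == "__main__":
    for href, verdict in audit_links(SAMPLE_LINKS).items():
        print(f"{verdict:50s} {href}")
```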
How to Report a Phishing Scam
If you suspect you have received a phishing email:
- Do not forward the email to other associates
- Contact your Client Service Team
If you are about to enter personal or financial information on a website, you must be able to identify whether or not that site is secure.
Look at your browser's address bar.
If the address starts with "https://" that means the site has an added layer of security that creates an encrypted connection between the web server and your browser. This additional layer allows private information to be transmitted securely.
Note that web pages intended for browsing may not have this level of security, and that is ok. You should, however, look for "https" on all pages that require you to sign in and/or enter any sort of sensitive information.
Another indication that a website is secure is a padlock icon next to the URL in the navigation bar.
Never enter personal information unless you are sure the website is legitimate and encrypted.
Not every network is secure. Many public networks and Wi-Fi hotspots don't require a WPA or WPA2 password when you connect. If no password is required, it is likely not a secure network.
If you use an unsecured network to sign in to an unencrypted site — or a site that uses encryption only on the sign-in page — you are potentially exposing your sensitive data and sign-in credentials to everyone on that network, including scammers.
The best way to protect yourself:
Avoid using public, unsecured networks and Wi-Fi hotspots. If you must get online, here are a few precautions you can take:
- Use a virtual private network (VPN). VPNs encrypt traffic between your computer and the Internet, even on unsecured networks.
- Disable wireless connectivity when not in use.
- Consider finding a secure public network nearby. Since so many establishments provide internet connectivity, it is very possible that a more secure network is just a short walk away.
- Use a personal firewall, which serves as a protective barrier between your computer and the Internet and prevents unauthorized access to your computer when you're online.
- Look for https at the start of the web address. Make sure that https exists on every page, not just the sign-in page.
- If you are still unsure of the security of a public network, don't use it for conducting confidential business, such as accessing your work email or personal/financial information.
For a comprehensive list of Security Terms, you can visit the SANS security resource glossary:
The FBI has the Internet Crime Complaint Center (IC3), which allows the public to stay informed about internet related criminal activity. The public can also report incidents to the FBI through this site.
FINRA releases a report on Cybersecurity Practices; it can be found here:
CERT has an article on configuring your web browser for safer Internet surfing:
Please note the products, services, companies and websites (collectively "the resources") referred to in this document are provided solely for informational purposes and are only a representative sample of some of the many resources available to you. This is not an endorsement or representation about the effectiveness, reliability or availability of such resources. Please conduct your own research to determine what available options are best suited for your particular needs.