ASIC investor alert: rise in stolen shares from identity theft
The Australian Securities and Investments Commission (ASIC) has issued a warning to investors to be on high alert after a “significant increase” since August 2024 in reports of stolen shares from individuals whose identification has been compromised.
Data breaches are an already all-too-familiar element of the online landscape, and recent figures show the Office of the Australian Information Commissioner was notified of 527 breaches between January and June 2024, a 9% increase on the second half of 2023. The top 5 sectors notifying of data breaches were health service providers, Australian government, finance (including superannuation), education and retail.
Such data breaches can expose enough of your sensitive personal information or credentials to enable your identity to be stolen. For example, your full name, birthdate, home or email address, tax file number, driver licence, passport and even your biometrics (fingerprints or facial images) could be obtained in a data breach and made available online.
ASIC advises individuals who’ve been caught up in past data breaches to be aware of the strong possibility of identity theft, and to take measures to ensure the security of their personal information. ASIC also notes, importantly, that identity data can be stolen from offline sources, for example through theft of physical mail.
ASIC further warns that fraudsters have been using stolen personal data to impersonate individuals when creating new share trading accounts and bank accounts. Using illegally obtained security reference numbers or holder identification numbers, they are able to take control of and then trade or sell the individuals’ shares and transfer their funds. Victims often don’t realise their shares have been transferred or sold until they receive a confirmation letter from a share registry or the Clearing House Electronic Subregister System (CHESS).
Protect your investments
As fraudulent activity using stolen identification grows increasingly sophisticated, ASIC advises investors to be vigilant and to:
- review your share portfolios, as well as your other investment accounts like super and managed funds, regularly – you’ll be quicker to detect unauthorised activity if you’re checking in on your accounts;
- use passphrases instead of passwords for your online accounts – passphrases, which are combinations of random words or unpredictable phrases, are often easier for you to remember and harder for machines to crack than passwords;
- use multi-factor authentication where available to add more security to prove your identity – multi-factor authentication requires a combination of proofs of identity (options may include biometrics, authenticator apps, email, SMS or physical tokens);
- prevent mail theft by checking your letterbox frequently and locking it; and
- keep your contact details current with your stockbroker, share registries and financial services providers.
Take action
If you receive unexpected notifications or something just doesn’t look right with your accounts, you should act swiftly:
- if you notice unauthorised activity on your accounts, contact your bank, stockbroker or the share registry and change your passphrases or passwords;
- if you receive an unexpected new bank card or unexpected correspondence (eg an update on how your shares are held, a notification of sale of your shares or the creation of a new account, or confirmation of a change in contact details), don’t ignore it – ASIC advises that you contact the correspondence sender using the contact details from the organisation’s official website, not those from the letter/email (which could be fraudulent);
- if your identity has been compromised, contact IDCARE – they can help you formulate a response plan; and
- report any incidents to Scamwatch.