Bank robbers used to target banks because that’s where the money is.

But the real money these days is someplace else: Individual investors hold far more assets in stocks, mutual funds, and retirement accounts than they do in bank and credit union checking and savings accounts.

Meanwhile, it’s now easier and free to freeze your credit report—and we recommend you do that right now—to guard against identity fraud sparked by the massive data breaches in recent years at the Equifax credit bureau and elsewhere.

But even as banks, and credit-card issuers work to tighten security, a bigger but little-appreciated identity fraud threat is emerging: Identity thieves who steal your mutual fund assets, brokerage investments, and retirement savings.

One investor lost hundreds of thousands of dollars a couple of years ago after he unwittingly downloaded malware onto his computer, recalls Eva Velasquez, president and CEO of the Identity Theft Resource Center (ITRC), a nonprofit that helps identity fraud victims respond to an attack. The ruse was so sophisticated, you might fall for it yourself. Here’s how it worked:

The malware re-routed the victim from his investment account login page to the thief’s fake website, so the crook knew when the victim tried to log in. The imposter login screen captured the investor’s username and password but couldn’t let the victim actually log in to his account. At that point, the crook, posing as customer service, telephoned the victim to “help” fix the “problem.”

The fraudster used the victim’s stolen username and password to begin logging into the investor’s real online account. Security there texted a two-factor authentication code to the victim’s phone, and the crook asked the investor to read him the code. That finally opened account access to the criminal, who promptly wired stolen funds to his own account.

Unfortunately, while your credit accounts and bank deposits are largely protected from unauthorized transactions, your investment and retirement assets…maybe not so much. If someone hijacks your credit card number or uses your identity info to create bogus accounts and shops until your credit score drops, you’re usually not liable for those losses. But your investment accounts enjoy little-to-no regulatory protection from fraud losses, which can leave your life savings vulnerable in the age of identity fraud.

A rising threat.

That paints a giant bullseye on your assets. “Whenever you put a pile of money anywhere, bad guys will target that,” says Rick McElroy, security strategist at Carbon Black, a cybersecurity company that serves 33 Fortune 100 companies.

In an examination of 57 broker-dealers by the U.S. Securities and Exchange Commission (SEC) released in 2015, 88 percent had experienced cyberattacks, and about a quarter incurred losses of $5,000 to $75,000. In 2017, an SEC exam of 75 brokers, mutual funds, and investment advisors found “increased cybersecurity preparedness.” Nearly all brokers and the vast majority of funds conducted periodic risk assessments to identify threats. But the examiners also observed that a number of firms did not fully fix the threats that were discovered, and a few hadn’t installed critical security patches.

Attacks have increased, says David Kelley, surveillance director at the Financial Industry Regulatory Authority (FINRA), a non-profit authorized by Congress to regulate broker-dealers. Kelley says the fraudsters are getting a lot better in their trickery, but brokers are also doing more to protect their customers than they did even two or three years ago.

Investment companies don’t want to talk about it.

This may be the biggest financial fraud threat you’ve never heard about. And the financial services industry didn’t want to discuss it with us, either.

The Investment Company Institute (ICI), a trade group for mutual funds and other investment companies, declined to talk with Checkbook, and its reticence was characteristic of a spooky silence we found from much of the investment industry. We requested interviews with 15 leading online brokers to discuss the cybersecurity threat, how they’re protecting investors, and what consumers should do to protect themselves.

Although it was an opportunity for these firms to reassure investors and give them some peace of mind, all 15 firms declined, though four provided brief email responses.

Vanguard, for example, emailed us a statement, which said in part, “We are continually building stronger detection and interception capabilities, and our comprehensive fraud prevention efforts, online fraud policy, and account safeguards make ours one of the strongest programs in place in the investment management industry...However, it’s important to note that an investor’s first and best line of defense is themselves.”

Charles Schwab emailed a similar statement about its efforts, which include regular updates of security standards, adaptation of security and privacy policies to deal with new challenges, multiple behind-the-scenes authentication methods, and the importance of investors following safe online security practices. The statement also pointed to “the Schwab Security Guarantee...that Schwab will cover losses in clients’ Schwab accounts due to unauthorized activity.”

So, we searched the 15 firms' websites for language that might indicate whether they offer guarantees against fraud and theft. We also dug deeper into Schwab’s security guarantee, Vanguard’s online fraud policy, and other firms’ voluntary consumer fraud protection promises. Here’s what we found, along with advice about how to best protect your assets.

Scrutinize fraud loss protection policies.

On six websites, we did not find any descriptions of policies that might protect your assets from theft. Five of the companies didn’t respond to our findings, which we had sent to their press officers. However, T. Rowe Price told us via email that it does have a protection policy and sent us the web link to the hard-to-find page after we requested it. But even when we Googled the firm’s name and the exact title of the Account Protection Program, it still failed to show up in our search results.

Unfortunately, even among the firms that do promise protection, we found they still might not make you whole if there’s a problem. For Vanguard, you must have “followed the steps described in the Your Responsibilities section,” to qualify for coverage, its policy says. The Ameriprise, Fidelity, and TD Ameritrade policies cover you for unauthorized activity occurring “through no fault of your own.” And T. Rowe Price’s policy says “The Account Protection Program does not apply if you do not follow the security best practices outlined above.” There are 33 such requirements, and some of the other firms’ require that you jump through even more hoops to be eligible for coverage.

This can become a major gotcha. For seven of the firms we checked, we counted a whopping 29 to 85 specific security practices scattered across various web pages, easily missed by even a diligent investor committed to meeting his or her part of the bargain. Investors who are more casual or careless about their security obligations or who naively assume they’ll get the benefit of any doubt haven’t got a prayer here.

That’s a problem, because this entire hodgepodge can reasonably be interpreted as the full list of requirements that must be met to get reimbursement.

In fact, Vanguard’s policy says exactly that: “At a minimum, in order for this protection to apply, you must take the following steps.” That statement refers to a table that looks like a manageable five sections of Your Responsibilities. Nine bullet points in those sections make things a little more intimidating. But within that brief text are links that lead to four more lengthy web pages, which themselves contain links to six more pages and document dump of thousands of words. What individual investor could possibly follow so many rules, which apply to all of his online activities, all the time?

We asked Vanguard whether investors must meet every one of the 29 requirements we counted, a majority of them, or only certain key requirements. “We review each potential fraudulent case on an individual basis, taking steps when appropriate to protect investors from loss,” Carolyn Wegemann, a Vanguard spokeswoman, replied via email.

Schwab spokesman Pete Greenley also told us that “Each instance of alleged unauthorized activity is reviewed on a case-by-case basis.” But he also assured us that the “guidance” that Schwab gives investors to better protect themselves from fraud “are not requirements to qualify for protection under the Schwab Guarantee.”

However, the Security Guarantee on Schwab’s website explicitly states that if you share your account access information with “anyone,” Schwab “may hold you responsible if we determine that you shared this information, or unauthorized activity was caused by your...gross negligence.” The policy also states that “reimbursement under the guarantee requires your timely reporting of unauthorized activity to Schwab.” Nevertheless, Schwab actually spelled out the lowest number of requirements for coverage among the seven firms we found with protection policies.

We organized this chaos into a standardized to-do list and culled out the repetitive tips. Across the firms with protection policies, we identified an avalanche of 179 distinctly different to-do’s. And here’s the rub: Your human brain can’t robotically comply with so many requirements every minute, but your computer or mobile device logs your every misstep.

“When the consumer makes a claim, the investment company and its insurance company will do a forensic analysis of your computer to see what happened,” says Rick McElroy, a security strategist at Carbon Black, a cybersecurity company. “They’ll make a copy of your drive which shows everything you’ve ever done on the computer.”

The insurance company will verify that you’ve followed all the requirements, and “you won’t get a payout if you somehow broke the insurance policy requirements,” says McElroy.

Only Schwab answered our question on this point, which was emailed to all the firms. “Schwab does not require clients to provide their computers/mobile devices for forensic analysis in conjunction with a fraud loss claim,” Greenley replied.

Meet your obligations under the protection policy.

To qualify for and maintain coverage under your firm’s protection policy make sure you find, understand, and religiously comply with any and all of your obligations. There are the nine requirements and recommendations most commonly mentioned by the seven firms with protection policies:

  • Check your account balances and activity regularly—we recommend weekly. Most firms didn’t specify how regularly, but T. Rowe Price said monthly while TIAA said at least weekly.
  • Immediately report unauthorized activity.
  • Beware of phishing scams. Thieves try to trick you into giving them your login credentials by sending emails, texts, instant messages, or online pop-ups that look like they are from your brokerage or mutual fund, asking you to click a link or supply your user ID and password. So never click links or attachments in emails, text messages, instant messages, or windows that pop up on your computer screen. Access your online investment company account only by typing the legitimate link into the internet address bar, by bookmarking the known legitimate site on your browser and using that link, or by using the company’s official app.
  • Create and use a strong username, password, and security questions that are not used for any other sites.
  • Never share usernames, passwords, personal identification numbers, account numbers, and answers to security questions with anyone.
  • Don’t respond to email or text messages requesting personal and financial information, especially if you suspect they are fraudulent.
  • Use up-to-date security software on your computer (antispyware, antivirus, firewall, antispam) and keep the operating system and web browsers for your computers and phones up to date.
  • Don’t use public WiFi or unfamiliar hotspots, especially for conducting financial transactions; use only trusted, password-protected networks.
  • We now also recommend that you not share your investment account user IDs, passwords, and other login credentials with third-party aggregation websites and apps like Mint, Quicken, and Yodlee. If one of these sites gets hacked, your investment firm's protection policy may decline to cover the loss by pointing to this sharing. For example, Merrill Edge's policy states: "We will consider that you have authorized all transactions or actions initiated by an aggregation website using access information you provide, whether or not you were aware of a specific transaction or action."

Obsessively follow other smart online security practices.

Satisfying your firm’s requirements can be daunting, but the rules are usually smart security practices that everyone should follow anyway. Here are 13 more good practices you should follow, which were also mentioned by at least some of the investment companies:

  • To prevent hacking of your home network, use a router with WPA or WPA2 privacy protocol (instead of WEP) and change its factory default administrator password and SSID to unique, strong codes that only you know.
  • Browse with vigilance; look for the lock or “s” secure website symbols in your browser’s address bar.
  • File an affidavit or police report to document a theft.
  • Never share personal information on social networks, such as your date of birth, mother’s maiden name, home address, phone number, or SSN.
  • Use the ‘Remember my user ID’ feature on many browsers to automatically log in; fake sites won’t be able to insert your ID and someone who steals your computer should be locked out without your fingerprint or computer pass code.
  • Activate automatic updates on your security software.
  • Regularly update your computer software, mobile device apps, internet browser, and operating systems to keep them current with any security patches and bug fixes. Familiarize yourself with these programs’ security and privacy settings and set them to the strongest protection levels.
  • Don’t forget that your mobile device is a computer. Keep its operating system up to date, use security software if available, and don’t use unsecured public WiFi or hotspots. Turn off Bluetooth when not in use.
  • Turn off your email service’s preview pane, which allows some viruses to execute, even if you don’t open the email.
  • If you’re the chief IT officer of your family, make sure you give security training to your less-knowledgeable spouse and kids who share your computer and mobile device networks.
  • Pay attention to paper in today’s digital world. Opt for e-delivery of bank, credit card, and other financial statements and correspondence, and promptly open and review all such material. Shred discarded financial papers using a cross-cut shredder. Stop advertisers from mailing you paper prescreened offers of credit and insurance, which ID thieves can steal from your home mailbox, by opting out at
  • Identify fraudulent telemarketing solicitations instantly by listing your phone numbers with the National Do Not Call registry. After you’ve done that, if you do receive telemarketing calls or texts, you’ll know they’re bogus.
  • Dispose of old computer and mobile device hardware by performing a factory reset or removing and destroying storage drives and devices.

When shopping for an investment company, look for key security features and practices.

Most mutual fund companies and online brokers have systems to detect and prevent fraud, encrypt their communications with you, and apply identity authentication rules and practices to make sure only the real you gains access to your account. Here are standouts to look for:

  • Multi-factor authentication for log-ins (which involves texting one-time-use codes to your phone or use of biometric identifiers such as voice, face, and fingerprint recognition).
  • Transaction alerts—text messages or emails that report certain account activity to you.
  • A secure messaging system for sending and receiving sensitive information.
  • Extended Validation certificates, which display a green address bar to identify trusted sites.
  • This year, Fidelity is rolling out Fidelity Access, a more secure way to use aggregation websites and apps without the need for you to share your username and password, which could cause you to unwittingly run afoul of the "no-sharing credentials" requirement.
  • We also like the feature at Dodge & Cox, which lets you turn off online trading privileges and set your online account to "view only" status, and the option at Invesco, which allows you to block online access to your account information.

Finally, take advantage of any free security tools offered by your investment firm. Fidelity and E*Trade offer a free Symantec VIP Access two-factor security app; TD Ameritrade offers free downloads of Symantec Security Check and TrendMicro Housecall monitoring and malware scanning tools; and Merrill Edge and TIAA offer free Trusteer Rapport security software.