In October 2024, Fidelity Investments disclosed that in August attackers had opened two fraudulent customer accounts and used them to pull personal information on 77,099 customers. Names, Social Security numbers, and driver’s license numbers were exposed. A few months earlier, a hacker was sentenced to three years in prison for hijacking Charles Schwab brokerage accounts through credential stuffing: trying username and password combinations leaked from other breaches until one of them works.
Your clients read these headlines. And when something suspicious happens with their accounts, they call you.
At Adelia Risk, we help wealth management firms prepare for exactly this moment. Account takeover fraud hit $2.9 billion in losses in 2024, with financial services seeing a 122% year-over-year increase in attacks. Americans 60 and older—the core demographic for many RIAs—lost $4.9 billion to elder fraud in 2024.
Here’s what we’ve learned working with RIA clients over the years: by the time you’re getting that panicked phone call, you’re already in damage control mode. The breach happened. The attacker got in. Now you’re helping your client pick up the pieces. This client account compromise response guide will help you do that effectively—but the harder truth is that most of these incidents are entirely preventable. We’ll come back to that.
Verify the Caller First
This sounds counterintuitive when someone is panicking, but attackers sometimes impersonate frightened clients to trigger account changes. It’s a social engineering tactic that exploits your instinct to help.
When the call comes in, acknowledge the urgency: “I hear you, and we’re going to handle this. First, let me call you right back at the number we have on file—this protects both of us.”
Use your firm’s callback verification. Hang up and call the client at a phone number you already have on file, not one they just gave you, and not one that was changed in your records recently without a verified request (a recently changed phone number is itself a warning sign). JPMorgan’s guidance on callback verification emphasizes that this single step prevents a surprising number of social engineering attacks.
Yes, this feels awkward when someone is upset. Do it anyway. A legitimate client will understand once you explain why.
The First 60 Seconds Set the Tone
When you call Mrs. Henderson back and confirm it’s really her, two things are happening at once. She’s scared and looking to you for reassurance. And you need information to understand how bad the situation is.
Most advisors instinctively want to jump into problem-solving mode. Slow down. The first minute matters more than you think.
Start documenting now. Date, time, client name, everything they tell you. Your notes may become part of a regulatory inquiry, insurance claim, or legal proceeding. Write down what questions you asked, what guidance you provided, and what actions were taken.
Lead with Compassion
Fraud victims—especially older clients—often feel ashamed. They think they should have known better. Research from financial institutions shows that leading with blame or skepticism causes victims to shut down and withhold details you need.
Start with something like: “Thank you for calling me. You did nothing wrong—these criminals are professionals. We’re going to work through this together.”
That single sentence accomplishes three things: it validates their decision to call you, removes the shame, and establishes that you’re on their side. Now they’ll tell you what actually happened.
Ask the Right First Questions
With the client calmer and talking, you need to quickly understand the scope:
“Which accounts do you believe are affected?” Get a list: email, brokerage, banking, credit cards.
“Are you still logged in anywhere right now?” If the attacker is actively inside, the client should log out of all sessions immediately.
“Have you seen any transactions you didn’t make?”
These questions give you the information you need to prioritize next steps.
Understanding What Actually Happened
Before you start telling the client to change passwords, you need to understand the scope of the account takeover. Rushing into fixes without assessment can actually make things worse.
The Email Question Changes Everything
Go back to the list of affected accounts the client gave you: email, brokerage, banking, credit cards. Which of them is involved changes the whole response.
Here’s the key insight: if their email is compromised, assume every account that uses that email for password resets is also at risk. Email is the master key. Attackers know this. They often target email first, specifically because it gives them access to everything else.
If the client says “just my Schwab account,” ask follow-up questions. How do they think the attacker got in? Did they click a link in an email? Enter credentials on a website that looked like Schwab but wasn’t? If phishing was involved, the email account needs scrutiny.
Check for Money Movement
Ask directly: “Have you seen any transactions you didn’t make? Have you received any confirmation emails for transfers you didn’t request?”
Speed matters here. The FBI’s Internet Crime Complaint Center runs a process called the Financial Fraud Kill Chain for freezing fraudulent wire transfers, and its 2024 annual report cites a 66% success rate when the fraud is reported quickly, ideally within 72 hours of the transfer. If money has moved, this becomes urgent: the client should call the sending bank’s fraud line immediately, and a complaint should go to IC3.gov the same day.
Signs the Attacker Is Still Inside
Ask whether the client has received password reset emails they didn’t request, “new device login” alerts they don’t recognize, or been locked out of any accounts.
These signals tell you whether you’re dealing with a past breach that’s been contained or an active intrusion where the attacker is still inside. If the attacker still has access, everything you do next needs to happen faster.
The Right Order for Securing Accounts
Most people’s instinct when they’ve been hacked is to change every password immediately. That’s actually a mistake—and it’s why a structured client account compromise response matters. Order is everything.
Email First, Always
The email account controls password resets for everything else. If the attacker still has access to email, they can intercept reset links for banking, brokerage, and every other account tied to that address.
Have the client change their email password immediately, then use the provider’s “sign out of all devices” option so any session the attacker still holds is closed. Then enable two-factor authentication. For clients who aren’t tech-savvy, explain it simply: “It’s a second lock on the door. Even if someone has your password, they also need a code from your phone to get in.”
But there are steps most people miss. Have the client review the mailbox settings an attacker can use to keep reading mail after the password changes: auto-forwarding (in Gmail, Settings > Forwarding and POP/IMAP; in Outlook.com, Settings > Mail > Forwarding), filters or inbox rules that forward, delete or archive messages, the recovery email address and phone number, and any third-party apps that have been granted access to the account. Attackers routinely set up forwarding so they keep receiving copies of the client’s email, or a filter that trashes everything from the brokerage so the client never sees the “new device” or wire confirmation alerts. These are among the most common persistence mechanisms, and they are invisible unless you look for them.
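As an added example (not part of the original guide, and not a tool from any email provider), here is a small Python script that audits the filter file Gmail produces from Settings > Filters and Blocked Addresses > Export. It parses that export format, an Atom feed whose apps:property elements mirror the filter form, and flags any rule that forwards mail to an unconfirmed address or that trashes, archives or marks as read messages about money movement, password resets or the client’s custodians. The embedded sample export is constructed for the example; the sensitive-term pattern, the institution domains and the script name are assumptions to tune for each client.

```python
"""Audit an exported Gmail filter file for rules an attacker may have planted.

Gmail exports every filter as an Atom/XML file (Settings > See all settings >
Filters and Blocked Addresses > Export). Each <entry> carries <apps:property>
elements whose names mirror the filter form: criteria such as "from", "to",
"subject" and "hasTheWord", and actions such as "forwardTo", "shouldTrash",
"shouldArchive" and "shouldMarkAsRead". Example code, not from the guide.
"""
import re
import sys
import xml.etree.ElementTree as ET
from dataclasses import dataclass

ATOM = "{http://www.w3.org/2005/Atom}"
APPS = "{http://schemas.google.com/apps/2006}"

CRITERIA = ("from", "to", "subject", "hasTheWord")
HIDE_ACTIONS = ("shouldTrash", "shouldArchive", "shouldMarkAsRead")

# Words that, paired with a hide action, suggest the rule exists to suppress
# alerts the client would otherwise see. Assumed pattern; tune it per firm.
SENSITIVE = re.compile(
    r"\b(wire|transfer|ach|password|verification|security|new device|sign-?in|statement)\b",
    re.IGNORECASE)

# Constructed sample export: one harmless filter, one attacker-style filter that
# trashes and forwards everything from the custodian (note the forward address
# chosen to look like the client's own), and one that hides wire/password mail.
SAMPLE_EXPORT = """<?xml version='1.0' encoding='UTF-8'?>
<feed xmlns='http://www.w3.org/2005/Atom' xmlns:apps='http://schemas.google.com/apps/2006'>
  <title>Mail Filters</title>
  <entry>
    <category term='filter'></category>
    <title>Mail Filter</title>
    <apps:property name='from' value='newsletter@example.org'/>
    <apps:property name='label' value='Newsletters'/>
    <apps:property name='shouldArchive' value='true'/>
  </entry>
  <entry>
    <category term='filter'></category>
    <title>Mail Filter</title>
    <apps:property name='from' value='schwab.com'/>
    <apps:property name='shouldTrash' value='true'/>
    <apps:property name='forwardTo' value='mrs.henderson.backup@example.net'/>
  </entry>
  <entry>
    <category term='filter'></category>
    <title>Mail Filter</title>
    <apps:property name='hasTheWord' value='wire transfer OR password reset'/>
    <apps:property name='shouldMarkAsRead' value='true'/>
    <apps:property name='shouldArchive' value='true'/>
  </entry>
</feed>
"""


@dataclass
class Finding:
    severity: str        # "high": remove now; "low": confirm with the client
    reasons: list[str]
    rule: dict


def parse_filters(xml_text: str) -> list[dict]:
    """Return one {property name: value} dict per filter entry in the export."""
    root = ET.fromstring(xml_text.strip().encode("utf-8"))
    return [
        {p.get("name"): p.get("value") for p in entry.iter(f"{APPS}property")}
        for entry in root.iter(f"{ATOM}entry")
    ]


def audit_filters(rules, allowed_forwards=(), institutions=()):
    """Return a Finding for every rule that forwards or hides mail.

    allowed_forwards: addresses the client confirms as their own.
    institutions: sender domains of the client's real custodians and banks.
    """
    allowed = {a.lower() for a in allowed_forwards}
    findings = []
    for rule in rules:
        reasons, severity = [], None
        forward = (rule.get("forwardTo") or "").lower()
        if forward and forward not in allowed:
            reasons.append(f"forwards matching mail to {forward}")
            severity = "high"
        hides = [a for a in HIDE_ACTIONS if rule.get(a) == "true"]
        if hides:
            criteria = " ".join(rule.get(k) or "" for k in CRITERIA).strip().lower()
            touchy = bool(SENSITIVE.search(criteria)) or any(
                d.lower() in criteria for d in institutions)
            reasons.append(f"hides mail matching {criteria!r} via {', '.join(hides)}")
            severity = "high" if touchy else (severity or "low")
        if reasons:
            findings.append(Finding(severity, reasons, rule))
    return findings


if __name__ == "__main__":
    # Pass the exported filters file as the first argument; defaults to the sample.
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_EXPORT
    for f in audit_filters(parse_filters(text), institutions=("schwab.com", "fidelity.com")):
        print(f"[{f.severity.upper()}] " + "; ".join(f.reasons))
```

Run it against the client’s exported file and walk through every HIGH finding with them before deleting it; a LOW finding is usually the client’s own housekeeping, but ask. Outlook.com has no equivalent export, so its rules are reviewed by hand in Settings > Mail > Rules; for a Microsoft 365 mailbox the administrator can list them with the Get-InboxRule PowerShell cmdlet.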
Then Financial Accounts
Once the email is secured, move to brokerage and bank accounts. Change passwords, using a unique password for each and never reusing one. Enable two-factor authentication, preferably app-based (such as Authy or Google Authenticator) or a hardware security key where the custodian supports it, rather than SMS, which can be intercepted through SIM swapping. Because SMS often remains the fallback even when an app is enabled, also have the client call their mobile carrier and add an account PIN or port-out lock so the number cannot be moved to an attacker’s SIM without it.
The Backdoors Most People Miss
Here’s something that isn’t in most client account compromise response guides: attackers often connect compromised accounts to third-party aggregation tools before they lose access.
Think about budgeting and net-worth apps, and the data aggregators that power them, such as Yodlee or Plaid. Once an account is linked, these tools keep pulling balances and transaction history even after the password changes, because the link is authorized separately from the login. The attacker creates a backdoor that persists through all your security improvements.
Have the client go to Security Settings > Third-Party Access (the exact location varies by platform) and revoke anything they don’t actively use. If they reconnect their legitimate budgeting app later, fine. But right now, close every door.
While you’re reviewing settings, check beneficiary designations. We’ve seen cases where attackers add themselves as contingent beneficiaries—it’s a long-game play, but it happens. Also, verify the trusted contact person on file hasn’t been changed to someone the client doesn’t know.
Beyond the Breached Accounts
Account compromise often leads to broader identity theft. The following identity theft recovery steps protect your client beyond the initial breach. The attacker who got into your client’s Schwab account probably saw 1099s, account statements, and enough personal information to cause problems far beyond that single account.
Credit Freezes Are Non-Negotiable
Have the client place credit freezes at all three bureaus. This is different from a fraud alert. A credit freeze actually blocks new account openings entirely. Fraud alerts just ask creditors to verify identity—and many don’t do it thoroughly.
Credit freezes are free to place and lift. The numbers:
Equifax: 800-349-9960
Experian: 888-397-3742
TransUnion: 888-909-8872
The FTC has detailed instructions if the client wants to do this online instead.
The Database Most People Forget
Here’s one that almost everyone misses: ChexSystems. This is the database banks use to approve new checking and savings accounts. If the attacker has your client’s SSN and enough personal information (which they probably do), they may try to open “mule” accounts at other banks to launder money.
Have the client place a ChexSystems security freeze as well.
Tax Fraud Prevention
If the attacker saw 1099s or tax documents in the compromised accounts, they have what they need to file a fraudulent tax return and claim a refund in the client’s name.
This is something we see wealth management clients overlook until tax season, when they try to file and discover someone already did. By then, it’s a months-long IRS dispute.
Have the client apply for an IRS Identity Protection PIN. Once they have it, the IRS won’t accept any tax return filed under their SSN without that 6-digit code.
Official Reports Create a Paper Trail
The client should file reports with:
IdentityTheft.gov — the FTC’s site creates an official Identity Theft Affidavit and personalized recovery plan
Local police (non-emergency line) — an official report helps dispute fraudulent accounts and is often required by banks
IC3.gov if significant fraud occurred — the FBI’s Internet Crime Complaint Center tracks cybercrime patterns and may help with fund recovery
These reports feel bureaucratic, but they create the paper trail needed to dispute fraudulent accounts, support insurance claims, and demonstrate due diligence.
Your Firm’s Responsibilities
Your client isn’t the only one with work to do. For RIAs, cybersecurity incident response extends beyond the client call—your firm has regulatory obligations and tools that can help.
FINRA Gives You Cover to Act
FINRA Rule 2165 provides a safe harbor for placing temporary holds on disbursements when financial exploitation is suspected. It covers “specified adults”: clients age 65 and older, or those 18 and older who the firm reasonably believes have a mental or physical impairment that leaves them unable to protect their own interests.
The rule allows an initial hold of up to 15 business days, extendable by 10 business days if the firm’s internal review supports it, and by a further 30 business days (55 in total) if the matter has been reported to a state regulator, adult protective services or a court. You need to document your reasoning and, within 2 business days, notify all parties authorized to transact on the account and the trusted contact.
This is a powerful tool. If you suspect the client is being exploited, or that an attacker is still trying to move funds, you can pause disbursements while everything gets sorted out. One caveat: Rule 2165 is a FINRA rule and applies directly to broker-dealers. A standalone RIA should confirm whether its custodian will honor a hold request under the rule and whether its state has adopted the NASAA Model Act to Protect Vulnerable Adults from Financial Exploitation, which gives advisers similar authority.
Use the Trusted Contact
FINRA Rule 4512 requires firms to make reasonable efforts to obtain trusted contact information for accounts. Now is when you use it.
Reach out to the trusted contact to help address the situation, verify that the client’s contact details haven’t been changed by an attacker, or confirm the client’s status if you’re having trouble reaching them.
Add Verification Requirements
Place a “verbal confirmation only” flag on the account. No money movements, address changes, or ACH link requests should be processed without verbal confirmation from the client at a phone number you already have on file.
This is manual and inconvenient. That’s the point. You’re creating friction that an attacker can’t easily overcome.
Regulatory Reporting
Broker-dealers must file a SAR (the SAR-SF form) for suspicious transactions of $5,000 or more, within 30 calendar days of detecting the activity, so determine promptly whether the incident triggers that requirement. The SEC’s 2024 amendments to Regulation S-P also require broker-dealers and investment advisers to maintain an incident response program and to notify affected individuals as soon as practicable, and no later than 30 days after becoming aware of a breach of sensitive customer information; compliance is required from December 2025 for larger firms and June 2026 for smaller ones. Make sure your compliance officer knows what happened.
The Follow-Up Matters
The crisis doesn’t end with that first phone call. Most victims spend around 100 hours resolving identity theft, with some cases taking up to 22 months.
Check In Within 48 Hours
Call the client to check on their emotional state. Fraud victims experience shock, anger, shame, and betrayal. These are normal responses to a crime. Acknowledge it.
Also, verify that all the security changes actually got completed. It’s easy for a panicked client to miss steps or get confused about what they did and didn’t do. Confirm: email password changed? Two-factor authentication enabled? Credit freezes placed?
Review for Quiet Changes
Attackers sometimes make changes that don’t trigger immediate alerts but set up future theft. Have the client check:
Beneficiary designations for new names
Mailing address changes
New linked bank accounts
Mail forwarding with USPS (attackers forward physical mail to intercept replacement cards)
Social Security account at SSA.gov to ensure no one has claimed benefits
Set Up Ongoing Monitoring
Help the client enable comprehensive account alerts: new linked accounts, wire requests, ACH changes, address updates, and new device logins. Most platforms offer these notifications, but they’re often not enabled by default.
Remind them about the brokerage security guarantees. Schwab and Fidelity both offer protections against unauthorized activity—but they typically require reviewing statements within 30 days, and they may not cover losses if the client voluntarily provided credentials to an attacker through phishing.
The Uncomfortable Truth About Prevention
Everything in this client account compromise response guide is damage control. Important damage control, but damage control nonetheless.
The uncomfortable truth is that most account takeover incidents are entirely preventable. They happen because someone reused a password that was leaked in another breach. Or because they clicked a phishing link. Or because they didn’t have two-factor authentication enabled. Or because their computer was running unpatched software.
At Adelia Risk, we see this pattern repeatedly with our clients. After the crisis is handled, after the accounts are secured and the credit is frozen and the reports are filed, there’s a conversation about what could have prevented all of this. The answer is almost always: basic digital hygiene that wasn’t being followed.
62% of Americans reuse passwords. Your clients are probably among them. And every data breach—from LinkedIn to Marriott to whatever gets disclosed next month—feeds a database of credentials that attackers use to try logging into financial accounts.
Account takeover prevention isn’t glamorous work. The real work isn’t responding to the crisis; it’s convincing clients to take security seriously before the crisis happens. That’s harder. It requires ongoing education, periodic check-ins about whether they’re using a password manager, whether two-factor authentication is enabled on their email, and whether they know how to recognize phishing.
It’s also not billable, not exciting, and easy to deprioritize when there are portfolios to manage and markets to discuss.
But it’s the difference between getting that panicked phone call and not getting it.
Get the Complete Client Account Compromise Response Guide
We’ve created a printable Client Account Compromise Response Checklist that covers every step in this guide. It includes the exact questions to ask during the call, the correct order for securing accounts, all the phone numbers for credit bureaus and reporting agencies, and a documentation template for your notes.
Keep copies at every desk so your team knows what to do when that call comes in.
Building Prevention Into Your Practice
Responding well to client account compromise is one part of an RIA cybersecurity program. But the more valuable work is building the client education and security practices that prevent these incidents in the first place.
If you’re thinking about how to make digital hygiene part of your client relationships—or how to build the broader cybersecurity program that SEC Regulation S-P now requires—we can help.
Learn about our Virtual CISO service for wealth management →