A new scheme where fraudsters use legitimate Remote Access Tool (RAT) software, combined with social engineering and phishing tactics to take control of victims' devices is on the rise. With this access, it's alarmingly easy for these criminals to take over online accounts and steal assets and data. Unfortunately, RAT attacks continue to rise. Recent cases have started with phishing emails or texts—typically messages disguised as E-vites, Zoom links, invoices, or communications that appear to be from trusted sources, including the Social Security Administration, Medicaid, or Schwab. How a RAT-based attack works: First, the fraudster sends a phishing email with a link or attachment that appears legitimate. Once the victim clicks the link or attachment, the RAT is installed on that device without any notification to the user and automatically connects to a remote server controlled by the attacker. At this point, the attacker can: Steal sensitive data (passwords, financial details, etc.) Monitor user behavior through keylogging and screen recording Gain access to anything the user accesses using the infected device, which can include Schwab Advisor Center or Schwab Alliance. This online access can let them set up fraudulent trades and/or money movements. This type of attack is difficult to detect for many reasons, including: Fraudulent activity is generated by a device that's trusted by the user. These attacks may use legitimate applications, so the problem may not show up in antivirus/malware scans. Unlike many other scams, RAT-based attacks do not require interaction with a scammer or taking action to download malicious software; for that reason, these attacks can seem "invisible". RAT-based attacks are versatile and difficult to detect, so they are particularly dangerous. It's important to look for these red flags: Clicking a link or opening an attachment in what appears to be a legitimate communication from a government agency or trusted institution might seem harmless. However, a Remote Access Tool (RAT) could have been silently installed without any notification. If your device suddenly displays a blue or black screen and a message like "Do not turn off your computer, computer is currently being scanned," this may be a sign that a RAT attack is in progress. Immediately shut down the device, contact your IT professional and report the incident to Schwab or any other custodian whose platform you may have interacted with ASAP. Watch for any account activity that does not align with a client's typical investment behavior. Real-world RAT attack scenarios: Example #2: Client online account takeover A client receives a text message that appears to be from their financial institution, asking them to verify account information by clicking a link. This phishing text directs the user to a spoofed website, a RAT is downloaded to the device, and then the bad actor uses the remote tool to gain access to the user's online accounts to steal data or funds. The Schwab Security Guarantee may or may not be applicable for this type of loss—each incident will be reviewed on a case-by-case basis. In case of suspected RAT infection: Disconnect from the internet immediately. This prevents the RAT from communicating with the attacker. Contact an IT specialist immediately. Review and remove any apps on your device that you don't recognize. Caution: If you are unsure or unable to identify and/or remove the RAT yourself, consult a cybersecurity expert as soon as possible. If you are still unable to remove the software, consider factory resetting your device—this may be required to ensure complete removal of the RAT. Assume your credentials have been compromised, but don't change them until after you have successfully removed the RAT. Otherwise, the attacker may be able to discover and leverage your new credentials. Take these steps today: Get On The Defensive: Configure a firewall to block unauthorized network access. Do not share your personal account information with others. Monitor accounts by regularly reviewing your Schwab money movement and trading activity alerts. Watch for unusual network activity that could indicate a RAT's presence. Protect Your Schwab Login: Do not access Schwab from an unsecure network. Utilize a Virtual Private Network (VPN). Log out when your session is over. Enable two factor authentication. Remember: Report any suspicious activity and unauthorized transactions to Schwab immediately. Tips: Close the browser window you use to access Schwab Alliance or other secure websites as soon as your session is over. Discuss the limited view option for Schwab Alliance with your advisors—this view can help to prevent unauthorized money movements and trading activity in the event of an account breach. Be sure reputable antivirus/anti-malware software is active on each device you use. Avoid clicking on unknown or unsolicited links or attachments. To avoid landing on spoofed websites, type its full URL into your browser's address bar, and then add it as a favorite for your convenience later. Remove recently downloaded applications that you do not recognize. Add unique, strong passwords to your Schwab accounts, and consider the use of a password manager. Take advantage of advanced security features, such as multi-factor authentication, and biometrics. Keep devices updated and patched. Remember: Report any suspicious activity and unauthorized transactions by contacting Schwab Alliance immediately at 800-515-2157.

Fraud at the front door: Scammers are appearing at victims' physical addresses — how to protect yourself

Schwab has identified a new twist on the "smishing" fraud threat which is being used by fraudsters hoping to capitalize on market volatility and investor emotion to steal funds and data. This version begins when a client receives a text message prompting them to "verify a transaction"—clicking the link leads the investor to a fraudulent website that mimics Schwab's login page, where they are prompted to enter their credentials. Once the credentials have been entered, the fraudsters use them to access Schwaballiance.com. The fraudulent website may also prompt the client to enter a two-factor verification code that they would automatically receive from Schwab, which once submitted allows the fraudster to complete the login process. Once they have access, the fraudster will then change the security token on the account so that it points to a device in the hands of the criminals, instead of the client's own device. At this point, the client is effectively locked out of the account, and the fraudster can begin initiating wire transfers that rapidly drain assets from the account. What to do: Verify the legitimacy of transaction requests prior to taking any action. This can mean, logging into your Schwab account via you normal browser, do not click on the link texted to you. You can also reach out to our office to verify the legitimacy. Monitor accounts closely for any unusual activity. Be on the lookout for client-initiated transactions and for unusual beneficiary account features, such as long or otherwise strange-looking account numbers. Report any unusual activity to us or Schwab immediately. Reminders: Do not click on links or attachments received via text message. Instead, visit the official Schwab site by typing the URL into your web browser manually. Or utilize Schwab's mobile application. Do not enter Schwab credentials or other information into a page reached by clicking a link. The same applies to phone numbers received via text message. Use a verified number you've used in the past. Double check that the URL provided is not a subtle variation of the real one. Stay calm and verify using official verified channels. If you suspect a smishing attack, you should follow these steps: Take a screenshot of the text and forward it to phishing@schwab.com (Be sure the phone number is visible). Delete the text message. If you clicked on the link, you should stop logging into their online accounts and immediately run an anti-virus/malware scan and remove anything identified in that scan. Next, verify the operating system on the device is updated, and then change all relevant passwords. We strongly encourage all clients to add security measures to their Schwab accounts, such as two-factor authentication and verbal passwords, which can help to secure against these attacks. Additionally see our guide to better protect you account: 10 simple tips to protect your Schwab account. Be sure to report any suspicious or fraudulent activity in your accounts as soon as possible, especially if you entered your Schwab credentials into a fake website.