facebook twitter instagram linkedin google youtube vimeo tumblr yelp rss email podcast phone blog search brokercheck brokercheck Play Pause
Digital Security, AI, and Fraud Prevention Thumbnail

Digital Security, AI, and Fraud Prevention

In The News Retirement

During a recent meeting, one of our clients asked an excellent question: if Schwab were hacked or even “wiped out” by scammers using AI, what would actually happen to their accounts? It is a fair question, and one that is becoming more relevant as cyber threats become more sophisticated.

The short answer is that there are multiple layers of protection. If a major custodian like Schwab were ever to fail, client protections generally come from three places: how client assets are legally held, SIPC protection and additional excess insurance, and the custodian’s own fraud and security safeguards.

Schwab is one of the largest custodians in the country, operating in a heavily regulated environment with strict rules about how client assets must be handled. Your securities, such as stocks, bonds, mutual funds, and ETFs, are held separately from the custodian’s own assets and are not available to Schwab’s creditors if the firm were ever to fail.

If a brokerage firm becomes insolvent and customer cash or securities are missing, the Securities Investor Protection Corporation, or SIPC, steps in. SIPC is a nonprofit entity created by Congress to help restore customer cash and securities when a SIPC-member brokerage fails financially. It does not protect against market losses, poor investment performance, or a decline in the value of your portfolio.

SIPC coverage is generally up to $500,000 per separate capacity at a brokerage, including up to $250,000 for cash within that amount. For example, your individual taxable account, a joint account with your spouse, and an IRA might each be treated as separate capacities under SIPC’s rules, so each of those categories could have its own $500,000 protection limit at the same firm.

Because many clients have balances that exceed those amounts, large custodians often purchase additional private insurance called excess of SIPC coverage. This excess insurance does not replace SIPC. It sits on top of SIPC and may help cover remaining shortfalls above the SIPC limits if customer assets are still missing after the firm’s assets and SIPC protections have been applied.

That point is important because it helps answer the original question more directly. In a true firm-failure scenario, the main concern is usually not permanent loss of all your investments. The more likely concern is disruption, delays, and the process of reconciling and restoring access to accounts. The combination of asset segregation, SIPC, and excess insurance is designed to protect against a total loss of custody assets if a brokerage fails and some customer property is missing.

It is also helpful to distinguish firm failure from account-level fraud. SIPC protection applies when a brokerage firm fails and customer assets are missing. It does not apply to ordinary unauthorized trading, phishing, or cyber theft if the firm itself remains solvent. Those situations are typically addressed through the custodian’s own fraud protections, internal investigations, security guarantee, and other applicable legal protections.

Schwab publicly states that its Security Guarantee covers losses in Schwab accounts due to unauthorized activity, provided clients take reasonable precautions such as safeguarding credentials and promptly reviewing and reporting suspicious transactions. That is why personal security habits still matter so much, even when institutional safeguards are strong.

Artificial intelligence is part of why this topic is getting more attention. AI can help criminals create more convincing phishing emails, fake websites, and even voice clones that sound like someone you know. One example is a family emergency scam, where a retiree may receive a panicked phone call that sounds like a child or grandchild asking for money immediately.

The FTC, which stands for the Federal Trade Commission, has warned consumers about these AI-enhanced scams. The FTC is the federal agency responsible for protecting consumers from unfair, deceptive, and fraudulent practices, and its guidance is straightforward: do not trust the voice alone and ALWAYS verify the story using a phone number you already know is real.

This is also why MFA and 2FA matter. MFA means multifactor authentication, and 2FA means two-factor authentication. In simple terms, both refer to using more than just a password to log in, such as a one-time code, authentication app, or other second verification step. It can feel inconvenient, but that added step is one of the best ways to make it much harder for someone else to access your account, even if they somehow obtain your password.

Social Security offers a useful example of how seriously institutions are taking identity verification. To create or access a Social Security account, users now work through Login.gov or ID.me, which are credential providers used to verify identity more securely and meet government standards for account protection. That is a sign of where the broader security environment is headed: more verification, more layers, and less reliance on a password alone.

A few practical habits can go a long way:

  • Use strong, unique passwords for important accounts.
  • Turn on MFA/2FA wherever it is offered.
  • Be skeptical of urgent messages involving money movement or account changes.
  • Avoid clicking on unexpected links or attachments.
  • Verify requests using a phone number or website you already know is legitimate.
  • Report suspicious activity quickly, since timely reporting can matter for available protections.

For retirees especially, one of the best safeguards is simply slowing down. If something feels urgent, emotional, or slightly off, that is often the moment to pause rather than respond. A quick check with a family member, advisor, or trusted contact can be the step that prevents a costly mistake.

The takeaway is that a dramatic, Hollywood-style scenario in which a large custodian is simply “wiped out” and client assets disappear forever is not how the system is designed to work. The real risk is more often disruption or individual account fraud, which is exactly why both institutional protections and personal security habits matter so much.