The Investment Dealers Association of Canada’s Enforcement Department has received information from several sources that unauthorized persons have gained access to clients’ online trading accounts. Exactly how this is accomplished is not yet known. We believe this could be done through one of several methods.
One theory is that the client’s personal access information is being discovered through a computer virus on the client’s home computer. The suspected virus monitors the client’s keystrokes and forwards the information on to individuals who then use the information or pass it on to others.
The other theory is that access information is being obtained from the client through a process known as “phishing”. Most “phishing” is accomplished by an e-mail purporting to be from the firm that asks the client to assist with a security issue by providing their name, account number, password and other information necessary to access the accounts. The “phishing” e-mails usually adopt or rely upon corporate logos and information derived from the Member firm’s Web site.
An alternative to phishing e-mails is the use of pirate Web sites that are set up to appear similar to the Member firm’s own Web site. In rare instances, the corporate Web site is compromised and clients are moved sideways to the pirate site. When clients attempt to log in, the information is captured on the pirate site and, as a result, the client unknowingly gives up their information. The client may never know that they are no longer on the legitimate Web site.
At this point in time, there is no confirmation as to the method used to obtain client access information. There is also no suggestion that the security of member firms’ online systems has been compromised. It appears that clients may have inadvertently given up the information to the persons who subsequently hijack the individuals’ accounts.
Once the clients’ personal identities and passwords are compromised, the perpetrators are able to access the clients’ accounts and execute trading instructions. In the instances reported to the IDA, client portfolios were sold out. The credit was then used to place buy orders for specific securities listed on the OTC Bulletin Board or Nasdaq pink sheets. It appears the purpose of such activity was to manipulate the price of shares in the issuer.
In some instances, the trades were settled before the clients were even aware that there had been an online breach of their account. Firms are now receiving client complaints concerning these unauthorized activities.
Investors who have online accounts should be aware of this risk. Clients should contact their firm regarding any unusual activities in their account.
Unauthorized persons gain access to IDA firms’ clients’ accounts
Suspected virus or "phishing" e-mails most likely culprits
- By: IE Staff
- August 24, 2006
- 10:03