In early January, Megan Tong lost around $70,000 after hackers logged into one of her self-directed investment accounts, cashed in all her holdings and briefly bought and sold tens of thousands of dollars worth of two Chinese stocks.
But Ms. Tong’s discount brokerage, Questrade Financial Group Inc., has declined to reimburse her for most of the loss, saying it didn’t result from a breach of its system. Instead, the company has described the hack as a likely phishing attack, which isn’t covered by its online security guarantee.
Ms. Tong, a 38-year-old Toronto-based chartered professional accountant with experience in information technology audits, was shocked by Questrade’s response.
“It was extremely jarring for so many reasons – just knowing that my money wasn’t safe in there the whole time, that this guarantee on their website, which is very prominent on their website, is literally nothing,” she said.
Yet, when Ms. Tong took a complaint against Questrade to the Ombudsman for Banking Services and Investments, or OBSI, the independent dispute-resolution body did not hold the brokerage responsible, she said.
The case highlights the growing risk faced by consumers whenever more sophisticated fraudsters steal their credentials, a scenario in which current rules often leave victims to pick up the entire bill.
Questrade declined to comment on Ms. Tong’s experience, citing privacy concerns.
You were targeted in a scam. Is your bank liable for the losses?
The company remains committed to protecting customers from “increasingly sophisticated cyber and fraud threats that use phishing or social engineering,” spokesperson Praneil Ladwa said via e-mail, adding that the firm continues to invest in educating customers about how to protect themselves against online threats.
But Ms. Tong is quick to point out she’s far from a typical victim of online fraud. In addition to her work on IT audits early in her career, she also received extensive training in personal cybersecurity when she subsequently joined a financial planning company.
Ms. Tong had two-factor authentication activated on her account. She kept her log-in information safe and never shared it with anyone, she said. To this day, she does not know how the hackers obtained her log-in credentials.
More importantly, she said, Questrade should have done more to block the fraudsters after they’d broken into her account.
On Jan. 8, the company detected two log-ins into Ms. Tong’s account that occurred within minutes of each other from devices the system did not recognize, according to a summary of Questrade’s investigation viewed by The Globe and Mail. In both cases, the company sent Ms. Tong an email and a text message notification saying she should change her credentials and contact customer service if she didn’t recognize the two access requests, documents reviewed by The Globe show.
Ms. Tong said she had logged in once that day to check her account, though she did not add a new trusted device.
The unauthorized trades happened two days later, the afternoon of Friday, Jan. 10. That’s when the fraudsters sold all the investments in her margin account – broad-based, low-fee exchange-traded funds, or ETFs, worth around $130,000, according to the investigation.
Top OSC officials say they are witnessing a surge in online scams and fraud
With a margin loan in U.S. dollars, the hackers also bought, and then quickly sold, thousands of shares of YXT.com Group Holding Ltd., a technology company based in Suzhou, China. They also purchased and sold stocks of Pheton Holdings Ltd., though they left 13,500 of those shares in the account.
All the trades occurred in the span of one-and-a-half hours. Within the following two hours, Questrade froze the account and tried unsuccessfully to contact Ms. Tong by phone, leaving a voicemail that urged her to call customer service.
The company made four more attempts to reach her the following Monday, leaving three voicemails.
Ms. Tong said she didn’t notice the calls, in part because her phone was inundated with spam calls on Jan. 10, and also because several of Questrade’s calls appeared as 1-866 numbers she didn’t recognize.
It wasn’t until Jan. 15 that she realized her account had been hacked.
Two weeks later, Questrade informed Ms. Tong that it had concluded its investigation and would not be covering the losses.
After Ms. Tong filed an internal complaint, the firms offered to pay back US$6,885 ($9,260). The sum is equivalent to the losses she incurred between a Jan. 17 phone call in which a Questrade representative incorrectly told her the firm would reimburse her for the unauthorized activity and the date – 10 days later – when she was given an opportunity to sell the Chinese stocks that remained in her account.
Scammers are using AI to create convincing deepfakes, and authorities are using it to catch them
Ms. Tong rejected the offer because it required signing a release and confidentiality agreement, which would have limited her from speaking about her experience publicly, she said. Instead, she took her complaint to OBSI.
The ombudsman declined to comment on the case, citing the confidential nature of its dispute resolution process.
Ms. Tong argues Questrade should have halted the unauthorized trades before executing them since the activity was highly unusual given her track record of holding broad-based ETFs.
She also questions why the brokerage offered her a margin account, which allows investors to borrow against their portfolio, when she said she told the company she had no intention of using leverage. (Questrade did not address a question about margin accounts when contacted by The Globe.)
At FAIR Canada, a national organization that champions the interests of individual investors, executive director Jean-Paul Bureaud said the idea of freezing suspicious trades is tricky for investment firms.
Credit card companies routinely block purchases that appear out of character, but holding up a financial trade is a different matter, Mr. Bureaud said. With prices constantly changing in the market, customers could lose money because an investment dealer delayed what looked like a suspicious transaction.
The client could then demand that the broker compensate them for the loss, if the trade was legitimate, he added.
One way to protect consumers could be the creation of a public fund to reimburse victims of fraud, Mr. Bureaud said.
Currently, Quebec is the only province that runs a similar compensation fund for the financial services industry. Eligible victims can claim up to $200,000, although the program only covers losses tied to fraud committed by financial professionals.
Mr. Bureaud said FAIR Canada is currently reviewing the idea of creating a fund for investors who are victims of fraud.
“Trying to deal with fraud,” he said, “is a shared responsibility.”
