Investor Cyber Safety / Fraud

Investor Cyber Safety Checklist

CA Nikhil Gupta·June 2026·3 min readInvestor Cyber Safety / Fraud

Investment accounts can be stolen without stealing the securities first—credentials, APIs and linked email may be enough to create loss.

Quick View

Decision

Reduce account attack paths and prepare a response plan before suspicious activity occurs.

First action

Bookmark official websites.

Core proof

Login and device alerts.

Main risk

Remote-access requests.

Why It Matters

Use only official broker, depository, AMC and registrar applications or websites. Search advertisements and forwarded links can imitate genuine domains.

Strong unique passwords, secure email, device locks and multi-factor authentication reduce risk. OTP, PIN, TPIN and remote-access control should never be shared with support callers.

API keys and third-party trading applications can authorise sensitive actions. Revoke unused access and understand what the application can read or execute.

Decision Framework

AreaWhat to assessInvestor rule
IdentityOfficial domain and app publisher are verified.Avoid search-ad links.
AuthenticationUnique credentials and MFA are enabled.Protect linked email.
AccessAPI, device and third-party permissions are reviewed.Revoke unused access.
MonitoringTrade, login and fund alerts are active.Respond immediately.

Action Checklist

  1. Bookmark official websites.
  2. Use a password manager and MFA.
  3. Secure email and SIM.
  4. Review API permissions.
  5. Enable transaction alerts.
  6. Keep broker and cybercrime contacts ready.

Practical Example

An investor shares a remote-access code with a caller claiming to be broker support. The caller resets email access and initiates unauthorised transactions before the investor notices.

Evidence to Keep

  • Login and device alerts.
  • Broker and depository statements.
  • API and application permission list.
  • Suspicious messages and caller details.
  • Bank and broker complaint references.
  • Cybercrime report and timeline.

Warning Signs

  • Remote-access requests.
  • Urgent KYC links.
  • APK files sent through chat.
  • Shared OTP or TPIN.
  • Unknown API applications.

How to Analyse

Contain quickly: contact the broker and bank, change credentials from a clean device, revoke APIs, secure email and SIM, and report financial cyber fraud.

Preserve evidence before deleting messages or resetting devices. Recovery and investigation depend on accurate timestamps and records.

The investor should record the product, entity, amount, expected return source, maximum credible loss, liquidity, cost, holding period and exit route before transferring money. A decision that cannot be explained without a price target or influencer claim is not yet an investment thesis.

Regulations, product terms, charges, taxes and complaint procedures can change. Use the latest official document and the investor’s actual statement rather than an old screenshot or generic online table.

Investor Safety Test

First verify the legal entity and regulated role. A familiar brand, app-store listing, social-media badge or celebrity does not prove that the person receiving money is the registered intermediary.

Second verify the money and asset trail. Payment should move through the appropriate regulated account, and the investment should appear in an independent contract note, depository statement, folio record or lawful product report.

Third compare return with the risk that produces it. High yield, rapid profit, leverage, illiquidity, concentration and complex valuation are not separate from return; they are often the reason the expected return looks attractive.

Fourth preserve evidence. Statements, product documents, risk disclosures, communications, ticket numbers and complaint acknowledgements should be stored outside the app or platform being disputed.

Finally, separate a disappointing market outcome from fraud, mis-selling, unauthorised activity or service failure. The correct complaint route and available relief depend on that distinction.

Deeper Review

The review should use the same transaction or holding population across all evidence. For this topic, the main areas are identity, authentication, access, monitoring. If the app, contract note, depository statement, factsheet and tax record describe different positions, the investor should resolve the difference before taking another action.

Suitability has two layers: product risk and household capacity. A product can be lawful and accurately disclosed yet still be unsuitable for money needed for education, emergencies, near-term housing or debt repayment.

The investor should separate price volatility from permanent loss. Temporary market movement, issuer default, fraud, forced sale, liquidity failure and excessive cost require different controls and complaint routes.

Every review should end with a written action: hold with a stated reason, reduce concentration, seek clarification, stop further transfers, preserve evidence or escalate through the regulated entity and official platform.

Do not send a verification, tax, margin or withdrawal payment merely because a platform displays a larger balance. Independently verify the entity and beneficiary through official records.

Rapid reporting matters. Contact the bank or broker, secure credentials and preserve timestamps while also using the appropriate cybercrime or securities-market complaint channel.

Frequently Asked Questions

Should broker support ask for OTP or TPIN? â–¼
Sensitive authentication credentials should not be shared with callers or chat agents.
Are app-store apps always safe? â–¼
No. Verify the publisher and official intermediary link.
What are API risks? â–¼
Authorised third-party applications can read data or place orders depending on permissions.
What should happen after unauthorised activity? â–¼
Notify the broker and bank immediately, secure accounts and use official cybercrime reporting.