On Monday at 7:16 p.m. EDT, a weird email hit my inbox. Robinhood (HOOD), the online brokerage that has shaken up retail investing, told me it had approved an account in my name. A second email the next day urged me to link my bank account to Robinhood so I could trade my first stock.
This was strange because I’ve never contemplated trading individual stocks. Sure, I work for a news site with a large audience of retail investors, but I’ve never been part of those ranks. While initially I thought scammers had spoofed a Robinhood email address, the message seemed legitimate. And in fact, it was — I soon learned somebody had created a Robinhood account using my Social Security number and date of birth.
Despite the fact that my own colleague, Dan Howley, has written that virtually everybody has already been hacked, I was shocked. I could understand why somebody might open a credit card in my name, or why they might want to drain my bank account. But why would somebody masquerade as Erin Fuchs among Robinhood’s throngs of retail traders?
“Why would somebody want to use your information to open up a Robinhood account? It’s to cover their tracks,” Eva Velasquez, the president and CEO of the Identity Theft Resource Center, told me this week. “The most likely intent behind it is for money laundering. They can use that account to launder other money and it can’t be traced back to them because it’s in your name.”
Indeed, CNBC reported in March that fraudsters were stealing COVID-19 relief funds and then dumping the cash into online investment platforms like Robinhood, TD Ameritrade, E-Trade, and Fidelity. Those accounts, CNBC reported, were opened using stolen identities.
Fortunately, I spotted the Robinhood fraud before the new account could be connected to a bank account. When I saw the email notifying me of my “new account,” I went online to try to figure out how to alert Robinhood that I’d never opened one up. Unable to find a quick way to contact a human who could help me, I turned to the most powerful tool at my disposal — my job as a journalist. I found Robinhood’s media email address and identified myself as a journalist with a question about my Robinhood account.
A corporate communications manager emailed me 12 minutes later to say he was on the case. Later that evening, on my way back from outdoor drinks with my best friend, I got a sobering email. A Social Security number and date of birth were used to set up a Robinhood account in my name.
“It is possible that your personal information has been compromised,” the email said, apologizing to be the bearer of bad news. “It’s also possible that someone with your name entered the wrong email address.”
Which was it? Years of self-Googling made me well-aware that other Erin Fuchses existed. Had Erin Fuchs the optometrist or Erin Fuchs the realtor tried setting up a Robinhood account and forgot to include a middle initial in their email address? Or was it fraud?
“Thanks for this. Curious about whether the date of birth and SSN match my own,” I wrote back.
The PR guy had Dan from their security team call me right away just as I was getting off the subway. I gave Dan my date of birth. I gave him the last four digits of my Social. Both matched the account that had been set up in my name. In a soothing voice, Dan outlined everything I should do to protect my identity, starting with putting fraud alerts on my credit report. I walked home from the subway in a daze and made a list of everything to do, from notifying the credit bureaus to alerting my bank and mobile phone provider.
My wife also sprang into action and enrolled in the Identity Guard Ultra Family Plan. After I made my way through my identity theft to-do list, I logged onto Identity Guard. A dark-web nightmare awaited me. The site identified 35 instances of my information being out on the “historical dark web,” and I briefly panicked.
Thankfully, most of these bits of data for sale were actually passwords I’d long changed or had no use for anymore. In one instance, hackers had obtained my MySpace account log-in during a massive 2016 hack. Remember MySpace? There was one password that got scooped up in a 2013 Adobe breach. Among the 35 instances, I couldn’t find any passwords I was still using.
Still, an identity thief had obtained my Social Security number, date of birth, and email address, and convinced Robinhood to open up a new account in my name. How could this happen?
“There have been a lot of data breaches in the past three to five years,” says Eric Chan-Tin, an associate professor of computer science at Loyola University Chicago. “Hackers could be sitting on a huge amount of personal information.”
With so many data breaches, experts believe that virtually everybody has been a victim at some point. As Velasquez, of the Identity Theft Resource Center, put it: “The state of data breaches has us pretty confident that everybody’s Social Security number has been compromised in one way or another.”
Of course, consumers can take steps to protect their personal information. They can use long, unique passwords and, most importantly, put a permanent freeze on their credit reports so fraudsters can’t open new accounts. They can also make sure they don’t manage all of their accounts on one computer, suggests Marie-Helen Maras, a cybersecurity expert and associate professor at the John Jay School of Criminal Justice.
But, she noted, “Not everybody can afford having more than one computer.”
That point gets to a larger problem with data security in the U.S.: It is up to the consumer to protect themselves, and not everybody has the resources or the wherewithal to do so. For now, I’m going to keep that freeze on my credit reports. As Maras told me, “It is really the only protection you have.”
I reached out to Robinhood for comment on how prevalent identity theft is on its platform and whether it’s taking additional steps to stop such theft. I did not receive a response before publication.
Erin Fuchs is deputy managing editor at Yahoo Finance.