Remote Access Tools (RATs) can give criminals control of your devices

By sherry@reedcompanies.com | October 16, 2025

Schwab has identified a recent trend where fraudsters have been using Remote Access Tools (RATs) in combination with phishing attacks to compromise digital devices like mobile phones, tablets, laptops and desktops. These RATs are tools that are used for legitimate purposes—IT support for example. However, bad actors can abuse them to steal assets and data.

How a RAT-based attack works:

  1. First, the fraudster sends a phishing email with a link or attachment that appears legitimate.
  2. Once the victim clicks, the RAT is installed on that device without any notification to the user, and automatically connects to a remote server controlled by the attacker.
  3. At this point, the attacker can:
    • Steal sensitive data (passwords, financial details, etc.)
    • Monitor user behavior through keylogging and screen recording
    • Gain access to anything the user accesses using the infected device, which can include Schwab Advisor Center or Schwab Alliance. This online access can let them set up fraudulent trades and/or money movements.
  4. This type of attack is difficult to detect for many reasons, including:
    • The fraudulent activity is generated by a device that’s trusted by the user.
    • These attacks may use legitimate applications, so the problem may not show up in antivirus/malware scans.

Unlike many other scams, RAT-based attacks do not require interaction with a scammer or taking action to download malicious software—for that reason, these attacks can seem “invisible”. RAT-based attacks are versatile and difficult to detect, so they are particularly dangerous. Its important to look out for these red flags, for both your staff and your clients:

  • Clicking a link or attachment in a seemingly legitimate communication from a government department or trusted institution may appear to do nothing, Unfortunately, a RAT may have been installed with no other notification.
  • If your device suddenly displays a blue or black screen and a message like  “Do not turn off your computer. Computer is currently being scanned,” this may be a sign that a RAT attack is in progress. Immediately shut down the device, contact your IT professional and report the incident to Schwab or any other custodian whose platform you may have interacted with ASAP.
  • Watch for any account activity that does not align with a client’s typical investment behavior.

Real-world RAT attack scenarios

Client online account takeover
A client receives a text message that appears to be from their financial institution, asking them to verify account information by clicking a link. This phishing text directs the user to a spoofed website, a RAT is downloaded to the device, and then the bad actor uses the remote tool to gain access to the user’s online accounts to steal data or funds. The Schwab Security Guarantee may or may not be applicable for this type of loss—each incident will be reviewed on a case-by-case basis.

In case of suspected RAT infection:

  • Disconnect from the internet immediately. This prevents the RAT from communicating with the attacker. Contact your firms IT department immediately. Or, if your firm doesn’t have IT specialists, review and remove any apps on your device that you don’t recognize. Caution: If you are unsure or unable to identify and/or remove the RAT yourself, consult a cybersecurity expert as soon as possible.
  • If you are still unable to remove the software, consider factory resetting your device—this may be required to ensure complete removal of the RAT.
  • Assume your credentials have been compromised, but don’t change them until after you have successfully removed the RAT. Otherwise, the attacker may be able to discover and leverage your new credentials.

Take these steps today:

  • Close the browser window you use to access Schwab Alliance or other secure websites as soon as your session is over.
  • Discuss the limited view option for Schwab Alliance with your advisors—this view can help to prevent unauthorized money movements in the event of an account breach.
  • Be sure reputable antivirus/anti-malware software is active on each device you use.
  • Avoid clicking on unknown or unsolicited links or attachments.
  • To avoid landing on spoofed websites, type its full URL into your browser’s address bar, and then add it as a favorite for your convenience later.
  • Remove recently downloaded applications that you do not recognize.
  • Add unique, strong passwords to your Schwab accounts, and consider the use of a password manager.
  • Take advantage of advanced security features, such as multi-factor authentication, and biometrics.
  • Keep devices updated and patched.

Remember: Report any suspicious activity and unauthorized transactions by contacting Schwab Alliance immediately at 800-515-2157.

Resources
For more information on Phishing schemes and other fraud tactics, please visit the Cybersecurity Resource Center > Fraud Prevention in Schwab Advisor Center.

Fraud Prevention:
Public site: https://advisorservices.schwab.com/navigating-risk-regulation/cyber-security

Posted in October 2025