Unauthorized trading is when buy or sell orders show up in your demat account without your consent. It usually happens after credentials are stolen, after an investor shares login details with someone promising risk-free profits, or because a broker misuses client securities. Most cases are preventable, and SEBI rules now offer real recovery paths if you act fast.
Every few weeks someone writes in saying their account has trades they never placed: sometimes ₹20,000, sometimes a few lakhs. The first message is always the same: "Is this fixable? Can I recover it?" The honest answer is yes, often, but only if you understand what just happened and act within hours, not days.
Short answer. The four common attack paths are account-handler scams, phishing & SIM-swap credential theft, broker-level misuse of client securities, and Power-of-Attorney abuse. The defences are the same in every case: proper 2FA, SMS alerts on every transaction, monthly statement reviews, and freezing any account you're not actively using.
Demat Account vs Trading Account — What Actually Gets Hacked?
Beginners often use these two terms interchangeably, but they're different things. The distinction matters when fraud happens, because the attacker usually targets one and the damage shows up across both.
Where orders are placed
This is the broker's app or website you log into to buy and sell. Zerodha Kite, Groww, Upstox, ICICI Direct. That's a trading account. Most credential-theft attacks land here, because this is the door with the password on it.
Where shares are stored
This is the digital locker, held with NSDL or CDSL through your DP (Depository Participant, the company that holds the demat account, like a bank holds a savings account). When you take delivery of a share, this is where it lands.
Here's the practical bit. In most fraud cases the attacker breaks into the trading account and places trades from there, but the damage shows up in both: your trading-account ledger (the cash debited) and your demat statement (shares moved in or out). Always check both when investigating.
The Four Ways Unauthorized Trades End Up in Your Account
Almost every fraud case I've seen falls into one of four buckets. On the surface they look very different. One is a polite WhatsApp message, another is a billion-rupee corporate scandal. The underlying mechanic is identical, though: somebody gets between you and your account, and starts placing orders.
Let me walk you through each one, because the defence depends on which path is being used against you.
A stranger offers to trade for you and promises risk-free profits. You hand over your login. They run your money into the ground.
Credentials get stolen through a fake page, a malicious APK, or a SIM-swap attack that hijacks your OTPs.
The broker itself misuses client securities, pledges your shares to borrow money, runs trades through your account, or both.
A stale or over-broad PoA signed years ago lets an intermediary execute trades you never authorised.
The "Account Handler" Scam
This is the freshest, fastest-growing variant, and SEBI issued an official alert about it: Press Release No. 14/2026 dated 26 February 2026. Worth reading the actual release if you have ten minutes.
The pitch lands in your DMs, on a WhatsApp group, or as an Instagram reel. Someone calling themselves an "expert", a "PMS provider" (Portfolio Management Services), or a "professional fund manager" offers to handle your demat and trading account for you. They show you screenshots of trades they've supposedly run for other clients. The promise is some version of guaranteed profits, you keep most of it, I take a small share.
The catch is that they need your login credentials to "operate" the account. Once you share them, here's what actually happens, straight from the SEBI release.
The fraudsters require investors to share their trading account credentials and key in trades by operating these accounts. Profits or losses are credited or debited to the investor's account, but losses are not shared by the fraudsters.
— SEBI Press Release No. 14/2026
Read that carefully. They share the upside. You absorb the downside. And because none of these "account handlers" are SEBI-registered intermediaries, they don't fall under SEBI's regulatory purview at all, meaning when the inevitable losses come, there is no easy regulatory recourse.
The simplest way to spot this scam is the promise itself. There is no risk-free return in the equity market. Anyone offering one is either a fraudster or doesn't understand what they're selling. Both are bad reasons to give them your password.
Path 2 · Phishing, Fake Apps, and SIM-Swap Attacks
This is the boring, technical variant, and the one most beginners underestimate, because the attack arrives looking like routine communication.
You get an SMS that says your KYC is expiring, or your demat account will be frozen unless you "verify" within 24 hours. Click the link. It opens a page that looks identical to your broker's login.
Enter your username, password, OTP. Now the attacker has all three, in real time.
SIM swap is the meaner cousin. The attacker convinces your telecom operator to issue a duplicate SIM for your number, usually using forged ID documents. Your phone goes silent.
Their phone now receives every OTP your broker sends. From their side, the login is "legitimate": the OTP went to your registered number.
The defence is two-layered, and both layers are now mandatory under SEBI rules.
Door with one lock
If your credentials get stolen (and millions are leaked every year through unrelated breaches), your account is fully open. The attacker doesn't need to be smart, just patient.
Door with deadbolt + alarm
Authenticator app generates a fresh code every 30 seconds. Even with your password and your phone number, the attacker can't get in. SMS alert lands the moment a trade is placed, so you see anything that slips through.
In June 2022, the exchanges, in consultation with SEBI, clarified that brokers must implement two-factor authentication for every client login on internet-based and mobile/wireless trading platforms, with a deadline of 30 September 2022. The two factors must come from different categories: a password plus a PIN doesn't count, because both are "things you know". A password plus a TOTP (the rotating code from an app like Google Authenticator, Microsoft Authenticator, or Authy) does count, because the second factor is "something you have".
If your broker's setup still lets you log in with just a password and an SMS OTP, ask them about TOTP. SMS-OTP is the weakest second factor, because that's exactly what SIM swaps target. A TOTP code is computed on your device from a secret that never travels over the phone network, so there is no SMS to intercept.
Path 3 · Broker-Level Fraud — The Karvy Lesson
This one is harder to defend against, because the threat isn't a stranger on WhatsApp. It's the broker you opened the account with. The textbook example, and the reason many of the rules in your demat account exist today, is Karvy Stock Broking.
Between roughly 2013 and 2019, Karvy quietly transferred client securities into a pool account it controlled, then pledged those shares to banks and NBFCs as collateral for its own borrowings. Clients had no idea. They kept getting their statements, watching their holdings, planning their portfolios. Meanwhile their shares were sitting as someone else's collateral.
When SEBI finally caught it, the regulator did move quickly to protect retail investors, directing the depositories to return pledged shares to about 82,000 of the affected accounts before the lenders could claim them. The Securities Appellate Tribunal later ruled against the lenders, and the National Stock Exchange formally expelled Karvy in November 2020, declaring it a defaulter.
The structural fix matters more than the punishment, because it changed the rules for every broker.
In June 2019, SEBI replaced the old pooled-account system with segregated client accounts. Brokers are now barred from creating pledges on these accounts. Then in 2020, SEBI moved to a margin-pledge / re-pledge system, where pledged securities stay in the client's name with a clear, traceable lien, visible all the way through broker, clearing member, and clearing corporation. Your shares no longer leave your demat account just because you wanted to take a margin loan.
This is also why every legitimate Indian broker now sends you a depository SMS the moment shares enter or leave your demat account. Those SMSes look annoying, but they are the single most reliable forensic record you have. Do not turn them off.
Power of Attorney — When Old Authorisations Bite
A Power of Attorney is a document that lets your broker move shares between your demat and the clearing account on your behalf, so you don't have to authorise every settlement manually. For years, brokers asked clients to sign open-ended PoAs that gave them sweeping control. Some abused that, some didn't.
Post-Karvy, SEBI sharply narrowed what a PoA can do. A broker's PoA today can be used only for settlement-related transfers and pledging for margin, not for arbitrary trades, fund movements, or off-market transfers. SEBI also clarified that signing a PoA is not mandatory. You can run your account using DDPI (Demat Debit and Pledge Instruction), a much narrower e-mandate that does the same settlement job without giving the broker a blanket authorisation.
If you opened your demat account before 2020, there is a real chance you signed a wide PoA you've forgotten about. Open the original account-opening document and look. If it's there, ask your broker to revoke it and switch you to DDPI. Five minutes of paperwork removes a category of risk you don't need to carry.
Reality check · The Warning Signs You're Already a Target
Most fraud doesn't look dramatic until the day the money is gone. The warning signs are quieter, and they show up in places you might not be looking.
Sign 1 · Communication: Someone is asking for your login
A "fund manager", "dabba operator", "account handler", relative's friend, anyone. If the request requires your password, your TOTP, or remote access to your phone, the answer is no. Even a SEBI-registered investment adviser does not need your trading login to advise you.
Sign 2 · Phone: Your number stops receiving calls or SMSes
If your phone suddenly shows "no service" while other phones around you work, that is the classic SIM-swap symptom. Walk into the operator's store immediately and verify your SIM is still active. Don't wait until evening to check.
Sign 3 · Inbox: Login alerts you didn't trigger
Every broker sends an SMS or email when there is a successful login from a new device. If you get one and you didn't log in, change your password before you finish reading the message. Then check holdings.
Sign 4 · Statement: A trade you don't recognise, even one
Most fraudsters test a small trade first to see if you notice. A single ₹2,000 buy of a stock you don't follow is not a clerical glitch. It's a rehearsal. Treat it as a full breach and act accordingly.
Sign 5 · Email: Contact details on file have been changed
Look at the email and mobile number registered with your broker and your DP. If either has been changed and you didn't change it, the attacker is preparing to lock you out by re-routing the OTPs. This is the last point at which you can still act before you are locked out.
Your Defensive System
None of these are exotic. All of them are free. Most take under five minutes to set up. Together, they close every one of the four attack paths above.
Layer 1 · Login: Switch your 2FA to a TOTP authenticator
Open Google Authenticator, Microsoft Authenticator, or Authy. Inside your broker app, find the security settings and replace SMS-OTP with TOTP (a six-digit code that refreshes every 30 seconds, generated by the authenticator app on your phone). Now even a SIM-swap leaves your account safe. The code is generated on your device, never transmitted.
Layer 2 · Notification: Enable SMS & email alerts on every transaction
Both the broker and the depository (NSDL or CDSL) send transaction alerts. Confirm both are switched on, and that the registered mobile and email belong to you, not your broker, not a relative. NSDL and CDSL each let you check this directly on their websites.
Layer 3 · Review: Read your monthly holdings statement
Every demat account holder receives a monthly statement from the depository when there is activity. Open it and match every transaction to a trade you remember. Five minutes, once a month. Most fraud cases that take six months to detect would have been caught in week one if anyone had bothered to read the statement.
Layer 4 · Authorisation: Audit your Power of Attorney
If you signed a wide PoA before 2020, ask your broker to revoke it and migrate you to DDPI. If you have multiple demat accounts and one is dormant, freeze it directly with your DP. Frozen accounts cannot be debited at all until you unfreeze them.
Layer 5 · Hygiene: Stop reusing the password
Your broker password should be different from your email, your bank, and your Netflix account. A password manager (1Password, Bitwarden) creates and stores them for you, so you don't have to remember any of them. Most credential-theft fraud isn't from breaching the broker. It's from a breach somewhere else, where you used the same password.
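The monthly review in Layer 3 ("match every transaction to a trade you remember") is a reconciliation, and it can be done mechanically. Below is an added example, not code from the article or from any broker or depository, that reconciles a depository transaction statement against your own log of orders you knowingly placed and prints whatever the log does not explain. Both CSV inputs, the symbols, dates and quantities are constructed sample data; the column names and the three-day settlement tolerance (T+1 plus weekend slack) are assumptions of this example, and a real statement would need its columns mapped onto these.

```python
import csv
import io
from datetime import date, timedelta

# Constructed sample inputs (not from the article). MY_TRADES_CSV is the log
# of orders the investor knowingly placed; STATEMENT_CSV mimics a depository
# transaction statement for the same month. All values are made up.
MY_TRADES_CSV = """date,symbol,side,qty
2026-03-02,RELIANCE,BUY,10
2026-03-05,TCS,SELL,5
2026-03-12,INFY,BUY,20
"""

STATEMENT_CSV = """date,symbol,movement,qty,description
2026-03-03,RELIANCE,CREDIT,10,Pay-in from clearing corporation
2026-03-06,TCS,DEBIT,5,Pay-out to clearing corporation
2026-03-13,INFY,CREDIT,20,Pay-in from clearing corporation
2026-03-13,INFY,DEBIT,20,Off-market transfer
2026-03-18,XYZLTD,CREDIT,3,Pay-in from clearing corporation
"""

# A buy you placed should show up as a CREDIT of shares, a sell as a DEBIT.
SIDE_TO_MOVEMENT = {"BUY": "CREDIT", "SELL": "DEBIT"}
# Assumption: T+1 settlement, with slack for weekends and holidays.
MAX_SETTLEMENT_LAG_DAYS = 3


def _parse(csv_text):
    return list(csv.DictReader(io.StringIO(csv_text)))


def reconcile(my_trades_csv, statement_csv):
    """Return the statement rows that none of your own trades explains.

    A trade explains a statement row when symbol and quantity match, the
    movement direction fits the side (buy -> credit, sell -> debit) and the
    statement date falls within the settlement window after the trade date.
    Each trade is consumed once, so a duplicated movement is still flagged.
    """
    trades = _parse(my_trades_csv)
    unexplained = []
    for row in _parse(statement_csv):
        row_date = date.fromisoformat(row["date"])
        match = None
        for trade in trades:
            lag = row_date - date.fromisoformat(trade["date"])
            if (trade["symbol"] == row["symbol"]
                    and SIDE_TO_MOVEMENT[trade["side"]] == row["movement"]
                    and int(trade["qty"]) == int(row["qty"])
                    and timedelta(0) <= lag <= timedelta(days=MAX_SETTLEMENT_LAG_DAYS)):
                match = trade
                break
        if match is not None:
            trades.remove(match)
        else:
            unexplained.append(row)
    return unexplained


def classify(row):
    """Label an unexplained row so the reader knows what it most likely is."""
    if "off-market" in row["description"].lower():
        return "OFF-MARKET TRANSFER: shares left the account outside exchange settlement"
    if row["movement"] == "DEBIT":
        return "UNEXPECTED DEBIT: shares sold or moved with no matching order of yours"
    return "UNEXPECTED CREDIT: possible rehearsal trade in a stock you did not buy"


def report(my_trades_csv, statement_csv):
    """One line per unexplained statement row; empty list means a clean month."""
    return [
        f"{row['date']} {row['symbol']:<9} {row['movement']:<6} {row['qty']:>5}  {classify(row)}"
        for row in reconcile(my_trades_csv, statement_csv)
    ]


if __name__ == "__main__":
    lines = report(MY_TRADES_CSV, STATEMENT_CSV)
    print("\n".join(lines) if lines else "All depository movements match your trade log.")
```

On the constructed data, two rows survive: the INFY off-market debit (the pattern the PoA section warns about) and a small credit in a stock you never bought (the rehearsal trade from Sign 4). Anything this produces is what Layer 3 asks you to chase the same day.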
What to Do If It Has Already Happened
If you spot an unauthorised trade, the next 24 hours decide most of the recovery. The order below is the order I'd follow personally.
Hour 1 · Stop the bleeding: Freeze the account & change credentials
Call your broker's emergency line and ask for an immediate trading-block on the account. Simultaneously, instruct your DP (NSDL or CDSL) to freeze the demat account so no further securities can move out. Change your password and re-pair the TOTP device.
Hour 2–6 · Document: Collect every piece of evidence
Screenshot the unauthorised trades, login alerts, SMSes, and account statements. Note the exact times. Save everything to two places (your phone and an email to yourself) so nothing depends on one device staying alive.
Day 1 · Cyber crime FIR: File with the police and the cyber portal
If credentials were stolen or impersonation is involved, this is a cognisable offence. File an FIR at the cyber-crime police station, and in parallel lodge the complaint on the National Cyber Crime Reporting Portal at cybercrime.gov.in. The FIR is what unlocks bank-level fund-tracing later.
Day 1–7 · Broker complaint in writing: Email the broker's grievance officer
Verbal complaints don't count. Email the broker's designated compliance / grievance officer with the exact list of unauthorised trades, your account details, and copies of the FIR. Mark a copy to the exchange (NSE Investor Services Cell or BSE equivalent) so the timeline is on record from day one.
Within 30 days · SCORES: Escalate to SEBI if the broker stalls
If the broker hasn't given you a satisfactory written response, lodge a complaint on SCORES, SEBI's online grievance redressal platform at scores.sebi.gov.in. You have one year from the date of cause of complaint, but earlier is much better. SEBI sends automatic reminders and there is a two-level review system.
If the broker defaults · IPF: Claim from the Investor Protection Fund
If your broker is declared a defaulter (as Karvy was), you can claim from the exchange's Investor Protection Fund (NSE IPF or BSE IPF). The NSE IPF currently caps a single investor claim at ₹35 lakh (revised up from ₹25 lakh in August 2024) for trading members declared defaulter or expelled after that date. Documentation requirements are heavy; the earlier you started the paper trail above, the cleaner this stage gets.
The clock matters. Brokers are required to reverse genuinely unauthorised trades, but the realistic window for that reversal closes within hours, not days. Once settlement happens (T+1, meaning the trade settles one working day after the trade date in India), the shares have changed hands and recovery becomes a legal matter rather than an operational one.
60-Second Risk Check
Six quick questions on how your demat account is set up. Answer honestly; every "no" or "not sure" below is a gap one of the four attack paths can use.
1. How is your broker login secured today?
2. Have you ever shared your trading account login with anyone?
3. Do you read your monthly NSDL/CDSL holdings statement?
4. Did you sign a wide Power of Attorney before 2020 that's still active?
5. Are SMS & email alerts on for every trade and depository event?
6. Do you have any dormant demat accounts (unused for 6+ months)?
Frequently Asked Questions
What is unauthorized trading in a demat account?
Unauthorized trading is when buy or sell orders are placed in your demat or trading account without your consent. It usually happens after credentials are stolen through phishing or SIM-swap attacks, after an investor shares login details with an account handler promising risk-free profits, or because of broker-level misuse of client securities.
How do I report unauthorized trades to SEBI?
First file a written complaint with your broker and your Depository Participant. If the broker does not resolve it satisfactorily, lodge a complaint on the SEBI SCORES portal at scores.sebi.gov.in within one year of the cause of complaint. For criminal acts like impersonation or hacking, also file an FIR with cyber crime police and on the National Cyber Crime Reporting Portal.
Will I get my money back after demat account fraud?
Recovery depends on how fast you act and what kind of fraud occurred. If the broker defaults, the Investor Protection Fund of NSE or BSE compensates eligible investors (NSE's current cap is ₹35 lakh per investor per claim for members declared defaulter or expelled after August 2024). For credential-theft fraud, recovery depends on whether the broker can reverse the trades and on the police investigation outcome. Speed matters most: accounts frozen within hours of detection have the best recovery rates.
Is two-factor authentication mandatory for demat accounts in India?
Yes. Since 30 September 2022, SEBI and the exchanges have mandated two-factor authentication for every login session on internet-based trading and securities trading through wireless terminals. The second factor must be from a different category than the password: typically a TOTP from an authenticator app, an OTP, biometric, or hardware token.
Can I freeze my demat account temporarily?
Yes. Both NSDL and CDSL allow demat-account holders to freeze their accounts on instruction to the Depository Participant. A frozen account cannot be debited (no securities can move out) until you unfreeze it. This is one of the most underused investor-protection tools in India, particularly useful for accounts you don't actively trade in.
The Honest Take
The Indian demat system is not perfectly safe. Karvy proved that even the best regulator can be late. But it is recoverable. Between mandatory 2FA, segregated client accounts, the post-Karvy pledge/re-pledge system, SCORES, and the Investor Protection Fund, the rails for getting your money back exist if you act fast.
What you cannot outsource is vigilance. No regulator will check your monthly statement for you. No broker will refuse a login with your correct password and your correct OTP. The five minutes it takes to read your holdings statement is the part of the system that has to live in your calendar, because nobody else will put it there.
Don't Outsource Your Decisions to Anyone
The whole point of learning to trade and invest is so you don't have to hand your account to a stranger promising risk-free profits. Both programs teach you to read markets, build your own setups, and protect what you've built, taught live by VRD Rao, batch sizes capped.
Elite Traders Program
6 MONTHS · Foundations, technical & fundamental analysis, risk management, options, and strategies, taught live, with a curriculum designed so you never need to outsource a trading decision.
- Live sessions with VRD Rao
- 200+ hours recorded content
- Batch size capped at 25
- Personal trade reviews
Ultimate Traders Program
12 MONTHS · Everything in Elite, plus the full year of intraday, including 150+ hours of live trading with VRD Rao, and the investing masterclass that teaches you to build a portfolio you actually understand.
- Everything in Elite, plus:
- 150+ hrs live trading sessions
- Algo & advanced options masterclass
- Investing masterclass