Blog

Are Your 401(k) Accounts Ripe for a Hacker Takeover?

february 04, 2020 | credit, bills & debts
Smiling father holding daughter as she puts money in a piggy bank.

Saving for retirement requires discipline and sacrifice. You’ve put off vacations, new car purchases and other expenditures to guarantee some financial independence in the future. But someone else could empty your accounts before you ever spend a dime. Understand the risks to safeguard your cash.

Cyber crooks seek the biggest payouts, and, for many Americans, their 401(k) or IRA account is that target. In their 50s, participants have stashed an average of $107,100; that number jumps to $195,000 in their 60s, according to Investopedia. Billions of dollars reside in these accounts and often they aren’t checked regularly which makes these funds increasingly vulnerable.

TRAGIC TALES OF LOSS

How often do you check your retirement accounts? The correct answer should be frequently. Usually, a victim doesn’t learn of theft until a balance check occurs. In 2017, a Utah man just entering retirement discovered thieves had grabbed $42,000 from his 401(k). He was one of the lucky ones. Investigators were able to intercept that check and another for $85,000 from a second victim before crooks could cash them. Reported stories don’t always end this well.

There’s the risk of plan managers themselves embezzling your funds. Jeffrey and Wendy Richie, a Texas couple, were indicted in 2018 for allegedly misappropriating a whopping $14.5 million in retirement funds. Their targets included over 1,000 contributors and an estimated 20 employer-sponsored plans.

“This couple took advantage of innocent people who were working hard and saving for their future,” a spokesperson from the U.S. Attorney’s Office stated. “We cannot permit such brazen financial misconduct to go unchecked.”

Any individual who has access to your account and your Personally Identifiable Information (PII) could commit this sort of theft—often with an outside accomplice. In 2016, a 29-year-old Massachusetts woman working for a plan manager siphoned off data on roughly 270 clients with generous account balances and shared them with a co-conspirator. Jasmine Banks pled guilty to an identity theft charge knowing she faced up to five years in jail.

IDShield provides help in similar situations if there is an unauthorized electronic transfer of funds.

ATTACK STRATEGIES

Theft can occur when hackers collect enough bits of your PII to request a withdrawal check. Sometimes online or printed forms are utilized. A simple call to the fund’s customer service center can parley PII into account access.

If successful, thieves will seek to change your mailing address, alter your password and your email; it’s called Account Takeover (ATO) and it’s a growing issue. While a change of bank or address on record should be a huge red flag for account managers, many reported hacks document how easily institutions could miss the warning signs.

Phishing emails offer a second way to hack a 401(k). Sly ones often appear to originate from your fund’s plan manager. All it takes is one click in a bogus email to launch a hack.

Recovering Stolen Investments is No Easy Feat

There are systems in place to protect you if your credit card is hacked.  That is not always the case with investment accounts. Retirement accounts are not always provided the same protections under law.

Most investment opportunities create a fiduciary relationship. Simply put, you place your money and your trust in the hands of individuals who should represent your best interests. The U.S. Dept. of Labor holds fiduciaries to minimum standards. If individuals fail to measure up, they may be personally responsible for losses, but employers may or may not.

REDUCE THE RISK

Know your plan manager. Each investment firm is unique; some have already pledged publicly to replace unauthorized transfers, but policies can also spell out investor responsibilities. Do you understand your responsibilities related to identity theft? Some are critical in the event of a theft.

You may have a limited time as an account holder to report fraud.

Once you know the scope of your plan manager’s responsibilities and your own, investigate additional layers of security.

  • The first step is yours. Choose a unique username and strong password. Too many consumers reuse login credentials on multiple websites. This can result in credential stuffing, a practice where once your data is breached on one website, hackers then try your login combination automatically on other websites to gain access. Financial sites top their wish lists.   

  • Sign up for two-factor authorization or biometric sign-in, if available. These two-step login procedures add another blanket of security to your retirement funds.

  • Limit withdrawals if that’s an option. You may want to direct all transfers to a single bank account or require a signed letter for withdrawals. It may take more time, but it’s time well spent.

  • Do not check the computer’s option to “trust this device” when logging in. At a bare minimum, passwords tied to finances should be stored in one place only – your brain. Sticky notes aren’t recommended.

  • Consider encryption for your computer. This way if your computer accidentally lands at a malware-riddled website, stolen data won’t be useful to the hacker.

  • Cancel your paper account statements. Those are easily stolen from mailboxes or lost. If not secured, anyone in your home can view them. Electronic files are the preferred, more secure method of receipt and storage
  • Check your accounts monthly and report any irregularities immediately.

  • Resist the urge to check these accounts using public Wi-Fi. You could stumble into a rogue hotspot just waiting to steal credentials.

  • Keep your computer operating system and anti-virus software up to date. Always.

WHEN THEFT IS RELATIVE

Did you make a note of TD Ameritrade’s exemption for family hacks? One rarely discussed fact about identity theft concerns your relatives. A significant slice of identity theft victims are acquainted with their attackers. It could be a niece, your brother-in-law or another individual with regular access to your home – even the babysitter. Courts in recent years have ruled that some “relative” thefts are the investor’s responsibility, not the plan manager.

IF YOU NEED HELP

The first stab at recovery involves contacting your plan manager. Many carry fiduciary insurance, which may cover this sort of theft. Request an investigation immediately. Be sure to file a police report ASAP.

For more on ERISA protections, click here.

IDSHIELD REALLY HELPS

At IDShield, we understand these risks. That’s why we monitor up to 10 investment accounts for suspicious activity as part of our identity protection plan.

The  $1 million identity fraud reimbursement  policy covers unauthorized electronic fund transfers from your employer-sponsored 401(k) and Health Savings Account (HSA). This coverage also includes Roth 401K, Simple IRA, SEP IRA, Flexible Spending Account (FSA), and Health Reimbursement Account (HRA).

The Business Solutions Plan, offered to group participants as an employee benefit, adds financial threshold monitoring on all National Plan Accounts. All plans monitor change of address databases for each subscriber’s mailing address. Alerts are sent whenever changes are uncovered. 

Participants receive alerts notifying them of financial withdrawals, balance transfers and large purchases on financial accounts if the transaction exceeds monetary limits as indicated. For example, you may wish to be alerted when transactions exceed $1,000 or some other figure. These include credit cards, checking, savings, 401k accounts, payday loans and more.

This is not intended to be legal advice. Please contact an attorney for legal advice or assistance.IDShieldis a product of Pre-Paid Legal Services, Inc. d/b/a LegalShield (“LegalShield”). LegalShield provides access to identity theft protection and restoration services. For complete terms, coverage and conditions, please see www.idshield.com. A $1 million Identity Fraud Reimbursement Policy (“Policy”) is issued through a nationally recognized carrier. LegalShield/IDShield is not an insurance carrier. See a Policy for complete terms, conditions and limitations related to family members who are eligible for coverage under the Policy.