It sounds like a retirement savings nightmare. A hacker gets access to a 401(k) participant’s personal data—widely available on the dark web—and calls the plan provider posing as the account holder.
“The hacker says, ‘I’m in a real financial pinch. How much can I withdraw,’” says Marina Edwards, a senior retirement consultant at Willis Towers Watson. Then, after hearing his options, he’ll ask the representative to help set up a new bank account and transfer the funds immediately. “And off the money goes,” Edwards says.
Retirement plans are a relatively new frontier for cyber fraud, but many in the industry say that such heists are becoming more common. The scenario Edwards describes first came to her attention in April, when a client with more than 130,000 participants learned that almost two dozen participants’ accounts had been breached in a similar fashion. Edwards initially thought it might be an internal hack, such as another employee getting access to what’s known as personally identifiable information, or PII—such as addresses, birth dates and Social Security numbers.
Then Edwards heard from five other large plan sponsors that similar breaches had happened to participants in their plans. “The pattern was nearly identical to what we saw with the first client, which told us these were not isolated instances,” she says.
Retirement plans have yet to be the target of the kind of system-wide hacks that make headlines, such as the Equifax (EFX) breach last year. Still, hackers are getting ever-more sophisticated in their approaches. “A big concern right now is people who are trying to pursue plan sponsors [typically employers] as a weak link,” says Ben Taylor, a senior vice president with investment consulting firm Callan. “They’re getting better at skirting the methods that have been used in the past to make fraudulent disbursements from plans.”
So thwarting cybercrime has taken on increased urgency among 401(k) plan providers and brokers, Taylor says. “This is an environment where once you’ve lost trust in an entity it can pose significant business risks for the brand reputation,” he says. Given that individuals are trusting these plans with what is in many cases most of their net worth “it’s essential that they be seen as Fort Knox.”
Earlier this year, SPARK Institute, a retirement plan industry group, joined forces with the Financial Services Information Sharing and Analysis Center, or FS-ISAC, to allow retirement record keepers to anonymously share information about cyberattacks. “The industry is basically sharing information on who is attacking them, who is trying to commit fraud, how they’re trying to commit fraud, and then using the collective perspective to build defenses that are more effective, both for individuals and for themselves,” Taylor says.
There is no industry-wide policy or federal insurance program to cover account losses in the event of a breach, Taylor says, but plan sponsors and providers will generally step in to make victims whole. Many plan providers spell out these assurances on their websites. Charles Schwab (SCHW), for example, says it will cover 100% of any losses in any Schwab accounts due to unauthorized activity. Fidelity and Vanguard (VOO) offer similar guarantees, with the caveats that account holders abide by certain security practices.
Nevertheless, cyber fraud is still nascent enough, Edwards says, that plan providers and sponsors have only recently begun to outline specific procedures and policies for how to deal with related losses. In most cases, participants are instructed to file a police report, she says, though plan sponsors or providers generally take it from there.
The only catch—because hackers are in many cases posing as account holders—is that it’s up to individuals to spot the fraudulent activity, whether it’s a withdrawal or a loan against the account. Edwards recommends that individuals run an annual report by filtering for activity related to distributions or loans, starting as far back as the records will allow.
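The annual review Edwards recommends can be scripted against an account activity export. The following is an added example, not code from the article or from any plan provider: it filters an export for distributions and loans, and additionally flags any disbursement sent to a bank account that was linked to the plan account only days earlier, which is the takeover pattern described at the top of the article. The CSV layout, the event type names and the sample rows are constructed for this example; real record-keeper exports use their own formats.

```python
# Added example (not from the article): filter a 401(k) activity export for
# distributions and loans, then highlight disbursements that went to a bank
# account linked shortly beforehand. CSV layout and rows are constructed.
import csv
from datetime import date, timedelta
from io import StringIO

# Constructed sample export (hypothetical layout): one row per account event.
SAMPLE_ACTIVITY = """\
date,type,amount,destination
2018-01-16,CONTRIBUTION,350.00,
2018-02-15,CONTRIBUTION,350.00,
2018-03-02,BANK_ACCOUNT_ADDED,0.00,BANK-B
2018-03-05,DISTRIBUTION,42000.00,BANK-B
2018-04-16,CONTRIBUTION,350.00,
2018-06-11,LOAN,15000.00,BANK-A
2018-07-16,CONTRIBUTION,350.00,
"""

# Event type names are assumptions for this example, not any provider's schema.
DISBURSEMENT_TYPES = {"DISTRIBUTION", "LOAN"}
LINK_TYPE = "BANK_ACCOUNT_ADDED"


def parse_activity(text):
    """Parse the CSV export into a list of dicts with typed fields."""
    rows = []
    for row in csv.DictReader(StringIO(text)):
        rows.append({
            "date": date.fromisoformat(row["date"]),
            "type": row["type"].strip().upper(),
            "amount": float(row["amount"]),
            "destination": row["destination"].strip() or None,
        })
    return rows


def disbursements(rows):
    """The annual-review filter from the article: keep only withdrawals and loans."""
    return [r for r in rows if r["type"] in DISBURSEMENT_TYPES]


def flag_new_destination(rows, window_days=30):
    """Flag disbursements whose destination bank account was linked within
    `window_days` before the money left: a new account set up and funds
    transferred right away, the pattern the article describes."""
    linked_on = {}   # destination account -> date it was linked
    flags = []
    for r in sorted(rows, key=lambda r: r["date"]):
        if r["type"] == LINK_TYPE and r["destination"]:
            linked_on[r["destination"]] = r["date"]
        elif r["type"] in DISBURSEMENT_TYPES:
            added = linked_on.get(r["destination"])
            if added is not None and r["date"] - added <= timedelta(days=window_days):
                flags.append({
                    "date": r["date"],
                    "type": r["type"],
                    "amount": r["amount"],
                    "destination": r["destination"],
                    "days_since_link": (r["date"] - added).days,
                })
    return flags


if __name__ == "__main__":
    activity = parse_activity(SAMPLE_ACTIVITY)
    print("Disbursements to review:")
    for r in disbursements(activity):
        print(f"  {r['date']}  {r['type']:<12} {r['amount']:>10.2f}  -> {r['destination']}")
    print("Disbursements to a recently linked bank account:")
    for f in flag_new_destination(activity):
        print(f"  {f['date']}  {f['type']} {f['amount']:.2f} -> {f['destination']} "
              f"(linked {f['days_since_link']} days earlier)")
```

Run against the sample rows, the plain filter lists both the distribution and the loan for the account holder to confirm; only the distribution to BANK-B is flagged by the second check, because that account was linked three days before the money left, whereas BANK-A was never linked within the export. A longer window than 30 days or a review of every disbursement regardless of destination is the conservative choice when the export reaches back several years.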
“The record-keepers are innovating fast and furiously now, but three years ago this was not as hot of a topic,” she says. “There could’ve been fraudulent activity that went under the radar.”
Account holders should also know their retirement plan’s policy on distributions. Many plans don’t allow withdrawals for employees who are still working or have not reached retirement age. Retirement plans that do often require additional paperwork.
Posing as an account holder is a relatively primitive ruse, but cyber criminals are finding their way around more sophisticated safeguards. For example, two-factor authentication—which sends account holders an authentication code—does little good if the hackers can intercept the email or have installed smartphone malware that gives them access to texted codes.
While no system is foolproof, additional security measures are still worthwhile, for the same reason thieves pass up houses with barking dogs and alarm system signs. Account holders should opt for multi-factor verification, and practice other good security hygiene, Taylor says. That includes using secure passwords, changing them frequently, avoiding unfamiliar Wi-Fi networks, and being leery of possible phishing emails or suspicious phone calls.
“If you lose your wallet or are the victim of any kind of identity theft, let your 401(k) provider know,” Edwards says. With personal data now widely available on the dark web, she says, hucksters can piece together the personal information they need to crack open a nest egg.