While the breaches at Equifax and the Securities and Exchange Commission have dominated the headlines, over the past several weeks hackers have been attempting, and in at least one case have succeeded, to use stolen identities to break into individual 401(k)s and other retirement plans.
These criminals log into an individual's 401(k) account and reset the password and email address. Once that is done, the rest of the scam is easy: they change the phone number and mailing address to a P.O. box, then request a loan or a distribution. In this age of making distributions faster and easier, most platforms do not call to confirm a distribution before it is issued, though some 401(k) providers have made it a little harder by requiring a 30-day waiting period for distributions after an address change.
What can be done to stop this fraud before it happens?
Individual plan participants should immediately log into their 401(k) account(s), both to make sure their information is correct and to ensure that the security questions are not publicly available information like their birth date or data that might have been garnered via one of these security hacks, like their Social Security number.
Platforms should consider using two-factor authentication or requiring plan sponsors to approve each distribution. Because the thieves change the phone number on file, providers cannot rely on a call to that number to verify the distribution: the thief impersonates the participant and controls every contact method that would be used to confirm the transfer.
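The pattern described above (password reset, then contact changes, then a payout request) is easy to detect on the provider side from account event logs. The following is an added example, not code from the article or any provider: it flags loan or distribution requests that follow a profile change within a 30-day window, using a constructed event list and an assumed ISO-8601 timestamp format.

```python
from datetime import datetime, timedelta

# Constructed sample events (account, ISO timestamp, event kind), not real data.
# acct-1001 shows the takeover sequence from the article; acct-2002 is benign,
# since its address change is well outside the 30-day window.
EVENTS = [
    ("acct-1001", "2017-10-02T09:14:00", "login"),
    ("acct-1001", "2017-10-02T09:15:00", "password_reset"),
    ("acct-1001", "2017-10-02T09:16:00", "email_change"),
    ("acct-1001", "2017-10-02T09:20:00", "phone_change"),
    ("acct-1001", "2017-10-02T09:21:00", "address_change"),
    ("acct-1001", "2017-10-03T11:00:00", "distribution_request"),
    ("acct-2002", "2017-08-01T10:00:00", "address_change"),
    ("acct-2002", "2017-10-05T14:30:00", "loan_request"),
]

PROFILE_CHANGES = {"password_reset", "email_change", "phone_change", "address_change"}
PAYOUT_REQUESTS = {"distribution_request", "loan_request"}


def flag_payout_requests(events, window_days=30):
    """Return (account, request_time, preceding_changes) for every payout
    request that follows a profile change within window_days.
    Input order does not matter; events are grouped per account and sorted."""
    by_account = {}
    for acct, ts, kind in events:
        by_account.setdefault(acct, []).append((datetime.fromisoformat(ts), kind))

    flagged = []
    for acct, history in by_account.items():
        history.sort()
        for when, kind in history:
            if kind not in PAYOUT_REQUESTS:
                continue
            window_start = when - timedelta(days=window_days)
            # Profile changes inside (when - window, when) are the risk signal.
            recent = {k for t, k in history
                      if k in PROFILE_CHANGES and window_start <= t < when}
            if recent:
                flagged.append((acct, when.isoformat(), sorted(recent)))
    return flagged


if __name__ == "__main__":
    for acct, when, changes in flag_payout_requests(EVENTS):
        print(f"HOLD {acct}: payout at {when} after {', '.join(changes)}")
```

A flagged request would be held for out-of-band verification (for example, sponsor approval or contact through the employer) rather than paid automatically.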
Plan sponsors should discuss these security concerns with their 401(k) provider as soon as possible to determine what steps the provider has taken to safeguard employees and what additional processes it may be considering in light of these intrusions. Since you may not be able to ensure that participants have set secure passwords or updated them after the recent breaches, the most secure option may be to have the HR team meet each individual in person when they request a loan or distribution, or to require those individuals to apply in person. Where that is not feasible, the HR team should use a secure company channel to contact employees whenever an address change or distribution request is made.
The long and short of it is that there is no simple way to stop this type of fraud. Unfortunately, it is the new normal for individuals who were affected by the data breach. The best thing for all to do is to constantly monitor all of your financial accounts, including your corporate retirement plans.
David Hilton is a Principal at Kaye Capital Management in El Segundo, CA, where he runs the firm’s ERISA fiduciary consulting practice. Kaye Capital acts as 3(38) fiduciaries to large corporations, both for-profit and not-for-profit.