Retirement Planning Gives Bigger Role to Theft Prevention as Risks Lurk Online

Seeing an unknown charge on your credit card is so common these days that many people shrug it off. When money is stolen from your 401(k) account, there is less recourse and more cause for concern.

Source: WSJ | Published on February 16, 2021

GE pays fines for 401 K mismanagement

Federal law limits consumer liability for fraudulent credit- and debit-card charges. But there is no similar protection for retirement accounts, where many people have saved a lot more money than in bank accounts.

When it comes to theft from retirement accounts, 401(k) record-keepers say family members are often the perpetrators. But about three years ago, the industry noticed a rise in online theft from such accounts by strangers, said Tim Rouse, executive director of Spark Institute Inc., which represents the retirement industry. “That set off huge alarms,” he said.

Recent court cases, in which hundreds of thousands of dollars were allegedly stolen from three people in separate 401(k) plans, highlight the risks to workers and retirees. While record-keepers generally promise to reimburse consumers for such losses, there are no guarantees.

“Cyber theft from retirement accounts is a growing concern,” said Steven Silberstein, chief executive of the Financial Services Information Sharing and Analysis Center, which combats cyber fraud in the finance industry. With more than $20 trillion in individual retirement accounts and 401(k)-type plans, they “are relatively high-value targets,” he said.

Companies that administer 401(k) plans spend millions of dollars annually on technology to prevent hackers from stealing account owners’ personal information and savings.

Little data on 401(k) breaches is available.

In 2012, the federal government’s Thrift Savings Plan reported the theft of information, including Social Security numbers, from 123,000 of the 401(k)-type plan’s six million participants.

A spokeswoman said there have been other “isolated” incidents in which savings were stolen from account owners.

Hacks resulting in the theft of personal information from 401(k) plans are more prevalent than those involving stolen money, according to people who work in the industry. The latter are “a small but growing problem,” said Ben Taylor, a consultant at investment-consulting firm Callan LLC.

The federal Employee Retirement Income Security Act of 1974, or Erisa, which governs 401(k) plans, was enacted before the internet. Questions including who bears the risk for losses associated with cyber theft “remain ill-defined,” says a 2019 letter from Rep. Bobby Scott (D., Va.) and Sen. Patty Murray (D., Wash.) to the Government Accountability Office requesting an examination of the cybersecurity of the nation’s private retirement industry. (The GAO is expected to issue a report soon.)

Record-keepers say they are constantly upgrading their cybersecurity systems. Some now use facial-, fingerprint- and voice-recognition technologies to verify participants’ identities. Many also track the locations of callers and internet users.

“If you live in Ohio and a call comes from Macedonia requesting a distribution, that’s a red flag,” Mr. Taylor said.

Record-keepers typically have policies that promise reimbursement as a result of unauthorized activity in 401(k) accounts. But such coverage might be contingent on account owners having taken certain steps.

Vanguard Group Inc., for example, says “if there’s evidence you neglected to reasonably safeguard your account, further investigation may be necessary to determine whether we can issue a reimbursement.”

Recent court cases highlight the risks for account owners.

In one such case, filed last April, Heide Bartnett alleges that Abbott Laboratories, where she worked in sales from 2002 to 2012, and its 401(k) plan record-keeper, Alight Solutions LLC, violated Erisa by allowing money to be stolen from her account.

Ms. Bartnett, 60 years old, said she was shocked to receive letters from Abbott on Jan. 14, 2019, notifying her that her 401(k) account password had been changed and a $245,000 distribution made to a bank account that wasn’t hers.

With 68% of her $362,000 balance gone, “I thought, ‘This cannot be happening,’ ” said the Darien, Ill., resident. She has since recovered about $108,000.

Ms. Bartnett said she and her husband have postponed retirement indefinitely. “Losing that money and the return it would have earned in the stock market the past two years has thwarted our plan to retire,” said Ms. Bartnett, who left a sales job at another company in late 2019 and is seeking a new position.

According to the lawsuit, the perpetrator changed Ms. Bartnett’s 401(k) account password by using the “forgot password” option and a one-time code sent to her email address—an email Ms. Bartnett said she has no record of receiving. The thief also successfully impersonated her in calls to the plan’s call center.

In a statement, Abbott said it “empathizes with Ms. Bartnett, who was unquestionably the victim of a crime” but that the company was “not responsible for the actions of the identity thief who hacked Ms. Bartnett’s personal email account.”

On Feb. 8, U.S. District Judge Thomas Durkin in the Northern District of Illinois dismissed Ms. Bartnett’s case against Abbott, but not against Alight. In a statement, Alight declined to comment on the litigation and said: “We continually evaluate our security measures to ensure they meet and exceed industry best practices.”

Here are steps 401(k) record-keepers and others recommend taking to safeguard your retirement accounts:

Have an online account. Mr. Taylor recommends setting up online access to your account even if you prefer paper statements, because “unclaimed online accounts are easier for impersonators to take control of.”

Check in regularly. Check your 401(k) account, including your email and street addresses, at least monthly. Sign up for text alerts that notify you of changes or transactions and use multifactor authentication, which verifies your identity by sending codes to multiple devices.

Practice good internet hygiene. Avoid public Wi-Fi and never click on emails or texts seeking personal information, including passwords. Promptly install software updates.

Create good passwords. Choose a unique password you keep confidential. Providing passwords to third-party services that aggregate passwords or financial-account data could be grounds for denying reimbursement if “our investigation determines that a fraud event is traceable” to that service, Alight said.