The Arizona Republic

Cybercrooks are targeting retirement accounts now

- Paul Gores

Beth Bennett didn’t often check on the balance in her employer-sponsored retirement account.

“Maybe every couple of months I’d go online and take a look at it,” said Bennett, of Madison, Wisconsin.

When she logged in to view her account in November, she expected to see a balance of more than $80,000. Instead, she saw a balance of only about $8,000.

“I was very shocked by that. I thought there must be some mistake here,” she said.

She soon found out it was no mistake.

“Indeed, my money had been systematically withdrawn over the past couple of months,” Bennett said she learned after contacting her employer’s retirement plan adviser and the mutual fund company that held the money.

Someone had stolen her identity and was able to pose as her, changing Bennett’s mailing address, redeeming big chunks of her mutual funds and having checks mailed to new locations — first to the Minneapolis-St. Paul area and then New York City. A bank cashed the first two checks, but when Bennett discovered the heist, payment was stopped on a third check.

But another shock was still in store for Bennett.

When she contacted a representative at the mutual fund company, no immediate guarantee was made that she would recover the money.

“When I tell people, they’re like, ‘What?’ And then the next thing is, ‘Well, surely they have to make sure you get your money back.’ And then when I say, ‘Well no, no one will tell me I’m going to get my money back,’ that’s when it gets scary. And that’s when you get people’s attention,” Bennett said.

Unlike with stolen credit cards, a saver’s losses to fraud in retirement investment accounts aren’t limited by federal law, although mutual fund companies typically say they’ll reimburse funds lost to fraudulent activity.

It’s an issue to be aware of as cyberattacks on retirement funds rise.

“Hackers are finding it’s getting harder to hack bank accounts, so they’re saying where else is there more money? Where can we go? And they’ve started to discover 401(k) accounts, they’ve started to discover retirement funds,” said Ed Mierzwinski, senior director of the federal consumer program for the U.S. Public Research Interest Group.

At a 2019 forum for institutions involved in retirement planning, industry expert Larry Goldbrum of Reliance Trust told attendees that while overall cyberfraud and account fraud were down — cyberfraud amounted to $14.7 billion in 2018 — fraud in retirement accounts was rising, according to a report by the National Association of Plan Advisors.

Cybercriminals today are “looking for any possible route into people’s financial transactions, and they are increasingly focusing their efforts outside financial institutions’ firewalls,” said Steven Silberstein, chief executive officer of Financial Services Information Sharing and Analysis Center, an industry consortium dedicated to reducing cyber-risk in the global financial system.

“In other words, directly at the public,” Silberstein said. “E-mail compromises, spear phishing and social profiling are some of the key tactics being used to target all types of assets, including retirement accounts.”

In spear phishing, cyberbandits send emails, purportedly from a known or trusted sender, in the hope of persuading potential victims to reveal confidential financial information.

The good news in Bennett’s case is that American Funds, the mutual fund company that holds her retirement savings, has agreed to restore the money she lost, even though at first Bennett said representatives gave her no assurance of reimbursement.

Still, what happened to Bennett serves as a cautionary tale that people with 401(k) accounts and other types of retirement savings accounts need to be on guard.

When crooks gain entry to consumer bank and retirement accounts, the point of entry usually is the victim’s email account, said Kevin Bong, director of cybersecurity for the accounting and consulting firm Sikich.

Often, account passwords, obtained in data breaches and then sold on the “dark web” to cybercriminals, are used to break into an email account and take it over without the victim knowing it.

“We’re definitely seeing that by getting just that one account — usually your email account — they use that to figure out, ‘Here’s my bank, here’s where my retirement accounts are,’ ” Bong said. “You’ve probably got a different password on your retirement account than you do on your email address, but what do you do if you forget that password? Well, you click ‘Forgot Password’ and they email a link to reset your password. So with access to your email address, they really have access to all those other things in a lot of cases.”
