There is a growing threat to your retirement savings, and you probably are not aware of it.
Thieves increasingly are targeting individual 401(k) accounts by impersonating the account owners so the crooks can steal thousands — or even hundreds of thousands — of dollars.
Heide Bartnett of Darrien, Illinois, lost $245,000 when a fraudster used the “forgot password” option on her 401(k) account to log into Bartnett’s account in 2019. The crook later successfully impersonated Bartnett when calling the 401(k) plan’s call center, The Wall Street Journal reported last year.
Two years after the theft, Bartnett had recovered just $108,000 of her stolen funds.
In another case, a woman from Massachusetts had $200,000 siphoned from her account, the Salem News reports. And another woman learned that a thief had swiped $99,000 from her 401(k) account, according to Bloomberg Tax.
You might think that the 401(k) plan itself would be responsible for reimbursing the funds it released in these situations. But that’s not necessarily the case.
As the WSJ reports, federal law is murky about who is responsible for losses associated with cybertheft. While custodians generally pledge to reimburse such fraud, some may include slippery language in their terms that can leave you in the lurch.
Even a company as respected as Vanguard says “if there’s evidence you neglected to reasonably safeguard your account, further investigation may be necessary to determine whether we can issue a reimbursement.”
So, what can you do to protect yourself? The following steps will go a long way toward keeping your retirement savings safe.
Create ridiculously strong passwords
How strong is strong? Eight characters? How about 10 characters?
Try at least 16 to 25. That’s what the folks at LMG Security — which provides cybersecurity and digital forensics services — recommend. Other experts agree.
LMG says its penetration testers can break down an eight-character password hash — a scrambled version of the password — in anywhere from less than eight hours to about seven days, depending on the nature of the hash.
It would take a bit longer to crack a 16-character password hash — up to more than 147 trillion years, although LMG notes that “well-funded malicious actors” likely could do so more quickly.
Use password managers carefully
Password managers provide a great service, and they have a solid reputation for keeping your information secure.
But a detail in the WSJ story might give you pause when considering whether to use a password manager.
Alight Solutions, a 401(k) plan record-keeper, says 401(k) plan participants who give passwords to third-party services that aggregate passwords or financial-account data might not be reimbursed if “our investigation determines that a fraud event is traceable” to such a service, the WSJ reports.
(Alight Solutions is the 401(k) plan record-keeper that allegedly released Bartnett’s $240,000 to the fraudster who attacked her account.)
That means you might be out of luck if a data breach that led to the theft of your identity can be traced back to your password manager. So, at the very least, you should choose a password manager very carefully.
Don’t use text-based verification
Two-step verification, also referred to as two-factor authentication, adds a layer of security to your online accounts. Instead of providing just a username and password to access your account, you must also provide another piece of information you have, such as a code sent to your phone via text message or an authenticator app.
This extra step makes it harder for a crook to access your retirement account or any other account for which you set up two-step verification. But if you have verification codes sent by text message, it’s possible for a fraudster to bypass this security measure.
In a scam known as a “SIM swap,” a criminal can hijack your cellphone number. The fraudster who takes over your phone number in this way can create untold havoc, including stealing money from your 401(k) account and other financial accounts.
The scammer does this by calling your cellphone company, pretending to be you and asking the provider to change the SIM card associated with your phone number to a SIM card in a phone that is in the scammer’s possession.
Think it can’t happen to you? It happened to former Twitter CEO Jack Dorsey when a crook took over Dorsey’s Twitter account.
“SIM” is short for “subscriber identification module,” and a SIM card tells a cellphone what cellular provider network and phone number to use. So, if your phone number is associated with a scammer’s SIM card, that scammer will receive calls and text messages sent to your number.
Perhaps the worst thing about this form of fraud is that there is little you can do to prevent it. You can ask your cellphone provider to create a PIN for your account so that no one can request a change of your SIM card without first providing that PIN. However, fast-talking crooks sometimes can convince the phone company representative to make the switch anyway.
For this reason, security experts recommend two-step verification that relies on an authenticator app over verification via text messages. Examples of such apps include Microsoft Authenticator and Authy.
Use a separate, secret phone number
This is tough — but necessary — medicine.
Just as a crook who knows your phone number can impersonate you and convince your cellular provider to make changes to your cellular account, a crook could call a financial services provider and impersonate you in an attempt to access your retirement account.
If the crook did a SIM swap and thus appears to be calling from the phone number that is associated with your retirement account, that crook might be able to convince the financial services provider to give them access to your retirement account.
One way to thwart this type of identity fraud is to give your financial services provider a different phone number that you keep secret by not using it for anything else. Sound like overkill? Remember, a good chunk of your life savings could be at stake if someone is able to dip into your retirement account and clean it out.
Set up an online account with your plan provider
Ben Taylor, a consultant at investment-consulting firm Callan, tells the WSJ that by exercising the option to set up an online account, you beat the crooks to the punch.
As he puts it, “unclaimed online accounts are easier for impersonators to take control of.”
In other words, if you have the option to set up an online account and you take advantage of it, an identity thief can’t open an account in your name and then take control of it.
Consider spreading retirement money across multiple providers
There are good reasons to keep all of your retirement funds with a single financial services provider. Not only is it more convenient, but many providers will cut you a break on fees or offer other perks as you accumulate more money with them.
But there is also a risk: If all of your money is with one provider and a fraudster gets hold of that account, you could be wiped out, even if the money loss is just temporary.
By having some of your retirement money — say, your individual retirement account and health savings account funds — with a separate provider, you will at least reduce the risk that you could lose your life savings overnight and have to scramble to pay your bills while waiting to get your money back.
Houston financial adviser Michelle Gessner told MarketWatch about clients who previously had been the target of identity theft. The couple once insisted to Gessner that they did not want to consolidate their retirement assets with a single provider, even if it meant giving up some modest financial benefits.
Gessner eventually calmed the couple’s fears by pointing out that most custodians guarantee reimbursement in the event of fraudulent activity. But she told MarketWatch that their worry about becoming “sitting ducks” a second time “is real and understandable.”