Protecting Retirement Plans from Identity Theft

Identity theft and related crimes are on the rise, and they can have a devastating impact on employer-sponsored retirement plans, such as 401(k)s. Retirement plans can have very large balances compared to other cyber targets such as bank accounts, and therefore, have become quite attractive to cyber criminals. Cybercrime related to retirement plans can occur as a result of threats such as phishing, ransomware, “social engineering,” and wire transfer fraud, among others.

For example, a cybercriminal may send out phishing emails in the hope of installing ransomware on the recipient’s system, from which it can spread throughout the company. These phishing emails are made to look like authentic messages from a known outside company, a package delivery service, or even an executive at the plan sponsor. The fake email contains a link or attachment which, when opened, runs ransomware that encrypts the company’s files and locks its systems until a ransom is paid. Phishing isn’t the only way ransomware gets into a company. In May 2017, the widespread ransomware attack called “WannaCry” froze computers and systems across the world, demanding payment to restore the data. Unlike most ransomware, WannaCry did not need a user to click a malicious link: it spread as a digital “worm” that scanned the internet for vulnerable machines and exploited a flaw in Windows systems that had not been patched. In response, the Securities and Exchange Commission issued a cybersecurity alert reminding investment firms to patch and upgrade systems on a timely basis. (Office of Compliance Inspections and Examinations, Cybersecurity: Ransomware Alert, Securities and Exchange Commission (May 17, 2017).)

Phishing emails can also target the retirement plan’s customers themselves. These attacks are disguised as an authentic email from the retirement company, claiming the recipient’s account has been compromised and will be closed unless the recipient verifies some information. When the recipient clicks the link, he or she is taken to a lookalike website that asks for personal and account information. From there, the criminal can log into the individual’s retirement account and request that funds be wired into the criminal’s account, often overseas.

Finally, cybercriminals can use information obtained from an unrelated data breach in order to commit their crimes via “social engineering.” The most common way this is done is through wire transfer fraud, tricking retirement plan employees into releasing someone else’s retirement funds. Let’s say a criminal obtains someone’s name, Social Security number, birth date, and address—all information that was exposed in the recent Equifax breach. The criminal may call the investment company that holds the individual’s retirement account and, pretending to be that person by using the stolen identifiers, request that the company transfer the funds to the criminal’s own account. A lifetime’s worth of savings evaporates in an instant.

Given all these threats, retirement plans should remind their employees to confirm the identity of anyone who calls claiming to be a plan participant, especially when the caller asks for a withdrawal or transfer. The identifiers a caller recites (name, Social Security number, birth date, address) may all have come from an earlier breach, so on their own they are not proof of identity. Employers should also review cyber safety with employees: do not click links in emails, check the address an email actually originates from to verify the sender really is who they claim to be (the display name alone proves nothing), and keep software up to date.

Retirement plans should likewise remind their customers regularly of best practices in cybersecurity. Many retirement plans have online fraud policies that guarantee reimbursement if the participant practices cyber safety, such as changing passwords frequently and verifying emails that claim to be from the retirement plan, but disclaim responsibility if the participant negligently allowed someone else to access his or her account, for example by clicking a link in an email or falling for a social engineering scheme. For instance, Fidelity has a Customer Protection Guarantee in which it promises Fidelity will “reimburse you for losses from unauthorized activity in covered accounts occurring through no fault of your own.” To be covered, however, the customer must adopt all of Fidelity’s recommended security practices. The careful wording of this policy protects Fidelity as much as it does the participant. Retirement plans and their sponsors should also be mindful of their own potential liability for cyber losses and protect themselves accordingly.
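The advice above to check where an email actually originates can be turned into a concrete check. The script below is an added example for this article, not code from Ice Miller or from any plan provider; the trusted domain (plan-provider.example), the brand words, and the three sample header sets are constructed for illustration. It parses the From and Reply-To headers and flags the patterns used in the phishing emails described above: a lookalike domain a character or two away from the real one, a display name that invokes the provider while the address is elsewhere, a display name that is itself a trusted-looking address, and a Reply-To that sends replies somewhere other than the visible sender.

```python
"""Sender-address checks for a suspected phishing email.

Added example; not code from the article's author or any plan provider.
The trusted domain, brand words, and SAMPLES below are constructed.
"""
from email.parser import HeaderParser
from email.utils import parseaddr

# Hypothetical: the only domain the plan provider sends mail from.
TRUSTED_DOMAINS = {"plan-provider.example"}
# Hypothetical brand words; a display name using them while the address
# comes from elsewhere is a common spoofing pattern.
BRAND_WORDS = ("plan provider",)


def levenshtein(a: str, b: str) -> int:
    """Edit distance; catches one- or two-character lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(addr: str) -> str:
    """Domain part of an address, lower-cased; '' if there is no '@'."""
    return addr.rpartition("@")[2].strip().lower()


def is_trusted(domain: str) -> bool:
    return any(domain == t or domain.endswith("." + t) for t in TRUSTED_DOMAINS)


def check_sender(raw_headers: str) -> list:
    """Return a list of findings; an empty list means nothing suspicious was seen."""
    msg = HeaderParser().parsestr(raw_headers)
    name, addr = parseaddr(msg.get("From", ""))
    from_domain = domain_of(addr)
    findings = []

    if not from_domain:
        return ["From header has no parseable address"]

    if not is_trusted(from_domain):
        # Lookalike: a domain within two edits of the real one (e.g. 0 for o).
        for t in TRUSTED_DOMAINS:
            if levenshtein(from_domain, t) <= 2:
                findings.append(f"lookalike domain {from_domain!r} resembles {t!r}")
        # Brand in the display name, but the address is somewhere else.
        if any(w in name.lower() for w in BRAND_WORDS):
            findings.append(
                f"display name {name!r} claims the provider but address is at {from_domain!r}")
        # Display name that is itself an address at the trusted domain; mail
        # clients often show only the display name, hiding the real sender.
        shown = domain_of(name) if "@" in name else ""
        if shown and is_trusted(shown):
            findings.append(f"display name shows {name!r} but real address is {addr!r}")

    # Replies would go somewhere other than the visible sender.
    _, reply = parseaddr(msg.get("Reply-To", ""))
    reply_domain = domain_of(reply)
    if reply_domain and reply_domain != from_domain:
        findings.append(
            f"Reply-To domain {reply_domain!r} differs from From domain {from_domain!r}")

    return findings


# Constructed sample header sets, one legitimate and two spoofed.
SAMPLES = {
    "legitimate": (
        "From: Plan Provider <alerts@plan-provider.example>\n"
        "Subject: Your quarterly statement\n"
    ),
    "lookalike": (
        "From: Plan Provider <alerts@plan-pr0vider.example>\n"
        "Subject: Your account will be closed\n"
    ),
    "display_name_spoof": (
        'From: "alerts@plan-provider.example" <x@mail-relay.example>\n'
        "Reply-To: verify@another-relay.example\n"
        "Subject: Verify your information\n"
    ),
}

if __name__ == "__main__":
    for label, headers in SAMPLES.items():
        print(label, "->", check_sender(headers) or ["no findings"])
```

The check is deliberately limited to what the headers themselves reveal; it does not replace SPF/DKIM/DMARC verification by the mail server, and a message that passes it can still be a phish sent from a compromised legitimate account. Its value is in catching the cheap tricks the article describes, and in giving employees a concrete list of things to look at before clicking.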

For more information or for guidance, please contact Nicholas Merker or another member of Ice Miller’s Data Security and Privacy Practice.

This publication is intended for general information purposes only and does not and is not intended to constitute legal advice. The reader should consult with legal counsel to determine how laws or decisions discussed herein apply to the reader’s specific circumstances.
