Data security has been increased for tax returns, credit cards, and other traditional targets of cyber thieves. Now, the online thieves are making sophisticated attacks on employer retirement plans and the accounts in the plans.
Data security at retirement plans varies, and the security can be breached several different ways. The cyber thieves probe to find the most vulnerable point of each plan.
I know of one retiree at a large employer who recently realized his monthly pension check hadn’t been deposited by the usual date. He contacted the retirement administrator who, after some research, found that the bank account designated to receive the deposit had been changed.
The retiree hadn’t changed the account. Instead, an unknown person submitted the request. The change request included all the relevant and accurate information, so it was processed by a plan employee.
Fortunately, neither the retiree nor the plan lost money. The payment was quickly stopped, and the retiree’s own financial account was re-designated as the destination for the deposits. The plan administrator did a quick check and found that change requests had been submitted for several other retirees, with all the payments going to the same bank account.
This retiree avoided being a cyber crime victim by paying close attention to his accounts and recognizing that his monthly payment wasn’t deposited on the usual day of the month. He contacted the administrator quickly and made sure the change didn’t go through.
Hackers take several general approaches to steal from retirement plans and accounts.
One approach is to try the traditional ways of breaching an email system. The old-fashioned hacking methods still can give access to a corporate email system at times.
More often these days, the cyber criminals use “phishing” emails to trick an employee or a retiree into revealing access information. Usually in a phishing attack the criminals send an email to a targeted key employee or a retiree and make the email appear to be from a real corporate employee (usually a higher-level executive) or an outside vendor.
The phishing email requests specific information and, when directed to an employee, might request a list of the personal information of a number of employees or retirees. If the email recipient isn’t alert, sensitive information is sent to the criminals.
Another approach is for the cyber thieves to buy personal information about the retirement account owner through the dark web and use that information to access the retiree’s account.
Whichever strategy is used, once the cyber thief has the information, it can be used to log into a retiree’s or employee’s account and redirect payments or distributions.
In the recent case I’m aware of, the thieves used a combination of new school and old school methods. The information about the retiree apparently was purchased on the dark web. The thieves then downloaded the appropriate form from the retirement plan’s web site, printed it, completed it by hand, and mailed it to the administrator. The administrator routinely processed the paper document.
One way to protect yourself is to know the retirement plan’s security measures. In particular, learn the steps it takes to ensure that any account change request is legitimate. What does it do to verify the identity of the user? Is two-factor authentication used before an account can be accessed online or changes made?
Of course, none of those data security measures matter when the cyber thieves go old school and submit paper requests for change. Ask if the plan administrator takes any additional steps after finding that the information in a paper request is accurate. Does it call the individual to verify the request? Does it send a first-class letter to the individual confirming the request?
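The administrator in the case above caught the fraud by noticing that several retirees’ payments had been redirected to the same bank account. The following is an added example (not code from any plan or vendor) of how an administrator could automate that check and route paper requests, or any request to a flagged destination, to out-of-band verification before the change is applied. The change-request records, participant ids and account numbers are constructed for illustration.

```python
from collections import defaultdict
from datetime import date

# Constructed sample of payment-destination change requests as a plan
# administrator might log them: participant id, date received, channel
# (paper or online) and the newly requested destination account.
# Hypothetical data, not taken from any real plan.
CHANGE_REQUESTS = [
    {"participant": "P-1001", "date": date(2019, 3, 4),  "channel": "paper",  "new_account": "ACCT-7781"},
    {"participant": "P-1002", "date": date(2019, 3, 5),  "channel": "paper",  "new_account": "ACCT-7781"},
    {"participant": "P-1003", "date": date(2019, 3, 6),  "channel": "online", "new_account": "ACCT-2210"},
    {"participant": "P-1004", "date": date(2019, 3, 11), "channel": "paper",  "new_account": "ACCT-7781"},
    {"participant": "P-1005", "date": date(2019, 3, 20), "channel": "online", "new_account": "ACCT-9034"},
]

def shared_destination_alerts(requests, window_days=30, threshold=2):
    """Map each destination account that appears in change requests from
    `threshold` or more distinct participants within any `window_days`
    span to the sorted list of affected participant ids. One person
    changing their own account is normal; many people converging on the
    same account in a short time is the pattern from the case above."""
    by_account = defaultdict(list)
    for r in requests:
        by_account[r["new_account"]].append(r)
    alerts = {}
    for account, rs in by_account.items():
        rs.sort(key=lambda r: r["date"])
        flagged = set()
        # Slide a window forward from each request date.
        for i, first in enumerate(rs):
            window = {first["participant"]}
            for later in rs[i + 1:]:
                if (later["date"] - first["date"]).days > window_days:
                    break
                window.add(later["participant"])
            if len(window) >= threshold:
                flagged |= window
        if flagged:
            alerts[account] = sorted(flagged)
    return alerts

def requests_needing_callback(requests, alerts):
    """Participants whose change must be confirmed by phone or by a letter
    to the address of record before it takes effect: every paper request
    (online controls such as two-factor never applied to it) and any
    request pointing at a destination flagged by shared_destination_alerts."""
    return [r["participant"] for r in requests
            if r["channel"] == "paper" or r["new_account"] in alerts]
```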
The other way to protect yourself is to establish personal cyber security practices.
Most cyber security experts say to assume that vital personal information about you is available for purchase on the dark web. Of course, protect that information as best you can. Don’t give out your Social Security number and other important information unless it’s necessary. But you should assume it’s already out there.
That’s why you must monitor your accounts on a regular basis. If deposits are due on a certain date, check your accounts around that date each month to be sure the deposits are made. If a deposit isn’t made, contact the plan administrator.
Also, log on to your account regularly and review it for any activity. Look for unauthorized changes and transactions. Be sure your address, beneficiary, account designated to receive transfers, and other information haven’t been changed.