Kempner: Thieves taking over 401(k) accounts. How to protect yours


Haven’t checked your retirement account balance in awhile? Um, now might be a good time.

Few financial nightmares are as frightening as life savings being looted by identity thieves. It isn’t easy, but it’s also not quite as difficult as I had thought.

Steven Voss checked his 401(k) account balance a couple months back. It was empty.

“It’s an awful feeling,” he told me.

“It’s taking away your future and giving to somebody who has done nothin’ but lie, cheat and steal from somebody who worked all their life.”

Good news: He had moved most of his money out of that account months earlier. And the retired engineer, who lives near Salt Lake City, was made whole for the $42,000 loss he did have.

Bad news: other bad guys are eyeing retirement accounts.

In Voss’ case, looters had called the investment company that holds his account, industry giant Prudential Financial. A caller pretending to be Voss apparently used surprisingly little information — Voss’ name, address, date of birth and Social Security number — to order a check to cash out his 401(k) account. The check was slated to be delivered to Voss’ home address, but a caller later asked for it to be diverted to a local UPS store.

Because Voss checked his balance and discovered the scam, police were able to get there first.

They arrested two Georgia men, Abdulrasheed Adeola Yusuf, 29, of Lilburn and Temilade Damilare Adekunle, 31, of Lawrenceville, according to local media reports. There were multiple IDs in their car and an $85,000 check from another victim, according to an FBI statement in court filings.

The FBI and Newark-based Prudential told me the investigation is ongoing, but spokesmen declined to share details about its scope.

“We are working with other financial services companies and sharing information about this,” said Erez Liebermann, Prudential’s chief counsel for cybersecurity and privacy.

He told me that Prudential routinely reviews its authentification practices based on threats it sees.

Voss said he was one of at least five people at his company who had their retirement accounts hit. And he read a letter to me that he said he got from his employer about the investigation: “other retirement providers are experiencing similar fraud incidents on accounts they administer.”

This kind of stuff is really rare, right? Well ….

There appears to be little or no data on how often it happens and how many investors have discovered their retirement accounts were emptied by identity thieves.

I checked with a bunch of abbreviations: the FBI, the FTC, FINRA, the U.S. DOL’s EBSA, etc. They didn’t have stats or didn’t have any readily available.

Fraud fighters told me that identity theft involving retirement accounts appears to be increasing, expanding from fraud involving bank accounts and home equity lines of credit. It often involves what’s called an account takeover, where the fraudster calls or goes online to take control of an account.

“It’s a daily battle that industry is dealing with,” said Matt LaVigna, who leads the National Cyber-Forensics & Training Alliance, a Pittsburgh-based nonprofit that pulls together corporate and law enforcement investigators.

LaVigna said he suspects there may be hundreds of thousands of attempts a day on all kinds of financial accounts in the United States.

“We are dealing with a persistent criminal threat,” he said. “They are very determined, and they are more organized than people can believe.”

Massive cyber attacks that expose consumers’ personal information, such as what happened in the recent Equifax data breach, can give identity thieves fresh material to work with, he said.

The Equifax breach included primarily names, Social Security numbers, birth dates, addresses. That’s the same type of of data thieves used to loot Voss’ retirement account, though Voss said there is no indication that the Equifax breach is tied to his situation.

Ed Koby, a supervisory special agent in the FBI’s Newark office, told me identity thieves he’s tracked try to get a variety of information on potential victims, including account numbers. But Social Security numbers are “a critical piece to have.”

Do we really have to think about this?

We already have more than enough stuff to give us night sweats: Nuclear war, North Korea, our polarized society, whether we should kneel or stand, the wage gap, the health gap, robots taking our jobs.

Is the security of our retirement accounts really something we have to worry about?

“Yes,” anti-fraud experts told me. Not “yes,” like we need to panic. But “yes” like, with life savings on the line, it’s worth taking smart steps right now to limit the risk.

I’ve got some steps for you in a minute. But first…

How hard is it for thieves to pull this off?

It’s generally far easier and faster for identity thieves to abuse credit card accounts, the FBI’s Koby and others told me. But some thieves are drawn to the bigger potential payout of a retirement account.

A credit card gig might net $3,000 before it’s discovered, he said. A successful attack on a single retirement account that can net hundreds of thousands or more.

Personal information about potential victims can sometimes be bought online from cyber thieves. Sometimes thieves use that material to trick helpful customer service representatives at investment companies into providing more personal data on the victims.

How’s that for a twist? Nice and helpful can be bad and costly.

The thieves also need mailing addresses or bank accounts where the money can be sent without making financial institutions suspicious.

There are other tactics.

In 2012, a worker at a New Jersey call center for retirement accounts used confidential customer information, including PIN numbers to take over accounts. He and others snagged more than $750,000 in checks before being arrested, according to the U.S. Department of Justice.

And in 2009 a former worker at a Kansas City casino was sentenced to prison after using a co-worker’s Social Security number and PIN to pull $18,000 from a 401(k) account, according to the U.S. Department of Labor.

If thieves ransack my 401(k) or similar retirement account, will anybody reimburse me?

Probably. So far, people who work in this area tell me investment companies have reimbursed all the money victims had in their accounts if it’s clear that identity thieves stole their money.

That doesn’t mean you should relax. It’s your life savings; take steps to protect your financial future.

Here’s what some of the fraud fighters I spoke with suggested:

— Check your retirement account often. Check the balance and your listed addresses, phone numbers and emails. Promptly notify the company if there’s a problem.

— Don’t ignore notices from your company about account changes.

— Restrict access to computer and mobile devices the account management company recognizes.

— Add email alerts on the account to notify you when important changes are made.

— Use a tough username and password for online access to the account. It should differ from other usersnames and passwords you have.

— Avoid choosing security questions that scammers could find the answers for online or in social media.

— Request two-factor authentication to gain access to your account. This involves one-time access codes emailed or texted to the account holder.



Reader Comments ...


Next Up in Business

Equifax wants judge to reject suits by banks
Equifax wants judge to reject suits by banks

Equifax has asked a federal judge to reject the claims from 46 banks and credit unions for payment of damages because of last year’s massive data breach at the Atlanta-based company. The companies, which are based in 29 states, sued Equifax and claimed that Equifax owes them for all the costs they incurred after the data breach was...
Georgia jobless rate at 17-year low; trade war a worry
Georgia jobless rate at 17-year low; trade war a worry

Georgia’s economy had a strong June, adding 14,200 jobs while the unemployment rate slipped to its lowest level in 17 years. In a sign of strong hiring, the jobless rate is slipped from 4.2 percent in May to 4.1 percent while adding more than 10,000 people to the labor force, according to Georgia Department of Labor. Since June of last...
Delta relaunches Atlanta-Shanghai route, key link to China
Delta relaunches Atlanta-Shanghai route, key link to China

Delta Air Lines is reconnecting a key link between the Southeast and China with the resumption of flights from Atlanta to Shanghai this week. It’s the culmination of a years-long effort to bring the service back, after years with no nonstop flights between the world’s busiest airport and China. Delta CEO Ed Bastian said Shanghai...
Paulding airport says lease still calls for commercialization effort
Paulding airport says lease still calls for commercialization effort

Paulding County’s airport may try again to commercialize and attract airline flights, after its last effort was brought to an end by the Federal Aviation Administration. That’s because a long-term lease with an airport partner could obligate it to do so, according to the Paulding airport director. That company, Silver Comet Terminal Partners...
Super Bowl prep underway in Atlanta, 200 days in advance
Super Bowl prep underway in Atlanta, 200 days in advance

The Super Bowl is still 200 days away. But thousands of hotel rooms are already booked, tens of millions of dollars are already invested and hundreds of companies are vying for the right to supply things like carpeting, catering, ice, flowers, golf carts, paint, piping and portable potties. With Atlanta getting its third chance as the site of the game...
More Stories