Kempner: Thieves taking over 401(k) accounts. How to protect yours


Haven’t checked your retirement account balance in a while? Um, now might be a good time.

Few financial nightmares are as frightening as life savings being looted by identity thieves. It isn’t easy, but it’s also not quite as difficult as I had thought.

Steven Voss checked his 401(k) account balance a couple months back. It was empty.

“It’s an awful feeling,” he told me.

“It’s taking away your future and giving to somebody who has done nothin’ but lie, cheat and steal from somebody who worked all their life.”

Good news: He had moved most of his money out of that account months earlier. And the retired engineer, who lives near Salt Lake City, was made whole for the $42,000 loss he did have.

Bad news: other bad guys are eyeing retirement accounts.

In Voss’ case, looters had called the investment company that holds his account, industry giant Prudential Financial. A caller pretending to be Voss apparently used surprisingly little information — Voss’ name, address, date of birth and Social Security number — to order a check to cash out his 401(k) account. The check was slated to be delivered to Voss’ home address, but a caller later asked for it to be diverted to a local UPS store.

Because Voss checked his balance and discovered the scam, police were able to get there first.

They arrested two Georgia men, Abdulrasheed Adeola Yusuf, 29, of Lilburn and Temilade Damilare Adekunle, 31, of Lawrenceville, according to local media reports. There were multiple IDs in their car and an $85,000 check from another victim, according to an FBI statement in court filings.

The FBI and Newark-based Prudential told me the investigation is ongoing, but spokesmen declined to share details about its scope.

“We are working with other financial services companies and sharing information about this,” said Erez Liebermann, Prudential’s chief counsel for cybersecurity and privacy.

He told me that Prudential routinely reviews its authentication practices based on threats it sees.

Voss said he was one of at least five people at his company who had their retirement accounts hit. And he read a letter to me that he said he got from his employer about the investigation: “other retirement providers are experiencing similar fraud incidents on accounts they administer.”

This kind of stuff is really rare, right? Well ….

There appears to be little or no data on how often it happens and how many investors have discovered their retirement accounts were emptied by identity thieves.

I checked with a bunch of abbreviations: the FBI, the FTC, FINRA, the U.S. DOL’s EBSA, etc. They didn’t have stats or didn’t have any readily available.

Fraud fighters told me that identity theft involving retirement accounts appears to be increasing, expanding from fraud involving bank accounts and home equity lines of credit. It often involves what’s called an account takeover, where the fraudster calls or goes online to take control of an account.

“It’s a daily battle that industry is dealing with,” said Matt LaVigna, who leads the National Cyber-Forensics & Training Alliance, a Pittsburgh-based nonprofit that pulls together corporate and law enforcement investigators.

LaVigna said he suspects there may be hundreds of thousands of attempts a day on all kinds of financial accounts in the United States.

“We are dealing with a persistent criminal threat,” he said. “They are very determined, and they are more organized than people can believe.”

Massive cyber attacks that expose consumers’ personal information, such as what happened in the recent Equifax data breach, can give identity thieves fresh material to work with, he said.

The Equifax breach included primarily names, Social Security numbers, birth dates, addresses. That’s the same type of data thieves used to loot Voss’ retirement account, though Voss said there is no indication that the Equifax breach is tied to his situation.

Ed Koby, a supervisory special agent in the FBI’s Newark office, told me identity thieves he’s tracked try to get a variety of information on potential victims, including account numbers. But Social Security numbers are “a critical piece to have.”

Do we really have to think about this?

We already have more than enough stuff to give us night sweats: Nuclear war, North Korea, our polarized society, whether we should kneel or stand, the wage gap, the health gap, robots taking our jobs.

Is the security of our retirement accounts really something we have to worry about?

“Yes,” anti-fraud experts told me. Not “yes,” like we need to panic. But “yes” like, with life savings on the line, it’s worth taking smart steps right now to limit the risk.

I’ve got some steps for you in a minute. But first…

How hard is it for thieves to pull this off?

It’s generally far easier and faster for identity thieves to abuse credit card accounts, the FBI’s Koby and others told me. But some thieves are drawn to the bigger potential payout of a retirement account.

A credit card gig might net $3,000 before it’s discovered, he said. A successful attack on a single retirement account can net hundreds of thousands or more.

Personal information about potential victims can sometimes be bought online from cyber thieves. Sometimes thieves use that material to trick helpful customer service representatives at investment companies into providing more personal data on the victims.

How’s that for a twist? Nice and helpful can be bad and costly.

The thieves also need mailing addresses or bank accounts where the money can be sent without making financial institutions suspicious.

There are other tactics.

In 2012, a worker at a New Jersey call center for retirement accounts used confidential customer information, including PIN numbers, to take over accounts. He and others snagged more than $750,000 in checks before being arrested, according to the U.S. Department of Justice.

And in 2009 a former worker at a Kansas City casino was sentenced to prison after using a co-worker’s Social Security number and PIN to pull $18,000 from a 401(k) account, according to the U.S. Department of Labor.

If thieves ransack my 401(k) or similar retirement account, will anybody reimburse me?

Probably. So far, people who work in this area tell me investment companies have reimbursed all the money victims had in their accounts if it’s clear that identity thieves stole their money.

That doesn’t mean you should relax. It’s your life savings; take steps to protect your financial future.

Here’s what some of the fraud fighters I spoke with suggested:

— Check your retirement account often. Check the balance and your listed addresses, phone numbers and emails. Promptly notify the company if there’s a problem.

— Don’t ignore notices from your company about account changes.

— Restrict access to computer and mobile devices the account management company recognizes.

— Add email alerts on the account to notify you when important changes are made.

— Use a tough username and password for online access to the account. It should differ from other usernames and passwords you have.

— Avoid choosing security questions that scammers could find the answers for online or in social media.

— Request two-factor authentication to gain access to your account. This involves one-time access codes emailed or texted to the account holder.


Find Matt on Facebook and Twitter (@MattKempner) or email him at mkempner@ajc.com.
