Kempner: Thieves taking over 401(k) accounts. How to protect yours


Haven’t checked your retirement account balance in awhile? Um, now might be a good time.

Few financial nightmares are as frightening as life savings being looted by identity thieves. It isn’t easy, but it’s also not quite as difficult as I had thought.

Steven Voss checked his 401(k) account balance a couple months back. It was empty.

“It’s an awful feeling,” he told me.

“It’s taking away your future and giving to somebody who has done nothin’ but lie, cheat and steal from somebody who worked all their life.”

Good news: He had moved most of his money out of that account months earlier. And the retired engineer, who lives near Salt Lake City, was made whole for the $42,000 loss he did have.

Bad news: other bad guys are eyeing retirement accounts.

In Voss’ case, looters had called the investment company that holds his account, industry giant Prudential Financial. A caller pretending to be Voss apparently used surprisingly little information — Voss’ name, address, date of birth and Social Security number — to order a check to cash out his 401(k) account. The check was slated to be delivered to Voss’ home address, but a caller later asked for it to be diverted to a local UPS store.

Because Voss checked his balance and discovered the scam, police were able to get there first.

They arrested two Georgia men, Abdulrasheed Adeola Yusuf, 29, of Lilburn and Temilade Damilare Adekunle, 31, of Lawrenceville, according to local media reports. There were multiple IDs in their car and an $85,000 check from another victim, according to an FBI statement in court filings.

The FBI and Newark-based Prudential told me the investigation is ongoing, but spokesmen declined to share details about its scope.

“We are working with other financial services companies and sharing information about this,” said Erez Liebermann, Prudential’s chief counsel for cybersecurity and privacy.

He told me that Prudential routinely reviews its authentification practices based on threats it sees.

Voss said he was one of at least five people at his company who had their retirement accounts hit. And he read a letter to me that he said he got from his employer about the investigation: “other retirement providers are experiencing similar fraud incidents on accounts they administer.”

This kind of stuff is really rare, right? Well ….

There appears to be little or no data on how often it happens and how many investors have discovered their retirement accounts were emptied by identity thieves.

I checked with a bunch of abbreviations: the FBI, the FTC, FINRA, the U.S. DOL’s EBSA, etc. They didn’t have stats or didn’t have any readily available.

Fraud fighters told me that identity theft involving retirement accounts appears to be increasing, expanding from fraud involving bank accounts and home equity lines of credit. It often involves what’s called an account takeover, where the fraudster calls or goes online to take control of an account.

“It’s a daily battle that industry is dealing with,” said Matt LaVigna, who leads the National Cyber-Forensics & Training Alliance, a Pittsburgh-based nonprofit that pulls together corporate and law enforcement investigators.

LaVigna said he suspects there may be hundreds of thousands of attempts a day on all kinds of financial accounts in the United States.

“We are dealing with a persistent criminal threat,” he said. “They are very determined, and they are more organized than people can believe.”

Massive cyber attacks that expose consumers’ personal information, such as what happened in the recent Equifax data breach, can give identity thieves fresh material to work with, he said.

The Equifax breach included primarily names, Social Security numbers, birth dates, addresses. That’s the same type of of data thieves used to loot Voss’ retirement account, though Voss said there is no indication that the Equifax breach is tied to his situation.

Ed Koby, a supervisory special agent in the FBI’s Newark office, told me identity thieves he’s tracked try to get a variety of information on potential victims, including account numbers. But Social Security numbers are “a critical piece to have.”

Do we really have to think about this?

We already have more than enough stuff to give us night sweats: Nuclear war, North Korea, our polarized society, whether we should kneel or stand, the wage gap, the health gap, robots taking our jobs.

Is the security of our retirement accounts really something we have to worry about?

“Yes,” anti-fraud experts told me. Not “yes,” like we need to panic. But “yes” like, with life savings on the line, it’s worth taking smart steps right now to limit the risk.

I’ve got some steps for you in a minute. But first…

How hard is it for thieves to pull this off?

It’s generally far easier and faster for identity thieves to abuse credit card accounts, the FBI’s Koby and others told me. But some thieves are drawn to the bigger potential payout of a retirement account.

A credit card gig might net $3,000 before it’s discovered, he said. A successful attack on a single retirement account that can net hundreds of thousands or more.

Personal information about potential victims can sometimes be bought online from cyber thieves. Sometimes thieves use that material to trick helpful customer service representatives at investment companies into providing more personal data on the victims.

How’s that for a twist? Nice and helpful can be bad and costly.

The thieves also need mailing addresses or bank accounts where the money can be sent without making financial institutions suspicious.

There are other tactics.

In 2012, a worker at a New Jersey call center for retirement accounts used confidential customer information, including PIN numbers to take over accounts. He and others snagged more than $750,000 in checks before being arrested, according to the U.S. Department of Justice.

And in 2009 a former worker at a Kansas City casino was sentenced to prison after using a co-worker’s Social Security number and PIN to pull $18,000 from a 401(k) account, according to the U.S. Department of Labor.

If thieves ransack my 401(k) or similar retirement account, will anybody reimburse me?

Probably. So far, people who work in this area tell me investment companies have reimbursed all the money victims had in their accounts if it’s clear that identity thieves stole their money.

That doesn’t mean you should relax. It’s your life savings; take steps to protect your financial future.

Here’s what some of the fraud fighters I spoke with suggested:

— Check your retirement account often. Check the balance and your listed addresses, phone numbers and emails. Promptly notify the company if there’s a problem.

— Don’t ignore notices from your company about account changes.

— Restrict access to computer and mobile devices the account management company recognizes.

— Add email alerts on the account to notify you when important changes are made.

— Use a tough username and password for online access to the account. It should differ from other usersnames and passwords you have.

— Avoid choosing security questions that scammers could find the answers for online or in social media.

— Request two-factor authentication to gain access to your account. This involves one-time access codes emailed or texted to the account holder.



Reader Comments ...


Next Up in Business

Major corporations reel under the weight of cyber threats
Major corporations reel under the weight of cyber threats

The latest wave of cyber attacks to hit big corporations reveals a growing need for companies to safeguard their customers from internal and and external breaches. With the digitization of transactions and ease of online services, customers’ information is subject to the risk of cyber fraud every moment one processes non-cash transactions. According...
Atlanta home prices up faster than national average
Atlanta home prices up faster than national average

Extending a six-year trend of solid increases, metro Atlanta home prices rose 6.5 percent during the past year, slightly outpacing the national average, according to a high-profile analysis issued Tuesday. Of the 20 largest metro areas in the nation, the Atlanta region saw the 10th highest increase, stronger than the national average of 6.3 percent...
Airline customer satisfaction declines
Airline customer satisfaction declines

Satisfaction with airlines has declined 2.7 percent in the past year, according to a new American Customer Satisfaction Index report. The report, based on a survey of 12,172 people between April 2017 and March 2018, showed the decline after “a year of customer service crises and rising ticket prices,” according to ACSI. Those...
Smyrna-based company in $150 million deal for epilepsy drug
Smyrna-based company in $150 million deal for epilepsy drug

A quiet, Smyrna-based pharmaceutical company that has been flying under the radar, has emerged to announce a $150 million deal to buy an epilepsy drug. UCB, which already produces a number of drugs aimed at epilepsy, will buy the drug from Proximagen, which is part of a Minnesota-based company. The drug is a treatment for “acute...
NCR to cut hundreds of jobs in Georgia plant closures
NCR to cut hundreds of jobs in Georgia plant closures

Atlanta-based financial technology company NCR said it will close two manufacturing facilities near Columbus, in west Georgia, later this year, as the company shifts to some outsourced production of automated teller machines and other self-service kiosks. The moves will eliminate about 360 full-time jobs in Georgia, and could affect about 680 contract...
More Stories