Haven’t checked your retirement account balance in awhile? Um, now might be a good time.
Few financial nightmares are as frightening as life savings being looted by identity thieves. It isn’t easy, but it’s also not quite as difficult as I had thought.
Steven Voss checked his 401(k) account balance a couple months back. It was empty.
“It’s an awful feeling,” he told me.
“It’s taking away your future and giving to somebody who has done nothin’ but lie, cheat and steal from somebody who worked all their life.”
Good news: He had moved most of his money out of that account months earlier. And the retired engineer, who lives near Salt Lake City, was made whole for the $42,000 loss he did have.
Bad news: other bad guys are eyeing retirement accounts.
In Voss’ case, looters had called the investment company that holds his account, industry giant Prudential Financial. A caller pretending to be Voss apparently used surprisingly little information — Voss’ name, address, date of birth and Social Security number — to order a check to cash out his 401(k) account. The check was slated to be delivered to Voss’ home address, but a caller later asked for it to be diverted to a local UPS store.
Because Voss checked his balance and discovered the scam, police were able to get there first.
They arrested two Georgia men, Abdulrasheed Adeola Yusuf, 29, of Lilburn and Temilade Damilare Adekunle, 31, of Lawrenceville, according to local media reports. There were multiple IDs in their car and an $85,000 check from another victim, according to an FBI statement in court filings.
The FBI and Newark-based Prudential told me the investigation is ongoing, but spokesmen declined to share details about its scope.
“We are working with other financial services companies and sharing information about this,” said Erez Liebermann, Prudential’s chief counsel for cybersecurity and privacy.
He told me that Prudential routinely reviews its authentification practices based on threats it sees.
Voss said he was one of at least five people at his company who had their retirement accounts hit. And he read a letter to me that he said he got from his employer about the investigation: “other retirement providers are experiencing similar fraud incidents on accounts they administer.”
This kind of stuff is really rare, right? Well ….
There appears to be little or no data on how often it happens and how many investors have discovered their retirement accounts were emptied by identity thieves.
I checked with a bunch of abbreviations: the FBI, the FTC, FINRA, the U.S. DOL’s EBSA, etc. They didn’t have stats or didn’t have any readily available.
Fraud fighters told me that identity theft involving retirement accounts appears to be increasing, expanding from fraud involving bank accounts and home equity lines of credit. It often involves what’s called an account takeover, where the fraudster calls or goes online to take control of an account.
“It’s a daily battle that industry is dealing with,” said Matt LaVigna, who leads the National Cyber-Forensics & Training Alliance, a Pittsburgh-based nonprofit that pulls together corporate and law enforcement investigators.
LaVigna said he suspects there may be hundreds of thousands of attempts a day on all kinds of financial accounts in the United States.
“We are dealing with a persistent criminal threat,” he said. “They are very determined, and they are more organized than people can believe.”
Massive cyber attacks that expose consumers' personal information, such as what happened in the recent Equifax data breach, can give identity thieves fresh material to work with, he said.
The Equifax breach included primarily names, Social Security numbers, birth dates, addresses. That’s the same type of of data thieves used to loot Voss’ retirement account, though Voss said there is no indication that the Equifax breach is tied to his situation.
Ed Koby, a supervisory special agent in the FBI’s Newark office, told me identity thieves he’s tracked try to get a variety of information on potential victims, including account numbers. But Social Security numbers are “a critical piece to have.”
Do we really have to think about this?
We already have more than enough stuff to give us night sweats: Nuclear war, North Korea, our polarized society, whether we should kneel or stand, the wage gap, the health gap, robots taking our jobs.
Is the security of our retirement accounts really something we have to worry about?
“Yes,” anti-fraud experts told me. Not “yes,” like we need to panic. But “yes” like, with life savings on the line, it’s worth taking smart steps right now to limit the risk.
I’ve got some steps for you in a minute. But first…
How hard is it for thieves to pull this off?
It’s generally far easier and faster for identity thieves to abuse credit card accounts, the FBI’s Koby and others told me. But some thieves are drawn to the bigger potential payout of a retirement account.
A credit card gig might net $3,000 before it’s discovered, he said. A successful attack on a single retirement account that can net hundreds of thousands or more.
Personal information about potential victims can sometimes be bought online from cyber thieves. Sometimes thieves use that material to trick helpful customer service representatives at investment companies into providing more personal data on the victims.
How’s that for a twist? Nice and helpful can be bad and costly.
The thieves also need mailing addresses or bank accounts where the money can be sent without making financial institutions suspicious.
There are other tactics.
In 2012, a worker at a New Jersey call center for retirement accounts used confidential customer information, including PIN numbers to take over accounts. He and others snagged more than $750,000 in checks before being arrested, according to the U.S. Department of Justice.
And in 2009 a former worker at a Kansas City casino was sentenced to prison after using a co-worker’s Social Security number and PIN to pull $18,000 from a 401(k) account, according to the U.S. Department of Labor.
If thieves ransack my 401(k) or similar retirement account, will anybody reimburse me?
Probably. So far, people who work in this area tell me investment companies have reimbursed all the money victims had in their accounts if it’s clear that identity thieves stole their money.
That doesn’t mean you should relax. It’s your life savings; take steps to protect your financial future.
Here’s what some of the fraud fighters I spoke with suggested:
— Check your retirement account often. Check the balance and your listed addresses, phone numbers and emails. Promptly notify the company if there’s a problem.
— Don’t ignore notices from your company about account changes.
— Restrict access to computer and mobile devices the account management company recognizes.
— Add email alerts on the account to notify you when important changes are made.
— Use a tough username and password for online access to the account. It should differ from other usersnames and passwords you have.
— Avoid choosing security questions that scammers could find the answers for online or in social media.
— Request two-factor authentication to gain access to your account. This involves one-time access codes emailed or texted to the account holder.
Related coverage:
Find Matt on Facebook and Twitter (@MattKempner) or email him at mkempner@ajc.com.
About the Author