Cyber-security fraud against 401(k) plan participants has spiked. At a recent retirement industry meeting of more than 20 independent 401(k) providers, firm executives described multiple fraud attempts against 401(k) participants in 2017, most of them following the same pattern. Other providers have since reported additional attempts in early 2018.
Given the large asset balances in 401(k) accounts and the recent high-profile data breaches, the increase in cyber-crime should come as no surprise, and the trend is likely to keep escalating. Everyone associated with a 401(k) plan, including participants, employers, and plan providers, should be on alert and take extra precautions to harden their security practices and protect 401(k) assets.
A Consistent Pattern
The pattern of many recent fraud attempts has been consistent across recordkeepers, leading to speculation that a single, coordinated scheme has been launched to defraud participants. In these cases, the fraudster calls the participant call center pretending to be a 401(k) participant, in most cases a company executive or owner, and attempts to gain access to that person's online 401(k) account. When asked for identification and security information, the caller correctly supplies personal details (birthdate, last 4 digits of the SSN, and answers to alternate security questions). In some instances, the caller has been able to supply information that only the participant should know, which means knowledge-based verification alone can no longer be trusted to establish identity.
In most reported cases, the recordkeeping firms' security processes thwarted the attempts, but actual thefts have been reported. In those cases, the caller gained access to one or more participant accounts, changed personal information (email address, mailing address, etc.), and then requested and received online loans or in-service withdrawals. That sequence, a contact-information change closely followed by a request for money, is the signature of the scheme.
The nature of the information the fraudsters possess has led industry experts to speculate that personal identity data stolen in recent public breaches (e.g., Equifax) is now being used to target the 401(k) accounts of business owners and company executives. One scenario is that CEOs and key executives are targeted because they are likely to have a high net worth and because their identities are easily found in the executive profile section of corporate websites. Exactly how the criminals tie an individual participant to a specific 401(k) provider is uncertain, but there are several plausible scenarios.
For large 401(k) plans (generally over 100 participants), a company's 401(k) recordkeeper is listed on Form 5500, which is a public record available through the Department of Labor website. Most of the recently reported cases have involved large 401(k) plans. Another scenario is that the fraudsters have gained access to one of the many industry benchmarking or marketing databases and are using it to identify the target participant's 401(k) vendor.
A Review of Security Best Practices
Because of the increase in attempted fraud, now is the time to review and harden security practices. Below are some best-practices for participants, employers, and plan providers to help strengthen security processes and protect 401(k) assets.
For 401(k) Participants – Participants can take several steps to prevent fraud, including logging into their 401(k) account regularly, providing an active email address so that change notifications actually reach them, using strong, unique passwords (not reused from any other site), changing passwords if a breach is suspected, and providing answers to alternate security questions that only the participant would know. Many security experts recommend giving fictitious answers to alternate security questions (e.g., mother's maiden name) because the true answers are often discoverable from public records or breach data; the made-up answers should be stored in a password manager so they can be reproduced later.
For Employers – Employers can take steps to help protect plan assets, including encouraging participants to engage with their 401(k) accounts, providing the recordkeeper with email addresses for all plan participants, educating employees about security best practices, and keeping employee census data up to date. Employers should work with recordkeepers to ensure their personnel are trained on approval processes for loans and distributions and are actively communicating with participants about these transactions as they occur. Employer personnel should also be reading communications from their recordkeeper and other providers, since those notices are often the first sign that something is wrong.
For Plan Providers – Recordkeepers, software vendors, and other plan vendors play a big role in preventing fraud. Providers should not overlook the basics, including enforcing strict password policies and alternate security questions, implementing and enabling two-factor or multi-factor authentication (2FA/MFA), requiring new participants to provide active email addresses, and training firm and employer personnel on distribution and loan approval processes. Recordkeepers should also review their "default credential" policies for newly eligible participants and ensure that defaults expire after the initial enrollment period for those who never engage with their online account, because an unclaimed account with a predictable default login is an easy target.
Because fraudsters are increasingly able to circumvent basic controls, including email- and SMS-based 2FA (an SMS code can be intercepted by a SIM swap, and an email code goes to whoever controls the mailbox, which the fraudster may have just changed), recordkeepers and software vendors may need to evaluate and implement more advanced authentication practices. As Sridhar Muppidi argues in his Harvard Business Review article, Companies Need More Than Two-Factor Authentication to Keep Users Safe, providers should consider device-based push-notification authentication, device-bound biometric (fingerprint) authentication, and other layered controls that evaluate the risk of a specific transaction based on the participant's location and other behavioral characteristics.
With a more comprehensive, risk-based approach to evaluating a requested 401(k) withdrawal, firms can dial up or dial down the additional verification required depending on the risk assessment of each transaction: a routine request from a known device is allowed, while a request made days after an email or address change, from a new device or unusual location, is held for verification through the contact details that were on file before the change. By combining a provider's own data with online risk solutions from vendors such as LexisNexis, recordkeepers can build a stronger defense against future attacks.
In addition to hardening participant authentication, providers should strengthen other core security practices. These include obtaining or reviewing cyber-security insurance policies, ensuring annual internal procedural audits cover security practices, requiring annual employee security training, and implementing supporting technologies such as SFTP for file transfers, encryption of data in transit and at rest, website security monitoring, and HTTPS on every participant-facing site.
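The following is an added illustration of the risk-based step-up described above and of the contact-change-then-withdraw pattern from the fraud reports; it is example code written for this article, not a recordkeeper's or LexisNexis' product. It scores a loan or withdrawal request from a handful of signals (a recent contact-information change, an unrecognized device, an unusual location, a large amount, a phone-channel request) and returns the verification level to require. The weights, thresholds, event names, device identifiers and sample history are all assumptions constructed for the example.

```python
"""Risk-based step-up decision for a 401(k) loan or withdrawal request.

Added example for this article, not a recordkeeper's production code.
All weights, thresholds, field formats and sample events are assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Set


@dataclass
class AccountEvent:
    kind: str            # e.g. "contact_change", "password_reset" (assumed names)
    when: datetime
    detail: str = ""     # e.g. "email", "mailing_address"


@dataclass
class WithdrawalRequest:
    participant_id: str
    amount: float
    when: datetime
    device_id: str       # cookie or device-fingerprint id (assumed)
    channel: str         # "web" or "call_center"
    geo: str             # coarse location such as "US-TX" (assumed format)


@dataclass
class RiskDecision:
    score: int
    action: str          # "allow", "push_mfa" or "callback_and_hold"
    reasons: List[str]


# Assumed policy knobs; a real program would tune these from its own data.
CONTACT_CHANGE_WINDOW = timedelta(days=14)
HIGH_AMOUNT = 25_000.00
STEP_UP_THRESHOLD = 25        # at or above: require push-notification MFA
HOLD_THRESHOLD = 60           # at or above: hold the payout and call back


def score_withdrawal(req: WithdrawalRequest, history: List[AccountEvent],
                     known_devices: Set[str], usual_geo: str) -> RiskDecision:
    score = 0
    reasons: List[str] = []

    # The reported pattern: change email/address first, then ask for money.
    recent_changes = [e for e in history
                      if e.kind == "contact_change"
                      and e.when <= req.when
                      and req.when - e.when <= CONTACT_CHANGE_WINDOW]
    if recent_changes:
        score += 40
        changed = ", ".join(sorted({e.detail for e in recent_changes}))
        reasons.append(f"contact info changed within {CONTACT_CHANGE_WINDOW.days} "
                       f"days ({changed}); verify using the details on file BEFORE the change")

    if req.device_id not in known_devices:
        score += 25
        reasons.append("request from an unrecognized device")

    if req.geo != usual_geo:
        score += 15
        reasons.append(f"request from {req.geo}, usual location {usual_geo}")

    if req.amount >= HIGH_AMOUNT:
        score += 10
        reasons.append(f"amount {req.amount:,.2f} at or above {HIGH_AMOUNT:,.2f}")

    if req.channel == "call_center":
        # Knowledge-based questions over the phone are what the callers defeated.
        score += 10
        reasons.append("phone request authenticated only by knowledge-based questions")

    if score >= HOLD_THRESHOLD:
        action = "callback_and_hold"
    elif score >= STEP_UP_THRESHOLD:
        action = "push_mfa"
    else:
        action = "allow"
    return RiskDecision(score, action, reasons)


def demo() -> dict:
    """Score three constructed sample requests and return the decisions."""
    now = datetime(2018, 3, 1, 10, 0)
    known = {"dev-laptop-01"}
    # Constructed history: email and mailing address changed two days earlier.
    fraud_history = [AccountEvent("contact_change", now - timedelta(days=2), "email"),
                     AccountEvent("contact_change", now - timedelta(days=2), "mailing_address")]
    fraud_req = WithdrawalRequest("P1001", 30_000.00, now, "dev-unknown-77", "call_center", "US-NV")
    benign_req = WithdrawalRequest("P1001", 5_000.00, now, "dev-laptop-01", "web", "US-TX")
    new_device_req = WithdrawalRequest("P1001", 5_000.00, now, "dev-phone-02", "web", "US-TX")
    return {
        "fraud_pattern": score_withdrawal(fraud_req, fraud_history, known, "US-TX"),
        "benign": score_withdrawal(benign_req, [], known, "US-TX"),
        "new_device_only": score_withdrawal(new_device_req, [], known, "US-TX"),
    }


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name}: score={decision.score} action={decision.action}")
        for reason in decision.reasons:
            print(f"  - {reason}")
```

The point of the design is that the contact-information change carries the heaviest weight on its own and that the callback instruction names the pre-change details: a fraudster who has just replaced the email and mailing address controls every new channel, so verification has to go to the old ones. The constructed fraud-pattern request scores 100 and is held for callback, the routine request from a known device scores 0 and is allowed, and a request from a new device alone scores 25 and triggers push-notification MFA.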
401(k) plan assets are now squarely in the cross-hairs of cyber-criminals, as multiple 401(k) recordkeepers have recently reported. Because of the large account balances in 401(k) plans, recent public breaches such as Equifax, and the public nature of 401(k) vendor data, these attacks are likely to continue increasing. Participants, employers, and plan providers should act now to review and harden their security practices and strengthen the technology that protects 401(k) plan assets.