Thwarting Cyber Attacks on Retirement Plans

A stolen identity, a few clicks, and there it is — a handsome retirement plan balance, ripe for the picking. If only someone had done something to prevent it all. A recent blog entry offers some ideas on how to do that, as does the IRS.

In “Protecting Retirement Plans from Identity Theft,” a recent entry in Ice Miller’s blog “Build Insights,” Nicholas R. Merker and Martha Kohlstrand discuss how identity thieves target and attack retirement plans and suggest ways to protect a plan from them.

Merker and Kohlstrand warn that retirement plans are especially tempting targets. “Retirement plans can have very large balances compared to other cyber targets such as bank accounts, and therefore, have become quite attractive to cyber criminals,” they write.

Cyber crime can affect a retirement plan in a variety of ways, Merker and Kohlstrand observe, including phishing and ransomware. A breach of an employer’s data poses an additional risk to its retirement plans, they add, because it exposes the plan to wire transfer fraud, in which attackers try to trick employees who work with the plan into releasing plan funds.

And, Merker and Kohlstrand add, it’s not just plan participants who are at risk: a plan and its employer also may be exposed if they fail to protect the plan from cyber criminals.

Forewarned and Forearmed

Employers, plans and participants are far from helpless against the onslaught of criminals who want a slice of the retirement plan pie. Steps Merker and Kohlstrand suggest include:

Software. Keep software up to date.

Review cyber safety with employees. This can entail telling employees to check the email addresses from which emails originate to verify senders’ trustworthiness, as well as telling them not to click links in emails.

Confirm identities. Remind employees to confirm the identity of individuals who claim they are plan participants, especially those who want to withdraw or transfer funds.

Follow best practices. Many plans have online fraud policies that guarantee reimbursement if the participant follows cyber safety practices such as changing passwords frequently and verifying that emails claiming to be from the retirement plan really are. Many plans also disclaim responsibility if a participant negligently allowed someone else to access his or her account by clicking a link in an email, or fell for a scheme that allows wire fraud to occur.

The IRS, as part of its observance of National Tax Security Awareness Week Nov. 27-Dec. 1, offered tips that, although not aimed at retirement plan administrators and participants, nonetheless apply to retirement plans.

  • Avoid unprotected Wi-Fi. Unprotected public Wi-Fi hotspots may allow thieves to view transactions. Do not engage in online financial transactions if using unprotected public Wi-Fi.
  • Learn to recognize and avoid phishing emails that pose as a trusted source such as those from financial institutions or the IRS. These emails may suggest a password is expiring or an account update is needed. The criminal’s goal is to entice users to open a link or attachment. The link may take users to a fake website that will steal usernames and passwords. An attachment may download malware that tracks keystrokes.
  • Keep a clean machine. This applies to all devices — computers, phones and tablets. Use security software to protect against malware that may steal data and viruses that may damage files. Set it to update automatically so that it always has the latest security defenses. Make sure firewalls and browser defenses are always active. Avoid “free” security scans or pop-up advertisements for security software.
  • Use passwords that are strong, long and unique. Experts suggest a minimum of 10 characters but longer is better. Avoid using a specific word; longer phrases are better. Use a combination of letters, numbers and special characters. Use a different password for each account. Use a password manager, if necessary.
  • Use multi-factor authentication. Some financial institutions, email providers and social media sites allow users to set up multi-factor authentication on their accounts, meaning users may need a security code, usually sent as a text to a mobile phone, in addition to usernames and passwords. For added protection, some financial institutions also will send email or text alerts when there is a withdrawal or change to the account. Generally, users can check account profiles at these locations to see what added protections may be available.
  • Encrypt and password-protect sensitive data. If keeping financial records, tax returns or any personally identifiable information on computers, this data should be encrypted and protected by a strong password. Also, back up important data to an external source such as an external hard drive. And, when disposing of computers, mobile phones or tablets, make sure to wipe the hard drive of all information before trashing.
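The advice above on checking sender addresses, links and attachments can be turned into a simple triage check that a plan administrator's help desk or mail filter could run before anyone acts on a message. The Python script below is an added example and is not code from the article, from Ice Miller or from the IRS; the trusted domains, the brand words, the sample messages and the indicator list are all constructed for illustration, so a real deployment would substitute the plan's actual sending domains.

```python
"""Added example: flag common phishing indicators in an inbound email.

Everything here is constructed for illustration: the trusted-domain
allowlist, the sample messages and the indicator heuristics are
assumptions, not the article's or any provider's real configuration.
"""
import re
from email import message_from_string
from email.message import EmailMessage
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed allowlist: domains the plan and payroll actually send from.
TRUSTED_DOMAINS = {"example-retirement.com", "payroll.example.com"}
# Brand words an impostor might place in the display name to look legitimate.
BRAND_WORDS = ("retirement", "401k", "benefits", "payroll")
# Attachment types often used to deliver malware (constructed, not exhaustive).
RISKY_ATTACHMENT_EXT = (".exe", ".js", ".scr", ".vbs", ".hta", ".zip", ".docm")
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)
URGENCY_RE = re.compile(r"password (will )?expir|verify your account|update your account", re.I)


def domain_of(address: str) -> str:
    """Lower-cased domain part of an email address ('' if none)."""
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def is_trusted_host(host: str) -> bool:
    """True if host is a trusted domain or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)


def text_body(msg) -> str:
    """Concatenate all text/plain parts of a parsed message."""
    chunks = []
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True) or b""
            chunks.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def phishing_indicators(raw_message: str) -> list[str]:
    """Return human-readable red flags found in one raw RFC 822 message."""
    msg = message_from_string(raw_message)
    flags = []
    display_name, addr = parseaddr(msg.get("From", ""))
    from_domain = domain_of(addr)

    # 1. Sender domain is not one the plan is known to send from.
    if from_domain not in TRUSTED_DOMAINS:
        flags.append(f"sender domain {from_domain!r} is not a known plan domain")
    # 2. Display name borrows the plan's brand while the address does not match it.
    if any(w in display_name.lower() for w in BRAND_WORDS) and from_domain not in TRUSTED_DOMAINS:
        flags.append("display name imitates the plan but address domain differs")
    # 3. Reply-To routes answers to a different domain than the visible sender.
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and domain_of(reply_addr) != from_domain:
        flags.append(f"Reply-To domain {domain_of(reply_addr)!r} differs from From domain")

    body = text_body(msg)
    # 4. Links in the body lead away from the plan's own hosts.
    for url in URL_RE.findall(body):
        host = (urlparse(url).hostname or "").lower()
        if host and not is_trusted_host(host):
            flags.append(f"link points to untrusted host {host!r}")
    # 5. Attachment types commonly used to deliver malware.
    for part in msg.walk():
        filename = part.get_filename()
        if filename and filename.lower().endswith(RISKY_ATTACHMENT_EXT):
            flags.append(f"risky attachment {filename!r}")
    # 6. Credential-reset / urgency wording typical of lures.
    if URGENCY_RE.search(body):
        flags.append("urgency or credential-reset language in body")
    return flags


def build_sample(from_hdr, body, reply_to=None, attachment_name=None) -> str:
    """Construct a raw message string for the demonstration (sample data)."""
    m = EmailMessage()
    m["From"] = from_hdr
    m["To"] = "hr@payroll.example.com"
    m["Subject"] = "Plan notice"
    if reply_to:
        m["Reply-To"] = reply_to
    m.set_content(body)
    if attachment_name:
        m.add_attachment(b"not really a program", maintype="application",
                         subtype="octet-stream", filename=attachment_name)
    return m.as_string()


# Constructed samples: one genuine-looking notice and one lure.
LEGIT = build_sample("Example Retirement <notices@example-retirement.com>",
                     "Your quarterly statement is available at "
                     "https://portal.example-retirement.com/login")
LURE = build_sample("Example Retirement Benefits <support@exarnple-retirement.co>",
                    "Your password will expire today. Verify your account at "
                    "http://login-example-retirement.co/reset",
                    reply_to="helpdesk@mail-relay.example.net",
                    attachment_name="statement.zip")

if __name__ == "__main__":
    for label, sample in (("legit", LEGIT), ("lure", LURE)):
        print(label, phishing_indicators(sample))
```

Run stand-alone, the genuine notice produces no flags and the lure produces six, one per heuristic. The allowlist approach deliberately treats any unknown sender as suspicious rather than trying to enumerate bad ones, which matches the article's guidance that staff verify who a message really comes from before acting on a withdrawal or transfer request.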

“Retirement plans and their sponsors should also be mindful of the potential liability for cyber losses and protect themselves accordingly,” Merker and Kohlstrand write.