401(k) Fraud: A Chilling Account of How Easy It Is

Prevention and mitigation steps are needed.

“Houston, we have a problem.”

On the 50th anniversary of Apollo 13, it seems appropriate to examine how those in the retirement plan industry address catastrophes. Specifically, fraudulent distribution requests are at an epidemic level. Everyone in our industry should be concerned.

The Chicago Tribune published an article about a participant in a 401(k) plan who had her account drained by a fraudster. USA Today reported a similar story in January. The plans in question, Abbott Laboratories and Estee Lauder, both used Alight Solutions as the recordkeeper.

Alight is hardly alone in facing this problem. Many recordkeepers will tell you, off the record, they have either paid fraudulent distributions to the scammers or discovered the nefarious attempts prior to disbursement.

To paraphrase Willie Sutton, the bad guys are targeting retirement plans because “that’s where the money is.” What’s more, they are part of very sophisticated operations.

One of the fraudulent distribution requests I reviewed included a photocopy of the front and back of the participant’s driver’s license. The signatures of the participant, as well as the plan sponsor, were remarkably good forgeries, too.

I spoke with Chicago attorney Todd A. Rowden of Taft Stettinius & Hollister LLP, who represents the participant in this case. His position is, “Plan administrators and their representatives need to recognize this fraudulent conduct for what it is—crisis level occurrences that demand more and better security and protective action.”

He added, “When someone’s retirement and life savings are at stake, these administrators must do more and be ever vigilant.”

Rowden has filed a federal lawsuit in Chicago to recover $245,000 alleged to have been fraudulently taken from Abbott’s 401k plan because Abbott and its administrator Alight failed to require or enforce sufficient security measures. Rowden told me that the call center recordings were chilling in their lack of adherence to basic security protocols.

Anatomy of a crime

The Abbott affair began on December 29, 2018. The fraudster tried to access the participant’s account and then used the “Forgot Password” option on the website. They then received, via email, a one-time code that enabled full access to the participant’s account. With this access, the bad guy added their new bank account information.

On December 31, the fraudster contacted the call center from a phone number that was not associated with the account. The call center representative read aloud the actual address of the real participant and asked the impersonator if they still lived there. The bad guy answered affirmatively. The representative went on to say that since the account had a new bank account, they would have to wait seven days to process a distribution.

On January 1, 2019, the plan sponsor, via regular mail, sent the participant a notice that an additional bank account had been added to her records. The participant’s preferred method of communication was e-mail. On January 4, the participant’s husband tried to access her account. Access was denied, so he answered the security question and gained access. He then changed the password and the participant was notified of the change via e-mail.

On January 8, the first day after the distribution holding period, the imposter requested another one-time code be sent via e-mail. With this in hand, the fraudster requested a distribution of $245,000. On January 9, via the USPS, the plan notified the participant of the distribution. The participant received this letter on January 14.

Also, on January 9, the thief contacted the call center twice to inquire when they would get the money. The reply was January 14. On January 15, the real participant contacted the call center to report missing funds.
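Each step in the timeline above left a signal that could have been checked before the money moved. As an added example (not from the article or from any recordkeeper's system), the sketch below reviews a distribution request against the account events that preceded it; the event fields, the 30-day lookback and the two-flag threshold are assumptions, and the event list is constructed from the article's dates.

```python
from datetime import date, timedelta

PREFERRED_CHANNEL = "email"  # the participant's stated preference in the article

# Constructed event log following the article's timeline. Field names are
# hypothetical; placing the bank change on December 29 is an assumption.
EVENTS = [
    {"day": date(2018, 12, 29), "type": "credential_recovery", "via": "email_otp"},
    {"day": date(2018, 12, 29), "type": "bank_account_added"},
    {"day": date(2018, 12, 31), "type": "call", "phone_on_file": False},
    {"day": date(2019, 1, 1), "type": "notice_sent", "channel": "mail"},
    {"day": date(2019, 1, 4), "type": "credential_recovery", "via": "security_question"},
    {"day": date(2019, 1, 8), "type": "credential_recovery", "via": "email_otp"},
    {"day": date(2019, 1, 8), "type": "distribution_request", "amount": 245_000},
]


def risk_flags(events, request, preferred_channel, lookback_days=30):
    """Return the reasons a distribution request should go to manual review."""
    start = request["day"] - timedelta(days=lookback_days)
    recent = [e for e in events if start <= e["day"] <= request["day"]]
    flags = []
    if any(e["type"] == "bank_account_added" for e in recent):
        flags.append("payout account added recently")
    recoveries = [e for e in recent if e["type"] == "credential_recovery"]
    if recoveries:
        flags.append(f"{len(recoveries)} credential recoveries before request")
    if any(e["type"] == "call" and not e["phone_on_file"] for e in recent):
        flags.append("call from number not on file")
    if any(e["type"] == "notice_sent" and e["channel"] != preferred_channel
           for e in recent):
        flags.append("change notice not sent via preferred channel")
    return flags


def decide(events, preferred_channel, threshold=2):
    """Hold the first distribution request if enough independent flags are raised."""
    request = next(e for e in events if e["type"] == "distribution_request")
    flags = risk_flags(events, request, preferred_channel)
    return ("manual_review" if len(flags) >= threshold else "release"), flags


if __name__ == "__main__":
    decision, reasons = decide(EVENTS, PREFERRED_CHANNEL)
    print(decision)
    for reason in reasons:
        print(" -", reason)
```

A fixed waiting period alone does not raise any of these flags; the check only helps if it runs at request time and a hold routes to out-of-band verification with the participant.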

The discussion of prevention and mitigation steps is exhaustive and will be the subject of a follow-up article. One thing is clear: you don’t have to be Nostradamus to figure out how elected officials are going to react to participants’ money being stolen and not being restored. Houston, we have a problem, and we need to fix it right now.

Richard Carpenter

Richard Carpenter is president of St. Croix, U.S. Virgin Islands-based USVI Pensions.
