As nearly 30 states across the country see their number of Coronavirus cases or hospitalizations increase at alarming rates, citizens in all states need to be weary of another potential side effect of the pandemic: the growing possibility that their retirement savings accounts could be hacked and depleted.
That is the warning from some financial advisors in the wake of the March 2020 CARES Act legislation, which makes it easier to make retirement plan distributions without penalty. Although aimed at helping out-of-work Americans get immediate access to critical funds during the COVID-19 pandemic, the legislation could play into the hands of cyber crooks who can locate plans with vulnerable security.
In the past several months there has been an increase in such hacking attacks on 401(k) plans and retirement savings accounts, and new court action could have far-reaching impact on which parties are held liable.
One of the more notable cases involves the Estee Lauder cosmetics company and the administrator of its retirement plan, Alight Solutions LLC. A former employee of Estee Lauder sued the two firms in 2019 when she discovered that three distributions were made from her plan without her knowledge or consent: $37,000, $52,000 and $12,000, for a total of $99,000. In the suit, the former employee claimed the firms breached their fiduciary duty by failing to secure and protect her account.
In another case, a woman from Massachusetts had nearly $200,000 drained from her retirement account when a hacker attached a fraudulent bank account to her retirement account. The cyber crook had also infiltrated her email account, and intercepted the notice of a change to bank status regarding the retirement account, so she was unaware of what was happening until it was too late.
These cases, and others, illustrate the increased risk that some retirement accounts can face if the plan administrators are not at the top of their game when it comes to cyber security, or even if plan holders don’t practice basic personal security measures. And a new court ruling could have long-term impact on how litigation cases around retirement plan hacks and fraudulent disbursement are resolved.
Sounding the alarm on rising attacks
In May of this year the Eastern District Court of Pennsylvania, in the case Leventhal v. MandMarblestone Group, LLC, ruled that plan sponsors can be held equally liable with plan administrators when such accounts are breached, and they can also be held accountable for inadequate security defenses if the impacted plan holders (employees) work remotely or without adequate safeguards, wrote The Wagner Law Group on its blog. In this case, the plan sponsor (employer) had sued the plan administrator for enabling the breach of an employee account. The plan administrator counter-sued, arguing that the employer had failed to provide adequate security defenses or training on their end. The court agreed, ruling that “the plan sponsor was alleged to be ‘careless’ in its ‘computer/IT systems’ and ‘employment policies’ in permitting an employee and plan participant to work remotely without adequate safeguards to do so.”
The decision suggests a looming threat of security breaches and a resulting broad scope of fiduciary liability that can touch everyone involved in the running of a plan, regardless of traditional fiduciary titles,” the Wagner Law Group said.
Hacking attacks against retirement plan accounts are not a new phenomenon, but they are one that is becoming more common.
“When I was chief information security officer at AIG’s Life and Retirement unit, these attacks were growing in frequency,” says Jeffrey Brown, the current CISO for the State of Connecticut. “ In fact, Brown said, the FBI had detected 401(k) distribution fraud incidents as early as 2017. The Bureau released a bulletin on the subject in March, 2019, “Cyber Criminals Steal Funds from Retirement and Spending Accounts through Unauthorized Online Access.”
“These attacks take advantage of stolen personally identifiable information (PII) to create new accounts or take over existing accounts. Once the account is under their control, the attacker will either transfer money, initiate a distribution, or take a loan from the accounts. It’s not just 401(k) accounts, either. Pension accounts, flexible spending accounts (FSAs) and healthcare spending accounts (HSAs) have all been victimized,” Brown says.
401(k)s: Because That’s Where The Money Is
So, why are retirement plans such ripe targets? Collectively, every source interviewed for this article had the same response: ‘Because that’s where the money is.’
“These accounts typically have a much higher balance than an average checking account and far fewer security and fraud controls,” Brown notes. “Compounding the issue is the fact that users sometimes depend on paper statements or infrequent account checks once a quarter or so. They don’t detect there’s a problem until it’s much too late. Some corporate 401(k) accounts have been hijacked even before the legitimate user registers and activates the account for the first time.”
Adding to the problem is that many record keepers don’t have a good handle on the identity of plan participants. That makes the approximately $5 trillion in liquid assets held in 401(k) accounts too tempting to ignore, explains Richard Carpenter, president of USVI Pensions in the U.S. Virgin Islands.
In April of this year, Carpenter authored a blog on 401k Fiduciary entitled “401k Fraud: A Chilling Account of How Easy It Is,” that offered a step-by-step account of how a plan holder employed at Abbott Laboratories had $245,000 fraudulently disbursed from his account. The administrator of his account was, again, Alight Solutions. In this case, the cyber crook’s efforts started with the simple use of the “Forgot Password” option on the plan’s website. The subsequent back-and-forth correspondence and requests between the crook and the plan administrator told a tale of basic disregard for security protocols, Carpenter says.
“Like most criminals, they are looking for the weakest link,” Carpenter explains. “The participants are the weakest, followed by the plan sponsors and then the intermediaries. Direct attacks of the custodians are very difficult,” Carpenter says.
Using public data to identify the weakest links
As to how potential victims are identified, Carpenter says “The bad guys appear to be mining publically available information. Sites like LinkedIn are scraped to identify targets.”
“It’s normally more about taking advantage of bad processes rather than defeating decent cybersecurity,” says Bryce Austin, a cybersecurity expert and risk consultant at TCE Strategy in Minnesota. “That being said, if a hacker can take over a victim’s computer and their smartphone, then the person is at a huge risk from an attack that drains their retirement accounts.”
As much of a problem as this already was, Austin says the pandemic is taking a heavy toll on potential victims.
“I think COVID-19 is amplifying the size of the problem. The FBI claims that cybercriminal attacks against individuals are up 400% since the COVID pandemic has hit, so an already serious issue has become that much larger,” Austin says.
The Best Defense is a Strong Offense
The best defense against these hacking attacks are strong security protocols on the part of employer and plan administrators, and common-sense security habits by plan holders.
“This depends from company-to-company, but security controls should include strong passwords, multifactor authentication (MFA), and knowledge-based authentication,” Brown stresses. “In the case of knowledge-based authentication, the user is presented with a specialized challenge, like remembering a former address, before providing the ability to register an account. It ups the game against attackers who only have a user’s basic information like name and address at their disposal. It’s important to implement multiple levels of protection. Multifactor authentication by itself doesn’t help if the account is registered to a fraudulent user on its first use.”
Equally important, not all account fraud steps will be digital.
“Don’t forget every attack does not come in over the Internet. Attackers will use email and web attacks, social engineering, over the phone and even fax for companies that still support that way of doing business. Fraud is fraud, whether it is over the Internet, phone, or on paper,” Brown stresses.
Finally, the burden is on employers to carefully select plan administrators that will protect their employees’ assets.
“If a company is looking for an outsourced company to administer their retirement accounts, I would look for two important things: 1) What are the processes that company promises to use to authenticate users before providing services to a user? 2) What contractual obligations is the retirement account company willing to sign regarding their ability for not following reasonable cybersecurity processes. They need to be on the hook for mistakes such as these. In writing. No exceptions,” Brown insists.