Recently, a 401(k) participant lost approximately $740,000 in an intricate scam orchestrated by overseas criminals. Alarming cases also reveal that friends, family, and even employers have been implicated in 401(k) theft, with millions lost annually. Here’s how your organization can help protect employees’ retirement savings from theft.
Evaluate Existing Protections
If your organization sponsors a 401(k) plan, reviewing service providers’ security measures is essential. Many providers offer cyber fraud insurance for participants, but this coverage may be limited if the provider finds that a breach was facilitated by the sponsor or participants.
Your plan documents may require participants to follow certain security practices, such as frequently checking account information and promptly reviewing communications from the administrator. Make sure you and your employees understand these requirements — and follow them.
Leveraging Technology to Deter Fraud
Several 401(k) sponsors have faced lawsuits for failing to secure participants’ personal data. While comprehensive cybersecurity is essential for every business, organizations that store 401(k) information on their servers must be extra vigilant.
Basic two-factor authentication may no longer suffice; some experts now recommend implementing three-factor authentication to counter evolving fraud techniques. Employees should also follow strict security protocols when accessing their 401(k) accounts, such as:
- Creating complex passwords unique to their 401(k) accounts and updating them regularly,
- Not storing login credentials in browsers and not writing them down,
- Being cautious if login issues arise or if a sign-in page looks unfamiliar, and
- Verifying the identity of anyone requesting account details, even if they claim to represent the government, law enforcement, the plan sponsor, or a financial institution.
In more elaborate scams, criminals posing as fraud investigators may instruct participants to transfer funds to a “safe” account, only to steal the savings. Provide employees with a reliable contact number for verifying any suspicious requests.
A Rare but Concerning Issue
Although it’s rare, some employers in financial distress may misappropriate employees’ 401(k) contributions. The Department of Labor requires sponsors to deposit contributions as soon as they can reasonably be separated from company assets, and no later than the 15th business day of the following month. For smaller companies (fewer than 100 participants), a safe harbor rule specifies that contributions should be deposited within seven business days of the withholding pay date.
For more information on protecting your organization’s assets and employees from fraud, reach out to us.