Is Your 401(k) at Risk from Cyberattacks?

You’ve worked hard to build up your savings to ensure you have a comfortable retirement.

What if cybercriminals stole from your 401(k)?

Sadly, it’s happening, and experts are fearful it may happen more frequently with retirement accounts – with some even referring to the risk as “a sleeping giant.”¹

While most of the time it’s personal information that’s stolen, money being taken is on the rise.

Criminals know 401(k)s are a jackpot if they can get into them.

And they understand that the set-it-and-forget-it mentality many 401(k) investors have means accounts are rarely monitored.

By the time you realize your account has been compromised, the thief is usually long gone.

You can no longer just sign up for a 401(k), contribute, and hope your money grows safely.

In addition to being an active participant in growing your 401(k), it’s advisable to monitor your accounts regularly for cybersecurity purposes.

Read on to find out how 401(k)s can be hacked and what you can do to protect yourself. 

How 401(k)s Are Hacked

When it comes to retirement accounts or 401(k) accounts, it is often a matter of account takeover via stolen login information from phishing scams or malware attacks.

A cybercriminal can use cybercrimes, such as phishing, to obtain a 401(k) plan participant’s login information. 

Once the cybercriminal has personally identifiable information (PII), such as a contact phone number, address, or login password, the criminal logs into the employee’s 401(k) account and changes key information, such as the employee’s address.

Should these changes go unnoticed, the cybercriminal will then transfer funds from the 401(k) account into a separate bank account. 

Consider this example, as reported in Forbes:

“One retiree at a large employer […] recently realized his monthly pension check hadn’t been deposited by the usual date. He contacted the retirement administrator who, after some research, found that the bank account designated to receive the deposit had been changed. The retiree hadn’t changed the account. Instead, an unknown person submitted the request. The change request included all the relevant and accurate information, so it was processed by a plan employee.”²
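The takeover sequence described above (stolen credentials, then a change to contact or payout details, then a distribution) is also a detectable pattern on the plan administrator's side. The following is an added example, not code from the original article or from any plan provider, showing one way an administrator could flag a distribution request that follows a sensitive profile change within a review window, raising the severity when the change came from a device the participant had not used before. The event log, the 30-day window, the field names and the device identifiers are all constructed assumptions for illustration.

```python
"""Flag the account-takeover pattern: sensitive profile change followed by a
distribution request. All data below is CONSTRUCTED for illustration."""
from datetime import datetime, timedelta

# Fields whose change opens a review window on the account (assumed list).
SENSITIVE_FIELDS = {"address", "email", "phone", "bank_account"}
WATCH_WINDOW = timedelta(days=30)  # assumed review window, not any real plan's policy

# Constructed sample events: (participant, ISO timestamp, event, detail, device)
EVENTS = [
    ("P-1001", "2024-01-15T09:00", "login", "", "dev-A"),
    ("P-1001", "2024-03-01T09:00", "login", "", "dev-A"),
    ("P-1001", "2024-03-01T09:05", "profile_change", "email", "dev-A"),
    ("P-1001", "2024-03-20T14:00", "distribution_request", "15000", "dev-A"),
    ("P-2002", "2024-03-02T10:00", "login", "", "dev-B"),
    ("P-2002", "2024-03-10T22:10", "login", "", "dev-Z"),  # device never seen before
    ("P-2002", "2024-03-10T22:12", "profile_change", "bank_account", "dev-Z"),
    ("P-2002", "2024-03-11T08:00", "distribution_request", "42000", "dev-Z"),
    ("P-3003", "2023-12-01T12:00", "profile_change", "address", "dev-C"),
    ("P-3003", "2024-03-15T12:00", "distribution_request", "5000", "dev-C"),  # outside window
]


def _parse(events):
    """Convert timestamps and return events in chronological order."""
    return sorted(
        ((p, datetime.fromisoformat(ts), ev, detail, dev) for p, ts, ev, detail, dev in events),
        key=lambda e: e[1],
    )


def detect_takeover_pattern(events=EVENTS, window=WATCH_WINDOW):
    """Return one alert per distribution request that follows a change to a
    sensitive field within `window`. Severity is "high" when that change was
    made from a device the participant had only started using within the window."""
    first_seen = {}      # (participant, device) -> first time the device appeared
    recent_changes = {}  # participant -> list of (time, field, from_new_device)
    alerts = []
    for p, ts, ev, detail, dev in _parse(events):
        first_seen.setdefault((p, dev), ts)
        if ev == "profile_change" and detail in SENSITIVE_FIELDS:
            from_new_device = ts - first_seen[(p, dev)] < window
            recent_changes.setdefault(p, []).append((ts, detail, from_new_device))
        elif ev == "distribution_request":
            triggers = [c for c in recent_changes.get(p, [])
                        if timedelta(0) <= ts - c[0] <= window]
            if triggers:
                alerts.append({
                    "participant": p,
                    "amount": int(detail),
                    "severity": "high" if any(c[2] for c in triggers) else "medium",
                    "changed_fields": sorted({c[1] for c in triggers}),
                    # Recommended action: confirm out of band using contact
                    # details on file from BEFORE the change, then release or deny.
                    "hold_for_callback": True,
                })
    return alerts


def severity_by_participant(alerts):
    """Convenience view: participant -> severity."""
    return {a["participant"]: a["severity"] for a in alerts}


if __name__ == "__main__":
    for alert in detect_takeover_pattern():
        print(alert)
```

On the constructed log this flags two of the three distribution requests: the participant who changed a bank account from a brand-new device ten hours before requesting $42,000 is rated high, the e-mail change from a long-used device is rated medium, and the address change made 105 days before a withdrawal falls outside the window. The point of the "hold for callback" flag is that the verification call must go to the phone number or address held before the change, since the attacker has just replaced the current ones.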

What You Need to Know

The law that governs 401(k)s, the Employee Retirement Income Security Act (ERISA), hasn’t fully addressed cyberfraud prevention and response measures. 

This ambiguity can leave 401(k) investors in a tough spot.

Many plan providers promise to return stolen funds, but the fine print sometimes suggests they could find ways to avoid fulfilling that promise. 

Some only cover you if you follow certain security practices.

While 401(k) providers invest in cybersecurity, your own vigilance is often the best defense. 

What to Do If You Are a Victim of Retirement Cyberfraud

Cybersecurity for retirement accounts isn’t foolproof.

Should you be the victim of retirement cyberfraud, there are steps you can take to be reimbursed.

Note – While plan sponsors and fiduciaries may have cyberfraud security, there may be contingencies that make it harder to be reimbursed. 

For example, if you wait too long to report potential cyberfraud, the money may be lost. 

If you believe you are the victim of cyberfraud, contact your plan sponsor immediately.

After contacting the plan sponsor, you may need to contact the FBI or the Department of Homeland Security to file a report at or

Tips to Protect Your Retirement Savings

Even with cybersecurity for retirement accounts at the top level, you must take steps at the personal level to protect your assets. 

  1. Monitor your retirement accounts. Stay aware of what is happening with your 401(k) account. It’s imperative that you read your 401(k) statements. The sooner you recognize discrepancies, the better.
  2. Know your 401(k) plan’s security measures. Make yourself aware of your plan’s security measures. What steps are taken to ensure your retirement account is safe? How do they verify account changes are valid? Knowing this information up front will help you decipher a phishing scam from the real thing.
  3. Create long, unique passwords. Experts recommend using password phrases. These are lengthy phrases consisting of multiple words and numbers that would be difficult for hackers to guess (no Abcde or 1234). Also, don’t use this password for anything else.
  4. Use multi-factor authentication. Use multi-factor authentication when accessing any site that includes PII (personally identifiable information). This requires the user to not only submit a password but also gain access via an additional code sent by text message or email.
  5. Do not give out PII or account information. Often, retirement accounts are breached because an individual provides a criminal with personal information unknowingly. Be skeptical. You should never give out personal information (such as login information or banking information) over the phone, text message, or email. Always verify the sender requesting information.
  6. Educate yourself on cybercrime. Take time to learn new strategies cybercriminals are using to gain access to personal information. Learn how to identify phishing emails.
  7. Avoid public Wi-Fi. Free Wi-Fi networks allow cybercriminals to gain access to personal information.

  8. Sign up for security alerts. Sign up for security alerts with your bank and credit card company. In addition, monitor your credit reports and banking statements for any unauthorized transactions.

Better Prepare for a Life of Abundance in Retirement. Check us out on YouTube

Have questions or concerns about your 401(k) performance? Book a complimentary 15-minute 401(k) strategy session with one of our advisors.
