Recently, a 401(k) plan participant was defrauded of approximately $740,000 when he fell victim to an elaborate scheme perpetrated by overseas criminals. However, even friends, family members, and employers have been discovered stealing from 401(k) accounts, adding up to millions of dollars in losses every year. Here’s what your organization can do to help keep your employees’ retirement savings safe from theft.
Assessing existing protections
If your organization sponsors a 401(k) plan, assessing plan service providers’ protection systems and policies is essential. Most providers carry cyber fraud insurance or offer a reimbursement guarantee that extends to plan participants, but that protection usually comes with conditions. It may be limited or denied if, for example, the provider determines that you (the sponsor) or an employee (the participant) opened the door to the security breach by not following the provider’s required practices.
Your plan’s documents may say that participants must adopt the provider’s recommended security practices. These could include checking account information “frequently” and reviewing correspondence from the administrator “promptly.” Make sure you and your employees understand what these terms mean — and follow them.
Using technology to foil thieves
In recent years, several 401(k) plan sponsors have been sued for not adequately protecting the personal data of participants whose accounts were hacked. Although every business needs comprehensive and up-to-date cybersecurity protection, you should be even more vigilant if you keep 401(k) plan information on your servers.
Know that two-factor authentication when signing in may not be enough on its own: one-time codes sent by text message or e-mail can be phished or relayed to an attacker in real time. Some experts now encourage plan sponsors to enable three-factor authentication, or a phishing-resistant factor such as a hardware security key where the provider supports one, to foil fast-evolving fraud schemes. Employees should also be strongly encouraged to follow strict security protocols when managing their 401(k) accounts. For example, they should:
- Choose long, complex passwords they don’t use on other sites, and change them right away if the provider reports a breach or a suspicious sign-in (routine forced rotation is no longer recommended by NIST),
- Never write down account logins or passwords or save them in the browser of a shared or unmanaged device; a reputable password manager is the safer place for them,
- Be suspicious if they have trouble logging in to their account, if the sign-in page looks different from what they’re used to, or if the web address is not the provider’s usual one, and
- Independently confirm the identity of anyone who contacts them claiming to be from the government, law enforcement, their 401(k) plan sponsor or a financial institution and asks for account information or a one-time code.
Some more elaborate 401(k) plan schemes have involved crooks posing as fraud investigators. These criminals typically tell account holders their savings are at risk and instruct them to move the money to a “safer” location, then abscond with the funds. No legitimate investigator, plan sponsor or provider will ask a participant to move funds or read back a one-time code. Make sure employees have a known number, taken from plan documents or the provider’s website rather than from the message they received, that they can call for official plan information or to verify someone who has contacted them.
A rare but worrisome issue
Finally, although employer theft of employees’ 401(k) plan funds is relatively rare, some financially troubled companies have been accused of illegally withdrawing or retaining participants’ 401(k) contributions. According to the DOL, 401(k) sponsors must deposit participants’ contributions as soon as they can be segregated from the organization’s assets — no later than the 15th business day of the month after the amounts were withheld. A safe harbor rule for smaller companies (fewer than 100 participants) says that employers should deposit contributions within seven business days of the withholding pay date.
Annette Benson, CPA, CFE and Partner, provides key tips to consider:
- Educate Employees on Security Best Practices: Conduct regular training sessions to educate employees about the importance of cybersecurity, including recognizing and avoiding phishing scams and maintaining strong, unique passwords for their accounts.
- Utilize Multi-Factor Authentication (MFA): Encourage or require the use of multi-factor authentication on 401(k) accounts. MFA adds an extra layer of security beyond just a password, making it more difficult for unauthorized individuals to gain access.
- Monitor Account Activity Regularly: Plan administrators should consistently review account activities for any unusual transactions. Promptly addressing any discrepancies can help prevent fraudulent actions and secure employees’ retirement funds.
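The monitoring described in the last tip is easier to put into practice as a concrete rule than as a general instruction to look for “unusual” activity. The following is an added example written for this page; it is not code from the article, from CDS or from any plan provider. It correlates account events and flags a distribution or loan request that follows a change to bank details, contact details or credentials within a short window, which is the pattern both the “fraud investigator” scheme above and most account takeovers produce. The event names, the 14-day window and the sample log lines are constructed assumptions for the example.

```python
"""Added example: correlate 401(k) account activity to spot a takeover pattern.

The rule implemented here is the standard one used in financial fraud
monitoring: a distribution or loan request that follows a change to the
account's bank details, contact details or credentials within a short
window is flagged for manual review. Event names, the window length and
the sample log are assumptions made for this example, not data from the
article or from any plan provider.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Changes that redirect money or notices, or take over the login (assumed names).
RISKY_CHANGES = frozenset({
    "bank_account_changed", "address_changed", "email_changed",
    "phone_changed", "password_reset",
})
# Withdrawals worth reviewing when they follow one of the changes above.
MONEY_OUT = frozenset({"distribution_requested", "loan_requested"})
REVIEW_WINDOW = timedelta(days=14)  # assumption; tune to the plan's own history


@dataclass(frozen=True)
class Event:
    when: datetime
    account: str
    kind: str
    detail: str = ""


def parse_log(lines):
    """Parse 'ISO-timestamp,account,kind[,detail]' lines (constructed format)."""
    events = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        when, account, kind, *rest = line.split(",", 3)
        events.append(Event(datetime.fromisoformat(when), account, kind,
                            rest[0] if rest else ""))
    return events


def flag_suspicious(events, window=REVIEW_WINDOW):
    """Return {account: [(money_out_event, [triggering change events])]}.

    Events are processed in time order per account, so a change that happens
    after the withdrawal request does not count against it.
    """
    by_account = defaultdict(list)
    for e in sorted(events, key=lambda e: e.when):
        by_account[e.account].append(e)

    flags = defaultdict(list)
    for account, evs in by_account.items():
        changes = []
        for e in evs:
            if e.kind in RISKY_CHANGES:
                changes.append(e)
            elif e.kind in MONEY_OUT:
                triggers = [c for c in changes if e.when - c.when <= window]
                if triggers:
                    flags[account].append((e, triggers))
    return dict(flags)


# Constructed sample log: three participants, one takeover pattern (P-2002).
SAMPLE_LOG = """
# timestamp,account,kind,detail
2024-03-01T09:12:00,P-1001,contribution_posted,payroll
2024-03-15T10:02:00,P-1001,distribution_requested,required minimum distribution
2024-01-05T08:30:00,P-3003,email_changed,new personal address
2024-03-20T11:45:00,P-3003,distribution_requested,hardship
2024-03-10T02:14:00,P-2002,password_reset,via support line
2024-03-12T02:40:00,P-2002,bank_account_changed,routing 0210xxxxx
2024-03-14T03:05:00,P-2002,distribution_requested,full balance
2024-03-16T09:00:00,P-2002,address_changed,after distribution
""".splitlines()


if __name__ == "__main__":
    for account, hits in flag_suspicious(parse_log(SAMPLE_LOG)).items():
        for money_out, triggers in hits:
            kinds = ", ".join(f"{t.kind} ({t.when:%Y-%m-%d})" for t in triggers)
            print(f"REVIEW {account}: {money_out.kind} on {money_out.when:%Y-%m-%d} "
                  f"follows {kinds}")
```

Run directly, the script prints only P-2002 for review: its full-balance distribution follows a password reset and a bank-account change by a few days, while P-1001 has no preceding change and P-3003’s e-mail change is months old. In practice the events would come from the recordkeeper’s activity export, and the window should be tuned against the plan’s own history so that retirees who legitimately update bank details before a scheduled distribution do not flood the review queue.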
Implementing these tips can enhance the security of 401(k) plans and safeguard employees’ retirement savings from potential fraud threats.
Let us exceed your expectations. For questions about protecting your organization’s assets and workers from fraud, contact your CDS experts at (888) 388-1040.