Your 401(k) Is the New Identity Theft Target: Here's How to Protect Your Retirement
The $751,430 Phone Call That Exposed Everything
One phone call. That's all it took.
An impostor dialed up Alight Solutions, the recordkeeper for Colgate-Palmolive's 401(k) plan, and pretended to be an employee named Paula Disberry. She rattled off Disberry's full name, the last four digits of her Social Security number, her date of birth, and the mailing address on file. That was enough to breeze past the call center's security verification.
Then came the request: "Please update the contact information on the account."
No alert went to Disberry's actual email or phone, both of which Alight had on file. Instead, a temporary password was mailed to the new address, and the mandatory 14-day waiting period between an address change and any distribution was allegedly skipped entirely.
Within weeks, the impostor logged in, requested a full lump-sum payout, and BNY Mellon mailed a single check for $751,430 to a Las Vegas address. The real Paula Disberry was living in South Africa, completely unaware her retirement had vanished.
She eventually sued and the case settled on undisclosed terms, meaning the court never ruled on whether Alight was legally required to restore her money. Meanwhile, the Government Accountability Office has since told the U.S. Department of Labor to issue new guidance on retirement plan participant data, citing eleven similar lawsuits filed between 2009 and 2024.
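The two controls the Disberry story turns on, notifying the contact channels already on file before a change takes effect and holding any payout until the 14-day waiting period after a contact change has elapsed, written out as an added Python example. This is not code from the article or from any recordkeeper; the Account fields, the demo dates and contact values are constructed assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

# Waiting period between a contact-information change and any distribution;
# the article says this mandatory 14-day hold was allegedly skipped.
COOLING_OFF = timedelta(days=14)


@dataclass
class Account:
    """Hypothetical participant record; field names are assumptions."""
    email: str
    phone: str
    address: str
    last_contact_change: Optional[datetime] = None
    notices: List[Tuple[str, str]] = field(default_factory=list)  # (channel, message)


def update_contact(acct: Account, when: datetime, **changes: str) -> None:
    """Apply a contact change, but first notify the channels already on file.
    Sending the notice only to the NEW address is what let the impostor go unnoticed."""
    for channel in ("email", "phone"):
        acct.notices.append((getattr(acct, channel),
                             f"{when:%Y-%m-%d}: contact information on your account changed"))
    for key, value in changes.items():
        if key not in ("email", "phone", "address"):
            raise ValueError(f"not a contact field: {key}")
        setattr(acct, key, value)
    acct.last_contact_change = when


def distribution_allowed(acct: Account, when: datetime) -> bool:
    """Refuse any payout until COOLING_OFF has elapsed since the last contact change."""
    if acct.last_contact_change is None:
        return True
    return when - acct.last_contact_change >= COOLING_OFF


def demo() -> Tuple[bool, bool, List[Tuple[str, str]]]:
    # Constructed scenario mirroring the article's timeline (not real data).
    acct = Account("participant@example.com", "+1-555-0100", "1 Old St")
    day0 = datetime(2020, 1, 1)
    update_contact(acct, day0, address="99 New Ave")
    early = distribution_allowed(acct, day0 + timedelta(days=5))   # inside the hold
    later = distribution_allowed(acct, day0 + timedelta(days=14))  # hold has elapsed
    return early, later, acct.notices
```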
If you're thinking "That's terrifying, but it's one case" — keep reading.
Why Your 401(k) Is a Sitting Duck
Here's the uncomfortable truth most financial advisors won't spell out: your 401(k) was designed for long-term growth, not day-to-day security. And criminals know it.
Most people check their 401(k) maybe once a quarter, if that. The account sits there for decades, quietly accumulating, rarely scrutinized. That makes it the perfect crime scene. As one legal expert puts it, retirement accounts "are often ripe for theft because people don't regularly monitor them."
The math makes it even more tempting. Over $8.9 trillion sits across roughly 715,000 retirement plans with 70 million participants. That's not a bank vault, that's a buffet.
The FBI's April 2026 Internet Crime Report put a number on the damage: Americans 60 and older lost $7.7 billion to internet crime in 2025, a staggering 59% jump from the previous year. Investment fraud alone accounted for $3.5 billion of those losses.
And here's what keeps cybersecurity professionals up at night: criminals don't even need to "hack" anything. In fact, 99% of cyberattacks require the victim to let them in somehow, whether through reused passwords, social engineering, or simple call-center deception.
The Disberry case proved you don't even need to click a bad link. Someone just needed enough of her personal data, the kind that's almost certainly floating around on dark web breach dumps right now, to sound convincing on a phone call.
No, Your 401(k) Isn't Protected Like Your Credit Card
Let's talk about the gaping hole most people don't discover until it's too late.
If a thief racks up $10,000 on your stolen credit card, federal law limits your liability to $50, and most issuers waive even that. You report it, they freeze it, you move on.
But when account takeover hits a 401(k)? Those consumer protections simply do not apply.
The Employee Retirement Income Security Act (ERISA), the federal law governing private retirement plans, was written in 1974. It wasn't built for a world of dark web data dumps, AI-powered impersonation scams, and credential-stuffing attacks.
Some plan recordkeepers offer fraud restoration guarantees, but here's the catch: if their investigation finds you compromised your password by sharing it, reusing it across sites, or storing it insecurely, that guarantee vanishes. Check your plan documents. Read the fine print. Most people never do until they're fighting to recover a six-figure loss.
The Tax Trap Nobody Warns You About
This is the cruel twist that turns a theft into a financial catastrophe.
When money leaves a tax-deferred retirement account like a 401(k), even if it goes straight into a criminal's pocket, the IRS still treats it as a distribution. That means you could owe ordinary income tax on the stolen amount, plus a 10% early withdrawal penalty if you're under 59½.
There are real-life cases of victims losing their life savings to fraud, and then receiving a six-figure tax bill from the IRS for money they never actually received. One Washington D.C. senior was tricked into draining her entire 401(k) to a government impostor scam and found herself on the hook for $180,000 in taxes.
Yes, you read that right. You can be robbed and then taxed for the privilege.
There are potential remedies (filing Form 14039, the Identity Theft Affidavit, with the IRS, and working with a tax professional to dispute the 1099-R), but it's a grueling process with no guaranteed outcome. Prevention is infinitely easier than recovery.
Your 8-Step 401(k) Lock-Down Checklist
Enough fear. Let's talk about what you can actually do, today, to make your retirement account dramatically harder to breach.
1. Enable Multi-Factor Authentication (MFA), Right Now
If your plan portal offers MFA and you haven't turned it on, stop reading and go do it. This single step blocks the vast majority of credential-based attacks. Even if someone has your password, they can't get in without that second factor. Some experts now recommend three-factor authentication for plan sponsors, but for individuals: MFA is the floor, not the ceiling.
2. Use a Password Manager (And Stop Reusing Passwords)
If you're using the same password for your 401(k) portal that you used for that random online store that got breached in 2019, assume criminals already have it. A password manager generates and stores unique, complex passwords for every account, so one breach doesn't cascade into a retirement catastrophe.
3. Set Up Every Available Account Alert
Most 401(k) portals let you configure notifications for: password changes, contact information updates, withdrawal or loan requests, and beneficiary changes. Turn them all on. Send them to an email address you actually check daily, not the one you abandoned in 2017.
4. Request a Trustee-to-Trustee Transfer for Rollovers
Never let anyone mail you a paper check for a 401(k) rollover. Always request a trustee-to-trustee transfer, in which the money moves directly from your old plan to your new one. No check. No mailbox. No theft risk.
5. Freeze Your Credit With All Three Bureaus
A credit freeze blocks anyone from opening new accounts in your name, including fraudulent retirement accounts. It's free, it takes about 15 minutes total across Equifax, Experian, and TransUnion, and it's reversible in minutes when you legitimately need credit.
6. Get an IRS Identity Protection PIN (IP PIN)
This six-digit PIN prevents someone from filing a fraudulent tax return in your name, and it adds another layer of verification if a criminal tries to trigger a taxable distribution from your retirement account.
7. Check Your 401(k) Quarterly, Calendar It
Pick a recurring date. Put it on your calendar. Log in, review transactions, confirm your contact information and beneficiaries haven't changed. Five minutes, four times a year, could save you decades of savings.
8. Ask Your Plan Administrator About Security Protocols
Send one email: "What security protocols does our plan recordkeeper have in place? Do they offer multi-factor authentication, account lockout after failed attempts, and fraud restoration guarantees?" If the answer is vague or incomplete, that's a red flag worth escalating to HR.
Red Flags You're Already a Target
Don't wait for a zero balance to realize something's wrong. Watch for:
- Unexpected password reset emails you didn't request
- Login attempt notifications from unfamiliar locations or devices
- Changes to your contact information that you didn't authorize
- Small test withdrawals — criminals often test with tiny amounts first
- Missing paper or electronic statements — could signal an address change
If any of these pop up, do not ignore them. Call your plan recordkeeper directly using the number on your statement, not a number from the suspicious email.
What to Do If Your 401(k) Has Been Drained
Breathe. Then move fast.
- Contact your plan recordkeeper immediately — report the fraud, freeze the account, and request written confirmation of every action they take.
- File a police report — you'll need it for every institution you deal with.
- Notify your employer's benefits or HR department — they have a relationship with the recordkeeper and may be able to escalate.
- File an Identity Theft Affidavit (IRS Form 14039) — this flags your account with the IRS and can help dispute fraudulent tax liabilities.
- Contact a consumer protection attorney — particularly one familiar with ERISA. Recovery often requires legal pressure.
- Report to the FBI's Internet Crime Complaint Center (IC3.gov) — large-scale fraud patterns help law enforcement build cases.
This process is painful. It takes months. Outcomes aren't guaranteed. That's not pessimism, it's honesty. Which is why the lock-down checklist matters more than anything else in this article.
Your 401(k) represents decades of waking up early, skipping luxuries, and betting on your future self. The idea that someone could drain it with a single phone call, using information that's probably already leaked online, should make you furious.
Let it.
Then channel that frustration into the 8-step lock-down checklist above. Most of it takes less than an hour total, and none of it requires technical expertise. It just requires you to care enough to act.
Because here's the reality: federal protections haven't caught up to the threat. Regulators are talking. Lawsuits are piling up. But your retirement security can't wait for Washington to figure it out.
Lock it down today. Your future self, the one sipping coffee on a porch somewhere, not frantically calling lawyers, will thank you.