Stop Hackers From Ruining Your Retirement

Author: AppRiver’s Troy Gill

Let’s be honest… How often are you checking in on your retirement funds?

I’m not talking about glancing at your statement to make sure you are on course to retire to Cabo or to make changes to your contributions. I’m talking about going even deeper like: how often are you logging in and making sure everything in your account is accurate? When was the last time you checked your mailing address? Email address? Your preferred method of notification when changes have been made to your account? Better yet, when was the last time you changed your account password? Is it strong enough to thwart a hacker?

If you’re not nearing retirement or are more of a “set it and forget it” investor, chances are you haven’t really taken much notice. Even for those closing in on retirement, checking things like your mailing address or email probably isn’t something you are focused on when looking at your account.

But these are the types of things we should check on a regular basis to help protect ourselves and our retirement from cybertheft. Identity theft is increasingly being used to target retirement savings in plan accounts.

And, depending on your brokerage firm, there may be nothing they can – or will – do about it!

An Alarming Situation

Recently, several participants in the savings and retirement plan of a large, international defense, aerospace and security company were the targets of identity theft through what is believed to have been a phishing attack. The cybercriminals were able to gain personal information and use that information to gain access to several plan participants’ accounts.

In one instance, the cybercriminals were able to breach an account and halt the participant’s mail notifications before requesting a fund transfer. With the mail stopped, the plan participant never would have received written confirmation of the transfer request. Once they were made aware of the incident, the company’s third-party administrator was able to quickly stop or reverse the fraudulent transactions.

However, the company took this incident as an opportunity to remind its plan participants that identity theft is a crime against individuals. That means that if you are a victim of identity theft, you would need to work with law enforcement to investigate the crime and ultimately seek restitution and recover any losses.

Most brokerage firms take the same position.

That is, if the brokerage firm itself is breached, you will usually be reimbursed. However, if your individual account is breached because you were the target of a phishing scam, you may not be as lucky.

For example, say you open an email that appears to be from your brokerage firm and it directs you to review your monthly statement or perhaps tells you there is a problem with your account. You click the link and log in to what you think is your firm’s website. Everything appears to be fine, so you move on. Unfortunately, that email was fake, the website was a spoof and cybercriminals now have full credentials and access to your account.

In this situation, your brokerage firm could decline to reimburse you for any funds you are out by claiming you fell for a phishing scam – despite the scam using a credible replica of the website.
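The sequence in the incident above (mail notifications halted, then a fund transfer requested) is something an account audit log can be checked for. The following is an added example, not from the original article or any plan administrator: the event names, the log format and the 14-day window are assumptions, and the events are constructed sample data.

```python
from datetime import datetime, timedelta

# Constructed sample audit events (not from any real plan administrator).
EVENTS = [
    {"ts": "2024-03-01T09:00:00", "account": "A100", "type": "login"},
    {"ts": "2024-03-01T09:05:00", "account": "A100", "type": "mail_notifications_disabled"},
    {"ts": "2024-03-02T14:30:00", "account": "A100", "type": "transfer_request"},
    {"ts": "2024-01-10T08:00:00", "account": "B200", "type": "email_changed"},
    {"ts": "2024-03-05T10:00:00", "account": "B200", "type": "transfer_request"},
    {"ts": "2024-03-06T11:00:00", "account": "C300", "type": "transfer_request"},
]

# Hypothetical event names for changes that silence or redirect confirmations.
CONTACT_CHANGES = {"mail_notifications_disabled", "mailing_address_changed",
                   "email_changed", "notification_method_changed"}


def flag_transfers(events, window=timedelta(days=14)):
    """Return transfer requests preceded by a contact change within the window."""
    last_change = {}  # account -> (timestamp, event type) of latest contact change
    alerts = []
    # ISO 8601 timestamps in one format sort correctly as strings.
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(ev["ts"])
        if ev["type"] in CONTACT_CHANGES:
            last_change[ev["account"]] = (ts, ev["type"])
        elif ev["type"] == "transfer_request":
            change = last_change.get(ev["account"])
            if change and ts - change[0] <= window:
                gap = (ts - change[0]).total_seconds() / 3600
                alerts.append({"account": ev["account"],
                               "transfer_ts": ev["ts"],
                               "preceded_by": change[1],
                               "gap_hours": round(gap, 1)})
    return alerts


if __name__ == "__main__":
    for alert in flag_transfers(EVENTS):
        print(alert)
```

Only account A100 is flagged with the default window; B200's email change is too old to count, and C300 had no contact change at all.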

Protect Your Future

What should you do to stay safe? Here are some simple steps that apply to any online account, not just your retirement plan.

1. Review: Regularly review account statements. Be sure to report any errors or suspected fraudulent activity.

2. Passwords: For your online account, make sure you have a strong password. Be sure to include upper and lowercase letters, numbers, symbols, etc. Make sure it does not use any personal information such as your birthdate and be sure to change it on a regular basis. As an added measure, make sure you are using different passwords for each online account.

3. Two-Step Verification: Also known as two-step authentication, this will help make it more difficult for hackers to get into your account by adding an extra layer of security. With this process, if you attempt to log in to your account from an unrecognized computer, you will be sent a unique code (via text or email) that will need to be entered before you can gain access to your account.

4. Computer Security: Make sure the security on your computer is up to date, including firewalls, antivirus software, antispyware, software patches, etc. Do not use public computers to access your account if possible.

5. WiFi: Use caution if you are using a wireless connection to access your online accounts. Make sure you have updated and enabled all the security features on your computer or device. Avoid using public WiFi to check financial accounts.

6. Watch What You Click: Approach emails asking you to verify your financial information with skepticism. Do not click on any link within the email or open any attachments unless you have verified it is a legitimate link.

These tips to keeping your online investment account safe from fraud and more can be found at

Troy Gill, GPEN, is a senior security analyst at AppRiver. Read more AppRiver blogs here.