We recently became aware of a fraud scheme targeting 401(k) plans and wanted to bring it to your attention.
In this scheme, a fraudster calls the 401(k) plan custodian or third-party administrator (“TPA”) and impersonates a plan participant. First, the fraudster changes the email address on file so the participant will not receive notice of subsequent changes; the fraudster then requests a loan against the participant’s account. Most TPAs require some form of identity verification before fulfilling these requests. However, it appears the fraudster has obtained the information necessary to “verify” the participant’s identity from other sources (most likely from a separate data breach, e.g. Equifax). After “verifying” the participant’s identity, the fraudster directs the loan proceeds to his or her own account via ACH or other electronic transfer.
To mitigate the risk of this scheme, we recommend that companies with 401(k) plans contact their 401(k) plan custodian/TPA to ensure controls are in place to:
- Require that every time a change is made to a participant’s account profile (e.g. email address, physical address, ACH account number, etc.), notification is sent to BOTH the old and the new email address
- Require authorization from the plan administrator (i.e. the person at the company/plan sponsor responsible for the 401(k) plan) for all disbursements from the plan (including distributions AND loans)
- Require that all disbursements be mailed as a paper check to the physical address on file for the requesting participant
If you have any questions regarding what you can do to mitigate this risk, please call BiggsKofford at 719-579-9090.