The New Identity Theft Target: Your 401(k)


SouthernWorldwide.com – Your 401(k) is becoming an increasingly attractive target for identity thieves, with sophisticated scams capable of wiping out entire life savings.

One alarming case involved an impostor who contacted Alight Solutions, the administrator for Colgate-Palmolive’s 401(k) plan. Posing as a Colgate employee, the individual requested to update contact information on an account. Months later, the entire $751,430 balance was transferred in a single lump sum to a Las Vegas address and bank account. The legitimate account holder, Paula Disberry, was living in South Africa at the time.

Disberry subsequently sued Alight, Colgate’s benefits committee, and BNY Mellon, the plan’s custodian, seeking to recover the lost funds. The case was eventually settled under undisclosed terms, and the court never issued a ruling on Alight’s liability to restore the money.

In February 2026, the Government Accountability Office recommended that the U.S. Department of Labor issue updated guidance regarding retirement plan participant data. This recommendation was prompted by eleven separate lawsuits filed between 2009 and 2024 under the Employee Retirement Income Security Act (ERISA), the federal law that governs private retirement plans.

A critical distinction in these cases is that the consumer protections typically afforded in credit card fraud do not apply when a 401(k) account takeover occurs.


The incident involving Paula Disberry began when an impostor called Alight’s Benefits Information Center. The caller provided Disberry’s name, the last four digits of her Social Security number, her date of birth, and the mailing address Alight had on file. This information was sufficient to pass the call center’s security verification.

The impostor then requested an update to the contact information for Disberry’s account. Alight failed to send an alert to Disberry’s existing email address or phone number, both of which were on file. Instead, the company opted to send a temporary password via mail.

Disberry’s plan reportedly had a 14-day waiting period between an address change and any distribution. Her lawsuit alleged that Alight bypassed this crucial safeguard. Within weeks, the impostor logged into the account, initiated a full payout, and BNY Mellon subsequently mailed a check to a Las Vegas address.
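The two controls the lawsuit says failed here, a hold on distributions for a fixed period after a contact-detail change and an alert sent to the channels that were on file before the change, are small enough to show as a policy check. The code below is an added illustration written for this article, not Alight's or any plan's actual system; the event fields, the 14-day window and the sample timeline are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Contact details whose change should start a cooling-off period before any payout.
SENSITIVE_FIELDS = {"address", "phone", "email", "bank_account"}


@dataclass
class ContactChange:
    field: str       # one of SENSITIVE_FIELDS (constructed event schema)
    old: str
    new: str
    at: datetime


def notifications_for_change(change: ContactChange, on_file: dict) -> list:
    """Channels to alert about a contact change.

    Every channel that was on file BEFORE the change is included, because those
    are the ones the legitimate owner still controls; the new value is alerted too.
    """
    targets = {("email", on_file["email"]),
               ("phone", on_file["phone"]),
               ("mail", on_file["address"])}
    targets.add((change.field, change.new))
    return sorted(targets)


def evaluate_distribution(changes, requested_at: datetime, hold_days: int = 14):
    """Return ("HOLD", reasons) if any sensitive field changed within hold_days
    before the distribution request, otherwise ("ALLOW", [])."""
    window = timedelta(days=hold_days)
    reasons = []
    for c in changes:
        age = requested_at - c.at
        if c.field in SENSITIVE_FIELDS and timedelta(0) <= age < window:
            reasons.append(f"{c.field} changed {age.days} day(s) ago (< {hold_days})")
    return ("HOLD" if reasons else "ALLOW"), reasons


if __name__ == "__main__":
    # Constructed timeline: address changed on day 0, full payout requested on day 9.
    on_file = {"email": "owner@example.com", "phone": "+15550100", "address": "12 Old Street"}
    change = ContactChange("address", on_file["address"], "99 New Avenue", datetime(2024, 1, 1))
    print(notifications_for_change(change, on_file))
    print(evaluate_distribution([change], datetime(2024, 1, 10)))   # HOLD
    print(evaluate_distribution([change], datetime(2024, 1, 20)))   # ALLOW
```

A request that arrives inside the window is held even if the caller has already passed identity verification, which is the step the impostor in this case cleared with publicly obtainable data.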

Heide Bartnett, a former employee of Abbott Laboratories, also filed a lawsuit against Alight concerning a $245,000 401(k) distribution. Bartnett claimed that a hacker exploited the plan portal’s “forgot password” feature to reset her credentials and subsequently trigger the payout. Other retirement plan recordkeepers have faced similar lawsuits related to cybertheft.

The scope of this problem extends beyond 401(k) accounts. The FBI’s April 2026 Internet Crime Report revealed that Americans aged 60 and older lost a staggering $7.7 billion to internet crime in 2025. This represents a 59% increase from the previous year. Investment fraud alone accounted for $3.5 billion of these losses, highlighting that individuals in or nearing retirement are a prime target for online criminals.


Account takeovers often commence with information that criminals already possess. Names, dates of birth, partial Social Security numbers, and email addresses are frequently found in dark web data breaches. This stolen information is often combined with leaked passwords from unrelated services. When an account holder reuses the same password across multiple platforms, hackers can directly test this compromised data against the recordkeeper’s login portal.

In Disberry’s case, the takeover circumvented the login portal entirely. The impostor never directly accessed Disberry’s account through the online portal. Instead, the fraudster called Alight’s call center, used the personal information to clear identity verification, and successfully altered the contact details. Following this, the temporary password mailed by Alight was intercepted by the impostor.

Some criminals bypass the recordkeeper altogether and target the account holder directly. The New York Times reported the case of Barry Heitin, a 76-year-old retired lawyer, who lost $740,000 in 2024 after receiving a call from an individual claiming to be a federal fraud investigator. The caller convinced Heitin that his retirement accounts were under threat and instructed him to transfer the money out himself, under the guise of assisting a federal investigation.

While federal protections for retirement account theft are limited, several account-level controls are available at no cost and can significantly impede takeover attempts.


Account-change alerts configured on the recordkeeper portal are only effective if the recordkeeper actually sends them. The Disberry case starkly illustrates the potential consequences when these alerts are not transmitted.

A robust identity theft monitoring service can provide an additional layer of security by tracking suspicious activities beyond the retirement plan portal. Some services allow users to link their bank, credit card, and investment accounts, enabling alerts for unfamiliar transactions. In the event of a retirement account takeover, this can help flag suspicious money movements even if the recordkeeper fails to alert the account holder about an outgoing transfer.

Many identity theft monitoring services also monitor credit reports for changes, scan the dark web for exposed personal information, and search data broker or people-search sites for an individual’s details. Some plans also offer fraud resolution support and identity theft insurance to cover eligible recovery costs.

If you are uncertain whether your personal information has been compromised, it is crucial to take immediate action. Begin with a free identity breach scan to determine if your data appears in known leaks. Early detection empowers you with greater control and facilitates a timely response before fraud escalates. You can also verify if your personal information is already being used for identity theft or fraud, or if it has surfaced on the dark web.


Retirement accounts may seem insulated from the everyday fraud risks associated with credit cards, email accounts, and bank logins. However, this case demonstrates how swiftly a 401(k) can become a target when an individual possesses enough personal information to deceive a call center or reset account access. The alarming aspect is that a stolen retirement account may not be covered by the same consumer protections that individuals expect with credit card fraud. This underscores the paramount importance of prevention and recognizing early warning signs.

It is advisable to enable multi-factor authentication, activate all available account alerts offered by your plan, and inquire with your employer or plan administrator about the procedures following an address, phone number, or bank account change. No one should have to discover months later that their life savings have vanished. The sooner suspicious activity is detected, the greater the likelihood of mitigating the damage before it escalates into a financial crisis.


Should retirement plans be mandated to issue more robust alerts before any significant account change or distribution, particularly when an individual’s life savings are at stake? Share your thoughts with us by writing to us at CyberGuy.com.