Any online platform that contains personal data carries the risk of being hacked, especially with the increasing number of credentials being sold on the dark web.
In the post-Equifax data breach era, financial technology and cybersecurity experts advise individuals to double-check and reinforce the locks on their online accounts regularly.
The login credentials used to access retirement savings should be given special care, experts warn.
While bank accounts are backed by the Federal Deposit Insurance Corporation for losses up to US$250,000 and credit cards carry a zero liability policy to protect against fraudulent transactions, retirement savings such as 401(k) plans do not have any universal safeguard against online theft.
Employers often follow a stringent process that protects the savings. Some plan sponsors limit access to the account, prevent electronic withdrawals, and implement special rules that govern what can be done with the funds.
Plan sponsors have a fiduciary obligation to prevent any breach. If funds are stolen because of the employer’s own negligence – in the event of a large-scale breach into the administrators’ system, for instance – then the plan sponsor is required to return the amount.
Apart from the safeguards initiated by the sponsor, employees participating in the plan can add their own protective measures. One example is to implement a block on withdrawals made against accounts less than 10 years old.
What happens if the data breach is caused by the employee’s own negligence?
Hackers who can pry open a retirement account can easily siphon the money out. Unless the account holder is protected by a cyber fraud insurance policy, it is often difficult to trace where the stolen funds go, and to retrieve them, beyond that point.
Individuals can follow the steps recommended by the US Securities and Exchange Commission:
- Secure your password: Choose a unique password of eight or more characters with a mix of uppercase and lowercase letters and special characters. Avoid using words found in the dictionary or terms related to personal information. Do not share the password with anyone, and make sure to change it regularly. Never use the same password for multiple accounts.
- Add two-step verification or biometric scans: The process adds an extra layer of protection by requiring a secondary security code, password, or biometric scan – in addition to an already robust password – to open the account. Biometric safeguards include fingerprint and iris scanning as well as facial and voice recognition.
- Avoid accessing accounts through public portals: Investment and other personal accounts carry sensitive information. Accessing them through public computers raises the risk of a data breach since the portal is open to multiple users. If using a public portal cannot be avoided, make sure to disable password saving and, when done, log out of the account completely and delete the history, cache, cookies, and files downloaded through the portal. When returning to a private network, remember to change the password used in public. Never leave the computer station when an account is open and displayed on screen.
- Be careful when clicking on external links: Not all resources sent to a personal account can be trusted. Ensure the link is from a legitimate source before clicking on it and subsequently entering information on the page it loads. Suspicious links are typically connected with phishing scams.
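The password recommendations in the first item above can be enforced mechanically. The following Python check is an added example written for this page; it is not code from the SEC or from any plan administrator. It applies the stated rules (minimum length, mixed case, a special character, no dictionary words, no personal-information terms) and reports which ones a candidate password fails. The small word list and the personal-information terms are constructed for the example; a real deployment would use a full dictionary and the account holder's own details.

```python
import re

# Constructed sample word list. A real check would load a full dictionary;
# the point here is that the match is a substring match, so "Summer2024!"
# is rejected just like the bare word "summer".
DICTIONARY_WORDS = ("password", "welcome", "summer", "dragon", "retire", "money")


def check_password(password, personal_terms=()):
    """Return a list of the recommendations the password fails.

    An empty list means every rule checked here passed. personal_terms
    holds strings tied to the account holder (name, birth year, pet, ...)
    that must not appear in the password.
    """
    failures = []

    if len(password) < 8:
        failures.append("at least 8 characters")
    if not re.search(r"[a-z]", password):
        failures.append("a lowercase letter")
    if not re.search(r"[A-Z]", password):
        failures.append("an uppercase letter")
    if not re.search(r"[^A-Za-z0-9]", password):
        failures.append("a special character")

    lowered = password.lower()

    # Dictionary words: case-insensitive substring match, first hit reported.
    for word in DICTIONARY_WORDS:
        if len(word) >= 4 and word in lowered:
            failures.append(f"contains dictionary word '{word}'")
            break

    # Personal information: same substring rule against caller-supplied terms.
    for term in personal_terms:
        t = term.lower()
        if len(t) >= 3 and t in lowered:
            failures.append(f"contains personal information '{term}'")
            break

    return failures


def is_acceptable(password, personal_terms=()):
    """Convenience wrapper: True only when no recommendation is violated."""
    return not check_password(password, personal_terms)


if __name__ == "__main__":
    # Constructed sample inputs for a quick manual run.
    for candidate in ("Ab1!", "Summer2024!", "Jane.Doe1987!", "Tr0ub&dor!x"):
        print(candidate, "->", check_password(candidate, personal_terms=["Jane", "Doe"]) or "ok")
```

Note that the check only tells the user why a password was rejected; it never stores or logs the password itself, which is the behaviour you want in any client-side or server-side policy check.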