Updated with correction
"Phishing" training programs and multifactor authentication are two key weapons plan sponsors and record keepers can deploy to help prevent cybercriminals from getting into participant retirement accounts, Doug G. Peterson, chief information security officer at Empower Retirement, said at the Pensions & Investments' West Coast Defined Contribution conference in San Diego.
"Everyone should think about this. It's a huge security recommendation," he said of training programs about "phishing," a form of internet fraud that aims to steal personal information such as credit card numbers, Social Security numbers, user IDs and passwords.
The programs help employees identify legitimate email from phishing email, which today is the No. 1 white-collar crime investigated by the FBI, he said.
Mr. Peterson also urged plan sponsors and record keepers to implement multifactor authentication, a system that requires more than one method of authentication to verify the user's identity for a login or other transaction.
"It's a pain," he said, "but it completely changes the paradigm for what it takes to break into your account."
Mr. Peterson also exhorted plan sponsors to partner with their record keepers and provide them with up-to-date contact information for their participants. Record keepers, he said, should have good contact information so that they can verify withdrawals from employee retirement accounts.
If a cybercriminal takes over a participant's email account, the employer and record keeper have no way to confirm that a distribution request from that participant's retirement account is legitimate if there is only one email account on file.
In that situation, the employer and record keeper would be communicating with the criminal, he said.
The problem would be solved if two email addresses and two phone numbers were available. "There's no way the criminal is taking over both emails and phone numbers," he said.
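The verification rule behind these two paragraphs can be written down as a policy check. The code below is an added example, not Empower's or the conference's, and the participant records, contact values and the decision labels are constructed for illustration. It models a record keeper receiving a distribution request through one contact channel and deciding whether it can be confirmed through a channel the requester did not use; the case from the article, a participant with a single email on file, comes out as "cannot verify" rather than as an approval.

```python
"""Out-of-band confirmation of retirement-account distribution requests.

Added example. Participants, contacts and channel names are constructed;
the decision labels are assumptions for illustration.
"""
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set, Tuple

Channel = Tuple[str, str]  # (kind, value), e.g. ("email", "a@example.com")


@dataclass
class Participant:
    account_id: str
    contacts: List[Channel]  # everything the sponsor has shared with the record keeper


def independent_channels(participant: Participant, origin: Channel) -> List[Channel]:
    """Channels on file that the request did NOT arrive through.

    If an attacker controls the originating mailbox, any confirmation sent
    back to it proves nothing, so that channel is excluded outright.
    """
    return [c for c in participant.contacts if c != origin]


def confirmation_targets(participant: Participant, origin: Channel) -> List[Channel]:
    """Pick where to send the confirmation, preferring a different *kind* of
    channel (phone when the request came by email, and vice versa), since a
    single account takeover rarely yields both.
    """
    others = independent_channels(participant, origin)
    different_kind = [c for c in others if c[0] != origin[0]]
    return different_kind or others


def decide(participant: Participant, origin: Channel,
           confirmed_by: Iterable[Channel]) -> str:
    """Return the decision for a distribution request.

    'hold'    - no independent channel on file; route to manual review
    'approve' - at least one independent channel confirmed the request
    'deny'    - independent channels exist but none confirmed
    """
    targets = confirmation_targets(participant, origin)
    if not targets:
        return "hold"
    confirmed: Set[Channel] = set(confirmed_by)
    if any(t in confirmed for t in targets):
        return "approve"
    return "deny"


if __name__ == "__main__":
    # Constructed scenario: the request arrives from the participant's work email.
    work_email: Channel = ("email", "jdoe@employer.example")
    only_one = Participant("0001", [work_email])
    well_documented = Participant("0002", [
        work_email,
        ("email", "jdoe@personal.example"),
        ("phone", "+1-555-0100"),
        ("phone", "+1-555-0199"),
    ])
    print(decide(only_one, work_email, []))                           # hold
    print(confirmation_targets(well_documented, work_email))          # the two phones
    print(decide(well_documented, work_email, [("phone", "+1-555-0100")]))  # approve
    print(decide(well_documented, work_email, [work_email]))          # deny
```

Note the last case: a "confirmation" that comes back through the same mailbox the request was sent from is ignored, because that is exactly the channel an impostor already holds.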
At a minimum, participants should claim their retirement accounts: they should check their accounts and register them online, or run the risk of having those accounts claimed by impostors.
Many participants, Mr. Peterson said, have had money taken from their accounts because they never went online to check them, thinking that was the safer way to go.
"If you're dealing with any record keeper today, your account is already on the web. If you don't claim it, it's easier for the criminals to pretend to be you and claim your account," he said.