Criminals armed with a flood of data stolen in recent data breaches are newly targeting consumers where it might hurt most: their retirement accounts. The lucrative crime of brokerage account takeovers isn’t new, but it appears identity thieves are having more luck recently raiding victims’ retirements, tricking brokers into emptying accounts and mailing checks that can exceed $100,000.
It’s critical for consumers to realize that retirement accounts have few of the protections afforded to credit and debit card holders; getting “refunds” after an incident like this involves much more than a few phone calls.
Andrea and Steve Voss of Georgia were lucky; they check their account frequently and noticed something had gone wrong — their account balance was $0, and $42,000 was missing. A criminal had ordered it liquidated, and a $42,000 check sent to their home — then redirected that check to a local UPS store, according to the Atlanta Journal Constitution.
The Voss’ alerted authorities and police intercepted the delivery, nabbing two suspects. They were arrested with an $85,000 check from another victim.
At about the same time, an anonymous writer at investment site Bogleheads.org complained that $52,000 had been taken from his elderly father’s IRA account.
These don’t appear to be isolated incidents. Tucked in the annual Javelin Strategy & Research survey of ID theft crimes was this grim fact: criminals freshly armed with complete dossiers on potential victims are expanding their arsenal of fraud attacks far beyond traditional credit card account hijackings. So-called existing non-card fraud is up sharply, as criminals hijack everything from hotel reward point accounts to mobile phones to crypto-currency wallets. But the crime that might be most devastating – where many victims probably keep their biggest pile of money — is brokerage account takeovers. Javelin says that in 2016, such crimes accounted for only 2% of existing non card fraud. In 2017, that swelled to 7% — more the tripling in one year.
Retirement account hijackers have a few things going for them. Consumers might not check them as often, particularly when there’s bad news. And of course, their balances are usually larger than savings or checking accounts.
One might imagine moving money out of a retirement account would be challenging, but not always. According to the Atlanta Journal Constitution, “surprisingly little” information was required — Voss’ name, address, date of birth and Social Security number.
(I’ve reached out to the firm involved, Prudential, to see if there’s any update to that process or if it has a comment. I will update this story if it responds.)
The Bogleheads victim offers a similar tale:
The custodian of my father’s IRA states that in early September they received a phone call from a man posing as my father, who passed all the security questions and requested a change in email address and that forms for withdrawal of funds be sent to that email. Around two weeks later the custodian received all the paperwork authorizing the withdrawal of funds from the account, and the electronic transfer of said funds into a bank account under my father’s name at a bank he had never heard of and certainly did not use for banking (Regions Bank). The custodian states that the paperwork had my father’s (alleged) signature notarized, and also included a copy of a check from the bank account into which the funds were to be deposited. At that point, the custodian effected the requested transfer of $52,000.
That tale also has a happy ending, with the victim reporting the money was returned to the account — but only after about six weeks of back-and-forth discussion, the writer says. (I’ve reached out to the firm involved and will update if it responds.)
Retirement account hacking isn’t new. Way back in 2007, I wrote about a consumer who lost $179,000 in such a scam. What I learned then is what you need to learn now: The broker has no clear legal obligation to return the stolen funds. Recall that if your checking account is raided, banks have to restore the funds within days while they investigate. No such protection exists for brokerage accounts. Victims might be able to talk their way into a refund, or sue their way into one, but there’s no shortcut process for that.
That’s why it’s critical to know that ID thieves, armed with their massive databases of consumer data, are targeting these kinds of accounts. Check them, often. Make it part of your normal routine, when you check all your other accounts for fraud. Otherwise, you might end up missing every dollar you’ve worked your whole life to set aside.