Is My 401(k) Safe from Hackers?

No, although it can be much better protected by following a few simple steps

Imagine somebody accessing your 401(k) account, editing your details, and then calling your retirement plan’s call center pretending to be you in order to transfer hundreds of thousands of dollars of your pension funds into their own bank account. This chain of events, as improbable as it might sound, isn’t fiction. It is the story of Heide Bartnett, a woman from Darien, Ill., and should serve as a reminder that no money is out of reach of hackers.

Key Takeaways

  • 401(k)s store a lot of money and are rarely monitored, making them ideal targets for hackers.
  • In most cases, it is personal information that is stolen, although it has become increasingly common for money to be swiped, too.
  • Retirement plan providers are not always willing to reimburse victims of fraud and may refuse requests on the grounds that the client used sloppy security measures.
  • Following a few simple steps can greatly reduce the likelihood of someone becoming the next victim of a bumper 401(k) heist.
  • Good practices include regularly monitoring your account; using long, hard-to-guess passwords; accepting any extra security measures on offer; and generally being cautious.

401(k)s Are Hotspots for Hackers

Most of us never give hackers much thought. It seldom crosses our minds that an experienced online thief could quite easily get into our financial accounts and empty them without breaking much of a sweat.

But if we were to be targeted, a 401(k) would be attractive prey. These investment accounts usually hold a lot more money than checking or savings accounts and aren’t generally checked very often. By the time we discover that a 401(k) has been fully or partially raided, the thief will likely be long gone.

Logging into somebody’s 401(k), then somehow getting a distribution to a new bank account signed off by the administrator without ever alerting the plan holder, sounds like a highly challenging and improbable task. It apparently isn’t, though. Judging by the numerous horror stories out there, online criminals are constantly coming up with ways to circumvent the latest cybersecurity safeguards put in place to stop them.

And those who don’t go all the way might still get hold of personal information, which in some cases can be just as damaging. Hackers steal personal information so that they, or somebody to whom they sell it, can pose as the victim and apply for credit cards, government benefits, loans, and other things in their name. That’s a lucrative market and another big risk to watch out for.

Hackers break into 401(k)s to steal money or your personal information, which can sometimes be just as costly.

If My 401(k) Is Hacked, Can I Get My Money Back?

When money is stolen from a bank account or credit card, it’s usually fairly straightforward to get it back. With 401(k)s, reimbursement can be a little more complicated.

The federal Employee Retirement Income Security Act (ERISA), the law that governs 401(k) plans, has yet to fully address measures for preventing and dealing with private retirement account hacks—much to the dismay of the Government Accountability Office (GAO).

That ambiguity can leave 401(k) account holders in a tricky position. Yes, custodians do generally pledge to return any funds that went missing because of fraud. However, the language they sometimes use suggests that they could easily come up with ways to wriggle out of that commitment.

A handful of plan providers provide assurances that they will cover clients unconditionally. Others say they will pick up the bill only if account holders abide by certain security practices.

Plan providers typically have cyber-fraud insurance, but it may be extended to victims only if they can prove that they took certain steps to protect their accounts.

Tips to Thwart Hackers

Don’t bank on your plan provider to stop you from getting hacked. Billions are spent on cybersecurity, but sloppy behavior by 401(k) participants can render all of that extra protection useless.

Here are some basic steps you can take to reduce the risk of your retirement account being compromised:

Routinely monitor your account

We are often advised not to monitor investments too closely, as doing so can tempt us into knee-jerk reactions. That doesn’t mean you should never log in to your 401(k) online account, though. As with your bank account, it’s wise to comb through your statements fairly frequently to make sure there is no suspicious activity.

Make sure you also turn on account alerts. Do that and you should be informed whenever there is any kind of activity on your account, including login attempts and editing of your personal information.

Create a long, unique password

Cybersecurity experts recommend using a password with at least 16 characters. According to LMG Security, an eight-character password hash can be cracked in approximately seven days, whereas a 16-character one would take 147 trillion years to unlock.

The problem with utilizing unique, long, and complicated passwords for every online account is remembering them, particularly as we are not supposed to save passwords somewhere where somebody with evil intentions could find them. A helpful way around this can be to use a phrase. Combine several words together that are familiar to you but gibberish to anybody else and spell them creatively, with numbers and the odd caps lock thrown in.

Accept all the extra security offered

Nowadays, many plan providers offer a two-factor authentication process for access to your account. If this option is presented to you, use it.

Getting a code sent to your phone or an authenticator app isn’t completely flawless; hackers have been known to hack them, too. However, it does represent extra security, which is always a good thing.

Biometric safeguards are even better. Some websites now require fingerprints or voice or facial recognition to get past the login phase, making it even more difficult for hackers to gain access.

A long and tricky password, an authentication code sent to an app, and fingerprint confirmation can increase your chances of keeping hackers away.

Be careful when using free Wi-Fi

Free Wi-Fi at airports, hotels, and coffee shops is a great way to save mobile data. It can also be dangerous.

If you happen to be connected to the public network at the same time as a crafty hacker, you could be in trouble. According to Kaspersky, it’s possible for the cybercriminal to position themselves between you and the connection point, giving them unfettered access to every piece of information you’re sending out on the internet.

Other than being careful what you access, you should also consider using a VPN, enabling the “Always Use HTTPS” option on websites, and turning off the sharing option on your computer.

Treat communication with caution

Whenever somebody calls, texts, or emails you asking for personal information, be skeptical. It is very unlikely that your 401(k) provider would contact you to request that kind of information.

You should also be careful about clicking on links, as this could plant malicious software on your device or lead you to a website designed to steal sensitive information. If in doubt, contact the plan provider or administrator using the numbers/addresses provided in the official documents.

Can a 401(k) account be hacked?

Yes, sadly, 401(k)s do get hacked. This often leads to personal information getting stolen. However, there have also been cases where people have had hundreds of thousands of dollars stolen from their accounts.

How can I protect my 401(k) from identity theft?

Your 401(k) can be better protected by using unique, hard-to-guess passwords, implementing as many additional security barriers as possible, watching over your shoulder, and being very careful to whom you give personal information.

Are retirement accounts protected from theft?

No, not always in the same way that credit cards and bank accounts are. Custodians usually pledge to return any funds that went missing. However, that assurance can come with conditions that aren’t always easy to prove and meet.

The Bottom Line

The relative ease with which hackers swipe funds or personal information—coupled with generally little clarity about who is to blame and should foot the bill—has put the onus on 401(k) account holders to do all they can to beef up their own security. Some companies spend billions of dollars protecting their websites. However, at the end of the day, it is the simple steps taken by you, the account holder, that often function as the best form of defense.

Article Sources
Investopedia requires writers to use primary sources to support their work. These include white papers, government data, original reporting, and interviews with industry experts. We also reference original research from other reputable publishers where appropriate. You can learn more about the standards we follow in producing accurate, unbiased content in our editorial policy.
  1. GovInfo (U.S. Government Publishing Office). “United States District Court for the Northern District of Illinois Eastern Division: Heide K. Bartnett v. Abbott Laboratories, Marlon Sullivan, and Alight Solutions LLC,” Pages 3–4.

  2. U.S. Consumer Financial Protection Bureau. “How Do I Get My Money Back After I Discovered an Unauthorized Transaction or Money Missing from My Bank Account?

  3. Federal Trade Commission, Consumer Advice. “Using Credit Cards and Disputing Charges.”

  4. U.S. Government Accountability Office. “Defined Contribution Plans: Federal Guidance Could Help Mitigate Cybersecurity Risks in 401(k) and Other Retirement Plans.”

  5. LMG Security. “How Long Should Your Password Be? The Data Behind a Safe Password Length Policy.

  6. Kapersky. “How to Avoid Public WiFi Security Risks.”

  7. Federal Trade Commission, Consumer Advice. “How to Safely Use Public Wi-Fi Networks.”

Take the Next Step to Invest
The offers that appear in this table are from partnerships from which Investopedia receives compensation. This compensation may impact how and where listings appear. Investopedia does not include all offers available in the marketplace.