Did Someone Try to Hack My Retirement Account? My Personal Cybersecurity Issue

On a recent evening as I was catching up on emails, I received a verification code from my retirement plan’s recordkeeper.  You know - those codes they send to verify that you are, in fact, you; particularly when you log in from a different computer? The trouble that evening was that I had not logged in to my retirement plan account at all.

So, as someone who works closely with retirement plans, I naturally reacted in a calm and professional manner - oh, who am I kidding - I panicked!  Expecting that my funds had disappeared, I immediately logged into my retirement account, while calling my recordkeeper’s customer service line at the same time.

Fortunately, nothing appeared to be amiss with my retirement plan; my account balance was there, and no unusual transaction activity had been reported. Nevertheless, I changed all my login credentials to an even more complicated combination of letters, numbers and symbols than I had previously and immediately informed our firm’s cybersecurity officer of the potential breach.

Both my firm’s cybersecurity officer and my recordkeeper confirmed later that the verification code was generated because I use an outside organization to aggregate my retirement plan and other financial account balances in one place. Apparently, that organization had accidentally “pinged” my account in a manner that generated a verification code. While I was relieved to find a reasonable explanation for what I thought was someone trying to make off with my retirement plan dollars, it got me thinking about the general security of my retirement plan account. And when I think, I Google - which led me to some points regarding account security that I believe are worth sharing with all of you!

  • Apparently, verification code forwarding attacks are a thing. While the issuance of my verification code does not appear to be malicious, it could have been.  Of course, I know not to provide the code to anyone requesting it, no matter how official-sounding. Verification codes are, in a way, even more important to safeguard than passwords, since a cyber criminal attempting to access a verification code is likely to already have access to login credentials. 
  • While it is tempting to make login credentials the same for retirement and other financial accounts, don’t do it! Creating a unique and complicated password (that includes a combination of letters, symbols, and numbers) for each account is a best practice. Password managers, which are generally secure, can help generate random passwords.
  • Though it is more difficult to steal money from retirement plan accounts than some other types of financial accounts, due to restrictions inherent in retirement plans (such as the spousal consent required for some ERISA plans), that does not mean that retirement plan account security should be taken for granted.  Frequently monitoring account statements for suspicious activity and reporting anything unusual (such as a verification code that wasn’t received) to the recordkeeper and the appropriate party at an organization can help protect retirement plan accounts.

Do you have any other suggestions to improve the security of retirement plan accounts? Feel free to share your thoughts with me on Twitter or at

Note: This feature is to provide general information only, does not constitute legal advice, and cannot be used or substituted for legal or tax advice.

Investment products available through Cammack LaRhette Brokerage, Inc.
Investment advisory services available through Cammack LaRhette Advisors, LLC.
Both located at 100 William Street, Suite 215, Wellesley, MA 02481 | p 781-237-2291