Retirement accounts have become a prime target for cybercriminals. Your 401(k), IRA, or 403(b) may hold the largest sum of money you own, and unlike your bank account, you probably do not check it every day. That infrequent monitoring gives thieves a dangerous window of opportunity. If your retirement account has been compromised, the steps you take immediately can make the difference between recovering your funds and losing them permanently. Here is exactly what to do.
Why Retirement Accounts Are Being Targeted
Retirement accounts present an appealing target for several reasons:
- Large balances: The average 401(k) balance for Americans aged 55-64 exceeds $200,000, and many accounts hold significantly more
- Infrequent monitoring: Many people check their retirement accounts quarterly or even less. A breach can go undetected for weeks or months
- Weaker security defaults: Some retirement plan portals have historically lagged behind banks in adopting modern security features like multi-factor authentication
- Dormant online access: Many account holders have never set up online access to their retirement accounts, which means a criminal can register first using stolen personal information
- Complex recovery: Unlike credit card fraud, where federal law caps your liability, retirement account fraud exists in a regulatory gray area with fewer automatic protections
The Dormant Account Danger
If you have never created online login credentials for your retirement account, a criminal who obtains enough personal information about you can register an account in your name and gain full access. They can change your contact information, alter beneficiaries, request distributions, or initiate rollovers to accounts they control. Set up your online access now, even if you prefer to manage your retirement savings passively. Claiming your account before a criminal does is one of the most important preventive steps you can take.
Immediate Steps If Your Account Is Compromised
1. Contact Your Plan Administrator or Brokerage Immediately
Time is the most critical factor. Call the customer service or fraud line for your retirement plan provider as soon as you suspect unauthorized activity. Do not rely on email or secure messages for this initial contact. Call directly.
When you call, request the following:
- Freeze the account to prevent any further transactions, withdrawals, or changes
- Reverse any unauthorized transactions if they are still in process. Many transfers take several business days to settle, and catching them early can allow your provider to halt them
- Reset your login credentials and lock out any other active sessions
- Flag the account for fraud investigation and provide you with a case or reference number
Write down the date, time, and name of every representative you speak with. You will need this documentation throughout the recovery process.
2. Check Your Provider's Customer Protection Guarantee
Some major brokerages and plan administrators offer customer protection guarantees that cover unauthorized activity. For example, Fidelity's Customer Protection Guarantee states that the firm will reimburse losses from unauthorized activity in your accounts. Schwab, Vanguard, and other major providers have similar policies, though the specific terms vary.
Ask your provider directly:
- Does your firm offer a guarantee for unauthorized account activity?
- What are the conditions and deadlines for filing a claim?
- What documentation do you need from me?
Know Your Provider's Policy
Unlike bank accounts, which have federal protections under the Electronic Fund Transfer Act, retirement accounts do not have a single federal law guaranteeing reimbursement for unauthorized access. Your protection depends largely on your plan provider's own policies. Review your provider's customer protection guarantee today, before you need it. If your provider does not offer one, consider whether that is an acceptable risk for your retirement savings.
3. File a Police Report
File a report with your local police department. While local police may not investigate the cybercrime directly, a police report creates an official record that your plan administrator, the IRS, and other agencies may require as part of the fraud resolution process. Keep a copy of the report and note the case number.
4. Report to the FBI's Internet Crime Complaint Center
File a complaint at ic3.gov. The FBI's IC3 tracks cybercrime patterns, coordinates with financial institutions, and in some cases can initiate asset recovery. Include as much detail as possible: account numbers, transaction amounts, dates, IP addresses if available, and any communications from the attacker.
5. Notify the IRS
If unauthorized distributions were taken from your retirement account, they may generate tax obligations in your name. Contact the IRS to report the fraud and ensure you are not held liable for taxes on money that was stolen from you. You may need to file IRS Form 14039 (Identity Theft Affidavit) and work with a tax professional to address any fraudulent 1099-R forms.
6. Monitor Your Credit Reports
If a criminal had enough personal information to access your retirement account, they likely have enough to open new credit accounts in your name or target your other financial accounts. Freeze your credit at all three bureaus (Equifax, Experian, and TransUnion) and review your credit reports for unfamiliar accounts or inquiries.
A Common Scam: The Fake Plan Administrator Call
One of the most frequent ways retirement accounts are compromised starts with a phone call. Someone contacts you claiming to be from your 401(k) or IRA provider. They may reference your actual plan name, employer, or account details to sound legitimate. They tell you suspicious activity has been detected on your account and that you need to verify your identity or transfer your funds to a "secure" account for protection.
This is a social engineering attack. The caller is not from your plan provider. They are using personal information obtained from data breaches, data broker sites, or prior phishing attacks to impersonate your provider convincingly.
Rules to follow:
- Never provide account credentials, PINs, or verification codes to anyone who calls you, regardless of who they claim to be
- Hang up and call your provider directly using the phone number on your account statement or the provider's official website
- Your plan administrator will never ask you to transfer funds to a different account "for security." This is always a scam
How to Protect Your Retirement Accounts
Set Up and Secure Online Access
- Register your online account now if you have not already. Claiming your account prevents a criminal from doing it first
- Use a strong, unique password that you do not use for any other account. A password manager like 1Password or Bitwarden can generate and store complex passwords
- Enable multi-factor authentication (MFA). Use an authenticator app rather than SMS whenever possible, as SMS codes can be intercepted through SIM-swapping attacks
Monitor Your Account Regularly
- Check your retirement account at least once a month, not just during open enrollment or market swings
- Set up email or text alerts for any account activity: logins, password changes, address changes, withdrawal requests, and beneficiary updates
- Review quarterly statements carefully and report any discrepancy immediately
Keep Your Contact Information Current
- Ensure your email address, phone number, and mailing address are up to date with your plan provider
- If a criminal changes your contact information, you will stop receiving alerts and statements, which delays detection of fraud
Be Wary of Unsolicited Communications
- Do not click links in emails or text messages claiming to be from your retirement plan provider
- Do not provide personal or account information to anyone who contacts you by phone, email, or text
- Always initiate contact yourself using verified phone numbers or websites
How PrivacyOn Helps Protect Your Retirement Savings
Retirement account takeovers typically begin with the attacker gathering personal information. Criminals need your full name, date of birth, Social Security number, employer, and contact details to impersonate you or answer security questions. Much of this information is freely available on data broker and people-search sites, making it easy for attackers to piece together enough data to compromise your accounts.
PrivacyOn removes your personal information from over 100 data broker sites, cutting off one of the primary sources criminals use to research and target victims. By reducing the amount of personal data available about you online, PrivacyOn makes it significantly harder for attackers to impersonate you, answer your security questions, or craft convincing phishing and social engineering attacks. Combined with continuous monitoring and dark web alerts, PrivacyOn helps protect not just your retirement accounts but your entire financial identity.