
401(k) account takeover fraud netted $751,430 in one call


The fraudster called Alight Solutions, the record keeper for the Colgate-Palmolive 401(k) plan, and identified himself as a Colgate employee. He asked to update the contact information on the account. Months later, the entire $751,430 balance was paid out in a single lump sum to a Las Vegas address and bank account. The real account holder, Paula Disberry, lived in South Africa.

Disberry sued Alight, Colgate’s benefits committee and BNY Mellon, the plan’s custodian, to recover the money. The case was resolved on undisclosed terms. No court has ever ruled that Alight must return the money.

In February 2026, the Government Accountability Office told the US Department of Labor to issue new guidance on retirement plan participant data. The GAO cited eleven separate lawsuits filed between 2009 and 2024 under the Employee Retirement Income Security Act, the federal law that governs private retirement plans.

When an account takeover hits a 401(k), the consumer protections that govern credit card fraud do not apply.


A hacked 401(k) shows how a single phone call, exposed personal information and weak account-change protections can wipe out retirement savings. (Kurt “CyberGuy” Knutsson)

How a 401(k) account gets drained

Disberry’s case began when a scammer called Alight’s Benefits Information Center. He gave Disberry’s name, the last four digits of her Social Security number, her date of birth and the mailing address Alight had on file. That was enough to pass the call center’s security check.

He then asked Alight to update the contact information on Disberry’s account. Alight sent no notice to Disberry’s existing email address or phone number, both of which it had on file. Instead, the company mailed out a temporary password.

Disberry’s plan had a 14-day waiting period between an address change and any distribution. In her case, Alight is alleged to have bypassed it. Within weeks, the fraudster returned, requested a full distribution, and BNY Mellon mailed a check to a Las Vegas address.

Why this 401(k) account takeover isn’t an isolated case

Heide Bartnett, a former Abbott Laboratories employee, sued Alight over a $245,000 401(k) distribution. She alleged that the hacker used the plan portal’s “forgot password” feature to reset her credentials and initiate a payout. Other retirement plan record keepers have faced similar cyber-theft claims.

The problem extends beyond 401(k) accounts. The FBI’s April 2026 Internet Crime Report found that Americans 60 and older lost $7.7 billion to cybercrime in 2025, a 59% jump from the previous year. Investment fraud accounted for $3.5 billion of those losses, making retirement-age savers a prime target for online criminals.


Retirement account takeovers can start with leaked names, birth dates, partial Social Security numbers and reused passwords from previous data breaches. (Kurt “CyberGuy” Knutsson)

How thieves take over retirement accounts

Account takeover starts with information that is already out there. Names, dates of birth, partial SSNs and email addresses appear in dark web breach dumps, often combined with leaked passwords from unrelated services. If an account owner reuses one password across accounts, attackers can test that breach data directly against the record keeper’s login portal.

Disberry’s attacker bypassed the portal entirely. The fraudster never accessed Disberry’s account directly. He called Alight’s call center, used what he already knew about Disberry to pass ID verification, and changed the contact information. After that, the temporary password Alight mailed went to an address only the fraudster could reach.

Some thieves bypass the record keeper and go straight to the account owner. The New York Times documented the case of Barry Heitin, a 76-year-old retired attorney, who lost $740,000 in 2024 after receiving a call from someone claiming to be a federal fraud investigator. The caller convinced Heitin that his retirement accounts were under attack and helped him withdraw the money himself. He believed he was helping a government investigation.

How to protect your 401(k) and retirement savings

Government protections against retirement account theft are limited, but a few account-level controls are inexpensive and make this kind of theft much harder.

  • Turn on multi-factor authentication in the record keeper’s portal. A stolen password is far less useful when a one-time code is also required.
  • Enable every account change alert. Email and text notifications for password resets, contact information updates, address changes and bank account changes are early signs that someone else has access to your account.
  • Ask your plan administrator about distribution holds. Some plans impose a waiting period between an address change and any distribution. Get the policy in writing and confirm what triggers the hold.
  • Review statements quarterly. A new bank account or changed contact information shows up sooner in a quarterly review than in an annual one.
  • Get an IRS Identity Protection PIN. The six-digit PIN, available at irs.gov/ippin, prevents fraudulent tax returns from being filed using your SSN.
  • Freeze your credit at all three bureaus. A freeze blocks new accounts from being opened in your name. Equifax, Experian and TransUnion have offered free freezes since September 2018.
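The two record-keeper controls the Disberry case turned on, a notice to the prior contact details on every change and a waiting period between an address change and any payout, can be checked mechanically. The following is an added example (not code from Alight, the plan, or this article) that reviews a constructed participant event history for both failures; the event format and the 14-day hold are assumptions taken from the article’s description.

```python
from datetime import datetime, timedelta

HOLD_DAYS = 14  # waiting period the article says the plan required

def review_account(events, hold_days=HOLD_DAYS):
    """Review one participant's event history for account-takeover red flags.

    events: iterable of (date "YYYY-MM-DD", kind, notified_prior) where kind is
    "contact_change" or "distribution" and notified_prior records whether a notice
    went to the email/phone on file BEFORE the change (hypothetical schema).
    Returns a list of finding strings, empty if nothing is wrong.
    """
    findings = []
    parsed = sorted(
        (datetime.strptime(d, "%Y-%m-%d"), kind, notified) for d, kind, notified in events
    )
    last_change = None
    for when, kind, notified in parsed:
        if kind == "contact_change":
            if not notified:
                # The failure in the Disberry case: the existing owner was never told.
                findings.append(f"{when:%Y-%m-%d}: contact change with no notice to prior contact details")
            last_change = when
        elif kind == "distribution" and last_change is not None:
            if when - last_change < timedelta(days=hold_days):
                # Payout requested inside the post-change hold window.
                findings.append(f"{when:%Y-%m-%d}: distribution within {hold_days}-day hold after contact change")
    return findings

# Constructed sample: a silent contact change followed by a payout nine days later.
SUSPICIOUS = [
    ("2025-03-01", "contact_change", False),
    ("2025-03-10", "distribution", True),
]

# Constructed sample: notified change, payout well outside the hold window.
CLEAN = [
    ("2025-03-01", "contact_change", True),
    ("2025-04-15", "distribution", True),
]

if __name__ == "__main__":
    for finding in review_account(SUSPICIOUS):
        print(finding)
```

Run against a real record keeper's change and distribution logs, the same two checks would surface the exact sequence that emptied Disberry's account before the check left the building.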


Multi-factor authentication, account change alerts, credit freezes and regular statement reviews can help protect your 401(k) before thieves strike. (Kurt “CyberGuy” Knutsson)

Where identity theft monitoring can help

Account change notices from the record keeper’s portal only help if the record keeper actually sends them. The Disberry case showed what can happen when those warnings go out to no one.

A robust identity theft monitoring service can add another layer of protection by watching for suspicious activity beyond the retirement plan portal. Some services let you link bank, credit card and investment accounts and alert you to transactions you don’t recognize. In a retirement account takeover, that can flag suspicious money movement even if the record keeper misses an outgoing transfer.

Many identity theft monitoring services also watch for changes across all of your credit reports, scan the dark web for exposed personal information and search data broker and people-search sites for your details. Some plans include fraud resolution support and identity theft insurance that covers recovery costs.

How to check if your personal information has been exposed

If you’re not sure whether criminals have already exposed your information, act now. Start with a free identity breach scanner to see if your data appears in a known leak. Early detection gives you more control and helps you respond before fraud spreads. You can also check whether your personal information is already being used for identity theft or fraud, or is appearing on the dark web.

Kurt’s key takeaways

Retirement accounts can feel different from the everyday fraud risks we hear about with credit cards, email accounts and bank logins. But this case shows how quickly a 401(k) becomes a target when someone has enough personal information to trick a call center or reset account access. What’s alarming is that a stolen retirement account may not come with the same consumer protections people expect after credit card fraud. That makes preventive controls and early warnings even more important. Turn on multi-factor authentication, enable every account change alert your plan offers, and ask your employer or plan administrator what happens after a change of address, phone number or bank account. No one should find out months later that their life savings have disappeared. The earlier you spot suspicious activity, the better your chances of stopping the damage before it becomes a financial nightmare.


Should retirement plans be required to send strong warnings before any major account change or distribution, especially when someone’s life savings are on the line? Let us know by writing to us at CyberGuy.com


Copyright 2026 CyberGuy.com. All rights reserved.
