Recently, the details of the cyberattack against MGM were released. The details, and the low level of sophistication involved, are alarming, but more importantly they are very similar to some of the techniques used to steal retirement plan assets from participants. In this article, I will do my best to explain some of the methods used without getting into the specifics. I do not want to hand out the blueprint on how to steal funds.
The MGM hack started with "vishing" (voice phishing), a form of social engineering. In this case, the attackers allegedly used publicly available LinkedIn information to impersonate an employee and tricked someone at MGM's IT help desk into turning over access credentials. Once the attackers had access to the employee's email, they installed malware that enabled them to take control of MGM's systems. The breach has been attributed to one employee not following the protocols and procedures in place for verifying a caller's identity. The point worth noting is that everything the caller knew was public information; a verification step that relies on such facts cannot tell the real employee apart from an impersonator.
Today, there are approximately 140 million participants in ERISA-governed retirement plans holding approximately $9.3 trillion in assets, making these plans a big target for theft. In 2021, the Department of Labor's Employee Benefits Security Administration (DOL/EBSA) released guidance on cybersecurity program best practices. After this release, just about every organization published its own overview of the guidance. I read many of these articles, and the one thing that was not commonly addressed was the role of human error and how it relates to identity theft, which is the most common type of theft of retirement plan assets. According to the DOL guidance, "Since identity theft is a leading cause of fraudulent distributions, it should be considered a key topic of training, which should focus on current trends to exploit unauthorized access to systems. Be on the lookout for individuals falsely posing as authorized plan officials, fiduciaries, participants, or beneficiaries."
As a former Senior Investigator for the DOL, I have been asked to review attempted and successful thefts of retirement plan assets. Although more sophisticated methods are in use, such as the covert installation of malware, many incidents can be traced back to vishing and social engineering. Human error is a factor in almost every instance. Providers and plan sponsors need to implement protocols and safeguards at every point where human error can be a factor.
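To make the help-desk verification point concrete, here is an added illustration (not code from this article, and not a model of any real help-desk product) of two credential-reset policies side by side: a knowledge-based check that approves on facts readable from a public profile, and a possession-based check that requires a callback to the phone number on record plus an approval on the already-enrolled MFA device, and escalates any request that tries to swap that device or contact number in the same call. The directory record, phone numbers, device identifier and caller scenarios are all constructed for the example; the out-of-band channel is simulated rather than dialling anything.

```python
"""Help-desk credential-reset gate: a knowledge-based policy beside a
possession-based one. Added example with constructed data; not from the
article and not a real help-desk system."""
from dataclasses import dataclass, field
from enum import Enum


class Decision(Enum):
    APPROVE = "approve"
    DENY = "deny"
    ESCALATE = "escalate"  # hand off to in-person or video ID verification


@dataclass(frozen=True)
class DirectoryRecord:
    employee_id: str
    name: str
    manager: str
    phone_on_record: str   # enrolled by HR; never taken from the caller
    mfa_device_id: str     # push-MFA device enrolled at onboarding


@dataclass
class ResetRequest:
    claimed_name: str
    claimed_employee_id: str
    claimed_manager: str
    caller_number: str                 # what the phone system shows; spoofable
    wants_new_mfa_device: bool = False
    wants_new_contact_number: bool = False


@dataclass
class OutOfBand:
    """Simulated out-of-band channel. A real implementation would dial the
    number of record and send a push prompt; here the outcomes are scripted."""
    callbacks_answered: set = field(default_factory=set)  # numbers that pick up
    push_approved: set = field(default_factory=set)       # devices that approve

    def callback(self, number: str) -> bool:
        return number in self.callbacks_answered

    def push(self, device_id: str) -> bool:
        return device_id in self.push_approved


# Constructed directory; the same public facts an attacker could read online.
DIRECTORY = {
    "E1042": DirectoryRecord("E1042", "Dana Reyes", "Lee Park", "+1-555-0101", "dev-7f3a"),
}


def weak_policy(req: ResetRequest, directory=DIRECTORY) -> tuple:
    """Knowledge-based verification: approves on name, ID and manager, all of
    which a caller can assemble from a public profile."""
    rec = directory.get(req.claimed_employee_id)
    if rec and rec.name == req.claimed_name and rec.manager == req.claimed_manager:
        return Decision.APPROVE, "name, id and manager matched"
    return Decision.DENY, "knowledge check failed"


def strong_policy(req: ResetRequest, oob: OutOfBand, directory=DIRECTORY) -> tuple:
    """Possession-based verification: the caller must prove control of a
    channel the directory already trusts, and may not replace that channel
    in the same request."""
    rec = directory.get(req.claimed_employee_id)
    if rec is None or rec.name != req.claimed_name:
        return Decision.DENY, "no such employee"
    # Re-enrolling MFA or changing the contact number is what lets an
    # impersonator replace the victim's verification channel; never do it by phone.
    if req.wants_new_mfa_device or req.wants_new_contact_number:
        return Decision.ESCALATE, "channel change requested; requires in-person or video ID"
    # Caller ID is informational only: the callback goes to the number of
    # record regardless of which number the caller is calling from.
    if not oob.callback(rec.phone_on_record):
        return Decision.DENY, "callback to number of record not answered"
    if not oob.push(rec.mfa_device_id):
        return Decision.DENY, "push approval on enrolled device not received"
    return Decision.APPROVE, "callback and push both confirmed"


def run_scenarios() -> dict:
    """Run both policies over three constructed calls and return the decisions."""
    public_profile = dict(claimed_name="Dana Reyes", claimed_employee_id="E1042",
                          claimed_manager="Lee Park")
    # Victim answers the callback but approves no push they did not request.
    victim_answers_only = OutOfBand(callbacks_answered={"+1-555-0101"})
    # The real employee answers and approves the push on the enrolled device.
    real_employee = OutOfBand(callbacks_answered={"+1-555-0101"}, push_approved={"dev-7f3a"})
    scenarios = {
        "attacker_device_swap": (ResetRequest(**public_profile, caller_number="+1-555-0199",
                                              wants_new_mfa_device=True), victim_answers_only),
        "attacker_no_swap": (ResetRequest(**public_profile, caller_number="+1-555-0199"),
                             victim_answers_only),
        "employee": (ResetRequest(**public_profile, caller_number="+1-555-0101"), real_employee),
    }
    return {name: {"weak": weak_policy(req)[0], "strong": strong_policy(req, oob)[0]}
            for name, (req, oob) in scenarios.items()}


if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(f"{name}: weak={result['weak'].value} strong={result['strong'].value}")
```

Run as a script, the knowledge-based policy approves both impersonation calls because the caller's facts match the directory, while the possession-based policy escalates the call that asks to enrol a new MFA device and denies the one that does not, since the push on the enrolled device never arrives; only the real employee's call is approved by both. The design choice to note is that the callback number and device come from the directory, never from the caller, so nothing the caller says or knows can substitute for them.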