Retirement Fraud: Should We Be Concerned?
By Patrick Ring
Retirement Section News, September 2022
Retirement is a time when most individuals hope to finally have the time to dedicate to hobbies, travel, family, etc. But retiring requires a secure steady stream of income that lasts as long as they live. This requires diligence in managing retirement assets, which includes not being a victim of fraud.
The SOA Aging and Retirement Strategic Research Program set up a Project Oversight Group (POG) to develop a request for proposal for creating a report that provided an overall systematic look at retirement fraud. The report produced by the winning proposal is titled “Keeping Retirement Plans Secure in an Insecure World.” The report provides input from a series of interviews with recordkeepers and subject matter experts in financial crimes and fraud prevention. The interviews reveal how fraudsters operate and what recordkeepers and other professionals are doing to combat retirement fraud.
I interviewed Alison Salka, co-author of the report, and Russell Anderson, a financial crime expert, to highlight the report findings.
Editor’s note: Alison Salka is senior vice president/director of Strategy and Market Intelligence at LL Global. Russell Anderson, CFE, is head of Financial Crimes Services at LIMRA and LOMA.
Patrick Ring (PR): How did you become interested in retirement fraud?
Alison Salka (AS): I’ve always been interested in retirement security. Retirement security used to mean helping people enroll in retirement plans, save adequately, and invest appropriately. A number of years ago the security of those retirement savings plans became a bigger issue. And since they’re the biggest source of savings/assets for most investors, it’s a really big concern.
Russell Anderson (RA): For me personally it was just a natural career progression. After starting off in internal audit and moving along through roles in compliance, financial controls, and risk management, I was just at the right place at the right time when third-party fraudsters began targeting the industry. To this day the thought of how someone feels when they learn their retirement savings have been stolen raises the hair on the back of my neck. That feeling is what keeps me motivated to help the industry protect its participants.
PR: What does the term “retirement fraud” mean to you?
AS: It’s deception or theft of retirement assets. It’s robbing someone of their financial security.
RA: The term retirement fraud means a lot to me as it indicates someone has or is trying to defraud someone else of their ability to retire. For many people, saving for retirement is something they’ve planned for from the day they started their very first job. So, to think someone could spend the entirety of their working life saving and planning for retirement just to have someone else steal it, is gut wrenching. This is why a significant focus of my time is helping companies protect their clients’ and participants’ accounts from the relentless unknown and unrelated imposter (aka third-party imposters). The enormous and growing amount of personal data and information easily available to third-party imposters allows them to impersonate virtually any participant within any plan. Once a third-party imposter has someone’s personal data there’s nothing that can be done to stop them from attempting to steal their retirement savings. So, it’s up to the retirement services industry to continually assess and upgrade their fraud prevention controls to ensure their attempts are unsuccessful.
PR: What are the top findings in the report?
RA/AS: The majority of recordkeepers reported that fraud begins with a breach of either a participant’s email or computer or a breach occurring at the employer. This really drives home the point that communications between plan sponsors, participants and recordkeepers concerning data breaches are critical to keeping accounts secure. A recordkeeper can take additional steps to secure accounts when it knows participants’ identities have been compromised.
Another interesting observation is that while recordkeepers with account guarantees seem to increase their liability, it’s often not the case. Account guarantees often include requirements for participants to follow to help strengthen their account security that help reduce the likelihood of a breach. Also, almost all recordkeepers make most participants whole when the attack was clearly by a third-party imposter, so the account guarantee doesn’t really increase the instances in which participants’ accounts are made whole.
PR: Where do you see the biggest opportunity for recordkeepers to improve security?
RA/AS: Recordkeepers should always start with a fraud risk assessment. In order to know where to focus their limited resources it’s imperative that they know and understand where their firms’ particular fraud risks are and which controls need to be enhanced. Since each firm is different there is no one-size-fits-all solution for effective fraud prevention. Another good place to focus is the firm’s authentication practices; the stronger the authentication, the better. At this stage if a firm hasn’t or isn’t considering implementing some form of biometric authentication, they should be.
The current standard seems to be sending one-time passcodes (OTP) to authenticate a user. While OTPs are much better than using just a username and password, they can be and are being beaten with increasing regularity.
A tried-and-true method and perhaps the most cost-effective is good, old-fashioned training and education programs. A well-trained employee who can pick up on red flags indicating fraud and can effectively handle it is invaluable. Providing fraud awareness education to sponsors and participants goes a long way toward preventing fraud because the fraud usually begins with the participant or plan sponsor being breached.
The bottom line is that fraud prevention requires a multilayered approach of authentication, access, and disbursement controls supported by technology and well-trained professionals.
PR: What are some common situations that enable retirement fraud to occur?
AS: Many attacks against participant accounts are precipitated by a breach at the employer. For this reason, recordkeepers and plan sponsors must communicate with each other when breaches occur at either location.
RA: Account takeover fraud is possible as a result of all the personal data that is easily available to fraudsters via dark web marketplaces. These marketplaces specialize in collecting, enriching and selling personal data including names, social security numbers, birth dates, usernames, passwords, bank accounts and much more about virtually everyone. This data is available as a result of all the large-scale data breaches that have occurred going back decades. Additionally, malicious email campaigns and other schemes such as ransomware attacks that target individuals and companies provide fraudsters all the information they need to successfully impersonate virtually anyone they want. Not only can fraudsters buy the data they need to impersonate participants, they can also buy the instruction manuals, plans, and technology for executing various schemes and scams.
PR: What are some methods used by recordkeepers to fight retirement fraud?
AS: Recordkeepers use a variety of methods to fight retirement fraud such as: the IP address of the device being used; geographic location; participant behavior (e.g., time of day, frequency of access); one-time passcodes (OTP); biometrics such as voice recognition, facial recognition, or fingerprint; knowledge-based authentication, where the recordkeeper will ask about vehicles owned, addresses, relatives, etc.; use of third-party authenticator applications; device “fingerprinting,” by uniquely combining multiple characteristics about a device; challenging logins coming from a device they have not seen before; and repeating the authentication process beyond login for certain sensitive transactions, such as loans and distributions.
The strictest controls are reserved for authorizing distributions because the true test of an antifraud program is its ability to permit only authorized distributions and other sensitive appropriate transactions. These controls tend to fall into three categories: Eligibility, destination, and requiring real people be involved in the process.
Regarding eligibility, recordkeepers may place a temporary hold (seven to 30 days) on distributions from accounts that have had recent changes. This practice allows time for notifications of these changes to be sent to the participant in case they did not make the change.
Regarding destination, recordkeepers may first send a form to the participant’s address to be completed and returned before a distribution is processed. While a growing number of recordkeepers allow online distribution requests, they still may mail a paper check to the participant.
Several recordkeepers mentioned inserting real persons into the distribution process as an additional control. This includes:
- Referring participants to the plan sponsor when making a distribution request (or to change their PIN, email or mailing address).
- Mailing a distribution form to the participant’s address of record (as mentioned above).
- Calling participants following some online distribution requests to confirm they initiated the transaction.
- Having a real person review all distribution requests before they are released.
In addition to specific controls and procedures to prevent and deter fraud, recordkeepers have built proactive reporting and analytics programs to develop red flags and monitor suspicious activity. For example, behavioral analytics determine patterns of how, when, or from where a participant may interact with the participant website or call center. They also typically scrutinize accounts that have had sensitive transactions such as changes to passwords, addresses, or banking information. They watch for fraudsters’ techniques such as bot attacks or credential stuffing, where a hacker writes a script to bombard potentially thousands of financial services organizations to test customer credentials.
Regardless of the source of potentially suspicious activity, recordkeepers may decide to place an alert on an account or plan, freeze accounts, force a password reset, or even contact the participant to determine whether the activity was legitimate. They may also do these things at the request of a plan sponsor or participant reporting related suspicious activity (e.g., a participant who was a victim of identity theft). Suspicious activity is then reviewed by a fraud investigative team. These teams tend to err on the side of caution, which results in a high percentage of investigations revealing legitimate activity on the part of plan participants.
Many recordkeepers subscribe to vendor services to help combat fraud as well as to minimize friction when participants call in or login.
RA: Most recordkeepers employ multiple methods to protect participants’ accounts. A growing number have employed voice biometric authentication capabilities that help stop third-party fraudsters as well as friends and family with bad intent from accessing accounts.
Protecting online accounts is tricky and requires a combination of methods. Most utilize some form of multi-factor authentication (MFA) including the use of one-time passcodes in combination with anomaly detection and the use of “known bad” consortium data. In case the fraudster is able to beat the MFA, some recordkeepers employ technology that analyzes user behaviors to detect patterns or traits that are either uncharacteristic of that participant or indicative of a fraudster. For example, if a participant usually logs in from a certain IP address range during a certain time of day the system can learn that and detect when someone is logging in from other IP addresses during a different time period. Additionally, there are consortium databases such as LIMRA’s FraudShare that allow members to share confirmed third-party fraud incident and threat data (i.e., “known bad”) with each other, so they can protect themselves from similar and related attacks. Another valuable method is using a bank account ownership validation utility to confirm the bank account about to receive a plan distribution is indeed owned by the participant. Lastly, nothing beats a well-informed and trained employee. Successful firms provide regular training and education to their teams to update them on the most recent fraud schemes and scams, the red flags to be on the lookout for and how to effectively handle any suspicious activity they detect.
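One way to express two of the controls described in the answers above, the login baseline of usual IP ranges and hours and the temporary hold on distributions after sensitive account changes, as an added illustration that is not part of the report or either interviewee's own systems. The participant history, the change log, the field names and the seven-day hold value are constructed assumptions (the interview quotes a range of seven to 30 days).

```python
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed login history for one participant (sample data, not real).
HISTORY = [
    {"ip": "203.0.113.10", "time": datetime(2022, 8, 1, 9, 15)},
    {"ip": "203.0.113.22", "time": datetime(2022, 8, 3, 8, 50)},
    {"ip": "203.0.113.7", "time": datetime(2022, 8, 8, 10, 5)},
]

# Constructed log of profile changes: (field, when it changed).
CHANGES = [("address", datetime(2022, 8, 20, 14, 0))]
SENSITIVE = {"password", "address", "bank_account"}  # assumed field names
HOLD_DAYS = 7  # assumed value from the seven-to-30-day range quoted above


def baseline(history):
    """Learn the /24 networks and the hour window the participant normally uses."""
    nets = {ip_network(f"{h['ip']}/24", strict=False) for h in history}
    hours = [h["time"].hour for h in history]
    return nets, (min(hours), max(hours))


def login_flags(history, ip, when):
    """Return the reasons a new login looks uncharacteristic of this participant."""
    nets, (first_hour, last_hour) = baseline(history)
    flags = []
    if not any(ip_address(ip) in net for net in nets):
        flags.append("unknown-network")
    if not first_hour <= when.hour <= last_hour:
        flags.append("unusual-hour")
    return flags  # empty list means the login matches the baseline


def distribution_allowed(changes, now, hold_days=HOLD_DAYS):
    """Hold a distribution while any sensitive change is younger than the hold window.

    Returns (allowed, list of fields still inside the hold window) so the caller
    can notify the participant about the specific change that triggered the hold.
    """
    cutoff = now - timedelta(days=hold_days)
    recent = [field for field, when in changes if field in SENSITIVE and when > cutoff]
    return (len(recent) == 0, recent)
```

A real deployment would feed `login_flags` into the alert-or-freeze decision and route a held distribution to the human review step the interview describes, rather than rejecting it outright.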
PR: How successful has the retirement industry been in combatting fraud?
AS: The industry has spent a lot of time and effort combatting fraud. They have been relatively successful, but that’s not enough. Criminals are becoming more organized and sophisticated. Cyber organized crime is growing. Fraudsters have been relatively successful gaining access to information and will likely become more sophisticated in their use of it. Entire organizations are in business to commit fraud. They are always looking for vulnerability and opportunity. For this reason, recordkeepers have to be ever vigilant.
RA: The retirement industry has been very successful in combating fraud. The great majority of attempts are unsuccessful and even when a fraudster is able to withdraw funds recordkeepers are often successful in getting the funds back. Fraud prevention has become an integral part of doing business and successful firms have realized that strong fraud prevention and authentication controls do much more than prevent fraud. Strong authentication and fraud controls enable recordkeepers to allow participants greater access to their accounts with expanded self-service capabilities. Allowing participants greater access and the ability to self-service improves customer satisfaction while reducing associated unit costs. So, implementing the right authentication and fraud prevention controls is a real win-win proposition.
PR: What are some of the common techniques used by fraudsters and have new techniques evolved?
RA/AS: Fraudsters still use many of the tried-and-true methods. Recordkeepers still experience old-fashioned check washing in which a fraudster steals a check from the U.S. postal system and alters the payee name so they can cash it.
A new twist on the scheme involves overnight disbursement check requests. A fraudster will request a disbursement check to be overnighted to the participant’s address on record. Once the overnight package is sent the fraudster calls back to get the tracking number so they can call the overnight carrier to change the destination address.
The more challenging schemes to detect are ones involving situations in which the participant’s, plan sponsor’s or TPA’s email has been compromised. Once a fraudster has access to someone’s email, they can learn all about them and their accounts. It’s especially advantageous when they find an email chain involving a previous disbursement request because all they need to do is update the bank account information and resubmit the request. When an email comes from actual participants, plan sponsors or TPAs containing previously used instructions it’s extremely hard to detect that it is fraudulent.
One-time passcodes (OTP) sent to cell phones can be beaten with a very simple ploy. The fraudster will access the online account, click on forgot username and/or password, and before the OTP is sent, the fraudster will call the participant about some issue with their account. While on the phone the fraudster will ask the participant to tell them the OTP that they will shortly receive via email. When the participant tells them the code, the fraudster uses it to obtain their username and reset their password and access their account. The schemes and scams are only limited by the creativity of the fraudster.
PR: Is there anything else you would like to tell us?
AS: This topic is and will continue to be critical. Recordkeepers have to balance the security of participant accounts with the customer experience. Security can be cumbersome, but it’s important. As recordkeepers continue to add digital capabilities to increase convenience, they have to be careful not to create another path for fraudsters to access accounts.
RA: Fraud has existed as long as there has been something of value to obtain and fraud will continue to persist and will never cease being a threat. So, it’s imperative that recordkeepers continue to factor fraud prevention into everything they do. As each new product or service is designed, as each new procedure is created, the fraud risks need to be understood and the appropriate controls built in from day one. Helping participants save and invest for their retirement is pointless if someone can steal it before they retire. Recordkeepers need to prioritize fraud prevention right along with their priorities of helping participants to save and invest for their retirement.
Patrick Ring, ASA, volunteers as chair of the SOA Retirement Section Council’s Communications Team. He can be reached at pringactuary@gmail.com.