City employees in Chicago had an unpleasant surprise earlier this month.
Scammers got access to some retirement accounts and took fraudulent loans worth $2.6 million, reports said.
Initial reports said it was a hack in which the bad guys used the personal information of employees to set up online profiles with the city’s deferred compensation plan. They then took out the loans.
But now it’s looking more like a different kind of fraud.
“We believe somebody stole the information. It was not hacked,” said a spokesman for Nationwide Retirement Solutions, the company that administers the plan for the city.
When asked if it was an inside job, the spokesman wouldn’t comment, saying he couldn’t give any more detail because of an ongoing investigation.
A spokeswoman for Chicago’s comptroller would only say the fraud was “undertaken by an individual or group who fraudulently accessed personal information and established a web profile to take out a loan from the retirement account.”
In all, 91 accounts were breached, but only 58 of those had money withdrawn, the spokeswoman said.
Nationwide did say the “suspicious transactions” were noticed on June 1, and customer accounts were made whole by the end of the week. The company is also offering two years of free credit monitoring to affected customers.
You keep your personal information safe, and that’s good. You also need to make sure your children’s identities are not stolen.
It’s one thing to be the victim of a credit card hack, but to think a huckster could have enough private information about you to access your retirement accounts?
That’s scary business.
And whatever you think of public pensions and retirement systems here in New Jersey, state and municipal employees should know how — and if — their accounts are protected.
First, the protections you have depend on what kind of account you have.
(Put on your acronym hat.)
In New Jersey, public workers may have a defined contribution plan such as DCRP (Defined Contribution Retirement Program) or NJSEDCP (New Jersey State Employees Deferred Compensation Plan). Both are managed by Prudential, while other plans are managed by other custodians.
All outside vendors must meet certain security requirements when they bid to manage the programs, said Treasury spokesman Joseph Perone. The vendors also follow their own security procedures, he said.
Then there are defined benefit plans that are managed by the state. Those include PERS (Public Employees’ Retirement System), PFRS (Police and Firemen’s Retirement System), TPAF (The Teachers’ Pension and Annuity Fund), SPRS (State Police Retirement System) and JRS (The Judicial Retirement System).
“The state employs extensive technology for safeguarding the data stored about the members of these plans, just as it does for all sensitive data under state control,” Perone said. “This includes close coordination with the New Jersey Cybersecurity & Communications Integration Cell, which is designed to assist the private and public sectors in the prevention of hacking.”
That all sounds well and good, but what happens, in reality, if one of these accounts is breached?
It depends on the nature of the breach.
How to protect yourself if your private information is taken by scammers
The Employee Retirement Income Security Act of 1974 (ERISA) is a federal law that sets minimum protection standards for most voluntarily established pension and health plans in private industry, said Mitch Feather of Creative Associates, a Madison-based cybersecurity and infrastructure consulting firm.
He said ERISA generally does not cover retirement plans established or maintained by governmental entities, churches for their employees, or plans which are maintained solely to comply with applicable workers compensation, unemployment or disability laws. ERISA also does not cover plans maintained outside the United States primarily for the benefit of nonresident aliens or unfunded excess benefit plans, he said.
But, he said, many sections of ERISA do apply to public-sector plans.
“If a pension fund manager’s computer systems fall victim to a cyber breach and it is found that the pension fund manager did not exercise due care and/or due diligence, the pension fund manager may found to be in breach of their fiduciary responsibility and may be held liable to restore those losses,” Feather said.
Feather said in many cases, pension fund assets are held by a third party known as a custodian. If the custodian is a bank and the funds are in bank accounts, your account may be protected and insured by the Federal Deposit Insurance Corporation (FDIC). If the custodian is a brokerage and the assets are held in brokerage accounts, your account may be protected and insured by Securities Investor Protection Corporation (SIPC). Custodians can also now buy cyber insurance to protect themselves from the financial impact of a cyber breach.
But it’s not all on the financial institution.
If you don’t take steps to protect your own personal information or you carelessly click on a link or open an attachment on an email that results in your account getting compromised, you may not have any protections.
Feather said some pension fund managers publish their policies regarding cyber fraud (Vanguard, Schwab, and Fidelity are three examples), and they all have a common point: if you are negligent, it is your fault and you are responsible.
Feather offered these 10 action moves so you don’t wait to become a victim.
1. Ask your fiduciary or plan manager if it has a published cyber breach policy. Ask specific questions about what cyber security measures it takes and what kind of coverage is guaranteed in case the firm, its systems or the user’s account is breached. Don’t be shocked if you don’t like what you hear. A 2015 Securities and Exchange Commission (SEC) study found only 15 percent of broker-dealers and 9 percent of investment advisors offered security guarantees to protect their clients against cyber-related losses.
2. If you have online access to your account, take advantage of two-factor authentication if it’s offered.
3. Create a strong password, protect your password and change it regularly. Do not use the same password on multiple accounts.
4. Do not log into your accounts while using public/free WiFi service and/or public computers.
5. Use caution before clicking on links or opening attachments sent to you.
6. Do not reply to emails or inbound phone calls that ask you for your account information or any personal identifiable information (PII).
7. Monitor your account statements, checking asset balances and transaction activity every month — or even more often.
8. If you have online access to your account, see if the site offers an activity log or “last logged in” information. You want to watch out for any online activity that wasn’t yours.
9. Be sure to keep your computer’s patches, updates and security software all up-to-date.
10. Finally, these are your assets. Take the time to protect them and to ask questions.
If a computer is involved, take the time to stop and think about what you’re about to do, click on or open, Feather said.
“The few minutes you spend may save you from months of grief and losses,” he said. “You may never realize it but that small investment today may reap the biggest returns of all.”
Have you been Bamboozled? Reach Karin Price Mueller atBamboozled@NJAdvanceMedia.com. Follow her on Twitter @KPMueller. FindBamboozled on Facebook. Mueller is also the founder of NJMoneyHelp.com. Stay informed and sign up for NJMoneyHelp.com’s weekly e-newsletter.