
Retirement plans are particularly attractive to fraudsters who are targeting retirement savers with increasingly sophisticated tactics, exploiting technology and human behavior.
While plan sponsors can implement their own strong security measures, it's also crucial for participants to take an active role in protecting their own accounts.
As fiduciaries, plan sponsors have a duty to act with prudence, care, and diligence – including actively safeguarding participants’ retirement assets against cybercrime.
Defined contribution (DC) plan participants face a range of risks, including market volatility, inflation, and the risk of outliving their savings. But one growing threat often overlooked is cybercrime. Cybercriminals are targeting retirement savers with increasingly sophisticated tactics that exploit both technology and human behavior. In 2024 alone, Americans over 60 reported more than $4.8 billion in losses due to cybercrime — the highest of any age group.1
Retirement plans are particularly attractive to fraudsters. Accounts often hold large balances, aren't regularly monitored like checking accounts, and rely on self-service platforms where the participant is the gatekeeper. While many plan sponsors have strengthened their own cybersecurity practices, participants remain a critical yet vulnerable link in the chain. As fiduciaries, sponsors have a responsibility to protect participants by encouraging proactive behaviors and raising awareness about this evolving threat.
The shift away from defined benefit plans has left participants to shoulder more retirement risk than ever before. Employers once provided guaranteed income for life, but today’s savers are confronted with a wider array of financial risks:
These risks are well known to plan sponsors and communicated to participants. However, cybersecurity is often left out of the conversation. The reality is that cyber risk can directly threaten a participant’s ability to retire, especially if account assets are compromised. The financial and emotional fallout from a single breach can be significant.
From phone scams that clone familiar voices to phishing and fake websites, today’s criminals manipulate human behavior and trick people into divulging confidential and/or financial information.
Participants commonly expose their retirement accounts by clicking on phishing emails, opening suspicious links, and using unsecured networks at home or on public Wi-Fi. Even as plan providers and recordkeepers enhance their technical defenses, attackers are shifting their focus to the participant as the easiest access point.
This threat is especially alarming given how many workers rely on their 401(k) or similar accounts as their primary source of retirement income. As of December 31, 2024, US retirement assets totaled $44.1 trillion and accounted for 34% of all household financial assets.2 If those funds are lost to fraud, many participants simply won’t be able to retire as planned.
From a plan sponsor's perspective, the consequences can ripple throughout the workforce. A participant forced to delay retirement can create benefit cost pressures, succession delays, and career advancement bottlenecks. Although many recordkeepers offer fraud protection and even reimbursement policies, restoration is never guaranteed, and a negative experience can erode trust in the plan.
Plan sponsors don’t need to become cybersecurity experts, but they can play a critical role in participant protection. The Department of Labor’s 2021 guidance established that plan fiduciaries are responsible for selecting service providers with strong cybersecurity practices. It also emphasized the importance of participant education.
As nearly all aspects of our lives have become digitally connected, the attack surface for cyber actors has grown exponentially, and scammers are increasingly using the Internet to steal Americans’ hard-earned savings.
The DOL created a participant-friendly checklist of cybersecurity best practices, including:
These tips should be distributed regularly and documented as part of your plan communications. All are available at dol.gov. Consider including them in onboarding materials, annual notices, or plan newsletters.
Fraudsters employ schemes that look legitimate: fake websites, AI-generated voicemails, spoofed phone numbers, and emails that appear to come from known contacts. Participants may receive messages that prompt urgent action, such as “Click here to unlock your account” or “Press 1 to speak with an agent.” These are designed to trigger fear and bypass reason.
Sponsors can help combat this by providing real-world examples of these scams. The more familiar participants are with the tactics, the more likely they are to pause, question and protect themselves. Highlighting subtle red flags can help people recognize the signs before it’s too late.
Work with your recordkeeper to identify participants who haven’t registered their online account, haven’t changed their password in over 90 days, or haven’t set up multi-factor authentication. These groups are usually the most vulnerable and may benefit from targeted outreach. Also, consider that near-retirees and retirees who stay in-plan may benefit from more frequent or simplified cybersecurity education. These participants may be less familiar with evolving cyber threats and may not realize their retirement savings are at risk until it’s too late.
Cybersecurity is more than a one-time initiative. Sponsors should add it to the retirement plan committee agenda at least once a year. Continuously review recent threats, litigation trends, audit updates, and participant education efforts. Document any decisions made and evaluate what additional steps might reduce plan risk, including vendor reviews and updates to your incident response protocol.
Even as scams grow more complex, many rely on familiar patterns. Sponsors can help participants defend themselves by reinforcing these warning signs:
Fraud prevention isn’t about mastering technology – it’s about forming smart habits and seeking help when needed. Participants should be encouraged to speak with a trusted family member, advisor, or even their HR team when something feels off. And if they’ve already been targeted, reporting it promptly to the FBI’s Internet Crime Complaint Center (IC3) or to plan providers can help limit the damage.
Cybersecurity may feel like a technical issue, but it’s really a broader retirement readiness issue. A single scam can devastate a participant’s entire financial picture, especially if they’re near retirement and relying heavily on those assets, as most are.
Plan sponsors are in a unique position to raise awareness, share resources, and foster a culture of digital caution. Education has the dual benefit of helping to protect the individual and the long-term health of the plan. By taking simple, proactive steps today, sponsors can strengthen participant resilience and uphold their fiduciary responsibility in an age when digital threats are only growing more robust and complex.
Invesco’s Talk, plan, act: Guiding you to a financially secure retirement presentation offers tips to help participants protect their assets from cybercrime. To learn more, contact your Invesco representative.
Important information
This material is for illustrative, informational, and educational purposes only. It is not intended to be legal or tax advice or to offer a comprehensive resource for tax-qualified retirement plans.
The opinions expressed are those of the presenter(s), are based on current market conditions and are subject to change without notice. These opinions may differ from those of other Invesco investment professionals.