Fraudulent takeover of 401(k) accounts stole $751,430 in just one phone call

Scam Exposes Risks in Retirement Accounts

A recent incident involves a scammer who contacted Alight Solutions, which manages Colgate-Palmolive’s 401(k) plan. Identifying himself as an employee, he requested updates to the contact details associated with the account. Months later, a staggering sum of $751,430 was transferred to a Las Vegas address and bank account, leaving the genuine account holder, Paula Disbury, who resides in South Africa, without her funds.

Disbury subsequently filed a lawsuit against Colgate’s benefits board, Alight, and BNY Mellon, the plan’s administrator, to recover the lost money. This lawsuit was settled under undisclosed conditions without a court ruling on whether Alight should be held responsible for the recovery of the funds.

In February 2026, the Government Accountability Office instructed the U.S. Department of Labor to provide updated guidelines regarding retirement plan participant data. The GAO pointed to 11 lawsuits filed under the Employee Retirement Income Security Act from 2009 to 2024, highlighting ongoing issues in retirement plan security.

Interestingly, unlike protections available for credit card fraud, consumer protections for 401(k) account takeovers are limited.

How the Scam Happened

The Disbury incident began with a simple phone call to Alight. The scammer had enough personal information—her Social Security number’s last four digits, her date of birth, and her mailing address—to pass Alight’s verification process. He then requested to update the contact information on the account. Unfortunately, Alight failed to send alerts to Disbury’s registered email and phone number, instead providing a temporary password via email.

Disbury’s plan contained a 14-day waiting period for address changes before any fund distribution. However, it is alleged that Alight overlooked this policy. Soon after, the impersonator accessed the account and requested full payment, leading to a check being mailed to Las Vegas.
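The two controls described above, an alert to the previously registered contacts when contact details change and the 14-day hold on distributions after an address change, can be checked mechanically over an account's event log. The following is an added illustration, not code from Alight or any party in the case; the event schema, field names and sample events are constructed assumptions, and the check on credentials sent to a recently changed contact is an added rule that goes beyond what the article states.

```python
from datetime import datetime, timedelta

HOLD = timedelta(days=14)  # waiting period after an address change, as in the plan described above

# Constructed sample events for one account (hypothetical schema, not data from the case).
EVENTS = [
    {"ts": "2024-03-01T10:02", "type": "contact_change", "channel": "phone",
     "fields": ["email", "phone"], "prior_contacts_notified": False},
    {"ts": "2024-03-01T10:05", "type": "temp_password_issued", "sent_via": "email"},
    {"ts": "2024-03-04T09:00", "type": "contact_change", "channel": "web",
     "fields": ["address"], "prior_contacts_notified": True},
    {"ts": "2024-03-10T15:30", "type": "distribution_request", "amount": 50000},
    {"ts": "2024-04-02T11:00", "type": "distribution_request", "amount": 1000},
]

def review_events(events, hold=HOLD):
    """Return (timestamp, rule, action) findings for one account's event stream."""
    findings = []
    last_changed = {}  # contact field -> time of its most recent change

    def recently_changed(field, now):
        return field in last_changed and now - last_changed[field] < hold

    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(ev["ts"])
        if ev["type"] == "contact_change":
            for field in ev["fields"]:
                last_changed[field] = ts
            # The old email/phone must hear about the change, or the owner never can object.
            if not ev.get("prior_contacts_notified", False):
                findings.append((ev["ts"], "no_alert_to_prior_contacts", "alert"))
        elif ev["type"] == "temp_password_issued":
            # Added rule (assumption): no credentials to a contact changed inside the hold.
            if recently_changed(ev["sent_via"], ts):
                findings.append((ev["ts"], "credential_to_recently_changed_contact", "block"))
        elif ev["type"] == "distribution_request":
            # The hold is enforced at request time, not left to manual review.
            if recently_changed("address", ts):
                findings.append((ev["ts"], "distribution_inside_address_hold", "hold"))
    return findings

if __name__ == "__main__":
    for finding in review_events(EVENTS):
        print(finding)
```

The second distribution request in the sample falls 29 days after the address change, so it passes the hold and produces no finding.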

The Bigger Picture of 401(k) Account Takeovers

This kind of account theft is not isolated. Heide Bartnett, a former employee of Abbott Laboratories, sued Alight over a $245,000 distribution after hackers exploited the “forgot password” feature in the plan portal. Many others have reported similar experiences, showing that this problem is widespread.

The issue extends beyond retirement accounts: an FBI report from April 2026 found that Americans aged 60 and older lost approximately $7.7 billion to internet crimes in 2025, a 59% increase from the previous year, with a significant portion attributed to investment fraud. This clearly shows that seniors are becoming prime targets for fraudsters.

Protecting Against Retirement Account Theft

While federal safeguards for retirement accounts are often lacking, there are various steps individuals can take to enhance their security:

  • Enable multi-factor authentication on the account portal—this can significantly reduce risks.
  • Set up alerts for any account changes, such as password resets and contact updates.
  • Contact your plan administrator about policies on holding distributions, particularly after an address change.
  • Review financial statements quarterly to catch any unusual activities sooner.
  • Obtain an IRS Identity Protection PIN (IP PIN) to block fraudulent tax returns.
  • Freeze your credit with major credit bureaus to prevent new accounts from being opened in your name.

The Importance of Identity Theft Monitoring

Alerts from the record keeper are only effective if they are sent. The Disbury case illustrates the consequences of not receiving these notices. A robust identity theft monitoring service can provide an added layer of security by tracking suspicious activity not only in retirement accounts but also across other financial services. Some services include elements like fraud resolution support and insurance for identity theft recovery.

Checking for Potential Compromises

If you suspect your information might be at risk, consider conducting a free identity breach scan to determine if your data has been part of any known breaches. Early detection allows for quicker responses, reducing the possibility of fraud spreading further.

Key Takeaways

Retirement accounts are exposed to fraud when proper precautions are lacking. The Disbury case is a sobering reminder that personal information in the wrong hands can lead to significant financial loss. Since retirement accounts do not have the same protections as other financial tools, following these safety measures is imperative. Individuals should activate multi-factor authentication, use any account alerts available, and ask about the protocol following changes to their account information. Being proactive can make a crucial difference in safeguarding your retirement savings.
