Dr. Ryan Aung is CIO/CISO of Slavic401k.
Every year, billions of dollars vanish from the retirement accounts of Americans at the hands of criminals. AARP reports that more than $28 billion is lost to fraud annually, and the toll on people’s life savings is devastating. Retirement funds are an especially tempting target. The money is substantial, and criminals know that many account holders, particularly seniors, are less savvy about the tricks being used against them. And the criminals are becoming bolder, more sophisticated and more creative with every passing year.
The Evolution Of Cyber Fraud
Cyber criminals once relied on sloppy email scams with obvious typos. Today, they impersonate banks, government agencies and even tech support with alarming accuracy. They run deceptive campaigns by email (phishing), phone (vishing) and text (smishing). They use AI to write flawless messages, generate fake voices and build convincing websites. Sometimes scammers even purchase Google ads to have fake institution login pages appear as top search results.
The FBI has warned about what’s called the “phantom hacker scam.” Criminals convince victims that their computers are compromised and set up a fake tech support call. Real hackers pose as bank representatives or even government officials, warning that to “protect” your savings, you need to move your retirement money into a more “secure” account—one they control and soon empty.
Criminals are arming themselves with AI, using it to scale their attacks and make them harder to detect. On the positive side, financial institutions are also leveraging AI to spot anomalies and strengthen authentication processes. It has become an AI-versus-AI battle, with people’s financial futures at stake.
A Shared Responsibility
So, how do we protect retirement funds in this environment? Security is a shared responsibility that requires businesses, individuals and government to work together.
Financial institutions have to lead with strong cyber defenses. That means robust security systems, including layers of authentication and human review for high-risk transactions. It’s not enough to just have a firewall or a fixed fraud-detection algorithm. “Defense in depth” is the model, meaning technology, processes and people working together.
At the same time, customers also play a critical role. Technology can’t block every bad actor. If you click on a fake link and willingly hand over your password, there’s only so much the system can do. That’s why awareness is vital.
- Think before you click. When in doubt, don’t respond to the suspicious email, text or link.
- Verify directly. Call your bank or retirement plan provider directly, using the official number from their website or your account statement. (If someone contacts you unexpectedly with urgent demands, that’s a big clue to stop and verify.)
- Check the URL. Verifying the browser address is crucial, as you might otherwise end up on an impersonated website.
Choosing strong authentication methods is key. We’re all used to one-time passcodes via SMS, but those are still vulnerable if you are entering the passcodes on an impersonated website. More phishing-resistant methods like passkeys or biometrics make it much harder for attackers to break in, especially when paired with a strong password. And always keep an eye on your account. The sooner you spot suspicious activity, the sooner your financial institution can help you respond. In many cases, quick reporting makes the difference between a minor disruption and a catastrophic loss.
Building A Culture Of Vigilance
One of the biggest challenges is communication. Companies can push out educational content through websites or email newsletters, but customers vary widely in their technical expertise. Some people need step-by-step guidance, while others just want the high-level warning. Getting the message across in a way that resonates is not easy, but it’s crucial.
On the customer service side, it’s becoming harder to verify identities. Institutions are evolving with technology to verify IDs, but customers also need to cooperate with added layers of verification. It can be inconvenient to have to go through multiple steps of authentication, but it’s part of the safeguarding process. Think of it like having multiple locks on your front door.
This battle isn’t going away anytime soon. Criminal tactics are evolving with technology, and financial institutions are adapting their responses. Vigilance, education and layered security make all the difference. The public and private sectors need to continue working together, with customers willing to play their important part.
Forbes Technology Council is an invitation-only community for world-class CIOs, CTOs and technology executives.