At least two pending federal cases deal with attacks on individual 401(k) plan accounts. The fact patterns are similar: a participant submits an electronic benefit withdrawal request to the employer or the plan's record keeper. The request is passed on to the plan's custodian for implementation.

The custodian, as holder of the plan assets, then transfers the requested funds to the participant's bank account. This is a routine transaction, and the distribution has been implemented as intended.


What follows is not routine because a cybercriminal has fraudulently obtained a copy of the withdrawal request and the participant's associated personal information. The fraudster then poses as the participant and submits an additional electronic withdrawal request. This request is processed and paid on behalf of the plan; however, the funds are transferred to an account designated by the impostor. Additional unauthorized withdrawals may follow.


In Leventhal v. The Marblestone Group LLC et al., a Pennsylvania case, the participant, a lawyer and a principal in a law firm that sponsored the 401(k) plan, incurred an uninsured loss of over $400,000 in a series of unauthorized withdrawals resulting from an "unknown method of cyber-fraud." The lawyer filed an action against the plan's record keeper and custodian alleging breaches of their ERISA fiduciary duties.

**The case survived a motion to dismiss,** as the trial court determined that the allegations of fiduciary status and fiduciary misconduct of both plan service providers were adequate as a matter of law.

**Note: The Leventhal case may be unique in that the law firm sponsoring the plan** was not sued for its role in the unauthorized account withdrawals. Because Leventhal was a principal in the law firm sponsor of the plan, suing the firm would be tantamount to suing himself! Any non-owner participant would likely join the employer-sponsor as a co-defendant.

**Berman v. Estee Lauder Inc., a pending California case, illustrates a more likely approach.** The participant in Berman sued both the employer and the record keeper for processing a series of fraudulent transactions that depleted her 401(k) account. The alleged misconduct included:

  • failure to confirm distribution authorizations,

  • failure to provide timely notices of distributions by telephone or email, and

  • failure to recognize suspicious distribution requests (which, in this case, included multiple distribution requests involving transfers to different banks).


The assets of 401(k) and other retirement plans represent a significant financial asset and present an inviting target for cybercriminals. Information openly available in the public record identifies these plans, their sponsors, and related information that may be useful to cyber-thieves.

**Employers who sponsor these plans are almost always plan fiduciaries and likely targets of suits** over unauthorized plan withdrawals. Plan sponsors should consider their own cybersecurity protective measures and make sure that plan service providers have taken appropriate steps to secure the confidentiality of participants' personal information.

Plan service providers may want to implement additional steps in processing plan withdrawal requests. An additional verification step could not only prevent fraudulent withdrawals but also strengthen a defense based on the provider's claim of non-fiduciary status.
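As an added illustration of what the controls alleged to be missing in Berman and the additional verification step suggested above could look like in a record keeper's or custodian's processing pipeline (this is example code written for this page, not the code of any service provider or party to these cases): every request is screened before payment, a request is held if its destination differs from the bank account verified at enrollment, if it is part of a pattern of requests to different banks within a look-back window, or if it repeats another request within a short interval; a held request is released only on confirmation obtained through contact details already on file, never through details supplied with the request; and a notice goes to the contact on file for every request regardless of outcome. The 30-day window, the 72-hour repeat threshold, the participant identifier, the routing and account numbers, the amounts and the confirmation outcomes are all assumptions constructed for the example.

```python
"""Screening of 401(k) withdrawal requests before a custodian releases funds.

Added example; not the code of any record keeper, custodian or party to the
cases discussed. Thresholds, identifiers and amounts are assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

LOOKBACK = timedelta(days=30)        # assumed window for the "different banks" rule
RAPID_REPEAT = timedelta(hours=72)   # assumed gap below which a repeat is suspicious


@dataclass(frozen=True)
class WithdrawalRequest:
    request_id: str
    participant_id: str
    amount: float
    dest_routing: str       # routing number of the receiving bank
    dest_account: str       # account number at that bank
    submitted_at: datetime


@dataclass(frozen=True)
class ParticipantProfile:
    participant_id: str
    bank_on_file: tuple     # (routing, account) verified at enrollment, not taken from a request
    phone_on_file: str      # contact used for confirmations and notices


def screen(req, history, profile):
    """Return the reasons a request must not be paid automatically (empty = clean).

    history: earlier requests for the same participant, paid or not; a fraud
    pattern is only visible if held and rejected requests also count.
    """
    reasons = []
    if (req.dest_routing, req.dest_account) != profile.bank_on_file:
        reasons.append("destination differs from bank account on file")
    recent = [h for h in history if req.submitted_at - h.submitted_at <= LOOKBACK]
    banks = {h.dest_routing for h in recent} | {req.dest_routing}
    if len(banks) > 1:
        reasons.append("requests to different banks within look-back window")
    if any(req.submitted_at - h.submitted_at <= RAPID_REPEAT for h in recent):
        reasons.append("repeat request within 72 hours")
    return reasons


def process(requests, profile, confirmations):
    """Decide each request in submission order.

    confirmations: request_id -> True/False, the participant's answer when
    reached at the phone number on file (never at details supplied with the
    request). A missing entry means no answer yet, so the request stays held.
    Returns (decisions, notices); decisions maps request_id to
    "paid", "held" or "rejected".
    """
    history, decisions, notices = [], {}, []
    for req in sorted(requests, key=lambda r: r.submitted_at):
        reasons = screen(req, history, profile)
        history.append(req)
        # Timely notice of every distribution request to the contact on file,
        # regardless of outcome, so the participant learns of an impostor's request.
        notices.append(f"to {profile.phone_on_file}: request {req.request_id} "
                       f"for ${req.amount:,.2f} to routing {req.dest_routing}")
        if not reasons or confirmations.get(req.request_id) is True:
            decisions[req.request_id] = "paid"
        elif confirmations.get(req.request_id) is False:
            decisions[req.request_id] = "rejected"
        else:
            decisions[req.request_id] = "held"
    return decisions, notices


# Constructed sample data: placeholder routing/account numbers, not real banks.
PROFILE = ParticipantProfile("P-1001", ("111111111", "000100200"), "+1-555-0100")
T0 = datetime(2024, 3, 1, 9, 0)
SAMPLE_REQUESTS = [
    # The participant's own request, to the account verified at enrollment.
    WithdrawalRequest("R1", "P-1001", 25_000.00, "111111111", "000100200", T0),
    # Impostor reuses the stolen request data but names a different bank.
    WithdrawalRequest("R2", "P-1001", 90_000.00, "222222222", "770011223", T0 + timedelta(days=2)),
    # A further unauthorized request to yet another bank a week later.
    WithdrawalRequest("R3", "P-1001", 60_000.00, "333333333", "550099887", T0 + timedelta(days=9)),
]
# Participant reached by phone denies R2; nobody has answered about R3 yet.
SAMPLE_CONFIRMATIONS = {"R2": False}


def sample_run():
    return process(SAMPLE_REQUESTS, PROFILE, SAMPLE_CONFIRMATIONS)


if __name__ == "__main__":
    decisions, notices = sample_run()
    for rid, outcome in decisions.items():
        print(rid, outcome)
    print(*notices, sep="\n")
```

On the sample data the participant's own request is paid, the first impostor request is rejected after the participant denies it by phone, and the third request stays held for lack of an answer. The design choice worth noting is that a held or rejected request still enters the history: the "different banks" pattern in Berman is only detectable if requests that never resulted in payment are counted.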
