Connect with us

Technology

Your 401(k) is the new identity theft target

Published

on

Your 401(k) is the new identity theft target

NEWYou can now listen to Fox News articles!

An impostor phoned Alight Solutions, the recordkeeper for Colgate-Palmolive’s 401(k) plan, and identified herself as a Colgate employee. She asked to update the contact information on an account. Months later, the entire $751,430 balance had been sent in a single lump sum to a Las Vegas address and bank account. The real account holder, Paula Disberry, was living in South Africa.

Disberry sued Alight, Colgate’s benefits committee and BNY Mellon, the plan’s custodian, to recover the money. The case was later settled on undisclosed terms. The court never ruled on whether Alight had to restore the funds.

In February 2026, the Government Accountability Office told the U.S. Department of Labor to issue new guidance on retirement plan participant data. The GAO cited eleven separate lawsuits filed between 2009 and 2024 under the Employee Retirement Income Security Act, the federal law governing private retirement plans.

When account takeover hits a 401(k), the consumer protections that govern credit card fraud do not apply.

Advertisement

 Sign up for my FREE CyberGuy Report

  • Get my best tech tips, urgent security alerts and exclusive deals delivered straight to your inbox.
  • For simple, real-world ways to spot scams early and stay protected, visit CyberGuy.com trusted by millions who watch CyberGuy on TV daily.
  • Plus, you’ll get instant access to my Ultimate Scam Survival Guide free when you join. 

REMOVE YOUR DATA TO PROTECT YOUR RETIREMENT FROM SCAMMERS

A stolen 401(k) shows how one phone call, exposed personal details and weak account-change safeguards can drain retirement savings. (Kurt “CyberGuy” Knutsson)

How the 401(k) account was drained

The Disberry case began when an impostor called Alight’s Benefits Information Center. She gave Disberry’s name, the last four digits of her Social Security number, her date of birth and the mailing address Alight had on file. That was enough to clear the call center’s security check.

She then asked Alight to update the contact information on Disberry’s account. Alight did not send an alert to Disberry’s existing email address or phone number, both of which it had on file. Instead, the company issued a temporary password through the mail.

Disberry’s plan had a 14-day waiting period between an address change and any distribution. Her lawsuit alleged that Alight skipped it. Within weeks, the impostor logged in, requested a full payout, and BNY Mellon mailed a check to a Las Vegas address.

Advertisement

Why the 401(k) account takeover isn’t an isolated case

Heide Bartnett, a former Abbott Laboratories employee, sued Alight over a $245,000 401(k) distribution. She alleged that a hacker used the plan portal’s “forgot password” feature to reset her credentials and trigger the payout. Other retirement plan recordkeepers have faced similar cybertheft lawsuits.

The problem extends beyond 401(k) accounts. The FBI’s April 2026 Internet Crime Report found that Americans 60 and older lost $7.7 billion to internet crime in 2025, a 59% jump from the year before. Investment fraud accounted for $3.5 billion of those losses, making retirement-age savers a major target for online criminals. 

INSIDE A SCAMMER’S DAY AND HOW THEY TARGET YOU

Retirement account takeovers can start with leaked names, birth dates, partial Social Security numbers and reused passwords from past data breaches. (Kurt “CyberGuy” Knutsson)

How thieves take over retirement accounts

Account takeovers begin with information someone already has. Names, dates of birth, partial SSNs and email addresses appear in dark web breach dumps, often combined with leaked passwords from unrelated services. When the account holder reuses a password across accounts, hackers can test that breach data directly against the recordkeeper’s login portal.

Advertisement

Disberry’s takeover bypassed the login portal entirely. The impostor never logged in to Disberry’s account directly. She called Alight’s call center, used what she already knew about Disberry to clear identity verification and had the contact information changed. After that, the temporary password Alight mailed went somewhere only the impostor could intercept.

Some thieves skip the recordkeeper and go straight for the account holder. The New York Times documented the case of Barry Heitin, a 76-year-old retired lawyer, who lost $740,000 in 2024 after receiving a call from someone claiming to be a federal fraud investigator. The caller convinced Heitin that his retirement accounts were under attack and walked him through transferring the money out himself. He believed he was helping a federal investigation.

How to protect your 401(k) and retirement savings

Federal protections for retirement account theft are limited, but several account-level controls cost nothing and may make takeovers harder.

  • Turn on multi-factor authentication on the recordkeeper portal. A stolen password is far less useful when a one-time code is required.
  • Enable every account-change alert. Email and text alerts for password resets, contact information updates, address changes and bank account changes are the earliest signals that someone else has access to your account.
  • Ask your plan administrator about distribution holds. Some plans impose a waiting period between an address change and any distribution. Get the policy in writing and confirm what triggers the hold.
  • Review statements quarterly. A new bank account or a change in contact information shows up faster on a quarterly review than on an annual one.
  • Get an IRS Identity Protection PIN. The six-digit PIN, available at irs.gov/ippin, blocks fraudulent tax returns filed using your SSN.
  • Freeze your credit at all three bureaus. A freeze blocks new accounts from being opened in your name. Equifax, Experian and TransUnion have offered free freezes since September 2018.

HOW TO STOP IMPOSTOR BANK SCAMS BEFORE THEY DRAIN YOUR WALLET

Multi-factor authentication, account-change alerts, credit freezes and regular statement reviews can help protect your 401(k) before thieves strike. (Kurt “CyberGuy” Knutsson)

Where identity theft monitoring can help

Account-change alerts on the recordkeeper portal only work if the recordkeeper sends them. The Disberry case showed what can happen when those alerts go unsent.

Advertisement

A strong identity theft monitoring service can add another layer of protection by watching for suspicious activity beyond the retirement plan portal. Some services let you link bank, credit card and investment accounts so you can receive alerts when unfamiliar transactions appear. In a retirement account takeover, that could help flag suspicious money movement even if the recordkeeper misses the outgoing transfer.

Many identity theft monitoring services also watch for changes across your credit reports, scan the dark web for exposed personal information and search data broker or people-search sites for your details. Some plans also include fraud resolution support and identity theft insurance for eligible recovery costs.

How to check if your personal information was exposed

If you are unsure whether criminals have already exposed your information, take action now. Start with a free identity breach scan to see whether your data appears in known leaks. Early detection gives you more control and helps you respond before fraud spreads. You can also check whether your personal information is already being used for identity theft, fraud or appearing on the dark web.

See my tips and best picks on Best Identity Theft Protection at CyberGuy.com

Kurt’s key takeaways

Retirement accounts can feel separate from the everyday fraud risks we hear about with credit cards, email accounts and bank logins. But this case shows how quickly a 401(k) can become a target when someone has enough personal information to fool a call center or reset account access. The scary part is that a stolen retirement account may not come with the same consumer protections people expect from credit card fraud. That makes prevention and early warning signs even more important. Turn on multi-factor authentication, enable every account alert your plan offers and ask your employer or plan administrator what happens after an address, phone number or bank account change. No one should have to find out months later that their life savings disappeared. The earlier you spot suspicious activity, the better your chances of stopping the damage before it becomes a financial nightmare.

Advertisement

CLICK HERE TO DOWNLOAD THE FOX NEWS APP

Should retirement plans be required to send stronger alerts before any major account change or distribution, especially when someone’s life savings are on the line? Let us know by writing to us at CyberGuy.comCyberguy.com

 Sign up for my FREE CyberGuy Report

  • Get my best tech tips, urgent security alerts and exclusive deals delivered straight to your inbox.
  • For simple, real-world ways to spot scams early and stay protected, visit CyberGuy.com trusted by millions who watch CyberGuy on TV daily.
  • Plus, you’ll get instant access to my Ultimate Scam Survival Guide free when you join. 

Copyright 2026 CyberGuy.com. All rights reserved.

Technology

Apple’s plot to crush OpenAI

Published

on

Apple’s plot to crush OpenAI

Apple is suing OpenAI. The complaint is readable and intense, as these things often are, though many experts seem to think many of the allegations are just the ways things are done. So what does Apple really want here, and why is it picking such a public fight with OpenAI?

On this episode of The Vergecast, Nilay and David go through the lawsuit, and look at Apple’s history of splashy litigation to determine whether Apple is worried about a possible competitor or simply looking to capitalize on a weak moment for OpenAI. All this is happening as Apple ships the public betas of its new software, headlined by the new Siri AI, and we have thoughts about what it all means — and whether the new Siri is actually any good.

Continue Reading

Technology

New bank scam laws could stop suspicious payments

Published

on

New bank scam laws could stop suspicious payments

NEWYou can now listen to Fox News articles!

Your phone rings, and the caller says your bank account is under attack. To protect your savings, you must move the money right now. The caller sounds calm. The instructions feel official. However, the “safe account” belongs to a scammer. That pressure can turn years of savings into an irreversible transfer. Georgia now gives some banks and credit unions another chance to interrupt the payment before the money leaves.

House Bill 945 took effect July 1, 2026. The law lets financial institutions pause certain transactions when they reasonably suspect financial exploitation. It protects adults age 65 or older. It also covers adults with qualifying physical or mental incapacities, Alzheimer’s disease or dementia. The idea sounds simple. Yet the details matter because your bank’s power may depend on your state, your account and the institution’s own policy.

YOUR FAMILY COULD BE ONE PHONE CALL FROM A BANK SCAM

Free live CyberGuy class: Sick of Spam? Join us July 22.

Advertisement

Join us Wednesday, July 22, at 1 PM ET for a free CyberGuy Live class that will help you cut down on robocalls, spam texts, junk email and other unwanted messages. Kurt “CyberGuy” Knutsson will walk you step by step through simple ways to filter spam, clean up your inbox and recognize the messages that could put your personal information at risk. No technical experience is needed. You’ll also receive our spam-stopping checklist, and every registrant will get a link to the class recording afterward.

Reserve your free spot today at CyberGuyLive.com.

Georgia’s new bank scam law lets financial institutions pause certain suspicious transactions involving older or vulnerable adults. (Getty)

Georgia’s new bank scam law can pause a suspicious payment

Under Georgia’s law, a financial institution may place a hold on a transaction linked to suspected exploitation. The law can cover an eligible adult’s account or an account where that adult is a beneficiary. It can also reach an account belonging to someone suspected of carrying out the exploitation. That last provision gives the law extra reach. In practice, it could help when suspicious money arrives in another customer’s account. The institution may have room to stop the payment from moving farther when the facts support concern.

However, the law gives banks discretion. It says a financial institution may place the hold, but it does not require one. Therefore, a worried teller or fraud analyst still has to notice the warning signs and act. The law also focuses on the suspicious transaction. It does not automatically shut down every payment or withdrawal connected to the account.

Advertisement

A possible 30-day delay comes with limits

A Georgia hold initially expires after 15 business days. The bank may add up to 15 more business days if its review still supports the exploitation concern. A court may shorten or extend that period. The bank must notify authorized account parties and any trusted contact within three business days. It can skip someone it reasonably suspects of taking part in the exploitation. The institution must also begin reviewing the facts behind its decision.

Before using this power, the institution must train the employees involved. It also needs written procedures for reviewing suspected exploitation. The law gives institutions liability protection when they act in good faith and use reasonable care.

A trusted contact can help without controlling your money

Georgia’s law also allows an eligible adult to name a trusted contact for an account. That person could be a relative, friend or another adult the account owner trusts. The bank may contact that person when it suspects exploitation. It may also ask for help confirming contact information, health status or the identity of someone holding power of attorney. In some cases, the institution may share only that it suspects exploitation.

A trusted contact does not automatically gain access to your balance. The role also does not grant authority to move your money or make decisions for you. Federal regulators describe the contact as a backup person whom the institution can alert when something looks wrong.

Which states let banks pause suspected scam payments?

Georgia is part of a much larger shift. As of today, at least 33 states have enacted laws that let banks, credit unions or other covered financial institutions delay certain transactions when they suspect financial exploitation.

Advertisement

The FTC’s most recent nationwide chart identified 24 states with these laws.

However, the agency warned that its chart was only a snapshot and advised readers to check current state statutes.

However, the agency warned that its chart was only a snapshot and advised readers to check current state statutes. Since that report, nine additional states have enacted protections.

These 33 states have enacted transaction-hold protections

The states are:

  • Alabama, Arkansas, Colorado, Connecticut, Delaware, Florida, Georgia and Idaho
  • Kentucky, Louisiana, Maine, Maryland, Michigan, Minnesota, Mississippi and Montana
  • Nebraska, Nevada, New Hampshire, North Carolina, North Dakota, Oklahoma, Oregon and Rhode Island
  • South Carolina, South Dakota, Tennessee, Texas, Utah, Vermont, Virginia, Washington and Wyoming

The laws do not give every bank the same power. Some let an institution pause a payment on its own. Others require a report to law enforcement or adult protective services. The protected age can also vary, while several states include younger adults with qualifying disabilities. Hold periods differ even more. A delay may last only a few business days in one state. Elsewhere, an investigation or court order can keep the payment on hold much longer.

HOW FLORIDA RETIREE LOST $200K IN FAKE PAYPAL REFUND SCAM

Advertisement

Scammers often pressure victims to move money quickly, while transaction-hold laws aim to create time for review. (Photo by Nikolas Kokovlis/NurPhoto via Getty Images)

Nine states have joined the list since the FTC’s last review

Here is what the newer state laws do.

Colorado

Colorado’s HB 26-1110 created the Adults’ Security and Safeguards from Exploitation in Transactions Act, known as the ASSET Act. It lets a bank or credit union delay a disbursement when it reasonably believes a vulnerable adult faces financial exploitation. The institution must notify law enforcement or adult protective services. A decision generally must be made within 90 days. That period can reach 180 days when an agency investigation remains underway. The law takes effect August 12, 2026.

Georgia

Advertisement

Georgia’s HB 945 lets a financial institution place a hold on a suspicious transaction involving an eligible adult. The law also reaches accounts where the adult is a beneficiary. In some cases, it can cover an account belonging to the suspected perpetrator. The initial hold lasts up to 15 business days. A bank may extend it for another 15 business days when its review continues to support the concern. The law also includes trusted contacts, employee training and written notice requirements.

Idaho

Idaho enacted HB 182, known as the Report and Hold law, in 2025. It covers a broad range of financial businesses, including banks, credit unions, lenders, money transmitters and investment firms. Covered professionals may temporarily pause suspicious transactions and report suspected exploitation. The law also gives them liability protection when they act in good faith.

Maine

Maine’s 2025 law covers adults age 65 or older and people protected by the state’s Adult Protective Services Act. A bank or credit union may delay a disbursement when it reasonably believes the payment could result in exploitation. The institution must notify the Maine attorney general within two business days. The hold generally ends within 15 business days unless a court extends it. Customers may also be able to designate a trusted contact.

Advertisement

Maryland

Maryland’s Vulnerable Adult Banking Protection Act covers residents age 65 or older and vulnerable adults who cannot provide for their daily needs. A financial institution may delay or deny a suspicious disbursement. An initial delay can last 15 business days. The institution or an investigating agency can extend it for up to 25 business days from the original request date. The law takes effect October 1, 2026.

North Carolina

North Carolina’s SB 595 gives financial institutions broad authority to delay or refuse transactions involving suspected exploitation of older or disabled adults. The law covers withdrawals, transfers and some requested account changes. An initial delay can last up to 30 business days. The institution may extend it for another 30 business days if it continues to believe exploitation is occurring. Banks may also alert a trusted contact.

Oklahoma

Advertisement

Oklahoma’s SB 2067 requires financial institution employees to report suspicious activity internally and notify an appropriate agency. Banks and credit unions may place a temporary hold on a reported account. They can also contact someone previously designated by the account holder. The law takes effect November 1, 2026.

South Dakota

South Dakota’s HB 1238 lets a financial institution delay or refuse certain transactions when it reasonably believes exploitation may have occurred or is being attempted. The law protects senior and vulnerable adults. It also covers a consenting adult who asks the institution to take protective action.

Vermont

Vermont’s Act 106 lets covered financial institutions delay a transaction when they reasonably believe a customer faces financial exploitation. The initial delay can last 15 business days. The institution may add another 15 days when it believes the exploitation may continue. Vermont approved the law on May 20, 2026.

Advertisement

Why bank scam protections vary by state

The federal Senior Safe Act encourages financial professionals to report suspected exploitation. It also offers liability protection to covered institutions and trained employees who make qualifying reports. However, the law does not create one nationwide transaction-hold rule for checking and savings accounts. Investment accounts follow a different framework. FINRA Rule 2165 lets a brokerage firm temporarily hold certain disbursements or securities transactions when it reasonably believes an eligible adult faces financial exploitation.

The rule generally covers adults age 65 or older along with some younger adults who have qualifying impairments. As a result, a brokerage firm may have national regulatory authority to pause a suspicious request. A bank handling your checking account may depend more heavily on the law in your state.

A state law still cannot guarantee your payment will stop

Most state laws give a bank permission to act rather than requiring it to block every suspicious payment. The institution still needs to recognize the warning signs and have enough information to reasonably suspect exploitation. Your protection may depend on your age, the account involved and where you live. Your bank’s internal policies and employee training also play a role. Even in a state with a transaction-hold law, a payment may go through before anyone realizes a scam is underway.

Scammers know speed works in their favor

CyberGuy has reported on grandparent scams that use urgent calls, stolen details and AI-cloned voices. We have also covered crypto kiosk scamswhere frightened victims followed a caller’s instructions while the money moved beyond easy recovery. Georgia also used HB 945 to add safeguards for virtual currency kiosks, another payment method scammers use to move money quickly.

In both cases, the scammer wants to keep you isolated. They may warn you not to call your family or bank. They might claim that an employee is part of the investigation. A transaction hold attacks that pressure tactic. It adds time, which gives someone a chance to ask a basic question: Does this story make sense? Of course, no law will catch every scam. A payment can move through a different state, another financial service or a crypto wallet. Also, a bank may miss the warning signs or choose not to place a hold.

Advertisement

THE GIFT THAT PROTECTS YOUR DAD FROM SCAMMERS

House Bill 945 took effect July 1, 2026, giving Georgia banks more authority to delay payments tied to suspected exploitation. (Kurt “CyberGuy” Knutsson)

Do these bank scam transaction hold laws work?

An ABA Foundation survey commissioned from 158 banks offers an early view. Half of the responding banks in states with hold laws said they had used the authority to delay, refuse or hold transactions. Nearly 90% of respondents in states without such laws supported adopting them. The survey reflects the banking industry’s experience rather than a nationwide independent study. Even so, it shows that banks see value in having time to investigate.

That time can also create a difficult balance. Banks need enough authority to stop a devastating payment. Yet they must avoid blocking legitimate transactions based on age alone. Georgia tries to address that concern with a reasonable-cause standard. It also requires notice, employee training and an internal review. Whether the law succeeds will depend on how institutions use those tools.

How to protect your money from bank scams

You should not assume your bank can reverse a scam payment. You also cannot count on it pausing every suspicious transaction. The safest approach is to put protections in place before an urgent call, text or email catches you off guard.

Advertisement

1) Ask your bank about trusted contacts and transaction holds

Call your bank’s fraud department and ask whether you can add a trusted contact to your account. Then ask what the bank does when an employee suspects financial exploitation. You should also find out whether your state allows the bank to delay a suspicious transaction. The answer may differ between your checking account and your brokerage account.

2) Turn on instant alerts for account activity

Enable notifications for withdrawals, transfers and card purchases. Choose the lowest available dollar threshold so you hear about unusual activity quickly. Also review your bank’s daily transfer and wire limits. Lower limits can make it harder for a scammer to move a large amount of money in one transaction.

3) Make sure your trusted contact understands the role

Choose someone who will answer quickly and question an unusual request. Make sure that person knows your bank may call if something appears wrong. A trusted contact does not automatically gain access to your money. The role gives your bank another way to reach someone you trust during a possible emergency.

4) Create a family code word for emergencies

Choose a private word or phrase that family members can use to verify a real emergency. If someone calls claiming a loved one needs money, ask for the code word. Then hang up and contact your relative through a phone number you already have. Never call a number provided by the person demanding payment.

5) Never transfer money to a so-called safe account

A bank, government agency or law enforcement officer will not tell you to protect your savings by transferring them to another account. Scammers often use the phrase “safe account” to make a fraudulent transfer sound official. Do not send money through a wire transfer, cryptocurrency kiosk or payment app while someone is pressuring you to act immediately. End the conversation and call your bank using the number on the back of your card or its official website.

Advertisement

6) Use strong security software on your devices

Strong antivirus software can help detect malicious links, fake websites and downloads that scammers use to steal financial information. Keep the software updated on your phone and computer. Security software cannot stop every phone scam. However, it can block some of the digital tools criminals use before they reach your bank account. Get my picks for the best 2026 antivirus protection winners for your Windows, Mac, Android and iOS devices at CyberGuy.com.

7) Reduce the personal information scammers can use

Scammers may pull your age, relatives’ names, phone number and address from data broker and people-search websites. They can use those details to make a fake emergency sound convincing. A data removal service can help reduce how much personal information appears on these sites. It cannot remove every record from the internet, but it can make it harder for criminals to build a detailed profile around you or your family. Check out my top picks for data removal services and get a free scan to find out if your personal information is already out on the web by visiting CyberGuy.com.

8) Act quickly if money starts moving

Call your bank’s fraud department as soon as you suspect a scam. Ask the institution to stop, recall or flag the transaction. Change your online banking password from a trusted device and review recent account activity. If you shared login details, ask the bank whether it should lock online access or issue new account numbers. Next, report the incident to local law enforcement and the appropriate fraud agency. For suspected elder financial abuse, you can also contact Adult Protective Services in your state.

Kurt’s key takeaways

Georgia’s new law gives financial institutions explicit authority to pause certain transactions when they suspect financial exploitation. However, the hold remains optional, and the protection applies only in qualifying situations. The issue reaches far beyond Georgia. At least 33 states have enacted some form of transaction-hold authority for banks or credit unions, although several newer laws have later effective dates. The protections still vary, so your state and financial institution can shape what happens during the most urgent minutes of a scam. Add a trusted contact where available. Talk with your family about how to verify an emergency and learn how your bank handles suspicious payments. A five-minute conversation today could create the pause that saves someone’s life savings later.

Should a bank have the power to delay your payment when it believes a scammer is directing you, even if you insist the transfer is legitimate? Let us know by writing to us at CyberGuy.com.

Advertisement

CLICK HERE TO DOWNLOAD THE FOX NEWS APP

Sign up for my FREE CyberGuy Report

  • Get my best tech tips, urgent security alerts and exclusive deals delivered straight to your inbox.
  • For simple, real-world ways to spot scams early and stay protected, visit CyberGuy.com trusted by millions who watch CyberGuy on TV daily.
  • Plus, you’ll get instant access to my Ultimate Scam Survival Guide free when you join.

Copyright 2026 CyberGuy.com. All rights reserved.

Advertisement
Continue Reading

Technology

Fortnite is getting a bunch of AI-powered ‘personas’

Published

on

Fortnite is getting a bunch of AI-powered ‘personas’

Get ready for more AI characters in Fortnite. Developer Epic Games is going to let Fortnite creators publish experiences featuring characters with AI-powered voices starting on July 30th, and ahead of that launch, it’s created 36 characters with “consistent voices and personas” that creators can use as NPCs. The characters include Fortnite staples like Agent Jonesy, Peely (the banana), Fishstick (a walking fish), and Cuddle Team Leader (who wears a pink bear mascot head).

Epic tested the waters of AI characters with last year’s Darth Vader NPC that was powered by James Earl Jones’ voice — a collaboration that Jones’ estate signed off on. Even though players quickly got Vader to swear, something Epic fixed quickly, the company announced shortly after debuting Vader that Fortnite creators would be able to make AI-powered characters of their own.

The voices for these new personas rely on “performances captured from independent professional actors specifically for use in developer-made islands,” Epic says. “The actors agreed to have their performances used to develop voice models that create the spoken responses for these LLM-powered Fortnite characters.”

Down the line, it sounds like Epic wants to make characters featuring voices from the well-known actors that have appeared in the Fortnite universe, but it will have to secure the right approvals to do so. “Our next step is to work with the relevant guilds and character voice actors who have previously worked on Fortnite Battle Royale to explore opportunities to make their original voices available across the Fortnite ecosystem,” the company says.

Continue Reading
Advertisement

Trending