The 401(k) security briefing your plan sponsors need

AI-enabled fraud is targeting retirement plans. Here's how advisors can help sponsors.

Key takeaways on 401(k) security:

  • Deepfake identity fraud is on track to surge nearly 500% over the course of 2026.
  • 401(k) plans are targeted by fraudsters due to large balances, infrequent logins, and a multi-party chain of custody where fraud can go undetected for weeks.
  • Most retirement fraud stems from social engineering—not data breaches—making participant education and basic hygiene (MFA, password managers, quarterly account checks) critical defenses.

Retirement plans are a high-value, low-vigilance target: big balances, infrequent logins, and multiple service provider touchpoints. AI has made the fraud landscape meaningfully worse in the last 18 months. This is the security briefing your plan sponsor clients probably haven't gotten yet.

Why 401(k) plans are uniquely exposed

Retirement assets sit at the intersection of everything fraudsters look for: They're often a participant's second-largest asset after their home, logins are infrequent enough that losses can go unnoticed for weeks, and money moves through a chain—advisor, sponsor, recordkeeper, TPA. Fraudsters may use publicly available information to target participants, plan sponsors, and advisors.

Here are 7 steps you can take to help protect your clients' security.

The 2026 threat landscape

The human verification layer that we've relied on for so long is no longer reliable.

As AI capabilities increase, fraudsters are finding ways to target retirement plans.

One type of attack involves voice-based phone calls, where a fraudster convincingly imitates a person's voice using AI, a technique known as a deepfake. Fraudsters are also using deepfake video and increasingly targeted social engineering, where attackers research their victims in advance to make impersonation attempts more convincing. Worryingly, deepfake identity fraud is on track to surge nearly 500% over the course of 2026.

What regulators now expect

The Department of Labor has issued cybersecurity guidance for ERISA plans that sets a clear bar for what plan sponsors should look for from providers. Key requirements include a documented security program, controls that match today's threat environment—multi-factor authentication (MFA), active monitoring, encryption—diligence on third-party vendors, and an incident response plan that's actually been tested, not just written down and filed away.

You can learn more about the DOL guidance and how Betterment addresses it here.

Your plan sponsor clients may not know this guidance exists. That's an opening: Cyber diligence is now part of what it means to select a prudent provider, and advisors who can walk sponsors through that checklist are delivering real value.

Practical protection for participants

Most retirement-plan fraud doesn't come from databases getting breached. It comes from people getting tricked—a convincing phone call, a fake login page, a weeks-long relationship that turns out to be a scam.

The basics go a long way:

  • Turn on MFA—app-based, not just SMS.
  • Use a password manager.
  • Add a trusted contact to the account.
  • Check the account balance and activity once a quarter.

None of these are complicated, but few participants have done all four.

If a participant's email gets compromised, here's the playbook to walk them through:

  1. Lock down access. Help them reset credentials to their email account, the plan portal, and any other financial institutions. Force a logout of all active sessions.
  2. Re-enroll MFA from a different device. If the attacker had access to the phone or computer the client normally uses, that device may still be compromised—and any new MFA factors enrolled on it could be captured too. Use a phone, tablet, or computer the attacker hasn't touched. Brand-new isn't required; just different.
  3. Audit the last 30–90 days. Look at distributions, loans, beneficiary designations, and address changes.
  4. Watch for rollover requests. They're the most common follow-on to an account takeover—flag anything that comes in shortly after.
  5. Document everything and notify the recordkeeper and the plan sponsor. The paper trail matters.
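
The audit in steps 3 and 4 can be run mechanically over an activity export. The script below is an added illustration, not Betterment's or any recordkeeper's code: it flags the high-risk event types the playbook names inside a lookback window around the date the compromise was discovered, and separately calls out a rollover request that lands shortly after that date. The activity feed and the discovery date are constructed sample values.

```python
from datetime import date, timedelta

# Event types the playbook says to audit after an email compromise.
HIGH_RISK_EVENTS = {"distribution", "loan", "beneficiary_change", "address_change", "rollover_request"}

# Constructed sample activity feed for one participant (illustrative, not real data).
SAMPLE_ACTIVITY = [
    {"date": "2025-10-01", "event": "distribution", "detail": "hardship withdrawal"},
    {"date": "2026-01-05", "event": "login", "detail": "usual device"},
    {"date": "2026-02-10", "event": "address_change", "detail": "mailing address updated"},
    {"date": "2026-02-11", "event": "beneficiary_change", "detail": "primary beneficiary replaced"},
    {"date": "2026-02-14", "event": "rollover_request", "detail": "full balance to outside IRA"},
    {"date": "2026-02-20", "event": "contribution", "detail": "payroll deferral"},
]


def audit_activity(activity, discovered, lookback_days=90, follow_on_days=14):
    """Return flagged events as (date, event, reason) tuples, oldest first.

    discovered: ISO date on which the compromise was found (hypothetical input).
    The window runs from lookback_days before discovery through follow_on_days
    after it, so changes made before anyone noticed and the rollover that
    typically follows a takeover are both caught.
    """
    found = date.fromisoformat(discovered)
    window_start = found - timedelta(days=lookback_days)
    window_end = found + timedelta(days=follow_on_days)
    flagged = []
    for entry in activity:
        when = date.fromisoformat(entry["date"])
        if entry["event"] not in HIGH_RISK_EVENTS or not (window_start <= when <= window_end):
            continue
        reason = "high-risk change inside audit window"
        if entry["event"] == "rollover_request" and when >= found:
            reason = "rollover request shortly after account takeover"
        flagged.append((entry["date"], entry["event"], reason))
    return sorted(flagged)


def run_sample():
    """Audit the constructed feed with a discovery date of 2026-02-12."""
    return audit_activity(SAMPLE_ACTIVITY, "2026-02-12")


if __name__ == "__main__":
    for when, event, reason in run_sample():
        print(f"{when}  {event:<20} {reason}")
```

The October distribution falls outside the 90-day window and the login and payroll contribution are not high-risk types, so only the address change, beneficiary change, and the post-discovery rollover request are reported.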

How sponsor-level controls work

A key control in managing a retirement plan is the application of access controls to ensure that high-risk activities are restricted to authorized parties. Roles such as advisors or plan sponsors may be established with some plan administration capabilities; however, transactions such as distributions, signer changes, plan amendments, and payroll-related changes require authentication directly from the plan sponsor. A forwarded email, even one that looks completely legitimate, does not authenticate a transaction.

The line is drawn there to make social engineering hard: fraudsters try to impersonate advisors, plan sponsors, and service providers, so a request relayed by any of those parties cannot substitute for the sponsor authenticating the transaction directly.

How to use this in your practice

Security is a natural way to reopen a conversation with plan sponsors who haven't reviewed their provider in a while.

The entry point isn't "you should switch providers"—it's "when was the last time anyone walked you through the cyber-diligence side of your plan?"

Betterment's Trust Portal and the 401(k) security brochure give sponsors something concrete to work from. Both are available through your Client Success Manager or at trust.betterment.com.

Ready to bring a sponsor into the conversation?

If you already have an account with Betterment Advisor Solutions, use the Request a Proposal button in your advisor dashboard—it reaches the right team within one business day.

If you or a plan sponsor that you support would like to access documentation to support due diligence activities, the Betterment trust portal can be used to access independent SOC audit reports, key policies, and other supporting documentation.

If you're exploring offering a 401(k) with Betterment for the first time, learn more here.