A criminal posing as an employee phoned Alight Solutions, the recordkeeper for Colgate-Palmolive’s 401(k) plan. She provided the victim’s name, last four digits of the Social Security number, date of birth, and mailing address. That was enough to clear security. She changed the contact information, and Alight mailed a temporary password to the new address. Within weeks, the entire $751,430 balance was sent in a lump sum to a Las Vegas address and bank account. The real account holder, Paula Disberry, was living in South Africa.

Disberry sued Alight, Colgate’s benefits committee, and BNY Mellon. The case was settled on undisclosed terms. In February 2026, the Government Accountability Office told the Department of Labor to issue new guidance on retirement plan data security. The GAO cited eleven ERISA lawsuits filed between 2009 and 2024.

When a 401(k) is taken over, the fraud protections for credit cards do not apply. The FBI’s 2025 Internet Crime Report shows Americans 60 and older lost $7.7 billion, a 59% increase from the prior year.

Protection steps: Enable multi-factor authentication on the recordkeeper portal. Set up email and text alerts for any account changes. Confirm waiting periods between address changes and distributions. Review statements quarterly. Get an IRS Identity Protection PIN. Freeze credit at all three bureaus.
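The waiting period between contact changes and distributions, seen from the recordkeeper's side, as an added example that is not from the original article or from any recordkeeper's system. The 14-day window, the event names, the account IDs and the dates are assumptions constructed for illustration; only the dollar amount comes from the case above.

```python
from datetime import datetime, timedelta

HOLD_DAYS = 14  # assumed policy value; the article names the control, not a duration
# Hypothetical event types that redirect where mail, credentials or money go.
SENSITIVE = {"address_change", "phone_change", "email_change",
             "bank_change", "password_reset_mailed"}

# Constructed sample events. A-1001 follows the sequence described above;
# B-2002 has no recent changes; C-3003 changed address months earlier.
SAMPLE_EVENTS = [
    {"ts": "2023-06-01T08:00:00", "account": "C-3003", "type": "address_change"},
    {"ts": "2024-01-03T15:02:00", "account": "A-1001", "type": "address_change"},
    {"ts": "2024-01-05T09:00:00", "account": "A-1001", "type": "password_reset_mailed"},
    {"ts": "2024-01-12T11:30:00", "account": "A-1001", "type": "bank_change"},
    {"ts": "2024-01-16T10:15:00", "account": "A-1001", "type": "distribution_request", "amount": 751430},
    {"ts": "2024-01-16T10:20:00", "account": "B-2002", "type": "distribution_request", "amount": 12000},
    {"ts": "2024-01-20T14:00:00", "account": "C-3003", "type": "distribution_request", "amount": 5000},
]

def review_distributions(events, hold_days=HOLD_DAYS):
    """Return one decision per distribution request, in time order.

    A request is held for out-of-band verification (to contact details on
    file before the change) if any sensitive change on the same account
    happened within the hold window; otherwise it is released.
    """
    window = timedelta(days=hold_days)
    recent = {}  # account -> [(timestamp, event type)] of sensitive changes
    decisions = []
    for ev in sorted(events, key=lambda e: e["ts"]):  # ISO strings sort by time
        ts = datetime.fromisoformat(ev["ts"])
        if ev["type"] in SENSITIVE:
            recent.setdefault(ev["account"], []).append((ts, ev["type"]))
        elif ev["type"] == "distribution_request":
            reasons = [f"{kind} {(ts - when).days}d earlier"
                       for when, kind in recent.get(ev["account"], [])
                       if ts - when <= window]
            decisions.append({"account": ev["account"],
                              "amount": ev["amount"],
                              "action": "hold" if reasons else "release",
                              "reasons": reasons})
    return decisions

if __name__ == "__main__":
    for d in review_distributions(SAMPLE_EVENTS):
        print(d["account"], d["action"], d["amount"], d["reasons"])
```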