A stranger called a retirement plan recordkeeper, pretended to be an employee, and a $751,430 401(k) vanished to a Las Vegas address while the real owner lived in South Africa. This piece walks through how that happened, why call-center checks often fail, the legal fallout and what account holders can do right now to harden their retirement savings. It also looks at wider trends showing retirees are a favorite target for online criminals and why stronger alerts and identity monitoring matter more than ever.
An impostor reached Alight Solutions, the recordkeeper for a large company plan, and used basic personal data to clear the center’s verification. That was enough for Alight to change contact details and issue a temporary password by mail, which the impostor intercepted. Within weeks, the plan paid out the entire $751,430 balance to a Las Vegas address and bank account while the legitimate owner, Paula Disberry, lived abroad.
Disberry sued Alight, the employer’s benefits committee and the plan custodian, BNY Mellon, to try to recover the funds; the suit ended in an undisclosed settlement. Courts never made a final ruling that Alight must restore the money. The case is a warning: the legal path is long, uncertain and doesn’t guarantee victims get their retirement back.
In February 2026 the Government Accountability Office urged the Department of Labor to issue new guidance on participant data after identifying eleven separate lawsuits under ERISA between 2009 and 2024. Those suits show a pattern of recordkeepers being targeted and plan participants left scrambling. When a retirement account is hijacked, the consumer protections people expect with credit cards typically don’t apply to 401(k) distributions.
The wider numbers are worrying. The FBI’s 2026 Internet Crime Report found Americans 60 and older lost billions to internet crime, with investment fraud a massive portion of that loss. Older savers hold the bulk of retirement assets, and scammers know that; they use social engineering, dark web data and convincing scripts to get people or plan operators to hand over access or approvals.
Account takeovers tend to start with available personal data. Names, birth dates, partial Social Security numbers and recycled passwords often show up in breach dumps, and attackers test that stolen data against login portals or call centers. Sometimes they go straight to the plan administrator and social-engineer a change instead of breaking into an online account.
Other victims show how flexible the tactic is. A former employee alleged a hacker reset a portal password via the forgot-password flow and triggered a large payout, while another retiree was convinced to move funds himself by callers posing as investigators. Those scams prove attackers can get retirement money either by fooling the system or the saver.
There are inexpensive controls that make theft harder. Turn on multi-factor authentication, enable every account-change alert your plan offers and use strong, unique passwords. Ask your plan administrator what steps they take after an address, phone number or bank account change and whether they hold distributions for a cooling-off period that actually gets enforced.
Identity monitoring services add another layer by scanning credit reports, the dark web and people-search sites, and by flagging unfamiliar transactions across linked accounts. A free breach scan can help spot exposed data early so you can act before a takeover becomes irreversible. If you see a suspicious distribution or unapproved contact change, raise it immediately with your employer’s plan administrator and your bank.
Some phrases to notice in the conversation about protection are already familiar: “Sign up for my FREE CyberGuy Report” and “REMOVE YOUR DATA TO PROTECT YOUR RETIREMENT FROM SCAMMERS” are calls to action urging people to reduce exposed data and watch accounts closely. The core takeaway is practical: enable alerts, use identity monitoring, and question any unexpected contact or change. No one should discover months later that their life savings disappeared because a call center didn’t sound the alarm.
