Call it a different kind of bank robbery: thieves are now reaching into retirement accounts, which frequently have far fewer protections than traditional banks.
As one suburban Chicago couple recently was stunned to learn, the burden of spotting this kind of fraud has recently been placed squarely on the shoulders of customers, many of whom deposited the money with an “invest it and forget it” mentality. That long-held practice can now be a very risky one.
We are calling them “K” and “J.” As recent victims of identity theft, the married couple of 46 years asked NBC5 Responds to omit their full names from this report. When they first shared the details of their story with NBC5, K and J said they wanted to share what they believed to be a cautionary tale.
At that time, they’d lost $40,000 to a thief who somehow impersonated his way into their Fidelity Investments retirement account, changed crucial contact details within that account, and syphoned out two separate $20,000 withdrawals. Their repeated pleas to the investment firm to return their money were denied, because the couple had not detected the fraud within the company’s required 30-day timeline to report it.
Feeling out of the loop? We'll catch you up on the Chicago news you need to know. Sign up for the weekly Chicago Catch-Up newsletter here.
The incident flipped on its head the retirees’ notion of safety in retirement accounts.
“I thought depositing funds at Fidelity would be as safe as if I had deposited my money at Fort Knox. That was my impression,” K told us. “We were both flabbergasted, stunned. Because when this was discovered we assumed that the money would be returned right away.”
K and J say they were only alerted to the theft by Chase Bank, which sent J three account statements in late 2020.
“Chase bank sent me three zero balance statements- and I’m saying, I don’t have an account there,” J told NBC5 Responds.
K and J say they soon learned the money that was deposited at Chase in J’s name came from their joint Fidelity account. As they unraveled the theft, the couple learned a thief impersonating J had somehow entered their Fidelity account online and changed one of their main contact details: a phone number. They say no one at Fidelity reached out to them to confirm that request.
"One phone call is all it would have taken," K says.
The couple says they noticed a dip in their Fidelity savings amount, but chalked it up to the wild pandemic-related swings of the stock market.
The money was moved out of their joint account in June of 2020 and into a separate, fraudulent account opened in J’s name at Fidelity. Days later, it was moved again: into accounts opened in J’s name at Chase Bank. Chase confirms to NBC5 Responds it has determined the accounts opened in J’s name were opened via fraudulent methods.
Fidelity also determined the activity to be of a “suspicious” nature, and froze access to K and J’s account, after that $40,00 was withdrawn. The couple says Fidelity told them it sent a letter in July outlining the security freeze, via USPS normal delivery. They say they never received it.
A potentially widespread risk non-profit Consumers’ Checkbook calls “a sleeping giant.”
“When you dig into investment firms’ policies themselves, you find that, well, no—really, it’s up to you the customer to protect yourself if there is a problem. There’s really no guarantee at all the investment company is going to return your money unless the fraud was completely their fault,” Checkbook Executive editor Kevin Brasler told NBC5 Responds.
A burden Checkbook says is squarely- and unfairly- put on customers’ shoulders. He says K and J’s story is a chilling case-in-point.
“The bigger problem isn’t that the fraud occurred, it’s that the investment company decided to take no responsibility for it and I think that is a big red flag, a big warning shot to consumers,” Brasler said.
Cyber intelligence group Financial Services Information Sharing and Analysis Center, which works with the financial services industry, shares in the worry.
“Cyber theft from retirement accounts is a growing concern. In the US, people tend to hold a substantial amount of their wealth in a retirement account so they are relatively high-value targets,” CEO Steven Silberstein said. “Customers often re-use the same passwords for different accounts, which increases the likelihood of their credentials being available for sale on the dark web.”
While it is clear the onus to spot fraud within a certain timeframe is now a responsibility facing investment customers, many say they have never heard that requirement.
In K and J’s case, that is main reason why their appeals for reimbursement were denied, three separate times.
"They said, we have determined that you did not tell us within 30 days. So we're sorry but we cannot honor your claim. Done," K told NBC5 Responds.
NBC5 asked Fidelity to speak to us about this case, specifically that its customers say no live phone call was made to warn them that suspicious activity was detected on their account.
Fidelity declined an on-camera interview. The company then reversed course on its previous denials, reimbursing K and J the full $40,000 stolen from their account.
Through its spokesperson, the company offered this statement to NBC5 Responds:
“To best protect our customers’ information and accounts against ongoing fraud and cyber threats, Fidelity has invested significantly in a full range of physical, electronic, and procedural controls. We began notifying the customers of the activity in question in May 2020 and continued via different means over several months. However, we were not contacted by the customers until over six months later. While well outside the 30-day deadline to be eligible for the Fidelity Customer Protection Guarantee, after further review, we decided to reimburse (the customers) due to exceptional circumstances over the past year. This is yet another example of Fidelity’s longstanding value of always putting the customer first. Customers can and should contact us at any time if they have questions or concerns about activity in their accounts.”
News of the company’s changed decision came as a relief to K and J, who said from day one they hoped their story could serve as helpful for others.
"I truly believe that without (NBC5 Responds) agreeing to investigate this case, and air this case-- we would be dead in the water,” K said. “We did nothing wrong. They allowed somebody to come into our account and steal money and their, their protections failed miserably."
Money back in their account the grandparents of 17 grandchildren say they will watch over, vigilantly.
"I think it's extremely important. I want to make clear that you are your best watchdog there is nobody else who is going to do it," K said.