A Single Phone Call Drained $751,430 from a Colgate-Palmolive Employee's 401(k) — Here's the Exact Attack Pattern

The Heist Nobody Talks About
An impostor called Alight Solutions — the recordkeeper managing Colgate-Palmolive's employee 401(k) plan — and claimed to be a Colgate employee. The request was simple: update the contact information on the account. Routine stuff.
Months later, the entire $751,430 balance was wired in a single lump sum to a Las Vegas address and bank account, according to Fox News. The real account holder had no idea until the money was gone.
Why 401(k)s Are the New Target
Criminals follow the money, and retirement accounts are where the real money sits.
The average American doesn't log into their 401(k) weekly — or even monthly. That inattention gives fraudsters a massive window. A thief who redirects your contact information has weeks, sometimes months, before the real account holder notices anything is wrong.
Fox News has been tracking an escalating pattern of 401(k) account takeover fraud throughout 2025 and into 2026. The Colgate-Palmolive case is the sharpest example yet — but it's not an isolated incident.
IDShield, in coverage dated 2026, specifically flagged Americans over 50 as the primary target demographic. Larger balances. Less frequent account monitoring. More likely to respond to phone-based social engineering.
The Attack Pattern
Step one: The scammer already has your personal data. Name, employer, partial account info — purchased from data brokers or pulled from any one of dozens of corporate breaches over the last five years. That's why the Colgate impersonator sounded credible. She had real information.
Step two: Call the plan recordkeeper — not you. Recordkeepers like Alight Solutions handle millions of accounts. Their phone reps process contact-information updates constantly. There's no face-to-face verification. The bar to pass identity checks is often shockingly low.
Step three: Once contact information is redirected, the scammer owns the communication channel. Password reset emails and SMS verification codes go to them, not you.
Step four: Request a lump-sum distribution. Wire it out. Done.
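The sequence above is exactly the kind of pattern a recordkeeper's own transaction review can catch before money moves. As an added example (not Alight Solutions' or any recordkeeper's code), the hold rule below flags a distribution request that follows a contact change or password reset on the same account within a policy window, run over constructed sample events; the event format, the 180-day window and the account ids are assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample of plan-account events; an assumed format, not any
# recordkeeper's real log schema. Fields: account, ISO timestamp, event,
# channel the request came in on, and a "key:value;..." detail string.
SAMPLE_EVENTS = [
    ("acct-100", "2025-03-02T10:15:00", "contact_change", "phone", "field:phone"),
    ("acct-100", "2025-03-02T10:16:00", "contact_change", "phone", "field:email"),
    ("acct-100", "2025-06-20T09:00:00", "password_reset", "web", ""),
    ("acct-100", "2025-06-21T14:30:00", "distribution_request", "web", "amount:751430;payee:new"),
    ("acct-200", "2025-01-10T11:00:00", "contact_change", "web", "field:email"),
    ("acct-200", "2025-09-15T08:00:00", "distribution_request", "web", "amount:5000;payee:existing"),
]

# Assumed policy window: a control change this recent makes a distribution
# request ineligible for straight-through processing.
LOOKBACK = timedelta(days=180)
CONTROL_EVENTS = {"contact_change", "password_reset"}

def parse_detail(detail):
    """Turn 'k:v;k:v' into a dict; an empty detail string gives {}."""
    return dict(kv.split(":", 1) for kv in detail.split(";") if kv)

def review_distributions(events):
    """Return (account, timestamp, reasons) for each distribution request that
    should be held for out-of-band verification with the participant, using
    the contact details on file from *before* any recent change."""
    by_account = {}
    for acct, ts, etype, channel, detail in events:
        by_account.setdefault(acct, []).append(
            (datetime.fromisoformat(ts), etype, channel, detail))
    findings = []
    for acct, evs in by_account.items():
        evs.sort()
        for when, etype, _channel, detail in evs:
            if etype != "distribution_request":
                continue
            reasons = []
            for earlier, e2, c2, _d2 in evs:
                if earlier >= when or when - earlier > LOOKBACK:
                    continue
                if e2 in CONTROL_EVENTS:
                    reasons.append(f"{e2} via {c2} {(when - earlier).days}d before")
            # A brand-new payee only matters in combination with a control change.
            if reasons and parse_detail(detail).get("payee") == "new":
                reasons.append("payout to a payee not previously on the account")
            if reasons:
                findings.append((acct, when.isoformat(), reasons))
    return findings
```

On the sample data only acct-100 is held: its contact details were changed by phone 111 days before a full-balance request to a new payee, while acct-200's email change is well outside the window.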
What Mainstream Coverage Is Getting Wrong
Most financial media frames this as a "cybersecurity" problem — urging people to use stronger passwords and enable two-factor authentication on their own accounts. That advice misses the real vulnerability.
In the Colgate case, the breach didn't happen because the victim had a weak password. It happened because the recordkeeper's phone verification process failed. The victim did nothing wrong. Alight Solutions got socially engineered.
Principal Financial Group's chief information security officer Russ Ayres, in guidance published September 11, 2025, emphasized that users should "register online for account access" and use multi-factor authentication. The advice is sound — but it doesn't protect you if someone calls your recordkeeper and changes your phone number before you ever log in.
The critical question: What verification standard did Alight Solutions use before processing that contact-information change? That answer matters more than any password tip.
The Regulatory Gap
401(k) accounts don't have the same fraud protections as bank accounts.
If someone drains your checking account fraudulently, federal Regulation E gives you rights to dispute and recover losses. No equivalent federal regulation covers 401(k) account takeover fraud with the same clarity. Recovery depends on plan documents, recordkeeper policies, and litigation — none of which are fast or guaranteed.
The DOL has issued cybersecurity guidance for plan administrators, but it's guidance, not enforceable regulation. Plan sponsors and recordkeepers set their own verification bars. Some are rigorous. Many are not.
What You Can Actually Do Right Now
Log into your 401(k) account today. Register online if you haven't. This prevents a scammer from establishing account access before you do. A scammer can't register a fake online profile for your account if yours already exists.
Call your plan administrator and ask specifically: What verification is required before contact information can be changed on my account? If the answer is vague, escalate to your HR department and demand a written policy.
Set up multi-factor authentication using an authenticator app — not SMS. SIM swap attacks can redirect text messages to a criminal's phone in under an hour.
Put a freeze on your credit. It won't stop 401(k) fraud directly, but it limits what additional damage scammers can do with your stolen identity once they've cashed out.
Check your account on a fixed schedule. Monthly is the minimum. Quarterly is gambling.
The Bottom Line
You spent decades building that retirement account. The people responsible for protecting it — plan recordkeepers — are using phone verification processes that a determined criminal can defeat with a five-minute call and stolen data from a breach that happened years ago.
One Colgate-Palmolive employee lost $751,430 before she knew anything was wrong. Your recordkeeper's verification process is the real line of defense.