Scammers aren’t just interested in your Social Security number and credit cards these days. They’re also snatching cash right out of your kids’ college savings accounts.
On June 27, the Connecticut Higher Education Trust (CHET), which offers the state’s 529 savings plan, announced that fraudsters had snatched $1.4 million from 21 of its CHET Direct investors, accessing users’ accounts online and making withdrawals.
Here’s the surprise: the activity occurred in accounts that previously had no online access, according to Connecticut’s deputy treasurer Larry Wilson.
“This is one reason why we encourage our account holders to establish online access as a way to enhance the security around their accounts,” he said.
The affected customers have been made whole, Wilson said.
TIAA-CREF Tuition Financing Inc., or TFI, is the program manager for CHET Direct.
“TFI’s ongoing investigation and analysis found no indication that the personal information used to steal money from CHET account holders was sourced or taken from CHET’s website, from TFI or any of its associated vendors,” said Chad Peterson, a spokesman for TIAA-CREF.
“The facts of this incident point to this fraudster as having personally identifiable information of account holders from a source other than CHET, TFI or its associated vendors and using it to gain unauthorized CHET account access and illegally redirect payments,” Peterson said.
Cybersecurity experts said the attack is a novel one, as college savings plans historically haven’t been popular targets among fraudsters. They tend to hold modest amounts: The average 529 plan account balance was $24,057 as of the end of 2017, according to College Savings Plan Network.
“This is one of the first times I’ve seen a 529 plan system attacked,” said David Dufour, vice president of engineering at Webroot.
Here’s what you need to know about safeguarding your college savings plan and other accounts.
“Everyone thinks of online banking accounts and credit cards, but we’ve seen thieves move to less obvious ways of moving money,” said Joe Nocera, a principal in PricewaterhouseCoopers’ U.S. advisory practice and cybersecurity financial services industry leader.
Those new potential sources of ill-gotten funds include 401(k)s, the cash value available in certain life insurance contracts and yes, your 529 college savings plan, he said.
All of these are pots of money that — unlike your checking account and credit card — may go unmonitored for long stretches of time.
“It’s the same set of fraudsters going to the new weakest link,” said Nocera.
Thieves have also stepped up their game, using tactics like cross-channel fraud.
In this case, they steal customer data from one access point on the internet — your e-mail address sign-in, for instance — and then use the information elsewhere to snag your cash.
“At some point, they will contact the call center with information that they’ve obtained online and put forward a transaction,” said Nocera of PricewaterhouseCoopers. “It’s a hybrid type of attack.”
Other times, thieves may call up victims, impersonating the account provider, and ask for personal details.
Even your own social media accounts can be used against you, Nocera said.
“If you post things about your family, even those non-traditional password questions could be derived from your social media interests,” he said.
While you may not interact with your 529 plan as much as you do your checking account, you can still take steps to safeguard your hard-earned savings.
Check in regularly: You may have decided to “set and forget” your 529 plan investments, but that doesn’t mean you should blow off your account altogether. Sign in often enough to identify any strange activity.
“Don’t check your account weekly or daily, but if you sit down to pay your bills, spend an extra two minutes to verify the balance,” said David Dufour, vice president of engineering at Webroot.
Use multi-factor authentication: Lock up your account by requiring another set of credentials in addition to signing in online. Multi-factor authentication, available at most banks, will require that you punch in a code that’s sent to your cell phone before you can access your account.
“If you can have that additional authentication, do it,” said Dufour. “For accounts you use frequently, you definitely want to do it.” Turn on real-time account activity alerts if they’re available.
Use complex passwords: Don’t recycle credentials for all of your accounts. Be sure to change your passwords periodically and keep them complex.
Watch what you share: If you’re sharing all the intimate details of your life on Twitter and Facebook, a hacker will have no problem answering questions your account provider may ask to confirm your identity.