How to Talk to Participants About Cybersecurity

Protecting against scams is a ‘community sport,’ says Sastry Durvasula, TIAA’s chief operating, information and digital officer.


It may be the season of giving, but sharing retirement assets with a fraudster does not provide any cheer, holiday or otherwise.

Heading into 2026, plan sponsors, advisers, recordkeepers and participants should bear in mind that cybersecurity is a “community sport,” says Sastry Durvasula, TIAA’s chief operating, information and digital officer. “It is a shared accountability.”


“But much of the onus of fraud prevention falls on us as individuals,” wrote Luke Delorme, director of financial planning at Tableaux Wealth, in “Preventing Cyber Scams that Target Seniors,” a blog post for the Center for Retirement Research at Boston College.

To educate participants, Durvasula says the most important thing for plan sponsors and recordkeepers to communicate is that digital scams exist across an “evolving landscape.” Not only are there commonplace clickbait phishing emails, but also artificial intelligence-powered deepfake scams sophisticated enough to make even the most tech-savvy of participants fall prey.

Scams Targeting Seniors

According to the FBI’s 2023 “Internet Crime Report,” more than 100,000 people age 60 and older lost a combined $3.4 billion to fraud in 2023 alone.

The National Council on Aging reported that one of the most common scams targeting retirees today is the “grandparent scam,” in which a caller gains the trust of an older adult and tricks them into volunteering information such as their grandchild’s name. The caller then impersonates the grandchild and pretends to be in distress, asking for help with a medical emergency, late rent or other urgent financial need. More concerningly, with AI, scam artists can potentially clone the voices of real relatives to bolster their operations.

Delorme advises his clients to always verify any financial request that comes to them, no matter the medium through which it is delivered.

“Verify before you trust,” Delorme wrote in his blog post. “If someone claims to be from your bank or a tech company, or that they’re a grandchild in trouble, hang up and call back using a known number, not one provided by the caller.”

“Bringing [older adults’] trusted contacts into the protection ecosystem is critical,” suggests Durvasula. He explains that while increased longevity among participants is good, cognitive decline is a side effect of living longer, leaving people far more susceptible to scams than they might have been at a younger age.

Best Practices for Sponsors and Recordkeepers

Julie Doran Stewart, senior vice president of fiduciary advisory services at the Sentinel Group, says cybersecurity messaging should come from both recordkeepers and plan sponsors. However, for active employees, receiving a nudge from an “internal champion,” like a leader within the participant’s human resources department, may be the extra push that is needed.

“Messaging from recordkeepers is important, but having that internal person [participants] actually know and trust is more critical … to steer participants in the right direction,” Stewart says. “It has to be a one-two punch.”

Stewart advises her plan sponsor clients to encourage their participants to activate and continually monitor their online accounts, as well as to follow the online security tips provided by the Department of Labor’s Employee Benefits Security Administration. The tips include recommendations to use multi-factor authentication, to be wary of the risks that come with accessing free WiFi networks, and to close or delete unused accounts. She regularly encourages sponsors to communicate this guidance by distributing a copy of the tips to their employees.

In the age of automatic enrollment, accounts can be more susceptible to fraud if participants do not set up their “digital fingerprint,” Stewart says.

“There’s sometimes a misperception from participants that if [they] never log in, [they’re] somehow safer,” she adds. “That actually exposes [them] more so to bad actors.”

On the recordkeeper front, Stewart recommends a “cooling-off period” between an account being updated with new contact information and the plan sending out requested distributions. Such a delay gives the plan sponsor’s or recordkeeper’s team time to catch a scam before funds are lost.
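The cooling-off control described above can be expressed as a simple rule over an account’s change history: if any sensitive contact attribute was changed within the window before a distribution request, the request is held for manual review until the window has elapsed. The code below is an added illustration, not TIAA’s, Sentinel’s or any recordkeeper’s system; the 14-day window, the list of fields treated as sensitive, and the sample change history are all constructed assumptions for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

# Contact attributes whose change starts the cooling-off clock.
# This list is an assumption for the example; a plan would define its own.
SENSITIVE_FIELDS = frozenset({"email", "phone", "mailing_address", "bank_account"})

# Default hold window; also an assumption, not a figure from the article.
DEFAULT_WINDOW = timedelta(days=14)


@dataclass(frozen=True)
class ContactChange:
    field_name: str
    changed_at: datetime


@dataclass(frozen=True)
class DistributionRequest:
    account_id: str
    amount: float
    requested_at: datetime


@dataclass(frozen=True)
class Decision:
    action: str                    # "release" or "hold"
    release_on: Optional[datetime]  # earliest time the request may be paid out
    reasons: Tuple[str, ...]       # notes for the manual-review queue


def recent_sensitive_changes(changes: List[ContactChange], as_of: datetime,
                             window: timedelta) -> List[ContactChange]:
    """Sensitive-field changes made within `window` before `as_of`.

    Changes dated after `as_of` are ignored so that a backdated request
    cannot be evaluated against edits that had not yet happened.
    """
    cutoff = as_of - window
    return [c for c in changes
            if c.field_name in SENSITIVE_FIELDS and cutoff < c.changed_at <= as_of]


def review_distribution(request: DistributionRequest, changes: List[ContactChange],
                        window: timedelta = DEFAULT_WINDOW) -> Decision:
    """Apply the cooling-off rule to one distribution request."""
    recent = recent_sensitive_changes(changes, request.requested_at, window)
    if not recent:
        return Decision("release", request.requested_at, ())
    # The clock restarts at the most recent sensitive change, so several
    # edits in quick succession extend the hold rather than shortening it.
    latest = max(c.changed_at for c in recent)
    reasons = tuple(
        f"{c.field_name} changed {(request.requested_at - c.changed_at).days} day(s) before request"
        for c in sorted(recent, key=lambda c: c.changed_at)
    )
    return Decision("hold", latest + window, reasons)


# Constructed change history for one account (not real data).
CONSTRUCTED_HISTORY = [
    ContactChange("email", datetime(2025, 12, 1, 9, 0)),
    ContactChange("bank_account", datetime(2025, 12, 3, 14, 30)),
    ContactChange("display_name", datetime(2025, 12, 4, 8, 0)),  # not sensitive
]


def demo() -> Tuple[Decision, Decision]:
    """Evaluate one request inside the window and one well after it."""
    early = DistributionRequest("acct-001", 25000.0, datetime(2025, 12, 5, 10, 0))
    late = DistributionRequest("acct-001", 25000.0, datetime(2026, 1, 10, 10, 0))
    return (review_distribution(early, CONSTRUCTED_HISTORY),
            review_distribution(late, CONSTRUCTED_HISTORY))


if __name__ == "__main__":
    for decision in demo():
        print(decision.action, decision.release_on, *decision.reasons, sep=" | ")
```

The rule is deliberately conservative: a change to any one sensitive field holds the whole request, and the hold is measured from the latest change rather than the first, so a fraudster who edits the email address and then the bank account on separate days does not shorten the wait. A reviewer sees which fields changed and how recently, which is the information needed to call the participant back on a previously known number.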

Durvasula says “regular reinforcement” and communication of scam awareness education are also essential. TIAA sends booster messages to participants every few months, especially on the heels of a larger global attack.

“We want plan sponsors to … use their regular communications to keep the beat going on cyber fraud,” says Durvasula.

Stewart has similar thoughts.

“Cybersecurity is not a one-and-done deal,” Stewart advises her clients. “Make it a part of your periodic due diligence. Commit the time and attention.”
