The examples and case studies in this article are hypothetical but represent real situations I have encountered in my practice working with Washington State public employees.
One of the things I ask clients about is their account security. How they protect their online logins. Whether they use unique passwords. What kind of verification they have set up on their financial accounts.

The answer is almost always the same. Same password across most accounts. Verification codes sent by text message. Maybe a vague sense that they should probably do more, but it hasn’t felt urgent enough to act on.

These are people who have done everything right when it comes to saving. They’ve been contributing to their DCP for years. They’ve maxed out Roth IRAs. They’re sitting on solid PERS, LEOFF, or TRS pensions. And yet this one area, the security around their accounts, almost never gets any attention.

I get it. It doesn’t feel like financial planning. But after looking at the latest data on cybercrime, I think it might be one of the most important financial planning conversations we’re not having.

It’s not your investments that keep me up at night

I spend a lot of time helping clients think about pension options, Roth conversions, tax-efficient withdrawal strategies, and building a proper war chest for early retirement. Those are the big, tangible planning decisions. But here’s what I’ve started telling people more often: a gap in your cybersecurity can do just as much damage to your retirement as picking a bad investment. If not more.

According to the FBI’s 2025 Internet Crime Report, Americans lost nearly $20.9 billion to cyber-enabled fraud last year. [1] That was a 26% increase from the year before. And investment-related fraud was the single largest category, accounting for more than $8.6 billion of those losses. [1] The people losing money aren’t careless. They’re retirement savers. People who spent decades building a nest egg.

How a six-digit code can unlock your entire retirement

Here’s what I think most people don’t realize. When you log into a financial account, you assume there are three separate things protecting you: your username, your password, and that multi-factor authentication code that gets texted to your phone. Three layers sounds pretty safe.

But think about what happens when you forget your password. Most financial institutions ask you to verify a few pieces of personal information, like your name, date of birth, the last four digits of your Social Security number, and your zip code. Then they send you a verification code to reset everything.

After years of large-scale data breaches, that personal information may already be out there for a lot of Americans. Which means that six-digit verification code might be one of the last real barriers protecting your retirement savings.

Account takeover fraud, where someone gains access to your financial accounts through social engineering, resulted in roughly $360 million in reported losses across approximately 4,700 incidents last year. [1] And since that only reflects what was actually reported, the real number is almost certainly higher.

The pattern to watch for

What I’ve learned from studying these situations is that the scam almost always follows the same pattern. Someone contacts you, claims to be from your bank or brokerage, and says there’s suspicious activity on your account. They create a sense of urgency. Then they ask you to verify your identity by reading back a code that was just sent to your phone. And that’s it. That one code can give a thief full access.

The FBI actually has a term for people who show up at the exact moment you feel most vulnerable. They call them "rescue merchants." They present themselves as the helpful professional rushing in to save you. It works because when someone tells you your money is at risk, your instinct is to act, not to pause.

Why this matters for Washington public employees specifically

If you’re a Washington public employee approaching retirement, you likely have money spread across multiple accounts: your DRS pension, a DCP 457(b) plan, maybe a Roth IRA or traditional IRA, and possibly a taxable brokerage account. Each of those accounts is a potential target. And the more accounts you have, the more entry points exist.

Washington residents filed over 25,600 cybercrime complaints in 2025, with total losses exceeding $458 million. [1] For Washingtonians over 60, the numbers were especially concerning: more than 5,300 complaints and nearly $180 million in losses. [1]

Your pension itself is protected by the state retirement system. Nobody is draining that. But your DCP account, your IRAs, your brokerage accounts? Those are held at financial custodians, and they’re only as safe as your login credentials and the security practices you put around them.

What you can do about it

Never share a verification code with anyone who contacts you. If your bank or brokerage calls, don’t give them anything. Hang up, then call the number on the back of your card or type the institution’s website directly into your browser. If there truly was suspicious activity, they’ll know about it when you call them.

Switch to an authenticator app. If your financial institution offers one, use it. Authenticator apps generate codes directly on your device, which makes them much harder to intercept than codes sent via text message.

Add a verbal password to your accounts. Some institutions allow you to set up an extra PIN or verbal password before any changes can be made over the phone. It’s a simple step, but one more hurdle for anyone trying to access your money.

Freeze your credit. This won’t stop every scam, but it prevents someone from opening new accounts in your name. You can freeze and unfreeze your credit for free at each of the three major bureaus.

Consider a password manager. Using the same password across accounts is one of the most common vulnerabilities I see. A password manager generates unique, complex passwords for each account so you don’t have to remember them all.

The bigger picture

I think there’s a reason most people focus on their investments and not their security. Investment decisions feel tangible. They feel like you’re doing something productive. Figuring out how to freeze your credit or set up an authenticator app feels like a chore.

But here’s the thing. You could have the perfect pension option selected, a beautifully diversified portfolio, and a tax-efficient withdrawal strategy, and a single text message and a six-digit code could put a meaningful chunk of that progress at risk.

It’s one of those areas where a small amount of effort up front can save you from a devastating outcome later. And if you’re within a few years of retirement, the stakes are even higher, because you may not have the time or the earning years to recover from a significant loss.

So take an hour this weekend. Update your passwords. Turn on an authenticator app. Freeze your credit if you haven’t already. These aren’t exciting steps. But they’re the kind of thing that protects everything else you’ve worked so hard to build.

Sources

1. Federal Bureau of Investigation. “2025 Internet Crime Report.” Internet Crime Complaint Center (IC3). 2025. https://www.ic3.gov/AnnualReport/Reports/2025_IC3Report.pdf
2. Securities Investor Protection Corporation. “What is SIPC?” https://www.sipc.org/for-investors/what-sipc-protects
3. Fidelity Investments. “What is SIPC coverage?” April 23, 2025. https://www.fidelity.com/learning-center/smart-money/sipc
Authors

Bob Deal is a CPA with over 30 years of experience and has been a financial planner for 25 years.