She opened a Roth IRA decades ago, hasn’t contributed in years, and listed her husband as the primary beneficiary. Recently she received the standard five-year account review letter and noticed something she hadn’t put there. Two contingent beneficiaries had been added to the account, a man identified by initials and a woman identified by initials, each listed at 50%. She has no idea who either of them is. Her husband doesn’t recognize them either. She’s already initiated a fraud investigation with the account holder and is trying to understand how this could have happened and what else she should be doing.
The representative she spoke with told her that beneficiaries can’t withdraw money from the account while she’s alive, which is technically accurate but doesn’t address the actual problem, which is that someone gained access to her retirement account and changed it without her knowledge or consent.
💸 Take Back Control of Your Finances in 2025 💸
Get Instant Access to our free mini course
5 DAYS TO A BETTER BUDGET
How beneficiary changes typically happen and where the breach likely occurred
Most financial institutions allow beneficiary designations to be updated online, by phone, or through written forms. The online route is the most common vector for unauthorized changes because it requires only that someone be able to log into the account, and login credentials are among the most commonly compromised pieces of personal information in data breaches.
She mentioned receiving multiple breach notifications from various companies over the years, which means her email address, passwords, and potentially other identifying information have likely been exposed in at least some of those breaches. If she reused passwords across accounts or if her email account was compromised at any point, someone with access to her email could have requested a password reset on her Roth IRA account and then made changes from inside the account before she noticed anything.
Some institutions also allow beneficiary changes by phone with minimal verification, and social engineering, where someone calls pretending to be the account holder and provides enough personal information to pass security questions, is another route that has been used successfully against financial accounts. The initials on the beneficiary designations suggest specific individuals were named rather than random placeholders, which points toward someone who knew what they were doing and had a purpose in mind.
What the contingent beneficiary designation actually means
The representative’s reassurance that beneficiaries can’t withdraw money while she’s alive is correct but incomplete. A contingent beneficiary has no access to the account while the primary beneficiary, her husband, is alive and while she is alive. The contingent beneficiaries would only inherit if both she and her husband died. So the practical effect of this change is that two strangers are currently positioned to receive 100% of her Roth IRA if both she and her husband die before she removes them.
That’s not a theoretical concern to dismiss. It’s an unauthorized designation that directs her retirement assets to unknown individuals, and it needs to be removed regardless of when it would take effect.
Steps beyond the fraud investigation already underway
The fraud investigation she’s initiated is the right first move, but there are additional steps worth taking in parallel. She should request a complete account history from the financial institution showing every change made to the account, including when the contingent beneficiaries were added, what method was used to make the change, what IP address or device was associated with the session if it was done online, and whether any contact information on the account was altered around the same time.
She should also change her account password and enable the strongest available multi-factor authentication on the Roth IRA account and on the email address associated with it. If her email account uses the same password as it did when any of the breach notifications arrived, that password needs to change immediately and the email account needs its own strong multi-factor authentication enabled.
Freezing her credit with all three major bureaus if she hasn’t already done so limits what someone with her personal information can do beyond the account they’ve already accessed. She should also check whether any other financial accounts have beneficiary designations that may have been altered, since someone who accessed one account may have attempted the same thing elsewhere.
Filing a complaint with the appropriate regulators
Beyond the internal fraud investigation, she can file a complaint with the Consumer Financial Protection Bureau and with FINRA if the account is held through a brokerage. These complaints create official records outside the financial institution itself and sometimes produce more thorough responses than internal investigations alone. If the institution is a bank, a complaint with the OCC or FDIC depending on the charter type is also an option.
The FBI’s Internet Crime Complaint Center accepts reports of financial account fraud, and filing there creates a federal record that can be relevant if law enforcement becomes involved or if she eventually learns who the named individuals are and wants to pursue further action.
Featured on Cents + Purpose: