Saturday, October 24, 2015

Panic At The Benefits Site

Bit of a panic moment, this morning. Got an email from my former employer's benefits plan administrator telling me "because your ESOP plan had less than the required minimum balance to be retained under the current program, your plan will be cashed out, taxes assessed and a check sent". This struck me as odd, because the only plan I was aware of that was managed by the brokerage was my 401(k), which, if it was below the minimum balance, would have meant that a not-inconsiderable chunk of money had somehow managed to go "poof".

The initial panic wasn't helped by the fact that the link that the plan-administrator sent to me to view my plan info was erroring out in a way that could have been interpreted as my account having been deactivated.

Decided, "calm down. Go run your morning errands. Try the site again in a couple hours and see if it was just a transient problem and not something more serious."

Get home and try the link again. Same damned error. Opt to try logging in using a different method. The different method worked. Found all my funds still present and an ESOP that I hadn't specifically known about.

And, no, the email wasn't bogus, just broken. I'd checked the headers before clicking the links ...and the fact that it was sent to an address set up specifically for use by the plan-administrator meant that, if it was a phish, they'd have had to have already compromised the administrator's site to get my address. Lastly, the site's URL and SSL certificate were all good. All those details in place, were it an exploit, they likely would have had a better effort-ROI by just extracting data directly from the site-owner than trying to phish me.
