Texas Employees beefs up cybersecurity after attack on retiree accounts

Published on August 6th, 2021

Using the personal information of a handful of retirees of Austin-based Employees Retirement System of Texas, two men set up fake accounts on the $33.9 billion plan's internet portal to reroute nearly $11,000 in annuity payments, buying and shipping used cars abroad, among other things.

That amount could have increased to a total of $131,461, had their efforts not been detected in 2017, federal charging documents show.

The story of the pair's money-laundering scheme closed its final chapter in late July, when the second of two conspirators was sentenced to eight years in prison and ordered to repay nearly $976,000 to multiple victims, including Texas Employees' defined benefit plan.

Cybersecurity experts say the actions of Olumide Bankole Morakinyo, a Nigerian citizen residing in Canada, and his New Hampshire-based co-conspirator, Lukman Shina Aminu, shine a bright light on the importance of vigilance among plan sponsors.

Asset owners are on cyberthieves' radar, sources said.

"Pension funds are a very desirable target for the bad guys because of all the personal information they have stored online, the amount of money they manage and (the fact that) a lot of funds are fairly small enterprises," said Steven J. Ross, senior consultant at Funston Advisory Group LLC, Bloomfield, Mich., a governance consultant.

"A thousand intrusions a day is not uncommon," Mr. Ross added.

According to court documents, Mr. Morakinyo pleaded guilty to conspiracy to commit money laundering.

During his July 28 sentencing hearing in U.S. District Court in Austin, Judge Robert Pitman ordered that Mr. Morakinyo serve three years of supervised release in addition to his prison sentence and pay restitution to victims of his fraud scheme, according to a news release from the Department of Justice.

Mr. Aminu, charged in a second indictment, was sentenced Dec. 18, 2019, to a little more than four years in prison, the release said.

Mr. Morakinyo set up unauthorized accounts for ERS participants via the system's internet portal and used their personal identification information to make changes to their accounts. By using bank deposit information on file in the internet portal, the men rerouted annuity payments to debit cards, the Justice Department release said.

Mr. Aminu controlled the debit cards, which were used for cash withdrawals, transfers, deposits and money orders for personal expenses on Mr. Morakinyo's orders, the DOJ said.

Money on the debit cards also was utilized to buy used vehicles that were shipped to Nigeria and the West African nation of Benin for resale, according to the release.

"With these international automobile transactions, (Mr.) Morakinyo and his conspirators laundered the fraud proceeds by concealing the source of the funds and making the money appear to be legitimate income," the DOJ said in the release.

Texas Employees staffers first detected the unauthorized attempts to access retirees' accounts in October 2017 and contacted the Texas Department of Public Safety to report the suspicious activity, which appeared to be criminal in nature, system spokeswoman Mary Jane Wardlow said in an email.

A total of $10,605 was stolen from four retirees receiving annuity payments from Texas Employees' defined benefit plan as part of a money-laundering scheme, Ms. Wardlow said.

Mr. Morakinyo breached Texas Employees' internet portal, created 30 accounts for retirees and changed the bank accounts for 26 of those people, with a potential loss of $131,461, according to a July 19, 2019, criminal complaint.

Ms. Wardlow stressed that money was stolen from only four accounts.

In addition to working with the Texas Department of Public Safety, pension fund staff also worked closely with the Texas Rangers, a division of DPS, as they began the investigation that ultimately led to the arrests and convictions of the two defendants, Ms. Wardlow said.

Ms. Wardlow said that during the investigation, the Texas Rangers learned that Messrs. Morakinyo and Aminu had obtained information regarding ERS retirees from sources not related to ERS.

The defendants then used that information to gain access to the retirees' accounts, she said.

The pension system reimbursed the four retirees whose annuity payments were redirected and offered credit monitoring to annuitants whose accounts could have been impacted by the defendants' conduct, Ms. Wardlow said.

"ERS also has taken steps to enhance already robust security features," but Ms. Wardlow declined to provide more information, stressing, "We can't provide additional details related to cybersecurity due to potential risks associated with the disclosure of cybersecurity information."

"ERS applauds the Texas Rangers, the FBI and the U.S. attorney's office for their excellent work in this matter. The Texas Rangers swiftly commenced a thorough and effective investigation that helped prevent ERS retirees from suffering more substantial losses," Ms. Wardlow said.

The cyberfraud experienced by the Texas Employees fund is much less common now, four years after the incident, than it once was, said Timothy B. Rouse, executive director of SPARK Institute Inc., Simsbury, Conn., in an interview.

Mr. Rouse distinguished between cyberfraud of the type the Texas Employees fund suffered and cyberattacks.

Historically, most cyberfraud was perpetrated by family members of plan participants, Mr. Rouse said, noting that there was "an alarming spike in non-family related fraud about three or four years ago," around the same time the attack on the Texas fund took place.

SPARK set up a fraud committee about two years ago and developed 13 recommendations about how to prevent fraud, which Mr. Rouse said boiled down to participant and asset owner education; intelligence gathering and sharing; and industry-best fraud-protection practices for money managers, asset owners and record keepers.

The effort seems to have worked well as systems and users have become more sophisticated and protective through the use of multifactor authentication, biometrics and the use of IP addresses, he said, noting, "It's very infrequent to see cyberfraud these days."

Cyberattacks remain relentless, but Mr. Rouse said many record keepers, money managers and asset owners have added much more protection against these kinds of attacks with the use of multifactor authentication, Internet Protocol addresses and biometrics.

Cybersecurity is becoming a high priority for investment staff and boards of trustees of institutional investors given the very high rate of attacks, sources said.

"Cybersecurity is top of mind for asset owners. There is a very high level of interest from boards of trustees to include cybersecurity as a governance issue," said Frederick "Rick" Funston, managing partner and CEO of Funston Advisory Services, in the same interview with Mr. Ross.

Mr. Funston said many pension funds now are relying on outsourced vendors to handle their cybersecurity, noting, "The whole supply chain of a pension fund can be impacted by cyberattacks and can benefit from the heft that specialist vendors offer."
