Fake retirement plan administrator claiming the target's retirement account beneficiary designation is missing or invalid and will revert to default distribution unless updated via email link within a deadline — credential-harvest; real beneficiary updates are managed through authenticated employer HR portals, never cold email link requests.

Fake retirement plan administrator or HR benefits department (impersonating Fidelity, Vanguard, TIAA, Empower Retirement, Principal Financial, or generic "Retirement Plan Administrator") claiming the target's retirement account beneficiary designation is missing, invalid, expired, or out of date and requiring them to click a link to update their beneficiary information before a deadline or their account will revert to the plan's default distribution rules — credential-harvest attack targeting retirement account holders. Real beneficiary designation update requests come from authenticated employer HR portals or plan administrator platforms; cold emails with "your retirement beneficiary is missing/invalid — update via link or account reverts to default" exploit both the urgency of estate planning and the complexity of retirement plan rules to harvest credentials. Beneficiary designations control potentially large asset transfers, making this a high-value attack. Distinct from 401k-early-withdrawal-penalty-phish (hardship withdrawal pretext) — this targets the retirement plan beneficiary designation / missing or invalid / update via link / revert to default distribution pretext. Detection: beneficiary designation + missing/invalid + retirement account/401k + update via link + revert to default distribution vocabulary + no List-Unsubscribe + no In-Reply-To + not protected sender. Trash score: +4. Source: GC1-R29; ERISA beneficiary designation rules; DOL retirement plan advisory; FTC retirement account fraud patterns 2025; FINRA beneficiary scam alert.