TSP Account Security: The Simple Habits That Block Big Headaches

Every federal employee and retiree relies on the Thrift Savings Plan (TSP) for long-term security.

That makes your online account a prime target.

A compromised TSP account can lead to changed contact info, swapped bank links, or a fast withdrawal before you notice.

Most incidents start with a weak password or a hurried click. So the fix isn’t difficult.

In fact, it’s a handful of simple habits you can set up once and review monthly.

Your 10-Minute Setup

1) Turn on Multi-factor Authentication (MFA)

Use an authenticator app or hardware security key. Save backup codes in your password manager or a secure place, not your email.

2) Use a unique passphrase

At least 14 characters. No reuse from other sites. Let a password manager generate and store it.

3) Lock down change alerts

Enable notifications for logins, profile edits, beneficiary updates, bank-account changes, and any withdrawal requests.

4) Secure your devices

Update to the latest operating system and browser, use a screen lock, and avoid public Wi-Fi for account changes.

5) Separate your “money email”

Use a dedicated email for financial accounts and protect it with MFA. Your email is the reset key to everything.

Phishing & Social Engineering: Spot It Fast

Common red flags

  • “Urgent account lock in 24 hours — click here.”

  • Requests for your one-time code or backup codes that you didn’t initiate.

  • Odd sender domains, misspellings, or links that don’t match the display text.

  • Unsolicited attachments (especially .html or macro-enabled files).

  • Callers asking you to install remote-access software.

Safer behaviors

  • Type the official website into your browser — don’t click account links in messages.

  • If someone calls you, hang up and call the published number.

  • Never read MFA codes to anyone. Legitimate support never needs them.

If You Suspect Fraud

Minutes 0–10: Cut access

1) From a clean device, change your TSP password.
2) Log out of all sessions and regenerate backup codes.
3) Confirm MFA is enabled with the strongest method you have.

Minutes 10–30: Lock down the perimeter

4) Review recent activity: logins, profile changes, bank updates, transactions.
5) Call the ThriftLine using the number on the official site. Report the issue and request a temporary hold on changes/withdrawals if appropriate.
6) Contact your bank about possible unauthorized transfers and ask about ACH recall options.

Minutes 30–60: Contain identity risk

7) Place a credit freeze with Equifax, Experian, and TransUnion. Add a fraud alert.
8) File an identity theft report at IdentityTheft.gov and save the case number.
9) If you clicked a suspicious link or opened a strange file, run a malware scan.
10) Document dates, times, and names — this helps TSP support and law enforcement.

Small Moves for Strong Defense

Your TSP is too important to leave to chance.

Most account takeovers are preventable with strong MFA, clean device hygiene, and a simple response plan.

Set it up once. Review monthly. Tweak if necessary.

Best,
—FWR