Protect your TSP account
Protecting your TSP account is our top priority, and it’s a responsibility that we share with you as a TSP participant. While we create a secure connection to tsp.gov and give you control over your account settings, we strongly encourage you to take steps to protect your data when you’re online.
You can learn more about how to protect yourself on the internet, how to recognize scams that attempt to steal your information, and more about online security from the Federal Trade Commission.
If you’re concerned that your personal information or TSP account has been compromised, contact us immediately.
3 actions to take now to prevent fraud
1. Validate your contact information and confirm that the mailing address on your account is correct.
Go to My Account: Profile Settings to review and update your validated phone and email.
- If you have a civilian TSP account, you must validate your phone number in order to use two-step authentication and log in securely to My Account.
- If you have a uniformed services TSP account, we recommend that you validate a phone number as your primary verification method and use email as backup.
2. Protect your user ID, password, and PIN.
Create a user ID and secure password that are unique to your TSP account, and don’t share them with anyone. Your user ID, password, and PIN are your business, and no one at the TSP will ever need to know that information for any reason. If your browser offers autocomplete, disable it so it doesn’t store your My Account login credentials.
3. Consider adding a “hold” on your account to prevent fraudulent loan and withdrawal requests.
If you’re concerned about identity theft, data breaches, or someone else gaining access to your TSP account, you might consider requesting a hold to prevent new withdrawal and loan requests.
When you place a hold on your account, any pending or new request related to loans or withdrawals will not be processed. You can still access your account normally and manage your savings through interfund transfers and changes to your contribution allocation.
You can request a hold in My Account: Profile Settings by selecting “Participant Requested Hold” or by calling the ThriftLine and speaking to a TSP representative.
With a hold in place, you’ll continue to receive any installment payments that you set up previously with a withdrawal request. We will also continue making IRS required minimum distributions (RMDs) and any court-ordered payments from your account.
You will need to plan ahead to remove the hold when it’s time for you to make or change a withdrawal or loan request. You can request to remove the hold by calling the ThriftLine and speaking to a TSP representative. It usually takes up to two business days to remove the hold from your account after we receive and verify your request. In the meantime, you can be sure that you’ve done everything you can to keep your TSP savings safe.
Other ways to help prevent fraud
Take these steps to help further protect your TSP account:
- Make sure your contact methods are secure—Your account is only as secure as your login credentials and validated contact methods. Make sure you enable any additional security features, such as passcodes and two-step authentication, on your devices and for all online accounts.
- Check for a secure website connection—Before you submit data or attempt to log in to your account on tsp.gov, make sure you’re on the right website. In your browser’s address bar, look for a lock icon, a green bar, or “https://” at the beginning of the URL for tsp.gov.
- Close your browser after you log out—When you’re finished accessing your TSP account, clear your browser’s memory of your sensitive account information by closing the browser window.
- Block access to your account—You have the option to block all online access, ThriftLine access, or both to your TSP account. Make this request online through your My Account profile settings, by calling the ThriftLine and speaking to a Participant Service Representative, or by submitting a written request. Your written request must include your name, account number, date of birth, signature, and the date you signed the letter. Access to your account will remain blocked until you submit a written request to remove the block.
Be cautious with software and mobile applications
You may encounter third-party software or mobile applications that reference the Thrift Savings Plan and prompt you for your TSP account credentials. The TSP does not support these applications or services. We cannot endorse any information or advice you may receive from third-party software or applications. Providing your TSP account credentials to third-party software or applications may jeopardize your account security.
How two-step authentication helps prevent fraud
All TSP participants must use two-step authentication to log in to My Account. Two-step authentication helps you protect your account against fraud by prompting you for a one-time code each time you log in. This login process is more secure because it means that online access to your account requires something you know (your user ID and password) and something you have (a one-time code that you receive on your device). Someone who tries to log in to your account fraudulently won’t be able to gain access without the code.
Learn to identify real TSP communications
We may communicate with you in several different ways:
- By mail—We will most often contact you by mail, so you should make sure we have your correct mailing address. Read any TSP mail promptly and carefully. Take caution if you receive an account notice you weren’t expecting or a letter that asks you to “verify your account number” or other account information. Notify us immediately if you receive a letter that seems suspicious.
- By email—We may send you an email to confirm a transaction that you completed or a change you made to your account information. We also periodically send educational outreach emails such as the Thrift Savings Planner newsletter to the email address you provide in your My Account profile settings. We will never include your sensitive information in an email, and we will never ask you to send us sensitive information by email.
- By phone—A TSP Participant Service Representative or an official from the Federal Retirement Thrift Investment Board may call you on the telephone in response to communication that you initiated by completing a transaction or by contacting us.
We will not contact you about investment opportunities or authorize third parties to provide counseling or services related to your investment choices. We do not assign the terms “TSP Advisor” or “TSP Counselor” to any individual or group.
If you’re not sure whether correspondence or phone calls claiming to be from the TSP are authentic, do not provide any personal or financial information. Contact us directly if you have questions or if you need to report suspicious activity.
How we protect your TSP account
We offer you various ways to add layers of security to your account:
- Secure website connection—We keep security certificates up to date for tsp.gov to ensure that your connection to our website is private. Our site uses encryption to protect your information as it travels between your computer and our server.
- Secure login credentials—You can only gain access to My Account on tsp.gov with your user ID and web password, which only you should know. Two-step authentication gives you an additional layer of security by requiring a one-time code sent to your device.
- Temporary account lockout—To discourage unauthorized users from attempting to gain access to your account, our system will suspend login access for one hour after it detects three unsuccessful login attempts.
- Automatic My Account logout—If you’re logged in to My Account and our system detects 10 minutes of inactivity, it will automatically end the session and log you out to prevent unwanted access to your account information.
- Transaction confirmations by mail—When you make changes to your account, we’ll mail you a confirmation notice. If you receive confirmation of an action on your account that you did not request, contact us immediately.