Money

Super theft: check your super, check your password is unique

Cybercrims are targeting Australian super accounts and more than $500,000 has been lost in a recent wave of attacks - here's what you need to do to secure your super.

By Alex Brooks

You’d think robbing someone’s superannuation would require a criminal mastermind, cat burglars, vault codes or maybe a Tom Cruise cameo. Nope.

Turns out all it takes is a list of old passwords from the dark web, a few bots, and – hey presto – at least half a million stolen so far.

Retirement savings: gone faster than dignity during karaoke night

Australian superannuation funds have been hit by a coordinated cyberattack. Real money has been nicked and personal data has been compromised, according to the Australian Financial Review.

And all because people in the superannuation industry – who collected $32 billion in fees during 2023 – said, “Eh, SMS verification should be fine.”

The funds are being cagey about releasing details, but reporting so far says the breach targeted people who had already reached ‘preservation age’ and could access their money or lump sum.

Panicked super fund members then overwhelmed the funds’ creaking login systems, so some people saw a $0 balance in their account, which funds say is a display error and will be corrected.

That’s a big oopsie. One that proves the superannuation industry needs to step up.

Ever since my son had his first home deposit stolen by PEXA fraudsters, I have been investigating what I’m calling digital bank robbery – and it’s scary.

I had no idea that overseas organised crime syndicates were targeting Australians for their lucrative real estate and superannuation wealth – we lost $2 billion last year and are likely to continue losing more because our systems are all a little bit, well, shit.

Check your super - and secure it with a strong password and multi-factor authentication

So make sure you do your own super check to discover:

  1. It’s all there - every cent of it. If it’s not, report it to your fund AND the police straight away.
  1. Your employer is putting in the right amounts each month (there are new ‘payday’ super rules coming next year to make sure super is paid at the same time as your wage - right now it’s usually only paid monthly or quarterly).
  1. Your super fund has strong enough security in place with multi-factor authentication (MFA) - not just SMS codes, which an attacker can redirect by changing the phone number on your account or SIM-swapping your number.
  1. You have a unique password or passkey for your super login, ideally stored in a dedicated password manager such as 1Password.
  1. You’re not relying on the browser’s built-in password store to remember your super login, as infostealer malware specifically targets saved browser passwords and session cookies (so-called ‘session cookie theft’) to take over logged-in accounts.

You need to rein in your own breached data for super safety

This wasn’t some elite squad of international cybercriminals deploying never-before-seen tools. This was what’s known as a ‘credential stuffing attack’.

That’s a fancy way of saying hackers took passwords and email addresses that were already leaked from other breaches – maybe years ago, maybe from shopping sites, newsletters, or loyalty programs – and then used automated systems to try logging into people’s super accounts in the middle of the night.

Why then? Because most of us are asleep, and unlikely to respond to alerts or verification requests.

If the credentials worked, the attackers changed the phone number linked to the account, giving them control over SMS-based two-factor authentication (2FA). In some cases, that was enough to allow withdrawals from accounts – especially for members in the pension phase who are legally allowed to access their super.
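The pattern just described (one source hammering many accounts overnight, then a phone-number change on whichever account it got into) is exactly what a fund’s security team can look for in its own authentication logs. The following is an added example, not code from the article or from any super fund: the log format, field names and thresholds are assumptions, and the log lines are constructed.

```python
"""Flag the credential-stuffing-then-MFA-hijack pattern over constructed
sample authentication events.  Added example; log format, thresholds and
field names are assumptions, not any fund's real telemetry."""
from collections import defaultdict
from datetime import datetime

# Constructed sample events: timestamp, source IP, account, event, outcome.
# 203.0.113.7 sprays six accounts in ten seconds at 2am, gets into one,
# then changes that member's phone number (the SMS 2FA target).
SAMPLE_LOG = """\
2025-04-01T02:10:03 203.0.113.7 member1001 login fail
2025-04-01T02:10:05 203.0.113.7 member1002 login fail
2025-04-01T02:10:07 203.0.113.7 member1003 login success
2025-04-01T02:10:09 203.0.113.7 member1004 login fail
2025-04-01T02:10:11 203.0.113.7 member1005 login fail
2025-04-01T02:10:13 203.0.113.7 member1006 login fail
2025-04-01T02:11:40 203.0.113.7 member1003 change_phone success
2025-04-01T09:15:00 198.51.100.2 member2001 login success
2025-04-01T09:15:30 198.51.100.2 member2001 login fail
"""

MIN_DISTINCT_ACCOUNTS = 5   # one IP trying this many accounts...
WINDOW_SECONDS = 600        # ...inside this window looks like stuffing (assumed threshold)
OFF_HOURS = range(0, 6)     # the "middle of the night" hours the article mentions


def parse(log_text):
    """Turn the whitespace-separated sample lines into event dicts."""
    events = []
    for line in log_text.strip().splitlines():
        ts, ip, account, event, outcome = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "ip": ip,
                       "account": account, "event": event, "outcome": outcome})
    return events


def stuffing_sources(events):
    """Return {ip: accounts} for IPs that hit many distinct accounts in one window.

    A single user fat-fingering their own password fails this test (one account);
    a bot replaying a breach list across hundreds of members passes it."""
    by_ip = defaultdict(list)
    for e in events:
        if e["event"] == "login":
            by_ip[e["ip"]].append(e)
    flagged = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        best, start = set(), 0
        for end in range(len(evs)):          # sliding window over this IP's attempts
            while (evs[end]["ts"] - evs[start]["ts"]).total_seconds() > WINDOW_SECONDS:
                start += 1
            accounts = {e["account"] for e in evs[start:end + 1]}
            if len(accounts) > len(best):
                best = accounts
        if len(best) >= MIN_DISTINCT_ACCOUNTS:
            flagged[ip] = best
    return flagged


def account_takeover_candidates(events):
    """Accounts where a stuffing source logged in and then changed the phone number."""
    compromised = {}
    for ip, sprayed in stuffing_sources(events).items():
        logged_in = {e["account"] for e in events
                     if e["ip"] == ip and e["event"] == "login" and e["outcome"] == "success"}
        for e in events:
            if (e["ip"] == ip and e["event"] == "change_phone"
                    and e["outcome"] == "success" and e["account"] in logged_in):
                compromised[e["account"]] = {
                    "ip": ip,
                    "off_hours": e["ts"].hour in OFF_HOURS,
                    "accounts_sprayed": len(sprayed),
                }
    return compromised


if __name__ == "__main__":
    for account, info in account_takeover_candidates(parse(SAMPLE_LOG)).items():
        print(account, info)
```

The detection deliberately keys on the phone-number change rather than on the failed logins alone: failed logins are noisy, but a contact-detail change minutes after a login from an address that just sprayed dozens of other members is the moment to freeze withdrawals and phone the member on their old number.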

What you can do right now

You can check if your details are doing the rounds by using Troy Hunt’s Have I Been Pwned website or the Avast Leak Check.
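Have I Been Pwned also lets you check whether a password itself has appeared in a breach, without ever sending the password: you hash it locally and send only the first five characters of the hash, then match the rest on your own machine (HIBP calls this its k-anonymity range API). The following is an added example, not code from the article or from HIBP; the response body used offline is constructed, with a made-up count, and the live lookup function is an assumption about how you would wire it up.

```python
"""Check a password against HIBP's Pwned Passwords range API without
disclosing the password.  Added example, not HIBP's own code; the offline
response body and its count are constructed for demonstration."""
import hashlib

RANGE_URL = "https://api.pwnedpasswords.com/range/"


def sha1_split(password):
    """SHA-1 the password; the 5-char prefix goes to HIBP, the 35-char suffix stays local."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def count_in_range(suffix, range_body):
    """Parse the 'SUFFIX:COUNT' lines HIBP returns for a prefix and find our suffix."""
    for line in range_body.splitlines():
        line = line.strip()
        if not line:
            continue
        hash_suffix, _, count = line.partition(":")
        if hash_suffix.upper() == suffix:
            return int(count)   # padded entries come back with count 0, which is correct
    return 0


def password_breach_count(password, fetch_range):
    """Number of times the password appears in HIBP's corpus (0 = not seen)."""
    prefix, suffix = sha1_split(password)
    return count_in_range(suffix, fetch_range(prefix))


def fetch_range_live(prefix):
    """Real lookup (network).  Only the 5-char prefix leaves the machine."""
    import urllib.request
    req = urllib.request.Request(RANGE_URL + prefix, headers={"Add-Padding": "true"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


# Constructed offline stand-in for the API.  SHA-1("password") really is
# 5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8; the counts and other suffixes
# are invented for the example.
_MOCK_RANGES = {
    "5BAA6": "\r\n".join([
        "0018A45C4D1DEF81644B54AB7F969B88D65:3",
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:9545824",
        "FFFE2F9D41A77BC5F4C2E3B1D0A9C8E7F65:0",
    ]),
}


def fetch_range_mock(prefix):
    """Offline substitute for fetch_range_live using the constructed data above."""
    return _MOCK_RANGES.get(prefix, "0018A45C4D1DEF81644B54AB7F969B88D65:0")


if __name__ == "__main__":
    for pw in ("password", "Tr0ub4dor&3-super-unique-2025"):
        print(pw, "->", password_breach_count(pw, fetch_range_mock))
```

Swap `fetch_range_mock` for `fetch_range_live` to query the real service. Any non-zero count means that password has been dumped somewhere and is exactly the kind of credential a stuffing bot will try against your super login.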

Best practice for financial service providers is to offer passkeys or biometrics (fingerprint or face unlock), or at the very least multi-factor authentication through an authenticator app such as Google Authenticator. SMS text-message codes are no longer secure enough, because an attacker who is already inside your account can simply change the number they are sent to.

If your details are circulating the web and your fund doesn’t have MFA in place, then ring them and demand to know why.

You can always change super funds, but this ALSO puts you at risk of fraudsters setting up fake accounts or stealing your money.

CHOICE did this story about super scams, with the general approach from fraudsters being:

  1. Criminals claiming they can help you get your superannuation early. These crims get to know you over the phone and then steal your super once they have your vital login and account details.
  1. Criminals claiming they can set you up a lucrative self-managed superannuation fund (SMSF) but then stealing all your money while sending you false statements. This was how Melissa Caddick committed her frauds.

Funds that were hit by the cyberattack

Some funds - and the Association of Superannuation Funds of Australia - are not being transparent about what happened, but the AFR says at least five big names were affected:

AustralianSuper – 600 accounts were targeted, $500,000 lost across four pension-phase members. The same fund that has just been pilloried for taking months to pay out super death benefits.

REST – Around 8000 members’ personal info accessed; no financial losses reported.

Australian Retirement Trust (ART) – Less than 200 accounts impacted, no financial loss.

Hostplus – Confirmed suspicious activity, still investigating.

Insignia (MLC Expand platform) – Around 100 accounts affected, but no money lost.

The funds say they acted quickly once the suspicious activity was noticed, locking accounts and alerting authorities. But for some members, it was too late.

Mass scale - spray and pray phishing - is a nightmare

Automation, and increasingly AI tooling, has made it a cinch for crims to merge large amounts of breached data from multiple sources, build a profile of each target and work out how often they re-use passwords.

When I scroll Instagram or Facebook, I am hit with ads urging me to ‘compare my super’ to check it’s doing OK - DO NOT EVER ENTER YOUR SUPER FUND DETAILS INTO ONE OF THESE ADS!!

Crims use these types of online tools to harvest your data and mix it with any other breached data about you they can get their hands on (and given that Optus, Medibank and other large companies have had data breached recently, there’s a lot of info floating around).

I will try to leave you smiling, not scared

Super is still one of the best ways to save your money in a tax sheltered environment.

Don’t abandon it! Just demand better security from your fund (and change your password to something tricky - not one that you use for Netflix or Amazon).

This article was originally published in Alex’s weekly Dueto newsletter.

Feature image: iStock/FG Trade
