Hackers have hit major super funds. A cyber expert explains how to stop it happening again

  • Written by Toby Murray, Professor of Cybersecurity, School of Computing and Information Systems, The University of Melbourne

Several of Australia’s biggest superannuation funds have suffered a suspected coordinated cyberattack, with scammers stealing hundreds of thousands of dollars of members’ retirement savings.

Superannuation funds including Rest, HostPlus, Insignia, Australian Retirement and AustralianSuper have all reportedly been targeted. However, so far AustralianSuper appears to be the worst affected.

It is Australia’s largest superannuation fund. It has roughly 3.5 million members and manages more than $365 billion in retirement savings. In this cyberattack, a handful of its members have lost about A$500,000 in combined savings.

AustralianSuper is reportedly assisting authorities to recover the money. It has not yet confirmed if any remediation will occur.

It’s not yet clear whether the affected accounts had mandatory multi-factor authentication for login or money transfers. But this is a crucial measure to reduce the risk of a similar cyberattack happening in the future.

Strategic timing, stolen passwords

Details of the cyberattack are still sparse. But we do know that it began in the early hours of last weekend. This timing was likely strategic: account holders wouldn’t have noticed anything suspicious as they would have most likely been sleeping.

Cyber criminals are believed to have obtained stolen passwords – either from the dark web or other hacked websites. They then used these passwords to try to access people’s superannuation accounts.

In a statement, AustralianSuper’s Chief Member Officer Rose Kerlin said scammers had accessed up to 600 customer passwords to log into accounts.

So far only four accounts have actually been breached. In those cases, the scammers changed login details and transferred out lump sums of money.

Although members of other superannuation funds do not seem to have lost any money, their personal information may have been compromised.

Different to other attacks

There have been cases in the past of people being scammed out of their retirement savings.

For example, in 2020, Australian man Lee Braz lost all of his retirement savings, worth $180,000, to scammers. The scammers used fraudulent documents to trick his fund, Intrust Super (now owned by HostPlus), into authorising the transfer.

After a four-year legal battle with the fund, Braz retrieved one-third of the money he had lost. However, this amount didn’t cover his legal fees.

But this recent scam seems very different in nature. It didn’t involve scammers using any fraudulent documents or elaborate trickery. Instead, the perpetrators appear to have pulled it off simply by using stolen passwords to access accounts.

Tighter security is crucial

Australian Taxation Office data indicates the average super balance for men is roughly A$180,000, while for women it is roughly A$146,000.

To ensure all of this money is properly protected, financial organisations should implement mandatory multi-factor authentication for user accounts. This would require people to prove who they are with something in addition to a password.

This could include, for example, using a one-time code or an authenticator app on their smartphone. This makes it much harder for criminals who obtain user passwords to take over their accounts.
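
To illustrate the point above, here is an added example (not code from the article or from any super fund) showing why a stolen password alone fails once a one-time code is mandatory for login, login-detail changes and withdrawals. It implements the standard TOTP algorithm (RFC 6238) that authenticator apps use; the `authorize` function, the action names and the account record are assumptions made for the illustration.

```python
import hashlib
import hmac
import struct

# Assumed policy: actions that always need a second factor (hypothetical names).
SENSITIVE_ACTIONS = {"login", "change_login_details", "withdraw"}


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 one-time code (HMAC-SHA1), as generated by authenticator apps."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation from RFC 4226
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def verify_totp(secret: bytes, code, unix_time: int, window: int = 1) -> bool:
    """Accept the current 30-second step and +/- `window` steps for clock drift."""
    if not code:
        return False
    ok = False
    for drift in range(-window, window + 1):
        expected = totp(secret, unix_time + drift * 30)
        # Constant-time comparison; check every step rather than returning early.
        ok |= hmac.compare_digest(expected.encode(), str(code).encode())
    return ok


def authorize(account: dict, action: str, password_ok: bool, code, unix_time: int) -> bool:
    """A correct password is necessary but never sufficient for a sensitive action."""
    if not password_ok:
        return False
    if action in SENSITIVE_ACTIONS:
        return verify_totp(account["totp_secret"], code, unix_time)
    return True


if __name__ == "__main__":
    # Constructed account using the RFC 6238 test secret, not real data.
    member = {"totp_secret": b"12345678901234567890"}
    now = 59
    # Attacker holds the reused password but not the member's phone.
    print("withdraw, password only:", authorize(member, "withdraw", True, None, now))
    # Member supplies the code from their authenticator app.
    print("withdraw, password + code:", authorize(member, "withdraw", True, totp(member["totp_secret"], now), now))
```

A production deployment would also rate-limit code attempts and reject a code that has already been used.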

Other financial organisations, including banks and some superannuation funds, already use multi-factor authentication. But it’s especially important for all superannuation funds to implement it, given many people don’t check their retirement savings for months at a time and are less likely to notice straight away if they’ve been hacked.

In the wake of this cyberattack, the Association of Superannuation Funds of Australia says it is working to improve security across the industry, but it is unclear exactly what this will involve.

Consumers also need to do their part by making sure they do not reuse passwords between websites. This is especially important for passwords that protect accounts with financial organisations, such as their super fund or online banking.

Using a password manager is a great way to make it easy to have unique passwords for each website you visit.

Finally, customers should be on the lookout for potential scams that may target them in the coming days. Scammers have been known to exploit fear and confusion in the wake of data breaches to try to lure victims into giving away personal information or money.

Anyone receiving messages purporting to be from their super fund and who wants to respond to them should call up their super provider directly, using a phone number from their website. Avoid clicking links or phoning numbers listed in messages that purport to be from your super fund.

Anyone receiving messages they suspect are scams can report them to Scamwatch.

Read more https://theconversation.com/hackers-have-hit-major-super-funds-a-cyber-expert-explains-how-to-stop-it-happening-again-253835
