
Protecting your super from cyber attacks and scams

Several major Australian super funds have recently been hit by cyber attacks, putting members’ retirement savings and personal information at risk. What’s more, the dangers are constantly evolving. As technology advances, so do cybercriminals. They’re becoming more sophisticated and are increasingly setting their sights on some of the largest funds.

These attacks are an important reminder to be vigilant, so read on to ensure you’re doing all you can to protect your super savings.

The gap in protection

In February 2025, the government passed the Scams Prevention Framework, which imposes obligations on banks, telcos and digital platforms to prevent, detect and respond to scams. Super funds weren't included in the framework, and consumer groups are calling for equal protection across all financial institutions, including super funds.

Which super funds were hit?

Several of the largest super funds have been targeted in cyber attacks so far in 2025. Many of the attacks used passwords and other personal information stolen from members elsewhere, which is why a password reused across sites is such a risk.

  • Australian Retirement Trust (ART): Unusual logins were detected on several accounts, but no funds were missing.
  • AustralianSuper: Around 600 accounts were hacked through stolen passwords, resulting in 10 members losing a total of $500,000. The fund has since apologised and is fast-tracking improved security measures.
  • Hostplus: Early detection of suspicious login attempts allowed Hostplus to prevent any breaches with its multi-layered security system.
  • Insignia Financial (MLC Expand): Around 100 suspicious login attempts were flagged. The investigation is still ongoing.
  • Rest Super: Suspicious activity was detected on up to 8,000 accounts. The fund shut down its member portal for investigation but, fortunately, no money was reported as stolen.

Tip: Be Connected is a government initiative that has useful tips on internet safety.

Multi-factor authentication (MFA)

Many consumer groups have recommended that all super funds adopt multi-factor authentication, which adds an extra layer of security to your account. It’s almost like having a second lock on your door. Even if a hacker manages to steal your password, without the second key your account will still be protected. 

If MFA is enabled on your account, logging in requires:

  1. Something you know (your password), and
  2. Something you have (a code from an authenticator app, a hardware security key, or a code sent to your mobile phone or email).

Codes sent by SMS or email are better than a password alone, but they can be intercepted if a criminal takes over your phone number or your email account, so choose an authenticator app or security key where your fund offers one.

Which funds use MFA?

MFA might not be applied across the board just yet, but some of the major funds are using it, or are soon rolling it out.

  • AustralianSuper: MFA is rolling out by May 2025
  • Australian Retirement Trust: Already has MFA for online logins
  • Hostplus: MFA is active on their website and app
  • Insignia Financial: MFA is used for withdrawals and other sensitive actions
  • Rest Super: MFA is required when you first register, with plans to extend it to all logins
  • Cbus, NGS Super and TelstraSuper: These funds all use some form of MFA.

Need to know: How to protect your super fund account

You don’t have to wait for your super fund to catch up. You can take proactive steps now to protect yourself.

  • Turn on extra security: If your fund offers MFA, set it up today, and prefer an authenticator app over SMS codes if you are given the choice.
  • Use strong, unique passwords: Don’t reuse passwords from other websites. Criminals test passwords leaked from one site against many others, and a password manager makes a separate password for every site easy to keep.
  • Check your account regularly: Look out for any transactions, contact-detail changes or logins you don’t recognise. The earlier you spot something, the quicker you can act.
  • Be suspicious of unexpected contacts: Your fund won’t call, text or email asking for your password or a security code, and a genuine caller will not object if you hang up and ring back on the number from the fund’s website.
  • Keep your contact details up to date: Make sure your super fund has the correct information so you get security alerts.
  • Learn to spot scams: Be wary of messages creating urgency or asking for personal information.

Investment scams

It’s also important to watch out for investment scams.

Australians lost over $318 million to scams in 2024, according to the Australian Competition & Consumer Commission’s (ACCC’s) Scamwatch statistics, much of it ($192 million) in investment scams.

A ray of light is that overall scam losses fell around one-third compared to 2023, and thousands of investment scam websites have been taken down since the launch in July 2023 of the Australian Securities and Investments Commission’s (ASIC’s) scam website takedown capability.

But some trends persist. Men lost more money to scams than women in 2024 ($173 million compared to $141 million). People aged 65 and over recorded the biggest aggregate losses of any age group, at $100 million, although the median loss per report was around $1,000.

While the government’s efforts are commendable, scams and fraudsters are becoming increasingly sophisticated, so it is more important than ever to understand how easily anyone can be scammed.

Fake celebrity investment platform scams

Technology is evolving rapidly, and with the help of artificial intelligence (AI) scammers can now create deepfake videos of celebrities and other well-known people promoting investment platforms.

“Scammers are creating fake news articles and deepfake videos to convince people that celebrities and well-known public figures are making huge sums of money using online investment trading platforms, when in fact it is a scam,” Australian Competition & Consumer Commission (ACCC) deputy chair Catriona Lowe says.

“We are urging Australians to take their time and do their research before taking up an investment opportunity – particularly those seen on social media.”

In one case somebody lost $80,000 in cryptocurrency after seeing a deepfake Elon Musk video interview on social media.

Good to know: The ACCC says if you come across an ad with a celebrity in it, do an internet search to see if there are warnings about that investment trading platform being a scam, including if the well-known public figure has warned about being impersonated.

Impersonation scams

Social media was recently awash with the story of a financial advice columnist who was convinced to hand over $50,000 in a shoebox in an Amazon impersonation scam. She wrote about it in The Cut, and what seems to have been key in her experience was the scammer’s ability to keep her on the phone for more than three hours. During that time they gradually wore her down until she abandoned her normal common sense.

It started with a cold call and something that seemed plausible: her Amazon account had been hacked. Through a series of phone transfers to other people in the ‘company’, she was told she needed to hand over the money to avoid losing more.

This example highlights just how sophisticated scammers have become and how good they can be at their job.

Tip: If someone calls you with this kind of information, make sure you can independently verify it. Hang up first, then look up the company’s contact details yourself and check Scamwatch for any scams relating to that company. Never ring back on a number the caller gives you.

Identity theft investment scams

These scams involve extracting information through phishing, social media sites, breaking into physical mailboxes and the like, then stealing your identity. Your identity can then be used to access bank accounts, credit card details and online shopping websites.

Good to know: According to the Australian Cyber Security Centre (ACSC), phishing is a way cyber criminals trick you into giving them personal information. They send you fraudulent emails or text messages, often pretending to be from large organisations you know or trust, and may try to steal your online banking logins, credit card details or passwords. Phishing can result in the loss of information, money or identity theft. Spear-phishing is a more targeted version aimed at a specific person, often using details already known about them.

Never click on a link in one of these emails or text messages; if you need to check your account, type the organisation’s address into your browser or use its official app. For tips on how to spot a phishing scam and what to do if you receive one, see the Australian Cyber Security Centre (ACSC) website.

Identity theft can also be used to access super funds. In the past, organised syndicates have stolen identities to access millions in superannuation monies from several large super funds.

In one of these cases, ASIC and the Australian Federal Police (AFP) alleged identity information was purchased from dark net marketplaces and the syndicate used that information, along with single use SIM cards and fake email accounts, to undertake ‘identity takeover’.

These ‘identities’ then opened bank accounts, into which the syndicate transferred super and money from investment accounts.

To learn more about cyber security, types of scams and what to do about them, visit the government’s ACSC website.

Remote access scams

Remote access scams – whereby a scammer contacts you pretending to be from a well-known organisation (such as Telstra, Amazon or one of the big banks) and asks for remote access to your computer – are also on the rise, according to the ACCC’s Scamwatch.

Once a scammer has control of your computer, they can see what you type and open your logged-in sessions, so super fund details can be extracted just as easily as bank account details. It is vitally important not to let anyone who contacts you out of the blue access your devices, and if you have already done so, disconnect the device from the internet and change your passwords from a different device.

Early access to super scams

Scammers may promise early access to super and encourage people to roll their super out of a large industry or retail fund into a self-managed super fund (SMSF) where it is easier to access.

The scammer may have convinced the person that they will be able to access the funds once they have set up the SMSF. Acting as a financial adviser for the fund’s rollover, the scammer steals a percentage, or all, of the funds.

Such spruikers may also trick investors into using SMSFs to buy fraudulent cryptocurrency assets or property. ASIC has reported an increasing number of scams involving crypto assets since the pandemic.

Need to know: Be wary of anyone offering early access to super. Outside of extreme financial hardship or compassionate grounds, you generally can’t access your super until you reach your preservation age and retire or turn 65.

How to avoid scams

The saying ‘If something sounds too good to be true, it probably is’ is worth remembering when it comes to avoiding scams. 

  • Don’t invest in anything from an unsolicited contact – such as phone calls, emails or even door knocking – promising a hot investment. Scammers will often call repeatedly and are known to target the vulnerable and elderly. Just hang up or shut the door.
  • If you believe an unsolicited communication may have been legitimate, independently source the contact details for the organisation and contact them to verify the information. Don’t use the contact details in their communication or click on any links.
  • Don’t invest in anything at an investment seminar. Always do your own due diligence and research into any kind of offer. Look up share values on the Australian Securities Exchange (ASX) and seek independent financial advice if needed (see our list of independent financial advisers).
  • To avoid identity theft, and the investment scams that stem from it, use strong, unique passwords, don’t share them, don’t give away too much information on social media and don’t open emails (or especially links in emails) from unknown or unverified sources. Lock your letterbox, shred important documents and keep your computer and phone updated with security patches.
  • Consider getting two-factor or multi-factor authentication for important accounts and services that may be linked to your bank or super details.
  • If you are interested in a celebrity endorsed investment product, verify through independent sources that the endorsement is genuine and not a deepfake.
  • You can also check whether somebody calling themselves a financial adviser appears on ASIC’s Financial Advisers Register and whether their business holds an Australian Financial Services Licence, both searchable on ASIC’s website. ASIC also publishes a list of companies you should not deal with.

What to do if you are scammed

If you think you might have been caught up in a scam: 

How, and if, you can recover your funds

It may be difficult to recover funds lost in a scam. Some organisations (such as IDCARE) may be able to help you if money has been stolen as a result of identity theft, and you can also apply for a Commonwealth Victims’ Certificate.

A Victims’ Certificate might help you negotiate with your financial institution or super fund to reverse a fraudulent transaction.

Financial institutions and super funds also have their own systems in place to protect against fraud and will often contact customers if they notice irregular transactions and may reimburse them.

In the case of large-scale fraud, APRA-regulated super funds may be granted financial assistance under Part 23 of the Superannuation Industry (Supervision) Act 1993 (SIS Act). This assistance is funded by a levy on other APRA-regulated funds and can be used to recover money if a fund suffers a loss due to fraud or theft that substantially affects its ability to pay benefits. In 2011 and 2012 this part of the Act provided nearly $55 million in compensation to super funds affected by the collapse of Trio Capital. APRA-regulated funds include industry, retail and corporate funds, but not SMSFs or public sector (government) funds.


IMPORTANT: All information on SuperGuide is general in nature only and does not take into account your personal objectives, financial situation or needs. You should consider whether any information on SuperGuide is appropriate to you before acting on it. If SuperGuide refers to a financial product you should obtain the relevant product disclosure statement (PDS) or seek personal financial advice before making any investment decisions. Comments provided by readers that may include information relating to tax, superannuation or other rules cannot be relied upon as advice. SuperGuide does not verify the information provided within comments from readers.

© Copyright SuperGuide 2008-25. Copyright for this guide belongs to SuperGuide Pty Ltd, and cannot be reproduced without express and specific consent.
