In this guide
- The gap in protection
- Which super funds were hit?
- Multi-factor authentication (MFA)
- Which funds use MFA?
- Investment scams
- Fake celebrity investment platform scams
- Impersonation scams
- Identity theft investment scams
- Remote access scams
- Early access to super scams
- How to avoid scams
- What to do if you are scammed
- How, and if, you can recover your funds
Several major Australian super funds have recently been hit by cyber attacks, putting members’ retirement savings and personal information at risk. What’s more, the dangers are constantly evolving. As technology advances, so do cybercriminals. They’re becoming more sophisticated and are increasingly setting their sights on some of the largest funds.
These attacks are an important reminder to be vigilant, so read on to ensure you’re doing all you can to protect your super savings.
The gap in protection
In February 2025, the government launched the Scams Prevention Framework in order to enforce strengthened security measures for banks, telcos and digital platforms. However, super funds weren’t included in the government’s framework and consumer groups are calling for equal protection across all financial institutions, including super funds.
Which super funds were hit?
Several of the largest super funds have been targeted in cyber attacks so far in 2025. Many of the attacks were due to stolen passwords and other personal information.
- Australian Retirement Trust (ART): Unusual logins were detected on several accounts, but no funds were missing.
- AustralianSuper: Around 600 accounts were hacked through stolen passwords, resulting in 10 members losing a total of $500,000. The fund has since apologised and is fast-tracking improved security measures.
- Hostplus: Early detection of suspicious login attempts allowed Hostplus to prevent any breaches with its multi-layered security system.
- Insignia Financial (MLC Expand): Around 100 suspicious login attempts were flagged. The investigation is still ongoing.
- Rest Super: Suspicious activity was detected on up to 8,000 accounts. The fund shut down its member portal for investigation but, fortunately, no money was reported as stolen.
Tip: Be Connected is a government initiative that has useful tips on internet safety.
Multi-factor authentication (MFA)
Many consumer groups have recommended that all super funds adopt multi-factor authentication, which adds an extra layer of security to your account. It’s almost like having a second lock on your door. Even if a hacker manages to steal your password, without the second key your account will still be protected.
If MFA is enabled on your account, logging in requires:
- Something you know (your password), and
- Something you have (mobile phone, email, authentication app).
Which funds use MFA?
MFA might not be applied across the board just yet, but some of the major funds are using it, or are soon rolling it out.
- AustralianSuper: MFA is rolling out by May 2025
- Australian Retirement Trust: Already has MFA for online logins
- Hostplus: MFA is active on their website and app
- Insignia Financial: MFA is used for withdrawals and other sensitive actions
- Rest Super: MFA is required when you first register, with plans to extend it to all logins
- Cbus, NGS Super and TelstraSuper: These funds all use some form of MFA.
Need to know: How to protect your super fund account
You don’t have to wait for your super fund to catch up. You can take proactive steps now to protect yourself.
- Turn on extra security: If your fund offers MFA, set it up today.
- Use strong passwords: Don’t reuse passwords from other websites.
- Check your account regularly: Look out for any transactions you don’t recognise. The earlier you spot something, the quicker you can act.
- Be suspicious of unexpected contacts: Your fund won’t call or email asking for your password.
- Keep your contact details up to date: Make sure your super fund has the correct information so you get security alerts.
- Learn to spot scams: Be wary of messages creating urgency or asking for personal information.
Investment scams
It’s also important to watch out for investment scams.
Australians lost over $318 million to scams in 2024, according to the Australian Competition & Consumer Commission’s scam statistics, much of it ($192 million) in investment scams.
A ray of light is that overall scam losses fell around one-third compared to 2023, and thousands of investment scam websites have been knocked out since the launch in July 2023 of the Australian Securities and Investments Commission’s (ASIC’s) scam website takedown capability.
But some trends persist. Men lose more money to investment scams than women – $173 million compared to $141 million (in 2024). And people aged over 65 were more likely to lose money than younger investors, with the 65-years-plus group recording the biggest aggregate losses of any age group at $100 million, with the median amount lost being around $1,000.
While the government’s efforts are commendable, scams and fraudsters are becoming increasingly sophisticated, making it more important than ever to be aware of how easy it can be to be scammed.
Fake celebrity investment platform scams
Technology is evolving rapidly and, with the help of artificial intelligence (AI), scamsters can now create deepfake videos of celebrities and famous people promoting investment platforms.