How to Protect Your Retirement Savings from Cyber Threats

In the wake of recent cyber-attacks on several large Australian superannuation funds, you might be wondering how to protect your retirement savings. These attacks compromised members’ personal data and, in some cases, resulted in money being withdrawn from their accounts.
Here’s what happened—and what you can do to help safeguard your super.
What happened?
In recent years, high-profile data breaches across various Australian companies have exposed large volumes of personal information. Cybercriminals have used this stolen data—such as email addresses and passwords—in targeted attacks on superannuation funds.
The technique, known as credential stuffing, involves using login details obtained from earlier breaches to attempt access to members’ super accounts. These attacks were typically carried out in the early hours of the morning, when account holders were less likely to notice suspicious login attempts or unauthorised transactions.
Members in the pension drawdown phase—those able to request lump sum withdrawals—were specifically targeted.
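The credential-stuffing pattern described above leaves a characteristic trace in a fund's login audit logs: one source address trying many different member IDs in a short span, mostly failing, often in the early hours. The following is an added example, not code from the original article or from any superannuation fund's systems. It scans constructed sample log lines, flags sources that match that pattern, lists which attempts succeeded (the members a fund would notify and re-verify), and notes whether the burst fell in the early-morning hours the article mentions. The log format, field names and thresholds are assumptions chosen for illustration.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample login audit lines (not real fund data).
# Format assumed for this example: "<ISO timestamp> <source IP> <member ID> <OK|FAIL>"
SAMPLE_LOG = """\
2024-05-01T02:03:11 203.0.113.7 M1001 FAIL
2024-05-01T02:03:14 203.0.113.7 M1002 FAIL
2024-05-01T02:03:18 203.0.113.7 M1003 OK
2024-05-01T02:03:21 203.0.113.7 M1004 FAIL
2024-05-01T02:03:25 203.0.113.7 M1005 FAIL
2024-05-01T02:03:29 203.0.113.7 M1006 OK
2024-05-01T09:15:02 198.51.100.2 M2001 FAIL
2024-05-01T09:15:40 198.51.100.2 M2001 OK
2024-05-01T14:20:00 198.51.100.9 M3001 OK
"""


def parse_log(text):
    """Parse the constructed line format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, member, result = line.split()
        events.append({
            "ts": datetime.fromisoformat(ts),
            "ip": ip,
            "member": member,
            "ok": result == "OK",
        })
    return events


def stuffing_indicators(events, min_accounts=5, window_seconds=300, quiet_hours=(0, 6)):
    """Flag source IPs whose login attempts look like credential stuffing.

    A source is flagged when it tries `min_accounts` or more distinct member IDs
    within any `window_seconds` span (both thresholds are assumptions). For each
    flagged source the summary describes its busiest window: how many accounts
    were tried, how many attempts failed, which accounts were logged into
    successfully (candidates for notification and forced re-verification), and
    whether the whole burst fell inside the assumed quiet hours.
    """
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)

    flagged = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        best = None
        start = 0
        for end in range(len(evs)):
            # Advance the window start so the window never exceeds window_seconds.
            while (evs[end]["ts"] - evs[start]["ts"]).total_seconds() > window_seconds:
                start += 1
            window = evs[start:end + 1]
            accounts = {e["member"] for e in window}
            if len(accounts) >= min_accounts and (
                best is None or len(accounts) > best["distinct_accounts"]
            ):
                best = {
                    "distinct_accounts": len(accounts),
                    "failures": sum(1 for e in window if not e["ok"]),
                    "successes": sorted(e["member"] for e in window if e["ok"]),
                    "quiet_hours": all(
                        quiet_hours[0] <= e["ts"].hour < quiet_hours[1] for e in window
                    ),
                }
        if best is not None:
            flagged[ip] = best
    return flagged


if __name__ == "__main__":
    for ip, summary in stuffing_indicators(parse_log(SAMPLE_LOG)).items():
        print(ip, summary)
```

On the constructed log, only 203.0.113.7 is flagged: six different member IDs in eighteen seconds at 2 a.m., with two successful logins, which is exactly the signal a fund would use to notify affected members and suspend bank-detail changes on those accounts. The single member retrying from 198.51.100.2 is an ordinary mistyped password and is not reported.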
In response, super funds acted quickly by identifying and notifying affected members. Some temporarily restricted the ability to change bank or contact details via mobile apps or online portals while investigating the incidents. Others advised members to log in, review their account activity, and change their passwords.
While most funds reported that retirement savings remained secure, one revealed that a small number of members lost a combined total of $500,000. That fund has since committed to reimbursing affected members using its own reserves.
Practical Steps to Protect Your Super
Keeping your super safe is a shared responsibility between you and your fund. Here are some simple but effective actions you can take:
- Monitor your super regularly
  - Log in to your account periodically to check your balance.
  - Ensure your employer contributions are being paid correctly.
  - Review your insurance cover and annual statement.
  - Keep your contact information up to date.
- Use strong passphrases
  - Avoid reusing passwords across accounts.
  - Create a passphrase—a sentence or mix of four or more words that’s easy for you to remember but hard for others to guess.
  - Include a mix of uppercase and lowercase letters, symbols, and numbers.
  - Aim for at least 14 characters, and avoid obvious choices like birthdates, names, or hobbies.
- Enable Multi-Factor Authentication (MFA)
  - MFA provides extra security by requiring two or more forms of verification—such as a password plus a code sent to your phone.
  - If your super fund offers MFA, enable it.
- Secure your devices
  - Use strong passwords or biometrics to lock your phone, tablet, or computer.
  - Enable auto-lock and “find my device” features in case your device is lost or stolen.
  - Keep your software up to date.
- Be cautious with unexpected contact
  - Never click on suspicious links in emails or texts.
  - If someone contacts you unexpectedly, verify their identity by reaching out directly through your fund’s official contact channels.
- Report anything suspicious
  - If you notice unusual activity or receive a suspicious message, contact your super fund immediately.
For more cybersecurity tips, visit the Australian Government’s cyber.gov.au website, which provides information in English and other languages. Your super fund may also offer tailored security advice to help you stay protected.
Disclaimer: The information on this page is for general information purposes only and is not specific to any particular person or situation. There are many factors that may affect your particular circumstances. We advise that you contact Mathews Tax Lawyers before making any decisions.