What measures protect super accounts from cyberattacks?

Vincent Delitz

Created: April 4, 2025

Updated: April 24, 2025

Discover why superannuation funds are vulnerable and how regulations, including FSC Standard No. 29, recommend MFA and phishing-resistant authentication.


What security measures should I take to protect my superannuation account from cyberattacks?

To protect your superannuation account from cyberattacks, use a strong, unique password, enable multi-factor authentication (MFA) and regularly check your account for suspicious activity. Most recent super fund breaches - including AustralianSuper, Rest, and Insignia - used credential stuffing, meaning attackers logged in using passwords leaked in past breaches.

Top security measures

  • Use a unique password that’s long, random, and never reused across services.
  • Enable multi-factor authentication (MFA) if your super fund supports it.
  • Review account activity and update details regularly.
  • Avoid clicking on links in emails or SMS claiming to be from your fund.
  • Use a password manager to store and generate secure logins.

These small habits can prevent massive financial loss—especially since super accounts often go unchecked for long periods.

  • Protect your super account by using strong, unique passwords and enabling MFA.
  • Review your login history and account details regularly for unauthorized changes.
  • Avoid phishing by accessing your super fund only through official websites.
  • Use a password manager to prevent password reuse across services.

Why Super Accounts Are High-Value Targets

Superannuation accounts are attractive to cybercriminals because:

  • They contain large balances, especially for retirees.
  • Users don’t log in frequently, giving hackers time to act unnoticed.
  • Super funds often allow bank detail changes and withdrawals online, making them vulnerable without MFA.

How Hackers Access Accounts

In the April 2025 attack, criminals didn’t hack the systems of AustralianSuper or Rest - they simply logged in using stolen passwords from previous data breaches. This method is known as credential stuffing.

They then attempted to:

  • Change email and mobile numbers
  • Update bank account details
  • Initiate withdrawals (particularly for users aged 60+)
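For a fund's security team, the pattern above can be turned into two detection checks over account event logs. This is an added example, not code from the article or from any fund: the event names, thresholds, time windows and the assumed order (contact change before a payout action) are assumptions, and the log lines are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events, not real fund data: (time, account, source IP, event)
EVENTS = [
    ("2025-04-01T02:10:00", "acct-1001", "203.0.113.7", "login_fail"),
    ("2025-04-01T02:10:02", "acct-1002", "203.0.113.7", "login_fail"),
    ("2025-04-01T02:10:04", "acct-1003", "203.0.113.7", "login_ok"),
    ("2025-04-01T02:10:06", "acct-1004", "203.0.113.7", "login_fail"),
    ("2025-04-01T02:12:00", "acct-1003", "203.0.113.7", "email_change"),
    ("2025-04-01T02:13:00", "acct-1003", "203.0.113.7", "bank_change"),
    ("2025-04-01T02:15:00", "acct-1003", "203.0.113.7", "withdrawal_request"),
    ("2025-04-01T09:00:00", "acct-2001", "198.51.100.20", "login_ok"),
    ("2025-04-01T09:05:00", "acct-2001", "198.51.100.20", "email_change"),
]
CONTACT = {"email_change", "mobile_change"}      # hypothetical event names
PAYOUT = {"bank_change", "withdrawal_request"}   # hypothetical event names

def stuffing_sources(events, min_accounts=3, window=timedelta(minutes=5)):
    """IPs that attempt logins on many distinct accounts within a short window."""
    attempts = defaultdict(list)
    for ts, acct, ip, ev in events:
        if ev.startswith("login_"):
            attempts[ip].append((datetime.fromisoformat(ts), acct))
    flagged = set()
    for ip, rows in attempts.items():
        rows.sort()
        for i, (start, _) in enumerate(rows):
            accounts = {a for t, a in rows[i:] if t - start <= window}
            if len(accounts) >= min_accounts:
                flagged.add(ip)
                break
    return flagged

def takeover_sequences(events, window=timedelta(hours=1)):
    """Accounts where a login is followed by a contact change, then a payout action."""
    state = {}    # account -> [last successful login time, contact change seen]
    flagged = []
    for ts, acct, ip, ev in sorted(events):
        t = datetime.fromisoformat(ts)
        if ev == "login_ok":
            state[acct] = [t, False]
        elif acct in state and t - state[acct][0] <= window:
            if ev in CONTACT:
                state[acct][1] = True
            elif ev in PAYOUT and state[acct][1] and acct not in flagged:
                flagged.append(acct)
    return flagged

print(stuffing_sources(EVENTS), takeover_sequences(EVENTS))
```

An account flagged by the second check is a candidate for holding the payout and confirming with the member through the contact details on file before the change.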

1. Use a Password Manager

These tools help you:

  • Generate unique passwords for each account
  • Store them securely
  • Avoid password reuse (a major risk factor)

2. Enable Multi-Factor Authentication (MFA)

MFA is one of the most effective ways to block unauthorized access—even if your password is stolen. Many super funds now offer:

  • SMS codes
  • Authenticator apps
  • Passkeys or biometric options (rare but increasing)

If your fund doesn’t offer MFA, consider contacting them or even switching funds.

3. Stay Alert for Phishing

Cybercriminals may follow up on breaches with phishing messages. Don’t:

  • Click suspicious links
  • Enter credentials on unknown sites
  • Call numbers from emails or texts

Instead, always visit your super fund’s site directly or use official app stores.

4. Monitor Account Regularly

  • Log in at least once a month
  • Check for contact or bank detail changes
  • Review transaction history for unauthorized actions

5. Report Issues Promptly

If you suspect a breach:

  • Contact your fund immediately
  • Report it to Scamwatch, IDCARE, or AFCA
  • Consider a temporary account lock
