Several of Australia's biggest superannuation funds have suffered a suspected coordinated cyberattack, with scammers stealing hundreds of thousands of dollars of members' retirement savings.
Superannuation funds including Rest, HostPlus, Insignia, Australian Retirement Trust and AustralianSuper have each reportedly been targeted. However, so far AustralianSuper appears to be the worst affected.
It is Australia's largest superannuation fund. It has about 3.5 million members and manages more than $365 billion in retirement savings. In this cyberattack, a handful of its members have lost about $500,000 in combined savings.
AustralianSuper is reportedly assisting authorities to recover the money. It has not yet confirmed whether any remediation will occur.
It's not yet clear whether the affected accounts had mandatory multi-factor authentication for login or for money transfers. But this is an important measure to reduce the risk of a similar cyberattack happening in the future.
Strategic timing, stolen passwords
Details of the cyberattack are still sparse. But we do know that it began in the early hours of last weekend. This timing was likely strategic: account holders wouldn't have noticed anything suspicious, as they would most likely have been sleeping.
Cyber criminals are believed to have obtained stolen passwords – either from the dark web or from other hacked websites. They then used these passwords to attempt to access people's superannuation accounts, an approach known as credential stuffing, which works whenever a password has been reused across sites.
(Image caption: Hackers have targeted Australian superannuation funds, with some concerned the industry is lagging behind in safeguards.)
In a statement, AustralianSuper's Chief Member Officer Rose Kerlin said scammers had used up to 600 members' passwords to log into accounts.
So far only four accounts have actually been breached. In those cases, the scammers changed login details and transferred out lump sums of money.
Although members of other superannuation funds do not appear to have lost any money, their personal information may have been compromised.
Different from different hacks
There have been cases in the past of people being scammed out of their retirement savings.
For example, in 2020, Australian man Lee Braz lost all of his retirement savings, worth $180,000, to scammers. The scammers used fraudulent documents to trick his fund, Intrust Super (now owned by HostPlus), into authorising the transfer.
After a four-year legal battle with the fund, Braz recovered one-third of the money he had lost. However, this amount didn't cover his legal fees.
But this recent scam seems very different in nature. It didn't involve scammers using any fraudulent documents or elaborate trickery. Instead, the perpetrators appear to have pulled it off simply by using stolen passwords to access accounts.
Tighter security is crucial
Australian Taxation Office data indicates the average super balance for men is about $180,000, while for women it is about $146,000.
(Image caption: AustralianSuper has confirmed its security was breached, with the fund's chief member officer Rose Kerlin advising members to check their accounts.)
To ensure all of this money is properly protected, financial organisations should implement mandatory multi-factor authentication for user accounts. This would require people to prove who they are with something in addition to a password.
This could include, for example, using a one-time code or an authenticator app on their smartphone. This makes it much harder for criminals who obtain user passwords to take over their accounts. Not all second factors are equal: a code sent by SMS can be intercepted or diverted through a SIM swap, so an authenticator app or a hardware security key is the stronger choice, and the check should be repeated before any withdrawal or change of bank details, not only at login.
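As an added example (this is not code from the article or from any fund), the following Python sketch shows what "something in addition to a password" looks like at the login check: a salted password hash plus a time-based one-time code of the kind an authenticator app generates (RFC 6238 TOTP over HMAC-SHA1, 30-second steps, six digits). The account record, password, secret and timestamp are constructed test data; a real deployment would also rate-limit attempts, log failures and require the second factor again for money transfers.

```python
"""Added example: password-plus-TOTP login check.

Demonstrates why a stolen password alone no longer unlocks an account
once a second factor is mandatory. TOTP follows RFC 6238 (HMAC-SHA1,
30-second time steps, 6 digits), the scheme used by common
authenticator apps. All account data below is constructed for the demo.
"""
import base64
import hashlib
import hmac
import os
import struct
import time
from typing import Optional, Tuple

TOTP_STEP = 30      # seconds per time step (RFC 6238 default)
TOTP_DIGITS = 6
TOTP_WINDOW = 1     # accept the previous and next step to tolerate clock drift


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256; iteration count is a demo value, not a recommendation."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return salt, digest


def hotp(secret: bytes, counter: int, digits: int = TOTP_DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at_time: int, step: int = TOTP_STEP) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret, at_time // step)


def verify_totp(secret: bytes, code: str, at_time: int, window: int = TOTP_WINDOW) -> bool:
    """Constant-time comparison against the current step and its neighbours."""
    for drift in range(-window, window + 1):
        candidate = hotp(secret, at_time // TOTP_STEP + drift)
        if hmac.compare_digest(candidate, code):
            return True
    return False


class Account:
    """Constructed account record: salted password hash plus a TOTP secret."""
    def __init__(self, password: str, totp_secret: bytes):
        self.salt, self.password_hash = hash_password(password)
        self.totp_secret = totp_secret


def login(account: Account, password: str, code: Optional[str], at_time: Optional[int] = None) -> bool:
    """Both factors must pass: a missing or wrong code fails even with the right password."""
    at_time = int(time.time()) if at_time is None else at_time
    _, candidate = hash_password(password, account.salt)
    password_ok = hmac.compare_digest(candidate, account.password_hash)
    code_ok = code is not None and verify_totp(account.totp_secret, code, at_time)
    # Evaluate both factors before returning so timing does not reveal which one failed.
    return password_ok and code_ok


# --- constructed demo data (hypothetical member, not real credentials) ---
DEMO_SECRET = base64.b32decode("JBSWY3DPEHPK3PXP")   # sample base32 seed as shown in a QR enrolment
DEMO_PASSWORD = "correct horse battery staple"        # imagine this leaked from another site
DEMO_ACCOUNT = Account(DEMO_PASSWORD, DEMO_SECRET)
DEMO_TIME = 1_700_000_000                             # fixed Unix time so results are reproducible


def demo() -> dict:
    """Stolen password alone vs. stolen password plus a valid authenticator code."""
    good_code = totp(DEMO_SECRET, DEMO_TIME)
    wrong_code = str((int(good_code) + 1) % 10 ** TOTP_DIGITS).zfill(TOTP_DIGITS)
    return {
        "stolen_password_only": login(DEMO_ACCOUNT, DEMO_PASSWORD, None, DEMO_TIME),
        "stolen_password_wrong_code": login(DEMO_ACCOUNT, DEMO_PASSWORD, wrong_code, DEMO_TIME),
        "password_plus_code": login(DEMO_ACCOUNT, DEMO_PASSWORD, good_code, DEMO_TIME),
        "code_from_previous_step": login(DEMO_ACCOUNT, DEMO_PASSWORD, totp(DEMO_SECRET, DEMO_TIME - 30), DEMO_TIME),
        "wrong_password_right_code": login(DEMO_ACCOUNT, "guess", good_code, DEMO_TIME),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case:28s} -> {'accepted' if ok else 'rejected'}")
```

The attacker in the scenario above holds only the password, so every attempt without the current six-digit code is rejected. The drift window is what lets a code generated a few seconds before the boundary still work; a server should not widen it beyond one step, and should also refuse to accept the same code twice.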
Other financial organisations, including banks and some superannuation funds, already use multi-factor authentication.
But it's particularly important for all superannuation funds to implement it, given many people don't check their retirement savings for months at a time and are less likely to notice straight away if they've been hacked.
In the aftermath of this cyberattack, the Association of Superannuation Funds of Australia says it is working to improve security across the industry, but it is unclear exactly what this will involve.
Consumers also need to do their part by making sure they do not reuse passwords between websites. This is especially important for passwords used to protect accounts with financial organisations such as their super fund or online banking, because a password reused on a less careful site is exactly what credential-stuffing attacks rely on.
Using a password manager is a great way to make it easy to have a unique password for each website you visit.
Finally, customers should be on the lookout for possible scams that may target them in the coming days.
Scammers have been known to exploit fear and confusion in the aftermath of data breaches to try to lure victims into giving away personal information or money.
Anyone receiving messages purporting to be from their super fund and who wants to respond to them should call their super provider directly, using a phone number from its website.
Avoid clicking links or phoning numbers listed in messages that purport to be from your super fund.
Anyone receiving messages they suspect are scams can report them to Scamwatch.