How to check if my super account has been compromised?

To check if your superannuation account has been compromised, log in to your super fund’s online portal and verify your account details - especially your recent activity, contact information, and linked bank account. If anything looks unfamiliar or has been changed without your knowledge, it may be a sign of unauthorized access. You should also look out for alerts from your fund and contact their support team directly if you notice anything unusual.

Here’s what you should do:

• Log in to your super fund's online account via their official website or mobile app (avoid links in emails).
• Check your recent activity (e.g., login times, withdrawals, contact updates).
• Verify your personal details such as email, phone number, and bank account.
• Look for suspicious changes like updates to your beneficiary list or transfer attempts.
• Enable multi-factor authentication (MFA) if your fund offers it.

Funds like AustralianSuper and Rest have already notified affected members and urged everyone to take precautionary steps. Even if you haven’t been contacted, it's crucial to stay vigilant.

---

The recent cyberattack on Australian superannuation funds was primarily executed through a method called credential stuffing, where attackers used stolen usernames and passwords from unrelated data breaches to log in to super accounts.

Even if no funds were stolen from your account, compromised login credentials could allow attackers to:

• Change your email, phone number, or postal address
• Update your linked bank account
• Modify beneficiaries
• Attempt unauthorized withdrawals if you're eligible for drawdown (commonly over 60)

Super funds like AustralianSuper, Rest, and Insignia Financial have reported such suspicious activities, and in some cases, users were locked out of their accounts or saw erroneous balances.

Attackers are becoming more sophisticated. Even if you're not affected now, they may test your credentials again in the future. Because many Australians rarely log in to their super accounts, fraudulent changes can go unnoticed for weeks or even months.

That's why all members - especially those aged 60+ who may be in drawdown - should:

• Review accounts regularly
• Use a unique password
• Never reuse passwords across services
• Set up MFA

If you're unsure about anything, do not click on links in messages claiming to be from your fund. Instead, call them using a phone number on their official website.

---