What measures to protect super accounts from cyberattacks?
Learn the top security measures to protect your superannuation account from cyberattacks and credential stuffing. Expert tips for all Australians.
Vincent
Created: April 4, 2025
Updated: August 29, 2025
Read the full article
Discover why superannuation funds are vulnerable and how regulations, including FSC Standard No. 29, recommend MFA and phishing-resistant authentication.
Read the full articleRead by 5,000+ security leaders.
What security measures should I take to protect my superannuation account from cyberattacks?#
To protect your superannuation account from cyberattacks, use a strong, unique password, enable multi-factor authentication (MFA) and regularly check your account for suspicious activity. Most recent super fund breaches - including AustralianSuper, Rest, and Insignia - used credential stuffing, meaning attackers logged in using passwords leaked in past breaches.
Passkeys for Super Funds and Financial Institutions
Join our Webinar on 7th November to learn how Super Funds and Financial Institutions can implement passkeys
Top security measures#
- Use a unique password that’s long, random, and never reused across services.
- Enable multi-factor authentication (MFA) if your super fund supports it.
- Review account activity and update details regularly.
- Avoid clicking on links in emails or SMS claiming to be from your fund.
- Use a password manager to store and generate secure logins.
These small habits can prevent massive financial loss—especially since super accounts often go unchecked for long periods.
- Protect your super account by using strong, unique passwords and enabling MFA.
- Review your login history and account details regularly for unauthorized changes.
- Avoid phishing by accessing your super fund only through official websites.
- Use a password manager to prevent password reuse across services.
Why Super Accounts Are High-Value Targets#
Superannuation accounts are attractive to cybercriminals because:
- They contain large balances, especially for retirees.
- Users don’t log in frequently, giving hackers time to act unnoticed.
- Super funds often allow bank detail changes and withdrawals online, making them vulnerable without MFA.
How Hackers Access Accounts#
In the April 2025 attack, criminals didn’t hack the systems of AustralianSuper or Rest - they simply logged in using stolen passwords from previous data breaches. This method is known as credential stuffing.
They then attempted to:
- Change email and mobile numbers
- Update bank account details
- Initiate withdrawals (particularly for users aged 60+)
Recommended Security Measures#
1. Use a Password Manager#
These tools help you:
- Generate unique passwords for each account
- Store them securely
- Avoid password reuse (a major risk factor)
2. Enable Multi-Factor Authentication (MFA)#
MFA is one of the most effective ways to block unauthorized access—even if your password is stolen. Many super funds now offer:
- SMS codes
- Authenticator apps
- Passkeys or biometric options (rare but increasing)
If your fund doesn’t offer MFA, consider contacting them or even switching funds.
3. Stay Alert for Phishing#
Cybercriminals may follow up on breaches with phishing messages. Don’t:
- Click suspicious links
- Enter credentials on unknown sites
- Call numbers from emails or texts
Instead, always visit your super fund’s site directly or use official app stores.
4. Monitor Account Regularly#
- Log in at least once a month
- Check for contact or bank detail changes
- Review transaction history for unauthorized actions
5. Report Issues Promptly#
If you suspect a breach:
- Contact your fund immediately
- Report it to Scamwatch, IDCARE, or AFCA
- Consider a temporary account lock
Read the full article#
Read the full article
Discover why superannuation funds are vulnerable and how regulations, including FSC Standard No. 29, recommend MFA and phishing-resistant authentication.
Read the full articleRead by 5,000+ security leaders.
Share this article
