What measures to protect super accounts from cyberattacks?

What security measures should I take to protect my superannuation account from cyberattacks?#

To protect your superannuation account from cyberattacks, use a strong, unique password, enable multi-factor authentication (MFA) and regularly check your account for suspicious activity. Most recent super fund breaches - including AustralianSuper, Rest, and Insignia - used credential stuffing, meaning attackers logged in using passwords leaked in past breaches.

Top security measures#

• Use a unique password that’s long, random, and never reused across services.
• Enable multi-factor authentication (MFA) if your super fund supports it.
• Review account activity and update details regularly.
• Avoid clicking on links in emails or SMS claiming to be from your fund.
• Use a password manager to store and generate secure logins.

These small habits can prevent massive financial loss—especially since super accounts often go unchecked for long periods.

---

Why Super Accounts Are High-Value Targets#

Superannuation accounts are attractive to cybercriminals because:

• They contain large balances, especially for retirees.
• Users don’t log in frequently, giving hackers time to act unnoticed.
• Super funds often allow bank detail changes and withdrawals online, making them vulnerable without MFA.

How Hackers Access Accounts#

In the April 2025 attack, criminals didn’t hack the systems of AustralianSuper or Rest - they simply logged in using stolen passwords from previous data breaches. This method is known as credential stuffing.

They then attempted to:

• Change email and mobile numbers
• Update bank account details
• Initiate withdrawals (particularly for users aged 60+)

Recommended Security Measures#

1. Use a Password Manager#

These tools help you:

• Generate unique passwords for each account
• Store them securely
• Avoid password reuse (a major risk factor)

2. Enable Multi-Factor Authentication (MFA)#

MFA is one of the most effective ways to block unauthorized access—even if your password is stolen. Many super funds now offer:

• SMS codes
• Authenticator apps
• Passkeys or biometric options (rare but increasing)

If your fund doesn’t offer MFA, consider contacting them or even switching funds.

3. Stay Alert for Phishing#

Cybercriminals may follow up on breaches with phishing messages. Don’t:

• Click suspicious links
• Enter credentials on unknown sites
• Call numbers from emails or texts

Instead, always visit your super fund’s site directly or use official app stores.

4. Monitor Account Regularly#

• Log in at least once a month
• Check for contact or bank detail changes
• Review transaction history for unauthorized actions

5. Report Issues Promptly#

If you suspect a breach:

• Contact your fund immediately
• Report it to Scamwatch, IDCARE, or AFCA
• Consider a temporary account lock

---

Read the full article#

About Corbado

Corbado is the Passkey Intelligence Platform for CIAM teams running consumer authentication at scale. We help you see what IDP logs and generic analytics tools can't: which devices, OS versions, browsers and credential managers support passkeys, why enrollments don't turn into logins, where the WebAuthn flow fails and when an OS / browser update silently breaks login, all without replacing Okta, Auth0, Ping, Cognito or your in-house IDP. Two products: Corbado Observe layers observability for passkeys and any other login method. Corbado Connect adds managed passkeys with analytics built in (alongside your IDP). VicRoads runs passkeys for 5M+ users with Corbado (+80% passkey activation). Talk to a Passkey Expert →