What security measures should I take to protect my superannuation account from cyberattacks?#
To protect your superannuation account from cyberattacks, use a strong, unique password,
enable multi-factor authentication (MFA) and regularly check your account for suspicious
activity. The recent wave of super fund breaches, including those affecting AustralianSuper,
Rest and Insignia, relied on credential stuffing: attackers logged in with username and
password combinations leaked in earlier breaches of other services, betting that members
had reused them.
Top security measures#
- Use a unique password that’s long, random, and never reused across services.
- Enable multi-factor authentication (MFA) if your super fund supports it.
- Review account activity and update details regularly.
- Avoid clicking on links in emails or SMS claiming to be from your fund.
- Use a password manager to store and generate secure logins.
These small habits can prevent serious financial loss, especially since super accounts
often go unchecked for long periods. Two details are worth stressing: review your login
history as well as your contact and bank details, because a change you did not make is the
clearest sign of a takeover, and reach your fund only by typing its address yourself or
using its official app, never through a link in a message.
Why Super Accounts Are High-Value Targets#
Superannuation accounts are attractive to cybercriminals because:
- They contain large balances, especially for retirees.
- Users don’t log in frequently, giving hackers time to act unnoticed.
- Super funds often let members change contact details, change bank details and request withdrawals online, so an account protected by a password alone can be emptied once that password is known.
How Hackers Access Accounts#
In the April 2025 attack, criminals did not break into the systems of AustralianSuper or Rest;
they simply logged in with passwords exposed in earlier breaches of other services, relying on
members having reused them. This method is known as credential stuffing.
They then attempted to:
- Change email and mobile numbers
- Update bank account details
- Initiate withdrawals (particularly from members aged 60 and over, whose balances can generally be accessed)
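The sequence above (many usernames tried from one source, one success, then contact and bank details changed) is exactly what a fund's login logs show during credential stuffing. The following is an added example, not the article's code or any fund's real tooling: it parses constructed log lines in an assumed `timestamp event key=value` format, flags source IPs that try many different usernames with mostly failures (a real member mistyping a password fails on one username, not six), and then looks for successful logins from those sources that are followed by sensitive detail changes. The field names, thresholds and the one-hour window are assumptions.

```python
"""Flag credential-stuffing patterns and follow-on takeovers in constructed auth logs.

Added example, not the article's code or any super fund's real tooling. The log
format, field names, thresholds and window are assumptions chosen for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events. 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.
SAMPLE_LOG = """\
2025-04-02T01:00:01Z login user=m.smith ip=203.0.113.7 result=fail
2025-04-02T01:00:02Z login user=j.lee ip=203.0.113.7 result=fail
2025-04-02T01:00:02Z login user=a.wong ip=203.0.113.7 result=success
2025-04-02T01:00:03Z login user=p.nguyen ip=203.0.113.7 result=fail
2025-04-02T01:00:03Z login user=k.brown ip=203.0.113.7 result=fail
2025-04-02T01:00:04Z login user=r.patel ip=203.0.113.7 result=fail
2025-04-02T01:00:20Z change user=a.wong ip=203.0.113.7 field=mobile
2025-04-02T01:00:45Z change user=a.wong ip=203.0.113.7 field=bank_account
2025-04-02T08:15:00Z login user=d.jones ip=198.51.100.22 result=fail
2025-04-02T08:15:09Z login user=d.jones ip=198.51.100.22 result=success
"""

LINE_RE = re.compile(r"^(\S+) (\w+) (.*)$")  # assumed: "<ts> <event> k=v k=v ..."

# Fields whose change right after a suspicious login marks an account takeover.
SENSITIVE_FIELDS = {"email", "mobile", "bank_account"}


def parse_log(text):
    """Parse lines in the assumed format into dicts; skip lines that do not match."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, kind, rest = m.groups()
        ev = {"ts": datetime.fromisoformat(ts.replace("Z", "+00:00")), "event": kind}
        for kv in rest.split():
            key, _, value = kv.partition("=")
            ev[key] = value
        events.append(ev)
    return events


def find_stuffing_sources(events, min_users=5, min_fail_ratio=0.6):
    """Return {ip: stats} for sources that try many distinct usernames and mostly fail.

    Stuffing spreads one leaked password list across many accounts, so the tell is
    breadth of usernames per source, not the number of failures for one account.
    """
    per_ip = defaultdict(lambda: {"users": set(), "attempts": 0, "failures": 0})
    for ev in events:
        if ev["event"] != "login":
            continue
        s = per_ip[ev["ip"]]
        s["users"].add(ev["user"])
        s["attempts"] += 1
        if ev["result"] != "success":
            s["failures"] += 1
    flagged = {}
    for ip, s in per_ip.items():
        ratio = s["failures"] / s["attempts"]
        if len(s["users"]) >= min_users and ratio >= min_fail_ratio:
            flagged[ip] = {"distinct_users": len(s["users"]), "fail_ratio": round(ratio, 2)}
    return flagged


def find_takeovers(events, flagged_ips, window=timedelta(hours=1)):
    """Successful logins from a flagged source followed within `window` by a change
    to contact or bank details: the takeover sequence described in the text."""
    hits = []
    for login in events:
        if login["event"] != "login" or login["result"] != "success":
            continue
        if login["ip"] not in flagged_ips:
            continue
        changed = [
            e["field"] for e in events
            if e["event"] == "change" and e["user"] == login["user"]
            and login["ts"] <= e["ts"] <= login["ts"] + window
            and e["field"] in SENSITIVE_FIELDS
        ]
        if changed:
            hits.append((login["user"], login["ip"], changed))
    return hits


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    sources = find_stuffing_sources(evs)
    print("stuffing sources:", sources)
    print("likely takeovers:", find_takeovers(evs, sources))
```

On the sample, the one source that tried six usernames with five failures is flagged, the member who mistyped once and then succeeded is not, and the flagged source's single success is tied to the mobile and bank account changes that followed it. In production the same two checks would feed a step-up (force MFA, hold withdrawals) rather than a print statement.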
Recommended Security Measures#
1. Use a Password Manager#
These tools help you:
- Generate unique passwords for each account
- Store them securely
- Avoid password reuse (the weakness credential stuffing exploits)
2. Enable Multi-Factor Authentication (MFA)#
MFA is one of the most effective ways to block unauthorized access, because a stolen password
alone is no longer enough to log in. Many super funds now offer:
- SMS codes (better than nothing, but exposed to SIM swapping and to being relayed through a phishing page)
- Authenticator apps (time-based codes that never cross the mobile network, though a code can still be phished in real time)
- Passkeys or biometric options (rare but increasing; a passkey is bound to the fund's real domain, so it cannot be used on a lookalike site)
If your fund doesn’t offer MFA, consider contacting them or even switching funds.
3. Stay Alert for Phishing#
Cybercriminals often follow a publicised breach with phishing messages that pose as the fund's security team and ask you to "verify" your login.
Don’t:
- Click suspicious links
- Enter credentials on unknown sites
- Call numbers from emails or texts
Instead, type your super fund's address into the browser yourself, or install its app from the official app store.
4. Monitor Account Regularly#
- Log in at least once a month
- Check for contact or bank detail changes
- Review transaction history for unauthorized actions
5. Report Issues Promptly#
If you suspect a breach:
- Contact your fund immediately
- Report it to Scamwatch (the ACCC's scam reporting service), IDCARE (Australia's identity and cyber support service) or AFCA (the Australian Financial Complaints Authority)
- Ask the fund to place a temporary lock on withdrawals and detail changes