---
url: 'https://www.corbado.com/faq/protect-superannuation-account-cybersecurity'
title: 'What measures to protect super accounts from cyberattacks?'
description: 'Learn the top security measures to protect your superannuation account from cyberattacks and credential stuffing. Expert tips for all Australians.'
lang: 'en'
---

# What measures to protect super accounts from cyberattacks?

## What security measures should I take to protect my superannuation account from cyberattacks?

To protect your superannuation account from cyberattacks, use a strong, unique password,
enable multi-factor authentication (MFA) and regularly check your account for suspicious
activity. The recent wave of super fund attacks - including AustralianSuper, Rest, and
Insignia - relied on [credential stuffing](https://www.corbado.com/glossary/credential-stuffing): the attackers did not
break into the funds' systems, they logged in with passwords that members had reused and that
had leaked in earlier, unrelated breaches.

## Top security measures

- **Use a unique password** that’s long, random, and never reused across services.
- **Enable multi-factor authentication (MFA)** if your super fund supports it.
- **Review account activity** and update details regularly.
- **Avoid clicking on links in emails or SMS claiming to be from your fund.**
- **Use a password manager** to store and generate secure logins.

These small habits can prevent massive financial loss—especially since super accounts
often go unchecked for long periods.

> - Protect your super account by using strong, unique passwords and enabling MFA.
> - Review your login history and account details regularly for unauthorized changes.
> - Avoid [phishing](https://www.corbado.com/glossary/phishing) by accessing your super fund only through official
>   websites.
> - Use a [password manager](https://www.corbado.com/blog/passkeys-vs-password-managers) to prevent password reuse
>   across services.

---

## Why Super Accounts Are High-Value Targets

Superannuation accounts are attractive to cybercriminals because:

- They contain **large balances**, especially for retirees.
- Users don’t log in frequently, giving hackers time to act unnoticed.
- [Super funds](https://www.corbado.com/blog/superannuation-funds-mfa-fsc-29) often allow **bank detail changes
  and withdrawals online**, making them vulnerable without MFA.

## How Hackers Access Accounts

In the April 2025 attack, criminals didn’t hack the systems of AustralianSuper or Rest -
they simply logged in using **stolen passwords** from previous data breaches. This method
is known as **credential stuffing**.

Once inside an account, they then attempted to:

- Change the email address and mobile number on file, so the real member stops receiving alerts
- Update the bank account details that payments are sent to
- Initiate withdrawals (particularly for members aged 60+, who are old enough to access their super)
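The sequence above (one source trying many different member ids, a few passwords accepted, then contact or bank details changed) is exactly the pattern a fund's login logs would show. The following is an added example of the detection logic, not code from Corbado or from any super fund. The log format, event names and thresholds are assumptions, and the sample log lines are constructed to illustrate both a stuffing run and a legitimate member who mistyped their password.

```python
"""Credential-stuffing detection over a constructed sample of login and
account-change events. Added illustration; log format, event names and
thresholds are assumptions, not any fund's real schema."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample, assumed format: timestamp, source IP, member id, event, outcome.
# 203.0.113.7 tries ten different members with leaked passwords (two succeed, then
# one of those accounts gets its email and bank details changed). 198.51.100.5 is a
# real member who mistypes their password twice and then updates their email.
SAMPLE_LOG = """\
2025-04-01T02:00:01Z 203.0.113.7 m1001 login FAIL
2025-04-01T02:00:02Z 203.0.113.7 m1002 login FAIL
2025-04-01T02:00:02Z 203.0.113.7 m1003 login FAIL
2025-04-01T02:00:03Z 203.0.113.7 m1004 login OK
2025-04-01T02:00:04Z 203.0.113.7 m1005 login FAIL
2025-04-01T02:00:05Z 203.0.113.7 m1006 login FAIL
2025-04-01T02:00:06Z 203.0.113.7 m1007 login FAIL
2025-04-01T02:00:07Z 203.0.113.7 m1008 login OK
2025-04-01T02:00:08Z 203.0.113.7 m1009 login FAIL
2025-04-01T02:00:09Z 203.0.113.7 m1010 login FAIL
2025-04-01T02:03:00Z 203.0.113.7 m1004 change_email OK
2025-04-01T02:04:10Z 203.0.113.7 m1004 change_bank_account OK
2025-04-01T09:15:00Z 198.51.100.5 m2001 login FAIL
2025-04-01T09:15:20Z 198.51.100.5 m2001 login FAIL
2025-04-01T09:15:45Z 198.51.100.5 m2001 login OK
2025-04-01T09:20:00Z 198.51.100.5 m2001 change_email OK
"""

# Actions an attacker takes after a successful stuffing hit (assumed event names).
SENSITIVE_EVENTS = {"change_email", "change_mobile", "change_bank_account", "withdrawal"}


def parse_log(text):
    """Parse one event per line into dicts; the five-field format is assumed."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, member, event, outcome = line.split()
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "ip": ip, "member": member, "event": event, "ok": outcome == "OK",
        })
    return events


def stuffing_sources(events, min_attempts=8, min_distinct=5, min_fail_ratio=0.6):
    """Return {ip: stats} for source IPs whose login pattern looks like credential
    stuffing: many attempts, spread over many *different* member ids, mostly failing.
    A single member retrying one account fails the distinct-account test and is
    not flagged, which is what separates stuffing from ordinary forgotten passwords."""
    per_ip = defaultdict(lambda: {"attempts": 0, "fails": 0, "members": set()})
    for e in events:
        if e["event"] != "login":
            continue
        s = per_ip[e["ip"]]
        s["attempts"] += 1
        s["fails"] += 0 if e["ok"] else 1
        s["members"].add(e["member"])
    flagged = {}
    for ip, s in per_ip.items():
        ratio = s["fails"] / s["attempts"]
        if (s["attempts"] >= min_attempts and len(s["members"]) >= min_distinct
                and ratio >= min_fail_ratio):
            flagged[ip] = {"attempts": s["attempts"], "distinct": len(s["members"]),
                           "fail_ratio": round(ratio, 2)}
    return flagged


def at_risk_members(events, flagged_ips, window=timedelta(minutes=30)):
    """Members whose password was accepted from a flagged IP (the hits of the
    stuffing run), and the subset that then had a sensitive change within
    `window` of that login. The first set needs a forced password reset; the
    second needs the change reversed and the member contacted out of band."""
    hits = {}  # member -> time of first successful login from a flagged IP
    for e in sorted(events, key=lambda ev: ev["ts"]):
        if e["event"] == "login" and e["ok"] and e["ip"] in flagged_ips:
            hits.setdefault(e["member"], e["ts"])
    changed = set()
    for e in events:
        t0 = hits.get(e["member"])
        if (t0 is not None and e["event"] in SENSITIVE_EVENTS and e["ok"]
                and t0 <= e["ts"] <= t0 + window):
            changed.add(e["member"])
    return set(hits), changed


def analyse(text):
    """Run the full pipeline on a log and return (flagged IPs, hit members, changed members)."""
    events = parse_log(text)
    flagged = stuffing_sources(events)
    logged_in, changed = at_risk_members(events, flagged)
    return flagged, logged_in, changed


if __name__ == "__main__":
    flagged, logged_in, changed = analyse(SAMPLE_LOG)
    for ip, s in flagged.items():
        print(f"stuffing source {ip}: {s}")
    print("accounts the attacker could log into:", sorted(logged_in))
    print("accounts with sensitive changes after that login:", sorted(changed))
```

Two design points carry over to real deployments: the distinct-member-id test is what keeps the alert volume down, because failed logins on their own are dominated by legitimate typos, and a successful login from a flagged source is already an incident even when nothing has been changed yet, since the attacker now holds a working password for that member.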

## Recommended Security Measures

### 1. Use a Password Manager

These tools help you:

- Generate unique passwords for each account
- Store them securely
- Avoid password reuse (a major risk factor)

### 2. Enable Multi-Factor Authentication (MFA)

MFA is one of the most effective ways to block unauthorized access, even if your password
is stolen, because a leaked password on its own is no longer enough to log in. Many [super funds](https://www.corbado.com/blog/superannuation-funds-mfa-fsc-29) now offer:

- SMS codes (the weakest option: codes can be intercepted through SIM swapping or phished)
- [Authenticator](https://www.corbado.com/glossary/authenticator) apps (stronger, though a one-time code can still be phished)
- Passkeys or biometric options (rare but increasing; a passkey is bound to the fund's real website, so it cannot be used on a phishing site)

Enable the strongest option your fund offers. If your fund doesn’t offer MFA at all, consider contacting them or even switching funds.

### 3. Stay Alert for Phishing

Cybercriminals may follow up on breaches with [phishing](https://www.corbado.com/glossary/phishing) messages.
Don’t:

- Click suspicious links
- Enter credentials on unknown sites
- Call numbers from emails or texts

Instead, type your super fund’s web address yourself or use a saved bookmark, and install its app only from the official app stores.

### 4. Monitor Account Regularly

- Log in at least once a month
- Check for contact or bank detail changes
- Review transaction history for unauthorized actions

### 5. Report Issues Promptly

If you suspect a breach:

- Contact your fund immediately
- Report it to **Scamwatch**, **IDCARE**, or **AFCA**
- Consider a temporary account lock
