For many Australians, superannuation is the nest egg we’re counting on for a comfortable retirement. It’s the result of decades of hard work, careful planning, and a little bit of hope that the system will look after us when we need it most.
So, the idea that someone could swoop in and steal your super is enough to send a chill down anyone’s spine, especially after the recent cyber attacks that have shaken the industry.
If you’ve just discovered your super account has been hacked, or you’re worried it could happen to you, you’re not alone. Let’s break down what happened, what you should do right now, and how to protect your future savings.

In early April 2025, several major Australian super funds—including AustralianSuper, Australian Retirement Trust, Hostplus, Insignia Financial, REST Super, and later CBUS Super—were targeted in a sophisticated cyber-attack.
Hackers used stolen login credentials found on the dark web to access members’ accounts. The result? Money was stolen from super accounts for the first time—about $500,000 from AustralianSuper members.
The breach was made possible, in part, by a lack of multi-factor authentication (MFA)—that extra step (like a text message code) that makes it much harder for criminals to get in, even if they have your password.
While only a few people lost money this time, the incident is a wake-up call for all of us. If you use the same password for multiple accounts, or if your details have ever been leaked in a data breach (and let’s face it, most of us have been caught up in one by now), you could be at risk.
Super funds are a goldmine for cybercriminals because they hold billions of dollars in assets, and most people don’t check their super accounts as often as their bank accounts.
Plus, with the rise of online account management, your super is only as secure as your login details. If you’re still using your dog’s name and birth year as your password, it’s time to rethink.
The Association of Superannuation Funds of Australia and individual funds are working to improve security, but the details are still emerging.
Some funds are now fast-tracking the rollout of MFA and reviewing their security protocols. But as we’ve seen, it pays to take your own precautions rather than wait for the industry to catch up.
If your fund doesn’t offer MFA or you’re unhappy with its response, you might want to consider switching to a fund with stronger security measures.

Most common super scams
Let’s start by analysing the most common super scams and how they work.
1. Phishing for your personal details
Scammers might call, email, or message you pretending to be from your super fund, a bank, or even a government agency like the ATO.
They’ll often use official-sounding language and may even have some of your personal information already (especially if there’s been a recent data breach).
These are the signs to look out for:
- Unsolicited contact asking for your super or bank details
- Emails with links or attachments
- Requests for your myGov login or other sensitive info
Once they have your details, they can:
- Open a new super account in your name and transfer your funds out
- Access your myGov account and steal your super
- Commit identity theft or other fraud
2. Fake Self-Managed Super Fund (SMSF) offers
Some scammers will try to convince you to move your super into an SMSF that they control. They might promise:
- Higher returns or exclusive investment opportunities (often in things like cryptocurrency or overseas bonds)
- To ‘take care of everything’ so you don’t have to lift a finger
- Access to your super before you’re legally allowed
They may even show you fake apps or websites with impressive (but false) investment returns. Once your money is in their hands, it’s usually gone for good.
3. Early access scams
It’s illegal to access your super before you reach preservation age (usually 60) unless you meet particular conditions (like severe financial hardship or terminal illness).
Scammers might offer to help you ‘get your super out early’ for a fee, often by filling out paperwork on your behalf. Not only is this a scam, but you could also face hefty tax penalties and lose your retirement savings.
What to do if you think you’ve been targeted
If you suspect you’ve been scammed or notice something suspicious with your super, act quickly:
- Contact your super fund immediately and let them know what’s happened.
- Report the scam to Scamwatch and the ATO at 13 10 20.
- Change your passwords and review your account security.
- Speak to someone you trust—a family member, an accountant, or a licensed financial adviser.

How to protect yourself from super scams
Now that you know how these scams work, here’s what you should do to prevent them.
1. Check your super regularly.
Log in to your super fund’s website (using your bookmarked link, not one from an email or text) and check your balance and recent transactions. Look for:
- Unusual withdrawals or transfers
- Changes to your contact details
If anything looks off, contact your super fund immediately.
2. Strengthen your account security.
To secure your super and myGov accounts, use a strong password for each one that you don’t use for any other online account; a password manager makes this easy to keep up.
Additionally, take advantage of multi-factor authentication if your super fund provides this option; it adds an extra layer of protection.
Don’t forget to keep your contact details up to date with your fund. This ensures they can reach you promptly in case of suspicious activity, keeping your account secure and giving you peace of mind.
3. Be wary of unsolicited offers.
If someone contacts you out of the blue about your super, hang up or delete the message. Then, contact your super fund directly using a phone number or website you’ve found yourself (not one provided in the message).
4. Know the rules about accessing your super.
You generally can’t access your super until you’re at least 60 and retired, or meet specific conditions. Anyone who says otherwise is either misinformed or trying to scam you.
5. Only deal with licensed professionals.
Check if a financial adviser or company is licensed using ASIC’s Professional Registers. Be wary of anyone who can’t prove their credentials or tries to rush you into making decisions.
6. Protect your identity.
Before discarding any personal documents, take the time to shred them. This simple step helps prevent identity theft by ensuring others cannot easily access sensitive information.
Be mindful of the information you post on social media platforms. Avoid sharing personal details such as your date of birth, home address, or superannuation fund information. Malicious actors can exploit these details and put your privacy at risk.
Have you ever had a close call with your super, or do you have tips for staying secure online? Share your experiences and advice in the comments below—your story could help someone else avoid becoming a victim.