In the wake of recent cyber-attacks on several large Australian super funds, you might be wondering how to protect your retirement savings.

The past few years have seen significant data breaches from well-known Australian companies outside of the superannuation sector, exposing a huge amount of consumer personal identity information. The cyber-attacks on superannuation funds reportedly used a technique called “credential stuffing” where cyber criminals used personal information stolen in previous data breaches (like email addresses and passwords) to attempt to access member accounts.

The attacks were timed for the early hours of the morning when most account holders would be asleep and unlikely to notice suspicious login attempts or account changes, and targeted members in the pension drawdown phase who are able to request lump sum withdrawals.

Most funds indicated that their member accounts and retirement savings were secure and that members had not lost any money following the attacks. One super fund revealed a small number of members had lost a combined $500,000 during the cyber-attack, but said it would make remediations out of fund reserves.

Here are some practical steps you can take to help keep your super safe:

• Keep track of your super account: The best defence is regular monitoring. Check your balance periodically, verify employer contributions are coming through, review your insurance cover, examine your annual statement, and ensure your contact details are current.
• Upgrade your passwords to passphrases: Never reuse passwords across different accounts. Instead, create a passphrase, which is a sentence or mix of four or more words that’s easy for you to remember but difficult for others to guess. Include a combination of upper and lowercase letters, symbols and numbers, and aim for at least 14 characters.
• Enable Multi-Factor Authentication (MFA): MFA adds an extra layer of protection by requiring two or more verification methods to access your account. This typically combines something you know (password/PIN), something you have (mobile device/security token), or something you are (fingerprint/facial recognition). Check if your super fund offers MFA and enable it if available.
• Protect your devices: Secure all devices you use to access your super account. Use strong passwords or passcodes, set up biometrics where possible, enable auto-lock when not in use, and activate “find your device” services so you can lock or wipe your device if it’s stolen.
• Be wary of unsolicited communications: Take your time to verify the identity of anyone contacting you unexpectedly. Don’t click links in suspicious emails or texts. Contact your fund directly using the official contact details from their website.
• Report suspicious activity: Alert your super fund immediately if something doesn’t seem right with your account or if you receive suspicious communications.