For many Australians, super is their second biggest asset after their home.

It's vital, then, that the government and super funds do all they can to protect your hard-earned retirement income from thieves and scammers.

But Super Consumers Australia has found that not all funds have taken even the most basic measures, such as implementing multi-factor authentication to identify suspicious transactions and prevent scams and fraud. 

Scams and fraud are on the rise

Heather Gray, lead Ombudsman for superannuation at the Australian Financial Complaints Authority (AFCA), told Super Consumers Australia that scams in super can be "devastating" for Australians. 

"We've seen cases where somebody's whole superannuation account [has been stolen], and they're left without any superannuation savings that they've worked their entire life to build up."

There are two distinct types of scams that happen in super:

• A criminal tricks a fund member into transferring their super to them as a scam investment, either via establishing a self-managed super fund (SMSF) or – for retired members – transferring directly from their super account. The scammer then steals their money.
• Early access scams, where a scammer induces a fund member to withdraw their super early illegally. The scammer may charge a high fee for this service or use the information-gathering process to steal their personal details and take their money.

Then there are cases of fraud. This is where a thief gets access to someone's super account without their knowledge or involvement, for instance through a hacker stealing personal details from online databases.

Super funds falling behind banks on security

Gray says that AFCA has the "very strong impression" that super funds have fallen behind the banks in their ability to detect and prevent scams and fraud.

She urged funds to continue improving their scam prevention systems and to collaborate on a "shared understanding… as to what measures will be taken and to make sure that as far as possible, systems are strengthened so that it's very difficult for scams or frauds to get through".

Gray adds that the level of scam prevention at super funds varies widely.

Multi-factor authentication could protect members

Jo Brennan, chief operating officer at Aware Super says that all super funds should have multi-factor authentication (MFA) in place in their digital environments.

"MFA is an effective way to help protect members from unauthorised transactions and scams," she says.

Multi-factor authentication is an effective way to help protect members from unauthorised transactions and scams

Jo Brennan, COO Aware Super 

"Implementing MFA does result in some added complexity for members logging on but the benefits and risk mitigations significantly outweigh these costs."

Brennan says that scammers trying to fraudulently create super accounts to steal people's super "is one of the most rapidly emerging threats to members". She urges anyone who thinks they have been a victim of a scam or unauthorised transaction to contact their super fund immediately.

How AFCA rules on super scams

If people complain to their fund about a scam and the fund doesn't resolve the matter to their satisfaction, they can then take the complaint to AFCA. This dispute resolution body can order super funds to repay the victim where the fund is liable for the loss.

Super Consumers Australia has been calling for funds to be required to enable multi-factor authentication to prevent scams. Gray says whether funds have enabled this security measure isn't in itself enough to determine whether a fund is liable. 

AFCA can order super funds to repay the victim where the fund is liable for the loss

"We would look at the whole of the circumstances and then assess whether the [super fund] acted fairly and reasonably in not compensating the member for the loss they suffered."

Instead, AFCA determines whether a super fund has acted with proper prudence, by looking at:

• whether the fund followed its own business rules and administrative controls
• if there were any 'red flags' on the transaction that should have put the fund on notice
• whether the fund's actions met the standard of industry expectations
• whether the fund's decision was fair and reasonable in relation to the specific complaint (not an overall view of the fund's cybersecurity setup)
• any relevant prudential standards and guidance letters.

Rebekah Sarkoezy, policy manager at Super Consumers Australia, says funds should be held to a much higher standard.

Case study: No compensation for 'Charlie'

A company contacted Charlie (not his real name) and told him he could start an SMSF to have more control over how his super was invested. He gave them some personal information to facilitate them setting up an SMSF. 

Shortly after this, and without Charlie's knowledge, the company contacted his super fund and posed as him to submit a request to transfer the money into an SMSF controlled by the alleged scammer. The fund approved the transfer, and his money was gone.

Charlie lost more than $220,000, plus the earnings on this money. He complained to his fund, but they refused to pay him back. He then complained to AFCA.

The fund approved the transfer, and his money was gone

Charlie said the fund should have been put on notice that there was something strange about the rollover request and checked with him whether it was a legitimate request, or at least used two-factor authentication before releasing his money. He argued that things didn't add up about the transfer request – the home address on the SMSF documentation didn't match the home address the fund had on file. Charlie also said the alleged scammer provided documents that were clearly forged, including the stamp of a Justice of the Peace who lived in another state.  

AFCA said that the Australian Prudential Regulation Authority (APRA), the super fund regulator, doesn't specifically oblige a fund to check the SMSF documentation before making a transfer, nor does it legally require a fund to use multi-factor authorisation for money transfers. 

The AFCA decision said they were "extremely sympathetic" to Charlie, but they found the fund did nothing wrong. They suggested he take up the matter with the police. 

Super Consumers Australia has chosen not to name the fund.

Sarkoezy says that multi-factor authentication and proper checks and balances would have provided ag time and security barrier in this case.

Why new rules are needed to stop scams

Despite the clear harm these scams do, there are no specific consumer obligations for how super funds should respond to scams and fraud.

Super Consumers Australia is calling for the government to introduce an anti-scam code specifically for super, and the code should be enforced by the Australian Securities and Investments Commission (ASIC). The code would provide an added layer of protection and help the super industry respond to super scams. 

The Australian Securities and Investments Commission (ASIC) could enforce the anti-scam code. This code should:

• require super funds to put effective scam monitoring systems in place 
• prevent scams where a fund member is pressured into working with a scammer by collecting information to determine where a transaction raises a 'red flag'
• make sure any staff involved in preventing and responding to scams have enough training to do their job effectively
• require super funds to resource their customer services so they can effectively respond to member queries about potential scams. This should include having methods to respond quickly where there's an opportunity to prevent a loss
• compel super funds to participate in information sharing networks so they are up to date on scams and can identify and prevent new types of scams
• require funds to provide support services for scam victims
• require funds to work with banks to reimburse scam victims when they haven't met their obligations.

Sarkoezy says it's also important that APRA tighten the loopholes so that people like Charlie can stop transfer requests they didn't authorise.

How the UK cracked down on pension scams

This type of fraud was rife in the United Kingdom before the government introduced new measures to combat scams targeting retirement funds. 

In the pension system, the UK equivalent of super, an estimated 19 million pounds were lost in suspected scams between April 2015 and March 2016. The government reviewed the pension system and made some changes in 2016 to prevent scams. Some of the initiatives they implemented included:

• banning cold calls about retirement funds (see our call to prohibit these calls in Australia)
• Introducing restrictions around transferring money in retirement funds.
• Requiring more identification before people can open new retirement accounts.

Another important step came in 2021 when the government brought in new regulations around transferring retirement funds. These rules mean funds have to do certain checks before making a transfer – a step that provides the opportunity for funds to intervene when a proposed transaction looks like a scam.

The system may have prevented up to 40 million pounds worth of scams

These checks give people an extra layer of protection, as their fund has to collect information about the proposed transfer and identify whether it raises any "amber flags" or "red flags". When one of these flags is raised, the fund member needs to attend an appointment (called a "safeguarding meeting") with the Money and Pensions Service to make sure the transaction is legitimate. The UK government also provides guidance to funds on what suspicious transactions look like. 

In Australia, there have been cases where people want to legitimately move or withdraw their super and are unhappy when their fund is slow to process this request. But the UK experience shows this added layer of security shouldn't unreasonably delay access to funds, and only around 1% of transfer requests raised an amber or red flag in a 12-month period.

The UK government estimates that it stopped around 2000 possible scams that raised an amber or red flag between December 2021 and February 2023. The system may have prevented up to 40 million pounds worth of scams.

Time for action to protect Australians from scammers

Sarkoezy says it's time for a strong, industry-specific code that holds super funds to account when it comes to scams.

"It's devastating for any Australian to have their retirement plans shattered by a scam. We've already seen too many people losing their hard-earned money. It's time for strong action to hold super funds to account on preventing scams and fraud."

This content was produced by Super Consumers Australia which is an independent, nonprofit consumer organisation partnering with CHOICE to advance and protect the interests of people in the Australian superannuation system.

Stock images: Getty, unless otherwise stated.

Join the conversation

To share your thoughts or ask a question, visit the CHOICE Community forum.

Visit CHOICE Community