SMSFs need to lift game on cybersecurity as scammers run rampant

The spectacular cyber attack on super was aimed at larger funds – but SMSFs are equally exposed to new risks – here’s what to do.

Words by Shelley Banton, head of technical at ASF Audits, for The Australian.


Security in self-managed super funds comes in all shapes and sizes. Tech-savvy SMSF trustees will have multi-factor authentication (MFA) enabled for all their investments, while others will happily rely on a sock drawer to store passwords.

In the wake of recent cyber attacks on APRA-regulated funds, it would be naive to assume that cybercriminals would ignore SMSFs with $1 trillion in total assets.

Key statistics from the National Anti-Scam Centre show more than $134m in losses between January 1 and June 30, 2024.

Most importantly, people aged 55 and over accounted for 47.6 per cent of those losses.

With 38 per cent of all SMSF members in retirement as of June 2024, SMSFs remain vulnerable to hackers who would readily take advantage of the technologically challenged in this cohort.

As a result, SMSFs remain high on the ATO’s and ASIC’s watchlists to ensure they stay protected.

While the controlling regulations around super, known as “SIS”, are silent on security technology, the operating standards under s52 SIS call for trustees to perform their “duties and exercise powers in the best financial interests of the beneficiaries”.

The rules also say trustees should exercise care, skill and diligence for fund investments.

Which raises the question: where trustees are not employing security measures to their fullest extent, are they acting in the best interests of the members?

Moreover, could this open the door to potential litigation if the fund incurred a financial loss and there was a dispute, divorce or disagreement?

The Australian Cyber Security Centre (ACSC) recommends using multi-factor authentication because it defends against the majority of password-related cyberattacks.

MFA requires a combination of two or more factors to access an account, such as a PIN, facial recognition or an authenticator app.

Using more factors distinguishes legitimate users from hackers, making it harder for attackers to impersonate good actors or employ brute force methods.


Are SMSFs cyber resilient?

There are two components to SMSFs being cyber resilient: direct and indirect risk management.

Trustees have direct control over investment accounts they have access to, such as bank and brokerage accounts. Enabling MFA will ensure maximum security and be the first line of defence against hackers.

As some high-risk investments are more prone to fraud than others, trustees must put in place sophisticated security measures to ensure the recoverability and safety of their members’ retirement savings.

In other words, a sock drawer no longer cuts it.

Cryptocurrency and digital assets attract criminal activity because they are not classified as financial products. SMSFs holding them can be exposed to illegal operations, including phishing scams, theft and collapsed crypto trading platforms.

The best practice is for an SMSF to use a crypto exchange with an AFSL licence, which complies with Austrac-regulated AML/CTF legislation and has a sound reputation. Security of other investments, such as overseas assets, unlisted entities and property, also comes with its share of problems.

An unsolicited offer of an investment with high returns, encouraging early withdrawals and requesting high-level personal details, is a red flag.

While SMSF financial losses are bad enough, identity theft is often a worse outcome, with members experiencing personal financial ruin, credit issues and emotional distress.

ASIC has wound up 95 companies that may have been involved in facilitating scam activities and warns all consumers to remain vigilant.

The companies were associated with websites and apps to trick consumers into investing in phony foreign exchanges, digital assets or commodity trading.

Unfortunately, ASIC has said that these scams are like hydras; when one is shut down, two more take its place.


The following security measures are crucial to protect SMSFs:

- Avoid clicking on account sign-in hyperlinks received from SMS or emails.
- Do not share MFA codes or approve unknown sign-in attempts.
- Use MFA whenever possible.
- Select strong passwords.
- Regularly update computer software.
- Research websites before making any online payments.
- Review email addresses, bank statements and recipients of money beforehand.

Cyber resilience is most effective as a shared responsibility between all parties.

SMSF professionals should educate their trustee clients on adopting robust security measures to safeguard fund investments and personal data. Partnering with SMSF experts who use best-practice control technologies is the other step.

Shelley Banton is head of technical at ASF Audits.

This article first appeared in The Australian. 
