It’s the culmination of a life’s work. But that superannuation balance, and all it offers, is not just your golden ticket — increasingly, scammers see it that way, too.
The Australian Criminal Intelligence Commission says law enforcement activity and intelligence gathering suggests organised criminal involvement in superannuation fraud in Australia may be more significant than previously thought.
David Lacey is on the front line protecting victims from scammers at the charity IDCare, and said they have dealt with six such cases in the past four weeks.
For one victim, the first sign something was wrong was when an application for a car loan was rejected. He looked up his credit score and saw applications for phone contracts and financial products he’d never authorised. The real horror of the identity theft came a few months later, when he received a statement from his superannuation provider showing that $145,000 had been rolled over into a self-managed super fund in his name. That case is still in dispute, and it is up to the victim to track what identifying information was compromised.
“Superannuation is the perfect target because most of us won’t hear regularly from our super fund, particularly in the accumulation phase,” Lacey says. “A bank statement comes every 30 days, whereas a super statement comes a few times a year. For a criminal, that’s gold because it gives them time.”
Organised global criminal gangs have cottoned on to the large balances that pre-retirees and retirees are sitting on. They are targeted in investment scams and, because this cohort tends to be less tech-savvy, they are also easy targets for cyberfraud like identity theft.
According the ACCC’s Scamwatch portal, those nearing retirement age and those over 65 lost the most money to investment scams, with most of the $14 million lost so far this year lost by this age group. In 2018, almost $20m was fleeced from the 55-and-over cohort alone. Over 65s lost more than $3.5m in 2018 from identity theft.
According to Brendan Hopper, general manager at Commonwealth Bank’s cybersecurity centre, fraudsters are increasingly using social media to identify potential targets.
“We’re seeing them using social media platforms to find the most vulnerable customers, identifying people who are on the cusp of retirement age or who have retired and who have just lost someone, like widows, where there’s a chance there that the remaining member of the couple isn’t the one who managed the finance so will be more susceptible to fall for a scam,” he says.
Social media is also fertile territory for scammers to harvest information that could help crack passwords.
“Lots of people still use passwords that are easy to guess; their children’s names, their pet’s name, the name of a deceased loved one, maybe with a number on the end such as birth dates. Particularly, this generation of people may use those kind of passwords and also they may be less likely than other generations to be private with their social media, so a lot of that information is publicly available,” Hopper says.
The goal of the scammers is to get access to enough details to pass identity checks, either by impersonating victims over the phone, or by using that personal data to help crack victims’ email passwords, and account logins.
With far greater balances in a super account than the average bank account, criminals will use hacked passwords to intercept emails, watching over them and waiting for the right moment to strike.
“Customers need to be aware that scammers are increasingly targeting their nest eggs in their superannuation. Given the amount in super, they are more willing to invest time in a particular victim,” Hopper says.
“Once they have those details they’ll transfer the money out into another bank account, often offshore, then they’ll use a network to transfer it multiple times to make it more difficult for financial institutions to recover.”
One couple currently being assisted by IDCare lost $55,000 to a password-related scam. In this instance, they were tricked by a phone call from someone purporting to be tech support telling them their computer was hacked and they would fix the problem.
Once they gained access to their email password, the scammers probably used that password to access the autofill passwords on their device, allowing access to their super account. The victim fixed the email password issue immediately, but only discovered the money was stolen three weeks later.
“Never provide access to your accounts to someone who calls you out of the blue,” Lacey says. “These people will most likely be on welfare now.”
Phone or email-based contacts are still one of the most common methods of attack on victims. Phishing attacks come from fraudulent emails purported to come from a trusted institution such as a bank, and are aimed at getting the recipient to download malware, or put their details into a spoof site.
Hopper recommends that any message from an organisation requiring recipients to call a number should be treated with caution, and account holders should look up contact numbers directly via the phone book, or the company’s direct website — not via the link sent via email.
Hang up on someone pressuring you into making a financial decision, whether on the phone or via email. “Never allow them to get you panicked,” Hopper says.
Hopper adds that too many superannuants are not applying the same protections to the superannuation logins as they would their bank accounts.
He advises to never use the same password across multiple websites and add two-factor authentication to email accounts, preventing scammers from accessing emails remotely.
For more information go to fraudwatchaustralia.com.au
By Jackson Hewett
The Australian Business Review
18 June 2018