Imagine checking on your super balance one morning, only to find the whole balance gone. Surely, there’s been a mistake, right?
You call your fund, and they confirm that the transaction is legitimate, and was made after a request to transfer the balance to a self-managed super fund (SMSF). But hang on, how can somebody else request a transfer of your super balance to their account?
Because they didn’t make the request. According to official records, you did. And it was your SMSF the funds were transferred to – or at least one with your name on it.
Super drained through ATO leak
This was the situation faced by one Reddit user earlier this week, who posted on the social media site detailing their experience. The user explained they were initially trying to access their account with the Australian Taxation Office (ATO), when they ran into a problem.
“Couldn’t log into ATO which I thought was strange,” the user said.
“Turned out it had been locked and then after contacting ATO, learned someone had managed to bypass security and proceeded to make small amendments to my tax returns, getting payments from the ATO.”
OK, so cybercriminals have gained access to someone’s tax account, how does that allow a scammer to steal all of your super?
“I then learned that they had them submitted a fund rollover to a trust account and took all my super,” the user said. Right then, that will do it.
The user explained that the hacker, using the tax file number (TFN) gleaned from the ATO website, had submitted a fund transfer request to the user’s super fund Hostplus.
Withdrawing super before reaching the preservation age is illegal, even if you’ve fully retired. But it is legal to transfer the balance to another super fund – including an SMSF. By their nature, these types of super funds can be difficult to police as they are being administered privately.
Once that money hits the account of the fraudulent SMSF, it is then funnelled out to the criminals through their normal laundering channels. By the time tax authorities are aware super has been withdrawn illegally, the money – and the criminals – are long gone.
“Still don’t know how it happened,” the Reddit user said.
“Somehow, they had faked my identity and gained access to ATO. What gets me is that with Hostplus there was no verification email, SMS, nothing.”
The user explained they had security measures in place for both the ATO and Hostplus accounts. Part of the problem in this situation is the fact that it takes relatively few pieces of identification in order to action a super transfer request.
As long as you have a person’s name, address, date of birth and crucially – their TFN – the transfer request should be honored.
“I feel violated and absolutely devastated,” the user’s post concludes.
How to avoid scams like these
Make sure you’re checking your super balance regularly through your super fund’s official website. Check for any unusual transfer requests, personal info changes or any other activity on the site not initiated by you.
If you’re not already, make sure you’re using two-factor authentication for all you online accounts and make sure all your personal details are up to date.
If you are contacted by anyone claiming to be acting on behalf of your super fund, end the communication and contact your fund to check. When contacting your fund, make sure you source any phone numbers or email addresses yourself.
Use a contact method you have sourced yourself, as the one you’ve been given may be fake. Your super fund will be able to verify if the contact was authorised by them.
Scammers may also try to convince you that they can help access your super early – which is only possible under very strict circumstances.
When was the last time you checked your super balance? Have you ever experienced a scam like this? Let us know in the comments section below.
Also read: Women still retire with 25 per cent less super, research finds