Fresh super twist after Aussie worker's $100,000 'violation': 'Rapidly emerging threat'

Aaron was terrified when he discovered his retirement nest egg had been transferred to someone else without his approval.

Aaron Willcox is worried his retirement will have to be delayed if he can't get the money back. (Source: Supplied)

An Australian worker fearing for his retirement after his $100,000 superannuation was drained still has no answers about how his myGov account was breached. Aaron Willcox's world was turned upside down last week when he discovered his retirement nest egg had vanished.

The Melbourne man told Yahoo Finance he discovered his Hostplus superannuation "didn't exist" when he reset his Australian Taxation Office (ATO) account after someone changed his bank account details and siphoned off hundreds of dollars. He said he felt "violated and absolutely devastated".

"There was nothing there except for four documents, and those documents outlined how, on the 16th of June, someone had decided to roll over my super into another super fund and then close my account," he said.


"What does retirement mean now? Do I have to start again? Do I have to work till I die?"

Hostplus and the ATO told Yahoo Finance they were investigating, and hours after publication the superannuation fund was able to deliver some good news.

"Hostplus can confirm that a freeze has been placed on the transferred funds and they are in the process of being returned to the member’s account," a spokesperson told Yahoo Finance.

"Hostplus wants to reassure members that this matter was not caused by a breach of our systems or controls, but occurred as a result of a compromised myGov account.

"The security of the myGov platform is outside of the control of Hostplus however, proactive monitoring remains in place to identify and mitigate unauthorised transactions on our member accounts."

Services Australia told Yahoo Finance Willcox's breached account was not emblematic of a wider issue with myGov.

"The myGov platform remains secure and has not been compromised. We have robust protections in place and regularly update and strengthen our systems," a spokesperson said.

The ATO added that if an individual sees "unusual activity" on their account, it may be related to identity theft.

"When the ATO has intelligence that a taxpayer’s identity may be compromised, we activate stringent security measures to protect the taxpayer," the ATO told Yahoo Finance.

Willcox said the funds being frozen was a great step forward but he still had big concerns about how his account was accessed and his superannuation transferred without his consent, or even a forged signature.

"When they gain access to the ATO...I guess it's one of your most private possessions in some way," he said. "It's your setup, your nest egg.

"And they can just get in, and they're pushing out rollovers to whoever's super. And they've [ATO and Hostplus] just accepted that it's all great."

The fairly "tech savvy" man, who has systems in place to protect his accounts and passwords, is terrified his identity has been stolen by a hacker who could be anywhere in the world.

He has no idea how far the violation could go.

Hostplus urged all members to "take precautions" and to "familiarise themselves with the signs of a scam" to help prevent them from becoming another victim.

Willcox said that, as a general rule, he doesn't click on any link he's not 100 per cent sure of, and he has no idea how his account was infiltrated.

myGov said this was a "timely reminder" for Aussies to keep their accounts secure by having unique passwords for every account.

Consumer group CHOICE claimed not all super funds thoroughly check ID, "even for high-risk actions like moving super into a new fund".

Other Australians could be vulnerable to the same type of attack.

Jo Brennan, chief operating officer at Aware Super, said hackers trying to get into Aussies' super accounts "is one of the most rapidly emerging threats to members".

She has urged everyone to set up multi-factor authentication to protect themselves from unauthorised transactions and scams.

There are three distinct types of superannuation scams in Australia at the moment:

  • An account holder can be tricked into transferring their super to a scammer after being promised the money would have a big return on investment

  • Scammers can convince someone to withdraw their super early illegally and the criminal can charge a high fee or use the process to steal the person's private information, which can be used down the track to steal more money

  • Fraud or identity theft is the third type where hackers gain access to a person's account without their knowledge and then steal personal information or money

If an investigation into superannuation fraud ends without the desired resolution, you can make a formal complaint to the Australian Financial Complaints Authority (AFCA).

The AFCA can force a super fund to repay a victim if the fund is liable for the loss.

Services Australia told Yahoo Finance there are several ways for Aussies to keep their myGov accounts away from scammers and hackers:

  • Having a strong sign-in option helps keep your myGov account safe.

    • Passkeys are now available in myGov and are more secure than passwords. Creating a passkey and turning off your myGov password as a sign-in option makes it harder for scammers to access accounts using stolen usernames and passwords.

    • A Digital ID is another strong sign-in option, and it can also prove who you are when using online services.

    • Or you can use a strong and unique passphrase and 2-factor authentication, such as getting a code sent by SMS.

  • myGov won’t send you a text message or email with a hyperlink asking you to sign in to myGov or share your personal information.

    • Always type my-dot-gov-dot-au into your website browser so you know you have the real myGov website, or use the official myGov app.

  • Where myGov detects unusual activity on your account, myGov will send you a security notification to your preferred email address. myGov may also make you change your password.

  • If you think someone has tried to access your myGov account, check your myGov account history for suspicious activity, and update your sign-in options or change your password.