When Super Goes Bad: What Australians Need to Know About Superannuation Scams

The Cyber Sushi

(serving up the cold facts, with some phish bytes)

Welcome back! Here's what we are covering in this issue:

  • When Super Goes Bad: What Australians Need to Know About Superannuation Scams
  • Introducing IDCARE’s Monthly Blog Series
  • Behind the mask: The Guide to New and Trending Scams
  • Ask IDCARE: ‘Are password managers really safe to use?’

When Super Goes Bad: What Australians Need to Know About Superannuation Scams

For many Australians, superannuation is one of the most important financial safety nets we have. It represents years of hard work and is meant to support us later in life. Unfortunately, superannuation is increasingly being targeted by criminals and scams are affecting people of all ages, not just retirees.

How people are losing their super

There are two common ways people end up losing their super.

The first is through unauthorised access, where criminals get into someone’s super account without their knowledge. This usually happens after another account, such as an email account, mobile phone number (for example through an unauthorised SIM swap or number port) or myGov, has already been compromised. Once criminals control these accounts, they can reset passwords, intercept SMS security codes and make changes to super accounts without the person realising.

The second is through scams, where people are deceived into withdrawing their own super and sending it to criminals. Investment scams are the most common. These scams often begin on familiar platforms like social media and appear professional and convincing. Victims are gradually reassured that the opportunity is legitimate and are encouraged to use their super to ‘invest’ or unlock higher returns.

In these cases, people believe they are making a sensible financial decision but the money is usually unrecoverable once it leaves the super system.

Early access and self‑managed super increase the risk

While many people think super is only at risk once they reach retirement, a significant number of losses happen before retirement age. Early access pathways and self‑managed super funds (SMSFs) can expose people to higher risk, particularly when decisions are made quickly or under pressure.

SMSFs are a common target for scammers because they give individuals greater control but fewer of the safeguards a large regulated fund provides. Criminals often pose as trusted advisers and persuade people to move their entire super balance into high‑risk or fake investments. Once this happens, there is often no way to recover the funds.

Warning signs to watch for

Some common red flags include:

  • You receive notices about changes to your super account that you didn’t make
  • You lose access to your email, phone service, or myGov account
  • You are pushed to act quickly or discouraged from seeking independent advice
  • An investment opportunity promises high returns with little or no risk

Any of these signs should be taken seriously.

How to protect yourself

There are simple steps that can help reduce your risk:

  • Use strong, unique passwords and turn on multi‑factor authentication for email, myGov and banking accounts
  • Check your super account regularly, even if retirement feels far away
  • Be cautious of unsolicited investment offers, especially those found on social media
  • Seek independent advice before making changes to your super

Act quickly if something doesn’t feel right: early action can limit harm.

Introducing IDCARE’s Monthly Blog Series


We’ve also recently launched a new monthly blog series exploring different aspects of scams and cybercrime. The series looks at how falling for a scam is not just a matter of intelligence or awareness, but often of timing, pressure and the psychological tactics used by criminals.

This is the first in an ongoing series, so keep an eye out as we release more. You can read the first blog and find future updates in our latest news section here:
https://www.idcare.org/news

Behind the mask: The Guide to New and Trending Scams

The Fake HotDoc Refund Scam

Australians are being targeted with convincing phishing messages that impersonate the HotDoc booking platform, often claiming you’re eligible for a Medicare refund or have a payment pending. These messages typically arrive via SMS or email and include a link prompting you to ‘update your details’ or ‘confirm your refund’.

In recent cases reported to us, the scam begins with a highly believable message referencing real healthcare activity. One client, who had recently booked multiple medical appointments, received a text that appeared legitimate and was directed to a page asking for personal details including name, address, phone number and card information. After entering these details, the scam escalated quickly.

Within minutes, victims have received follow-up calls from people claiming to be from major banks such as CommBank or ANZ fraud teams. These callers often already know personal details, which increases credibility and pressure. In several cases, scammers have claimed suspicious activity was detected and guided victims through ‘protecting’ their funds.

Tactics used include:

  • Asking victims to confirm banking credentials and account balances
  • Directing them to move money between accounts
  • Introducing unfamiliar systems such as ‘PayTo’ and claiming it ‘insures’ funds (PayTo is a real payment‑agreement service offered through Australian banks, but it does not insure anything; authorising a PayTo agreement lets the other party draw money from your account)
  • Creating urgency by stating transactions are actively occurring
  • Using reference numbers, fake case managers, and follow-up instructions
  • Transferring funds out of accounts into crypto exchanges or third-party services
  • Staying on the phone for extended periods to maintain control and prevent verification

In one case, a victim was kept on the phone for over an hour and persuaded to transfer funds to what they believed was an ‘encrypted account’ for safekeeping. In another, scammers used a combination of fake emails and phone calls to move money through multiple accounts and into cryptocurrency purchases before the victim realised what had occurred. Losses have been significant, and recovery is often difficult once funds leave the banking system.

A key feature of this scam is the seamless transition from a realistic HotDoc phishing message into a sophisticated bank impersonation call, designed to exploit trust, manufacture urgency and overwhelm the victim’s technical understanding.

Our Tips:

  • Treat unexpected refund or Medicare-related messages with caution, even if they reference real appointments
  • Never enter personal or card details via links in SMS or email
  • Remember that legitimate banks will never ask you to transfer money to ‘safe accounts’ or third-party wallets
  • Hang up and independently contact your bank using official numbers if you receive a suspicious call
  • Be especially cautious if someone pressures you to act quickly or stay on the line

If you’ve entered details, act immediately: contact your bank and change your passwords straight away.

Ask IDCARE: ‘Are password managers really safe to use?’

Have a Scam, Identity, or Cyber-Related Question? Ask IDCARE!

Every day, IDCARE supports people affected by scams, identity theft, and cybercrime. Our team draws on extensive real-world experience and deep insight into the online criminal environment to help individuals understand risks and take action.

In this edition of Cyber Sushi, we’re inviting you to submit your question - and the IDCARE team will answer it. Send your questions to [email protected].

Our question today came from someone attending our latest CROC (Cyber Resilience Outreach Clinic) in the Northern Territory, where we were presenting to a regular women’s group who meet at the Australian Red Cross. During a discussion about how to manage long, strong and unique passwords for every account, this question came up: ‘Are password managers really safe to use?’

Hi IDCARE,

We were talking about how hard it is to remember a different strong password for every account, and someone suggested using a password manager. I’m not sure how safe they are though.

Are password managers actually secure?

Answer:

Hi there,

Password managers are generally considered a safe and practical way to manage multiple strong passwords, and are often safer than reusing passwords or trying to remember them all.

They securely encrypt your passwords so they can’t be easily accessed, and they allow you to use long, unique passwords for every account without needing to memorise them.

The main thing to protect is your master password, the one you use to access the manager. This should be strong, unique, and never reused elsewhere. Turning on multi-factor authentication (MFA) adds an extra layer of security when signing in to the service; keep in mind that for most password managers, if someone obtains a copy of your vault file, the strength of your master password is what stands between them and its contents.

As with any tool, they’re not risk-free, but when set up properly, password managers are widely regarded as one of the best ways to improve your online security.

If you’d like to learn more, we also have a fact sheet with practical guidance on how password managers work and how to use them safely:
https://www.idcare.org/learning-centre/fact-sheets/password-managers

Kind regards,
The Cyber Sushi Team
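To make the ‘protect the master password’ point concrete, here is an added example written for this edition. It is not code from any real password manager and not part of the original answer. It models only the part of a vault file that every manager has in some form: a random salt, a key derived from the master password with a slow key‑derivation function (scrypt here; the cost settings, the ‘verifier’ construction, the candidate password list and the two master passwords are all illustrative choices for the example), and the offline guessing loop a thief can run against a stolen copy of that file, where no MFA prompt, lockout or rate limit ever comes into play.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# scrypt cost parameters (illustrative): n is the CPU/memory cost, r the block
# size, p the parallelism. n=2**14, r=8 needs about 16 MiB per derivation,
# which is what makes every single guess expensive for an attacker.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2**14, 8, 1


def derive_vault_key(master_password: str, salt: bytes) -> bytes:
    """Turn the master password into the 256-bit key that protects the vault."""
    return hashlib.scrypt(master_password.encode("utf-8"), salt=salt,
                          n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)


def create_vault_header(master_password: str) -> dict:
    """Build the unencrypted part of a vault file: a random salt plus a
    verifier (HMAC of a fixed label under the derived key) that lets the
    manager, or a thief, test a candidate password without decrypting entries."""
    salt = secrets.token_bytes(16)
    key = derive_vault_key(master_password, salt)
    verifier = hmac.new(key, b"vault-check", hashlib.sha256).digest()
    return {"salt": salt, "verifier": verifier}


def unlock(header: dict, candidate: str) -> bool:
    """True if the candidate derives the same key the vault was sealed with."""
    key = derive_vault_key(candidate, header["salt"])
    check = hmac.new(key, b"vault-check", hashlib.sha256).digest()
    return hmac.compare_digest(check, header["verifier"])


def offline_guess(header: dict, wordlist: list) -> Optional[str]:
    """What a thief does with a stolen vault file: try candidates one by one.
    Nothing here contacts a server, so MFA and login lockouts do not apply."""
    for candidate in wordlist:
        if unlock(header, candidate):
            return candidate
    return None


# Constructed candidate list standing in for a real password dictionary.
COMMON_GUESSES = ["password", "123456", "qwerty", "Password1", "letmein",
                  "welcome1", "Summer2025", "iloveyou"]

WEAK_MASTER = "Password1"                              # appears in the list
STRONG_MASTER = "correct-kangaroo-battery-billabong"   # long, unique passphrase


def demo() -> tuple:
    """Returns (guess that opened the weak vault, guess that opened the strong vault)."""
    weak_vault = create_vault_header(WEAK_MASTER)
    strong_vault = create_vault_header(STRONG_MASTER)
    return (offline_guess(weak_vault, COMMON_GUESSES),
            offline_guess(strong_vault, COMMON_GUESSES))


if __name__ == "__main__":
    cracked_weak, cracked_strong = demo()
    print("weak vault opened with:", cracked_weak)      # Password1
    print("strong vault opened with:", cracked_strong)  # None
```

Real managers go on to encrypt each stored entry with the derived key (typically with an authenticated cipher such as AES‑GCM), which this example leaves out; the lesson is the same either way. The thief’s loop never sees an MFA prompt, so the only things that slow it down are the cost of each derivation and, above all, how many guesses it takes to reach your master password.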

Join the global list of organisations making a real difference in people’s lives by supporting our service.

SBS Bank
HSBC
ANZ
Department of Home Affairs
Queensland Government
Curtin University
Suncorp
Powercor Australia
ING
Regional Australia Bank
Culture Amp
Mercy Health
Queensland Country Bank
Sportsbet
NGM Group
City of Gold Coast
ConnectID
TPG
Western Sydney University
BOQ
Department of Premier and Cabinet, Office of Digital Government
ABC
Coles
REA Group
Equip Super
Return to Work SA
Urban Utilities
Transurban
Westpac
Internal Affairs
Allianz
Commonwealth Bank
Bupa
Services Australia
Qantas
NAB
Australia Post
Victoria State Government
NBN
NDIS
BNZ
Kiwibank
Tasmanian Government
Telstra
UTS
Makesure
AustralianSuper
Vocus
Brisbane City Council

Copyright © 2025, IDCARE. All Rights Reserved.

ABN 84 164 038 966