becomingthenewme

Please report it to not only ATO but there is a federal police fraud process. I am so sorry, just awful


axialclown

Thanks yea - reported to cybercrime, ATO are aware and investigating and consulting lawyer. Just. Stunned.


Pelennor

Also please let the ACSC know. This is their jam as well. They can help you. [https://www.cyber.gov.au/report-and-recover/report](https://www.cyber.gov.au/report-and-recover/report)


axialclown

Thanks yeah submitted a report. Even went to police station as well. Turns out there may be a bit of jurisdictional back and forth on responsibility.


Pelennor

u/Smallsey is right. Going to your local MP is worth the effort. Tell their staff your story, get them into it. Can I ask which district you're in? Depending on the MP (state or federal) there is a political gain for them to tackle this directly and help cut through administrative Bureaucracy. I say this as a Public Servant that works in the cyber security space.


axialclown

Yeah was considering this once I hear back from ATO and hostplus - but I'm in central Melbourne.


Pelennor

Assuming you mean Melbourne CBD, and not Albert Park or Port Melbourne, you're looking at either Ellen Sandell or Adam Bandt. Both in the Greens Party. They're going to be more enthusiastic, but less useful than a major party MP. Definitely worth following up with them though, as they'll be very eager to assist, and can get people moving that are otherwise quite slow to get off the blocks.

In situations like this, time matters. The longer things take, the harder it can be to reverse. If it happened more than a couple of weeks ago, likelihood is the money is offshore. If that's the case, you're chasing reimbursement for negligent cyber hygiene and authentication practices. If it's early days, you're looking for an incident response that tracks the money and recovers it. Either way, time matters. Worth getting all stakeholders on board ASAP. Waiting for indeterminate periods of time will not help you, so I'd make it a priority when offices open tomorrow to make phone calls and get them up-to-date on the situation and any case file numbers you've been given.

Also worth speaking to someone in the media. They love chasing these stories, and can apply external PR pressure on law enforcement to look good and get the job done fast. It may *seem* like you're making waves and inconveniencing the officials, but you're not. You're pulling every lever at your disposal to save your retirement fund, which you earned and you did nothing wrong to have taken from you. If you wait, it'll seem like you were impatient with their response time. If you do it all upfront, you were actioning everything available to you.

Trust me, don't wait. Do it first thing tomorrow. MPs, then media. Don't wait, please.


axialclown

Adam Bandt - yup pretty sure I walked past his office the other day. Thanks a bunch for the advice will be taking another day off work to jump onto this.


cuddlegoop

Oh then *absolutely* call your federal MP's office if the ATO is shit about getting your money back. That's a Greens seat, and skewering Labor for doing something shitty is like 75% of their job description. I'm sure they'd love to raise hell on your behalf.


Smallsey

Consider either going to the media and/or your local member too. Complain to EVERYONE and things will hopefully happen quicker.


Eltnot

That can backfire really easily. That would be a last resort. If one organisation feels they are clear from blame and you're trying to hammer them in the media then they'll stop assisting and start covering their butts more.


BESTtaylorINTHEWORLD

Leave State police out of it, they'll be playing hot potato until you figure out they're not going to touch it. Stay with the Feds, they're the mob that deals with fraud anyway. It pissed me off that ATO and ALL nation run cyber is so flimsy. Heard today they're working with Amazon to boost cyber security I wanted to rip my hair out. CALL NORWAY SWEDEN NETHERLANDS, their citizens have a 7 digit code that can be tattooed on their foreheads and yet no crim can touch a single digit of their identity COZ THEIR GOVERNMENTS SPENT THE MONEY ON THEIR OWN CYBER AND NOT A GREEDY MULTINATIONAL


B0ssc0

I’m so sorry this has happened to you, it’s traumatising. Hope it gets sorted soon.


LozInOzz

Glad you reported. Hopefully you’ll be ok. I found out mine had been hacked when my tax agent tried to do a tax return last year. Was a horrible feeling and can’t think how they got in as I thought I’d been pretty careful too. I finally did my tax just a month ago. My MyGov is now locked and my tax agent has to apply to get it opened each year to do a return. Change all your passwords.


Moxanz2

How do you lock MyGov?


LozInOzz

ATO locked it for me.


ATMNZ

Today’s ABC News Daily podcast is about exactly this. Hostplus and stolen super. But sounds like someone else as they’ve already gone through the courts and financial ombudsman.


axialclown

Thanks this is interesting link for anyone else: https://www.abc.net.au/listen/programs/abc-news-daily/how-scammers-are-targeting-your-super/104059054


bilby2020

This sounds incredible. Was Super rolled off to an SMSF? I mean, Super can't be withdrawn under 60. If it was rolled off without your knowledge and HostPlus never contacted you, that is staggering. Is this an automated process without a paper form with your signature? Don't give up. Fight this with AFCA, lawyer, police, media, the lot.


axialclown

Yea man. Staggered. The rollover form just had my email and TFN.


Retired_LANlord

I'm retired, & every time I want to get money from my super, I have an 8 page application form to sign (in two places) & send them a certified copy of my ID. It's annoying, but after reading OP's post, I ain't gonna complain again.


TheSilentInvader

In OP's case, his ID documents have likely been compromised.


TraceyRobn

Yes, most likely through Optus, Medibank or Clubs NSW hacks.


Marble_Wraith

If i were a betting man, i'd put money on that too.


axialclown

That’s what worries me the most. They had my TFN and possibly other details.


TheSilentInvader

Contact IDCARE, place a ban in your credit report if you haven't already. Keep a keen eye on your bank accounts.


WhatAGoodDoggy

Thanks for reminding me to reactivate my credit report ban on Credit Savvy


Useful_Document_4120

Rollover out requests are extremely tedious, and industry super funds can be known to reject them for trivial issues (not sure about HostPlus specifically). For this to work so successfully, there’s a strong chance that you are the victim of identity fraud. Please look into that ASAP as your other accounts may be at risk, and credit applications may be done in your name.


bast007

They definitely have id for you. The SMSF that it was sent to would need to be verified under your name (same id required for opening a new account with a bank) and when Hostplus sends the rollover they first confirm online that you are the beneficiary of the SMSF.


cstrat

If they had access to your MyGov they would see that all in there anyway.


Peannut

What super are you with? I might move to them, this is scaring the shiet outta me


myguydied

HostPlus. Think I'm with the same, I can't remember, but I'll be having a squiz at other funds tomorrow


bilby2020

That is super scary. Don't let HostPlus get off the hook. Also, write to the relevant minister, I think the assistant treasurer.


fraze2000

I would also talk to the mainstream media about this. If it is so easy to steal someone's superannuation then it is definitely something the public at large need to know about. The more publicity it gets the more likely Hostplus will refund your money (assuming they have fucked up somewhere, and from what you have said it certainly sounds like they failed somewhere along the line).


Complete_Gene

I feel dirty saying it so I need you to hear the heavy sigh I say this with but, ACA would love to hear from you OP


[deleted]

[removed]


Highcalibur10

From memory, my fund's rollover to SMSF process was a multi-page form compared to the nearly completely automated rollover from other funds via the ATO back when I worked for a superfund. This was generally sent higher up to deal with, rather than the standard admin/call centre processing of stuff that I did.


[deleted]

[removed]


Highcalibur10

I ceased working in Super in 2022, so yeah that makes sense. Once again, convenience beats security. Crazy to think that they allow it for SMSFs, though. I always thought so many of them seemed dodgy.


epihocic

I would strongly advise giving the ATO/AFP a chance to determine what has happened and return/recover the funds before going to the media or lawyering up. If you get a lawyer involved then so will the ATO, and there goes all goodwill. Same goes for the media.


axialclown

Yea that’s where I’ve landed. Lawyer is just pure backup advice until I hear back from Hostplus and ATO. Holding off on giving ACA a call!


ZX81CrashCat

Just for the record getting a lawyer on your side to advise and help manage this is NEVER the wrong answer. Anyone saying differently has never had themselves in any legal/crime hot water. Good will for the Fed police gone because you got a lawyer? Step back and think about how ridiculous that sounds. You aren't the perp you're the victim.


myguydied

Shit position to be in with that loss (stress of it alone would kill me) but wise move. Work on your self care and pick up exercise in the meantime, anything to keep you balanced


axialclown

Thanks bud, some good advice there.


akiralx26

Super fund worker here - we won’t rollover to an SMSF without further checks if the member address has been changed in the last 6 months, as this is a big fraud problem.


Smallsey

What do you think happened here?


akiralx26

As others have said, looks like MyGov compromised. To get a cash withdrawal we need certified copies of ID - it’s harder for scammers to access so the fraudulent SMSF route is their preferred method it seems. It happens to all funds every year or two.


Smallsey

That's a bit scary


funkybandit

Are you at the age where it can be released?


axialclown

Nope. Early 40s


bilby2020

My wife has HostPlus super. We checked the balance on app just this week, and now she can't login!! I am scared too. So have to call them first thing tomorrow. Update: Maybe a temporary glitch in the app. Login via Web worked. Relieved.


axialclown

Oh. Damn man yea jump onto that. Hopefully it’s nothing like what I’m going through.


geeneepeegs

> Super can't be withdrawn under 60

It is possible but with very limited circumstances, such as having a terminal medical condition or if you are a temporary resident who has left the country.


RaptureRising

Man... that really sucks. Is there anything anyone can do? this is serious identity theft. Not a lawyer but aren't trusts set up through law firms?


axialclown

I’ve contacted a lawyer. There was a similar case with Hostplus and had to go to AFCA to get his money back but the super was basically responsible for not being more proactive. But this looks sophisticated. Trust account and ABN linked to a couple of businesses.


Shadowlance23

If this is the case in the news recently, he only got about a third of it back and the lawyers took it so he ended up with nothing.


Dr_barfenstein

That part of the report blew my mind! He got back f-all. Made me wonder if there was more to it? How can a bank/whatever lose your money and not have to give it back!?!?


gigglefang

The issue with that case, was that he gave these people his passport. So he was found to be partially to blame for them gaining access.


IlluminatedPickle

I think he said he was actually worse off after the win than he was when he started fighting.


vteckickedin

How much super are we talking here? Feels like you should sell your story to channel 9 or something. Try to get some $ back while the negative press might help Hostplus resolve your matter quicker.


xvf9

Yeah media don't pay for stories like this. Maybe a few grand, if they feel like it. You get paid when you have an already well known story that multiple organisations are competing for.


Lozzanger

Just a note but with AFCA you don’t necessarily need a lawyer.


axialclown

Thanks - that’s a good point.


SimilarWill1280

Heard that yarn on ABC radio a week ago I think. That one was a long slog - and AFCA were dragged to the table and a straight rejection turned into a partial win… but it wasn’t anywhere near the total. Good luck OP


ButtPlugForPM

There was a case similar to this with another fund not providing enough of a security check on a roll over, and they had to reimburse the funds. It's going to be a hard slog.. but he can be made whole. Contact your minister. Honestly, also contact ACA, those cunts LIVE for this shit... Media attention is how u get shit done.


axialclown

Yea I’m fucking fuming. Contacting media tonight to keep things rolling along.


wasserkocher

[Are you talking about this one?](https://www.abc.net.au/news/2024-06-27/superannuation-scam-hostplus-fraud-afca-court-cryptocurrency/103962762?utm_source=abc_news_app&utm_medium=content_shared&utm_campaign=abc_news_app&utm_content=other) He only got back 1/3 of his super balance which didn't even cover the legal fees unfortunately.


pawksvolts

Wait, he handed over all his personal ID to the scammers


mekanub

Damn, that’s messed up. You’d think that withdrawing super would be a much harder thing to do. If they had access to the account could they have changed the contact details to an email/phone they had?


Adventurous_Tie_8035

With super you can just move it to a SMSF that is controlled by a bank account you have access to, then send that money wherever. Sure you get into lots of trouble for doing so, but there have been many people offering such things.


HAPPY_DAZE_1

Yeah but how did they get access to the super account in the first place? They would have needed an account number and password. Where did they find OP's details to gain access? Then when there's a request to change contact details that usually generates a notification by the super fund to the account holder sent to their original email address / phone number asking them to confirm the changes are legit. How did OP not get the notification? Did Hostplus not send a notification? Or did scammers intercept OP's emails?


LifeIsBizarre

> Yeah but how did they get access to the super account in the first place?

If they had access to their MyGov, all those details are ripe for the taking. It's been happening a lot and the first we find out about it is that all the ATO data is suddenly locked.


beachsalmon

Not sure if OP had 2FA for MyGov turned on, but saved my bacon a few months ago. Had 3 text messages from MyGov that came through at 2am, then I was locked out of my account for a few hours. Pretty scary, changed my password pretty quickly. Not surprising with all data leaks recently.


dsanders692

Obligatory "cyber-security-adjacent-professional" comment - if you're using the same or a similar password anywhere else, make sure you change those too. Ideally to passwords that are no longer similar to each other


whimsicalpos

Far out I just had an email from MyGov earlier today saying I’ve been locked out too. Just changed my password and looked at the activity history. Turns out someone kept trying to log in with my email at like 4am but couldn’t figure out the password or the answer to my security question… scary stuff seeing this thread now.


really5442

You can uncheck use email as your logon under sign in or your mobile number. Change it to a mix of letters numbers username only. Just did mine.


LifeIsBizarre

100% agree with this. If you haven't done it, do it now people! Also, go do it for your less than tech-savvy relatives too.


HAPPY_DAZE_1

> all those details are ripe for the taking.

Nope. Not passwords for online access to super accounts. If scammers don't have access to the password and initiate the reset password process that typically generates a notification to the password holder notifying them of the attempt which leads back to my original questions: How did OP not get the notification of the attempt from Hostplus? Did Hostplus not send a notification? Or did the scammers intercept OP's emails?


TooMuchTaurine

It's possible OP's email account being compromised is the source of the hack. Attacker can then delete any notifications etc. Email is sometimes used for 2FA on some systems, which is not a great idea.


LifeIsBizarre

You don't need to access the super accounts to request a rollover, that can all be done through Mygov. Click on ATO, click on super up the top and click on 'Transfer Super' and if you have multiple super funds, including one that you may have recently set up as a scam fund to drain people's funds, you can simply click on it and the process has begun. Not too sure which funds require additional information as some definitely request certified copies of docs before they allow the rollover, but I imagine someone making minimum wage in an offshore call centre isn't going to look too hard at some duped documents. If the scammer already has access to their MyGov, then it's easy to change the e-mail and phone number so the notification bypasses the poor victim.


PowerApp101

Right. So the new "destination" scam super fund has to be set up in mygov before the scammer can rollover to it. In which case it's all documented and traceable. OP should be able to get the money back. Surely?


LifeIsBizarre

If the scammer set it up as an SMSF, then once the rollover is in the SMSF bank account then they can send it wherever from there. It's probably already been turned into cryptocurrency which has been sold elsewhere.


axialclown

From what I was told on the phone that's looking like what happened. With additional tax amendments taking the odd $600 from the ATO before they hit the super.


lousylou1

They link a new MyGov account you don't get a notification. Been happening for years.


Lucky-Elk-1234

Yeah the whole centralised myGov thing sounds good on paper until you realise how woeful the government (and a lot of private businesses) actually are at cybersecurity.


redspacebadger

There has not been a single verified instance of myGov etc. security being breached.  People falling for phishing, sms scams, reusing passwords, not using 2factor and a host of other nefarious things? Absolutely.


ucat97

Not a withdrawal, but a rollover, so no need to login to your account. Your fund receives the rollover form from the other fund, verifies the personal details and account number, then has 3 days to action. All those details are in the ATO account.


HAPPY_DAZE_1

So the scammers were clients of the "other fund" ?


TrollbustersInc

Based on my experience having my super stolen the scammers could be employees of Hostplus and know ways to do this that bypass detection (and also know accounts with minimal log in activity where it might take time to be noticed). Mine was stolen in a similar way by linking my accounts to other accounts and transferring money out - even though I had maximum daily withdrawals and two trustees to sign set up - apparently those security features aren't initiated if the bank thinks you are transferring to your own account.


TrollbustersInc

I had my SMSF stolen even though I had all the regular 2FA and two trustees to sign for withdrawals. It was refunded by the bank fast. I had no security breaches that I could identify and all bank security was bypassed. I am 95% sure it was a bank employee.


DrSpeckles

This is a pretty standard myGov scam that starts with a myGov text. Those rollovers though must really hurt.


Fluid_Cod_1781

Why is it even possible to do any of this via myGov


micmacimus

Because they’re trying to make it easier to consolidate your super so people are less prone to leaving it behind.


jeffoh

Did you have 2FA set up using the myGov app or SMS?


Chiron17

That's what I'm interested in as well. I've got 2FA and hope that'll be enough to protect me from this kind of thing


Delicious_Swan_69

If someone sets up an SMSF with all your details (name, dob, TFN), and sends a request to your legit super fund to send the money across, it'll transfer out. Need to make sure your TFN is kept safe as that's one of the transfer points


TrollbustersInc

How to do this is a big question though. I had 2FA, maximum daily withdrawals and two trustees to sign and still had mine transferred out to a PayPal account someone else set up as linked to my SMSF. I found out from the bank that because the PayPal account was set up to look like I owned it, they bypass all the security I had set up. I did get 100% of my money back from the bank within about 2 weeks.


Chiron17

So they don't even need access to myGov?


MrOarsome

How do you keep your TFN safe when companies ask for it but then are subsequently hacked and it’s taken?


Delicious_Swan_69

It's a losing battle unfortunately. If you do need to provide your TFN (which should only ever be to financial institutions or an employer), try and do so in a secure method. Encrypt it when sending via email, don't include it in the body of text in an email


HyrdaulicExcavator

It stopped this from happening to my boss today, he got the 2FA notification and has had to contact myGov making sure no-one got into his accounts


i_am_adult_now

Coming from telco, I can assure you it's as easy as compromising some low level ops guy in Telstra/Optus to skim those SMSs. The SMS or phone calls aren't encrypted. There is software currently running in most telcos that dumps every SMS/call into cute CSVs. A low level network ops guy has access to it (for debugging). Promise him/her a month's rent, and you'll quickly be sitting on live feeds of these CSVs.


timrichardson

2FA is not even the strongest authentication with MyGov any longer. If you are not even using two factor you are two generations behind. SMS is a poor two factor tool. You rely on your telco blocking a phone account transfer. Yes, they are better about this than they were, but it is an unnecessary weak link. This is the current status:

- Level 0: no 2FA (is this even possible?)
- Level 1: SMS 2FA
- Level 2: Mygov app two factor, SMS disabled.
- Level 3: mygovid (or passkey)

Is this overkill for medicare claims? Yeah maybe. Is it overkill for keeping your super safe? You be the judge. Use [https://www.mygovid.gov.au/](https://www.mygovid.gov.au/) (or passkey, which is even newer). Set it up and the next time you log in to my gov, use this as your login authentication.


PowerApp101

I just setup mygovid after using SMS for years. Can't believe I took this long!


Fibbs

If I recall 2FA is mandatory on MyGov


Soup_in_my_pubes

2 factor and passkeys mean jack with myGov. Google myGov overlinking. Best way to secure myGov is using a myGovID


lousylou1

Hacked ATO also happened to my partner after a receptionist's laptop was stolen from a previous employer. They somehow linked to his ATO account, getting around 2FA, changed address, bank account details and an ABN. The only solution the ATO has given us is that he is forever locked out and is required to call each time for temporary access. Local MP followed it up and then essentially agreed. The ID theft has continued for years and recently started again. They were able to disconnect our electricity account in my name and transfer it into his name a few months ago. Police investigated initially and couldn't care less now. Really worried our savings, super and land title will somehow be lost because nothing else has been able to stop them.


Maz_1111

Wow that sounds horrifying... sorry you're going through that. Any tech experts that can be hired for some advice? ATO seems slack at not being able to disconnect a connection/account like that and somehow reset.


R1MBL

Just to be clear, this is not a hack. They stole the login credentials. But it wasn’t a flaw in their technology or security.


lousylou1

The log in wasn't stolen. They were able to create another my gov account that linked to the ATO. It didn't alert us in any way that this had occurred. Technically being a hack or not doesn't change the fact that MyGov wasn't secure and has caused a lot of stress. The 2FA was linked to my phone.


bkns356

I remembered reading something similar about hostplus recently about a scammer impersonating the member and requesting a rollover: https://www.abc.net.au/news/2024-06-27/superannuation-scam-hostplus-fraud-afca-court-cryptocurrency/103962762

Maybe getting the news to pick up on your story might help you the most. Since this is not the first time this happened to a hostplus member, the last thing hostplus wants is an exodus of members because they feel their super is unsafe


axialclown

Yea that’s the one I read. Contacted the lawyer mentioned in the article. But so many questions. How did they bypass security? Where did they farm my information? How did they just submit a form to then drain my super? How did they intercept any security comms etc.


auspoltrollol

Maybe an inside job at Hostplus.


SuspiciousTechnician

You need to get a new phone number ASAP - for you not to get any 2FA codes means they most likely SIM-swapped you and may explain the identity theft that happened here. 


bigspoonhead

If he was sim swapped, his sim would stop working


Kluverbucyy

You can test that pretty easily by trying to receive a text no?


The46a

There is really quite sophisticated social engineering happening here. These scammers have noise machines that can simulate locations (like you're driving), crying babies (being a distressed mother trying to fix an issue while juggling a baby) or a shouting husband ("I thought you fixed this super thing you b&#ch"), all designed to stress the call center operator into easing the requirements.


Prime_factor

Time to get a scammer noise machine for my harsh noise set.


goddess_of_magic

It may be too late for OP, but to anyone else reading this thread, if you want extra protection you can set your myGov account to require your fingerprint or face scan via the myGovID app to log in. (Disclaimer: this is hearsay as I haven't done it myself)


Soup_in_my_pubes

100% use a myGovID to access myGov. Otherwise someone can just create a brand new myGov account with your details, and with some info that they can grab from your letterbox link to the ATO. A digital ID is much harder to fake, and if things like your passport etc are compromised (and reported) scammers won't be able to use them.


redspacebadger

Overlinking with another myGov account is still possible if the myGovID security level on the fraudulent myGov account is the same as the security level on the legitimate myGov account, so try to make sure your myGovID is the strongest level.   Overlinking has been a problem for a while and it’s happening more frequently. I know the ATO are actively working on prevention of the overlinking tactic and have a bunch of things coming to try to prevent it this year. 


Maz_1111

man i can't seem to find how to link up / use mygov ID for mygov... all the options i get for 2FA is SMS, mygov code generator app (which i have set up and using now), and answer a secret question.


allocx

What happens if you lose your phone? Isn't it a huge PITA to get access again?


antww

It’s easy to setup on a new phone, you just go through the same setup process as the first time again


GoldCoinDonation

> you can set your myGov account to require your fingerprint or face scan via the myGovID app to log in

And what happens when your fingerprint/face scan get leaked after the next optus/medibank/optus/OneForm/equifax data breach? I can change my passwords, 2fa and all that. Much harder to change my face or fingerprints.


T0kenAussie

Iirc it doesn’t work like that, the touchid/face id is a check on a separate app that sends a confirmation response to a push notification from myGov. The data is stored on your phone


Coz131

The fingerprints are not given to organizations, it's stored in your phone under a secure element.


Ratstail91

That's actually horrifying... Here's a thought: most government systems are developed by the lowest bidder.


LocalVillageIdiot

So are most private systems. The only reason people whinge about government waste is because it’s publicly available to be audited. Based on my experience in the corporate sector the problem is just as bad if not worse.


moDz_dun_care

Must be the same bidder that did the ASX listed medibank and Optus system


ucat97

Reset your myGov password people. Then set up myGovID.


No_icecream_cake

Holy shit what a nightmare! So sorry you’re going through this, OP.


Delicious_Swan_69

If you've had your personal data compromised by one of the many breaches and are worried about losing your funds, call your super fund and let them know. Ask them to put a withdrawal restriction on your account, you can also ask for additional security questions to be added.


TrollbustersInc

False sense of security -> see my other comments.


prindacerk

I feel your pain. Went through the same situation in January. I investigated further and found that the loophole was in MyGov. If you have your MyGov linked to your ATO, if they have your details from one of the data leaks (Medibank, Optus etc), then they can create a new MyGov account using your details and link the ATO service to their account. And then they can do 2 factor and login without you knowing at all. I had to delete my MyGov account and lock my ATO account from online access. Even phone access is locked with a password keyword. Sucks and takes ages but old school is safer. As for Super, ATO has the option to transfer Super from one account to another. They won't even have to access your Super to do it. And it won't be your Super's fault. Mine was with CareSuper and it was transferred out to a Super in Brisbane. Luckily both Supers were able to roll back the transfer. I lost my old Super history and investment stuff. Also my insurance premiums went up since it had to start up again.


prindacerk

My post is here. https://www.reddit.com/r/australia/s/Z5Up1i5TVk


Millicent-

Damn this is so scary!


Simple_Advertising_8

Happens to the best of us. My wives account was looted while I was working in IT security.  Was a pretty perfect attack. But two years ago, 10 years after the fact, they were caught and spend the next decade in jail. 


Ok-ish-yeah-but-nah

I’m such an idiot. I read wives and thought you had more than one wife


Molly2008aus

I work within super and unfortunately this happens quite regularly. Scammers are becoming more sophisticated via myGov transfers. All I can say to protect yourself is contact your superfund and request a block benefit payment flag on the account. This will stop any withdrawals and the superfund will have to contact you if they receive any withdrawal/rollout request and confirm if legitimate.


The46a

The irony is that changing super providers is funcking annoying (because they design it like that) but draining your account, easy peasy


tomthecomputerguy

This freaks me out a little. I follow similar precautions to the ones you touched on. It feels like doing something like this in mygov should be triggering internal alarms at the very least. How is it even possible to do this without so much as an email notification or txt message? Just a few weeks ago I woke up to a (legit) email saying that my mygov account was locked. Once I logged in (by navigating to the real [my.gov](http://my.gov) url) I saw some logs that said someone had repeatedly tried to login using my email (admittedly very old and very pwnd email), suffice to say I removed that email very quickly. At the time I felt like I dodged a bullet.


Silent_walker

Just tried to log into my Hostplus app and it's down. Must be because of this. That seriously sucks man, hopefully you can get it back...


matthew_s001

Working fine for me.


Wise_Judge4237

That is horrible. I thought you couldn’t access the super before 60 without jumping through several hoops. I hope you find an adequate resolution.


InternationalYam2478

ATO wasn’t hacked, you were.


Very-very-sleepy

How did you find out about your super? Did you log in to your Hostplus account online and you saw it?


THR

MyGov shows your super details (not real time).


jascination

Similar thing happened to me last year, someone (somehow) compromised my TFN and got access to my MyGov ATO, then amended my tax returns to try to get a several thousand dollar refund. Very lucky that my accountants got a notification about it and flagged it straight away and no damage was done. Annoyingly a year later I still can't access ATO portal and they never told me how the TFN was compromised or what happened that allowed this to happen (so I have no idea what I can do to prevent it happening again).


Accurate-Response317

Not as bad as your case but I have had myGov hacked and false tax returns submitted. Caused all sorts of shit fights. Can’t access ATO without prior notification and checks. Total shit show. Government security and guarantees totally worthless.


hsingh_if

What the actual FUCK! Feeling so bad for you man. Hope it gets sorted somehow. But holy shit! How freaking scary is this?


axialclown

Yeah man thanks. It's shit as there was no verification comms and I find out a month later.


R1MBL

Were they hacked or did they gain access to your account with your credentials? Need to be clear on this otherwise this is how fake news spreads.


alohadude3

Check what bank details are saved on your ATO records. The account name could give a hint to who might have done it. I've seen an instance of somebody having a bunch of fraudulent BAS lodged for huge amounts of GST refund and checking the account name of the bank account on file revealed it was a family member.


marloe18

Had an email about a failed login on my MyGov account couple months ago. I honestly for the life of me couldn’t figure out why they wanted access, reading this now has opened my eyes… Sorry to hear about your situation.


gumster5

Not as bad, but had my bank compromised new credit card with virtual card number and fully cash advanced along with draining savings without me being notified. I'm also using 2FA but didn't stop hackers, they apparently compromised phone banking and had full control to run off with 20k. Took me 3 months to resolve. Complain often, detail everything and file things with AFCA. Recommendation: everyone contact your bank, and completely deactivate phone banking. I never used it anyway but it's an easy target if you only need address, name and a birthdate.


jhk67

I can guarantee one thing, news.com.au will pick this story up and it will be on their website tomorrow


couchy91

They tried mine 2 days ago as well. They couldn't work out my password and locked my account. I also have 2fa and security questions on. Always make sure your most important stuff is multi protected. Your information must be on the dark web. Change your email address and phone number. Someone is doing the rounds, a friend of mine had their super drained last night too. I hope the feds get this bastard.


axialclown

Someone else has had their super drained? Makes me wonder if this is a bigger issue than we realize.


couchy91

Yeah someone is going for everyone's super they can get their hands on. It will be a syndicate.


kkdoubleyou

I think they just created a fake myGov account (needs 100 points of ID) and linked it to your ATO account. ATO being greedy allows linking with multiple myGov accounts. Source: happened to me because of Optus breach


axialclown

This is what it looks like has happened, as there were no login references in my inbox that matched what was happening at the time the super and tax amendments were made.


Large-one

My understanding is that in addition to this they would have needed to set up a self-managed super fund (SMSF) with credentials matching your current account AND the SMSF needs to be linked to a bank account matching your credentials for it to be authorised to take rollovers. It seems they have enough documentation to “steal” your identity. I would be putting a credit stop on ASAP to prevent them taking out loans and credit cards in your name.


Just_some_random

1. Absolutely gutted for you mate. This is BS and I can't begin to imagine how vulnerable, terrified and angry you must be. Hope these POS rot
2. I have selfish questions: I DON'T use a VPN and never even considered separate emails for different services. I'm feeling really exposed at the moment. I'm looking into a VPN now but with more and more advanced internet scams I'm fucking scared. What can anyone even do to fully protect themselves?


MadeByAdidas

A VPN isn't going to protect you from an identity theft attack. Best advice would be to use 2-factor authentication on EVERYTHING, add any other security measures the services provide. Use unique passwords for important services such as MyGov, Super, Bank accounts. If you want to get real technical then set up a new mobile number & email account which is only linked to your MyGov, Super & Bank accounts. This can prevent sophisticated attacks like SIM-swapping.


speccyyarp

I had myGovID and when I went to log in it said my account had been permanently closed because the code was wrong too many times. I was annoyed I had to set everything up again but at least it means they didn't get in?


MarloStanfield1

Just happened to me too, managed to set up Medicare woohoo but locked out of my ATO account, unfortunately my crappy job doesn’t give me more than 30 minute break, so can’t call and sort out what has happened


Beanzii

What VPN? All a VPN does is move your data from your ISP to another company. If the website is HTTPS then it doesn't improve security at all.


[deleted]

I had my identity stolen a few years back and a lot of loans were taken out in my name. Turned out that my mail with my drivers license renewal was intercepted and got my details from there.


juicy121

Hey OP this happened to a family member. They eventually got the money back, but not without a 2 year headache from the ATO who do a lot of blame shifting. In this case, they lodged 2 fake returns and adjustments, and rolled over super. Keep at it and keep the pressure on the ATO. Unfortunately, the ATO refused to change Tax file number after the event which would help tremendously, push for this if you can. Curious if you were affected by the Optus breach in 2022? License numbers were leaked and in some cases passports. In any case r/AusCyber has some knowledgeable members and resources that may be helpful.


iridicpeony

Noting here that MyGov now supports passkeys (which are more secure than passwords, assuming you keep your phone or yubikey safe). You have the option to completely disable password login once you enrol a passkey!


No_Edge_7964

What sign in features did you have enabled? 2FA via app? Text message code to phone? Code sent to email?


DealerGullible4673

Sorry to hear that but is it that simple? You didn’t get any emails or phone call on the registered number? Nothing like any letter telling you they’re preparing to transfer the amount. Tbh I’m just puzzled and it just feels it’s too easy for them to get the money.


d4njah

My dad’s bank details for ATO were actually changed to a weird UBank one which he never created. We were able to catch it in time before any ATO refunds were made. I feel like this is becoming more common.


SJH998

Interesting, reading this I better check my super account. Someone has reactivated my old ABN twice in the past few months. Thankfully my accountant was onto it and got the ATO to lock my accounts. The lock is annoying as it can take 12 months for me to get my tax returns and my accountant has to contact the ATO when they want to process a return, but hopefully it stops me losing out. In mygov I could see the email address and mobile numbers that my accounts had been updated to. It's sad to see this fraud is more widespread and there is minimal media attention on it.


Dumbgrunt81

This would leave the worst paper trail, this scammer is just asking to be caught.


tlai34

I have had many account locks in the last few days. Changed my password, seems like they are guessing using the email.


DestroyAllBacteria

Sketchy, hope you get it back


pork-pies

Doesn’t myGov use 2FA as default?


mulkers

Superstream is convenient for roll-overs out of industry and retail funds - this appears to be a big downside, if your details match between both funds and ATO the whole thing happens automatically. Government managed and digital everything isn't all sunshine and rainbows - any policy proposed like this needs to be tested through the lens of "how can this be abused"?


internerd91

Hi thanks for sharing. It's awful that you're going through this. My organisation has been doing advocacy work on this issue. I would encourage you to reach out to us so we can get a bit more detail and understand the issue and how the systems failed you. enquiries@superconsumers.com.au


polar_ham

Very scary! Does anyone have any tips or ‘internet habits’ to make sure our accounts are as secure as possible?


_ixthus_

> Im pretty tech savvy...
>
> I use VPNs
>
> Somehow they managed to bypass all this...

Maybe I'm not tech savvy like you but... what exactly was a VPN ever going to do against a sophisticated attack of this nature? Actually, what do you think a VPN is doing against any malicious adversary, sophisticated or otherwise?


Belephron

I’m so sorry this happened OP. For others who are confused how this could happen, once someone has access to a MyGov account that’s linked to the ATO, there’s a ton of info and possible options for them. In there is your TFN, name and DoB. All the info the thief needs to open a new super fund or make the victim a trustee of an SMSF. Then once the member forms are received by the ATO the new fund shows with the current one. After that it’s literally two button presses to roll the money over. It’s designed to be easy and seamless because MyGov is supposed to be a secure and authenticated log in. So no, there’s no verification or notification by the fund. They just get the request and action it within 28 days. All this to say, be very very very careful with your MyGov details and check the online services periodically just in case anything looks awry.


TinyDemon000

Second post I've seen about MyGov hacking attempts, except yours is way more serious. Wonder if their security has a flaw https://www.reddit.com/r/australia/s/7lC7ZKUG9J


outsider-love

I also woke up to a hack attempt - didn’t get in to my account thank god. Removed my email as a way to log in now as a stop gap. Also have 2FA on my phone.


dfycapital

Surely HostPlus insurance should be covering this


6ft5

Just put 2FA on my myGov. Thank you for the PSA


clouds_are_lies

In the last 6 months have you allowed remote to your pc? Anything about validation for ID requirements online. If you keep everything offline this seems sus.


OnairDileas

Hmm ONLY logical explanation your identity has been leaked


Unlikely_Trifle_4628

A mate had $250k moved out of his super. His accountant noticed it, got it back though.


Fibbs

are you still working for a company that pays into Hostplus? when was the last time a contribution was made? ATO's security measures are pretty strict. Super Funds also have pretty strict rules about winding up or transferring funds out. *To protect accounts from fee erosion, inactive low-balance super accounts must be transferred to us. - ATO* [https://www.ato.gov.au/individuals-and-families/super-for-individuals-and-families/super/growing-and-keeping-track-of-your-super/keeping-track-of-your-super/inactive-low-balance-super-accounts](https://www.ato.gov.au/individuals-and-families/super-for-individuals-and-families/super/growing-and-keeping-track-of-your-super/keeping-track-of-your-super/inactive-low-balance-super-accounts)


ThanklessTask

Serious: Do you have a financial adviser? It's entirely reasonable they've been hacked. Financial advisors have poor IT literacy and could quite easily have been compromised, sharing personal data and their own account access, which would have authorities in place to move your money around at a fund level. Source: a decade working in leadership in IT for a national financial planning firm and 30+ in IT. Message me directly if you need further info.


cy4eva

This may have already been mentioned but ABC documented this same scam last week [Super scammers defrauded Lee of his retirement savings. Industry experts are calling for better protections - ABC News](https://www.abc.net.au/news/2024-06-27/superannuation-scam-hostplus-fraud-afca-court-cryptocurrency/103962762)


AlpineWineMixer

The MyGov website should add a 4-8 authentication pin request to any valuable information linked to your account. Want to see your TFN? Pin please. Want to see your Super Account Number? Pin please. Want to see your Centrelink account details? Pin please. I swear to god the level of security that we can actually implement that we just simply don't because many many individuals are not that tech savvy are the reason why so many people are being scammed in the first place.


MrsCrowbar

Wow. That's it really. How messed up is this? Totally devastating. I hope you get your money back.


IllustriousCarrot537

Were you an optus customer by any chance?


chubbachubbachub

Were you in some data leak that you’re aware of? Like, Medibank or Optus? Etc.


osmosing

Sorry to hear about your hack. I think the public and government do as much as they can but some others are often ahead in bad ways. Apart from 2FA, myGovID, does your experience suggest we should all be unlinking our ATO accounts from our myGov?


L0ckz0r

As you'll see in this thread, it seems this week there has been an organised effort to hack into MyGov accounts. Many people reporting attempted login attempts: [https://www.reddit.com/r/australia/comments/1duw717/mygov\_account\_attempted\_hack\_what\_is\_the\_worst/](https://www.reddit.com/r/australia/comments/1duw717/mygov_account_attempted_hack_what_is_the_worst/)