Australia's financial regulator has delivered a strong warning to the country's super firms to stop sending emails that look like phishing scams to members.
APRA today released a letter to the industry, warning super firms that using certain electronic direct marketing processes risked the safety of sensitive member data.
Super firms have been engaging third parties to promote the Australian Tax Office's new SuperMatch 2 portal, which lets members search for and consolidate superannuation accounts, to customers via emails and text messages.
But sending emails and texts that contain links asking the recipient to enter personal and financial information compromises the security of sensitive customer data, APRA said.
"Some [firms'] marketing campaigns observed by APRA to date appear indistinguishable from campaigns by criminal organisations where unsolicited emails and/or fake websites are used in order to deceive individuals into disclosing confidential personal information," the regulator told the industry today [pdf].
It claimed super firms were undermining work done to educate the public on safe online behaviour by encouraging users to click on links - which in some instances go to a site not owned or operated by the firm - and enter their sensitive information.
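The pattern APRA describes above (a link whose visible text looks like the fund's own site while the target is a domain the fund does not own) is something a fund can check for before a campaign is sent. The following is an added example, not APRA's code and not any fund's or vendor's tooling: it extracts every link from a campaign email's HTML, flags targets that are not on an allowlist of first-party domains, flags plain-http links, and flags the lookalike case where the link text names the fund's domain but the href points elsewhere. The domain names and the sample email are constructed for the example.

```python
"""Audit outbound marketing HTML for phishing-like links.

Added example (not APRA's or any fund's code). The first-party domain
list and the sample email below are assumptions constructed for this
demonstration.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def is_first_party(host, first_party):
    """True if host is one of the fund's own domains or a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in first_party)


def audit_campaign_html(html, first_party):
    """Return a list of (href, reason) findings; an empty list means clean."""
    parser = LinkExtractor()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        url = urlparse(href)
        # Relative, mailto: and tel: links are not click-through web targets.
        if not url.scheme or url.scheme in ("mailto", "tel"):
            continue
        host = url.hostname or ""
        if url.scheme != "https":
            findings.append((href, "not https"))
        if not is_first_party(host, first_party):
            findings.append((href, "link target is not a first-party domain"))
            # Visible text naming the fund's own domain while the href goes
            # elsewhere is the disguise criminals use for a fake site.
            if any(d in text.lower() for d in first_party):
                findings.append(
                    (href, "visible text shows first-party domain but href does not")
                )
    return findings


# Assumption: the fund's own domains (constructed for this example).
FIRST_PARTY = {"examplesuper.com.au"}

# Constructed sample campaign email: one clean link, one third-party
# lookalike link, one plain-http link and one mailto: link.
SAMPLE_EMAIL = """
<p>Find your lost super now.</p>
<a href="https://www.examplesuper.com.au/consolidate">Search for lost super</a>
<a href="https://super-consolidate.example.net/login">www.examplesuper.com.au/consolidate</a>
<a href="http://www.examplesuper.com.au/unsubscribe">Unsubscribe</a>
<a href="mailto:help@examplesuper.com.au">Contact us</a>
"""

if __name__ == "__main__":
    for href, reason in audit_campaign_html(SAMPLE_EMAIL, FIRST_PARTY):
        print(f"{reason}: {href}")
```

Any non-empty result is a reason to hold the campaign: a third-party target is exactly what the regulator says makes these messages indistinguishable from a criminal campaign, and a lookalike link text is a stronger signal still. The subdomain match in `is_first_party` is deliberately strict (exact domain or a dot-separated subdomain), so `examplesuper.com.au.attacker.example` is not accepted.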
Additionally, handing over bulk extracts of member data like individual tax file numbers to third parties for the purpose of such marketing puts members in greater danger of having their information compromised, the regulator said.
"APRA considers that bulk extraction of sensitive member data from core administration systems, particularly to environments where security controls are weaker or unproven, gives rise to heightened risk."
APRA warned super firms that it would continue to monitor the industry's outsourcing practices to ensure it was 'appropriately understanding and managing' the risks.
The Australian Tax Office had warned super firms earlier in October that the sending of unsolicited emails and SMS in bulk, requesting personal or financial information, was not a safe practice.
It said any use of third-party technologies to connect to SuperMatch2 must involve a minimum of two-factor authentication, and that the portal must be hosted on, and accessed through, the super firm's own website.