When was the last time you checked the status of your superannuation fund? Often, perhaps, if you are nearing retirement.
But if you aren’t, you are not likely to pay your quarterly or annual statement much more scrutiny than a passing glance.
This raises some very scary questions when one considers the ease with which criminals have accessed the superannuation records and – occasionally – the superannuation accounts of unsuspecting victims in recent years.
Superannuation fraud is potentially more dangerous than online banking or credit fraud, because victims may be unaware their super has been cashed out for years. Worse still, the crime is so new that there appears little recourse for victims.
Criminals exploit a range of techniques to first steal the identity of victims before transferring their superannuation into self-managed accounts, according to NSW fraud squad commander detective superintendent, Col Dyson.
“Superannuation fraud is emerging – and the difference is that it works well because no-one checks their super,” Dyson said.
“This fraud is quick. It’s easy to move super from large companies to a self-managed fund and then remove to cash.”
State and federal law and intelligence agencies including the Australian Tax Office, the Australian Securities and Investment Commission (ASIC) and various police services have witnessed a small uptick in the incidence of superannuation fraud since it was exposed by SC Magazine in June this year.
But Dyson said the problem could be worse.
“We don’t know [the full extent] exactly because we don’t know how many people are aware that their super funds have been pilfered,” he said.
Victims rarely notice account changes, making it easy for criminals to change mailing addresses.
SC Magazine has spoken to several people who each admit that superannuation statements were likely sent to old residential addresses, increasing the risk of identity theft.
But while Australian banks voluntarily reimburse customers that fall victim to financial scams, there is no such obligation on superannuation funds.
“Superannuation funds are under no obligation to reimburse victims,” says Pauline Vamos, chief executive officer of the Association of Superannuation Funds (ASFA).
Next: Are super funds doing anything about it?
Vamos said criminals will siphon superannuation into self-managed funds or apply for hardship payments.
“Criminals steal identities and falsify hardship documents to get early payments.”
Identity rules around self-managed funds and hardship payments are relatively weak. Bank accounts receiving the stolen funds are not checked against existing records and can be in multiple names.
In October 2011, security researcher Patrick Webster highlighted just how immature security standards in the super industry were – disclosing the ability to access electronic superannuation notices of any First State Superannuation customer by changing numerical values in URLs used to issue statements to clients.
First State initially threatened legal action against Webster, but withdrew its claim after public pressure generated from news coverage of the incident.
Thankfully, changes are in the works.
The Federal Government has mandated that superannuation funds toughen identity requirements by year’s end, and the Australian Tax Office has already refused to pay into accounts owned by more than one holder, Vamos said.
Security boffins employed by superannuation funds have formed an informal and secretive community to exchange confidential information about the latest “tricks” used by criminals.
For its part, ASFA had issued warnings to superannuation funds about the security implications of issuing statements.
Dyson pointed out that the scam is uncommon, but is emerging and the public should be aware of the threat.
“Check your super details and look for changes,” he advised.