Why Fraud Risk in Super Is Rising Fast
Identity fraud is escalating across Australia’s $4.5 trillion superannuation industry as criminals shift focus from heavily-defended banks to super funds with weaker digital protections and self-service capabilities. Continuous identity verification with biometric enrolment and risk-based authentication prevents up to 98% of fraud while maintaining member experience.
Identity fraud is rapidly becoming one of the most material risks facing Australia’s superannuation industry. What was once considered a low-frequency, edge-case threat is moving into the mainstream, driven by growing balances, greater digital engagement, and increasingly sophisticated criminal activity. Recent events make one thing clear: the risk is no longer theoretical.
Super Funds Are Becoming a Soft Target
With funds under management exceeding $4.5 trillion and forecast to reach $6 trillion by 2030, superannuation will soon rival the deposits held by Australian banks, making it a more attractive target for bad actors to invest time and effort in.
At the same time, retail banks have significantly lifted their defences through years of investment in identity verification, fraud detection, and authentication technologies. Combined with large, well-trained fraud operations teams and sustained customer education, these measures have made banking increasingly difficult for attackers. As a result, superannuation funds increasingly look like a softer target.
The shift to digital channels is also amplifying the risk. To attract new members, funds have been gradually rolling out more self-service capabilities into their online and mobile experiences—allowing members to check balances, adjust investment options and in some cases initiate withdrawals without having to call a contact centre or submit a paper-based form, the industry norm for many years.
These improvements deliver real value to members, but they also bring risk. Without modern and continuous identity assurance, reduced friction can quickly become reduced protection.
The Warning Signs
In April 2025, multiple funds were hit by a large-scale credential stuffing attack, where stolen usernames and passwords purchased from the dark web were used to attempt thousands of fraudulent logins. Several funds were impacted with losses of $500,000 across several members’ accounts. Notably, the attacks were highly calculated, focusing on members more likely to be retired and therefore able to request lump-sum drawdowns.
This incident is part of a disturbing pattern. In another recent case, 16 people lost a total of $4.8m through a fake SMSF scam that convinced victims to willingly surrender their identity documents. These are not isolated cases—many more Australians have lost six- and even seven-figure sums to similar schemes. Based on the fraud & scam trajectory seen in the banking sector, losses like this have the potential to rapidly multiply within the super industry.
ASIC’s actions suggest they’re seeing the same trend. In February 2026, they studied fraud and scam education across various fund websites. The review found that super funds provide far less anti-scam guidance than the big four banks, leaving members less equipped to recognise threats and more vulnerable to social engineering.
Retirees are most at risk, but Gen Z is not safe
Older Australians are disproportionately targeted by scammers due to lower levels of digital savviness and their more immediate access to super savings compared to those still in employment. A compromised account in this cohort can lead to irreversible losses, often at a stage of life where financial recovery is not realistic. This elevates super fraud from an operational issue to a direct harm to members with serious social consequences.
However, those new to the workforce are also being targeted. Super-related scams on social media are rife, promising ‘too good to be true’ returns if you roll over your funds to an account controlled by a bad actor.
Four Ways Fraudsters Attack Super Accounts
Identity fraud in superannuation is no longer limited to simple account takeovers. Today, the types of fraud include:
- Members exploiting early withdrawal rules to fraudulently access their super early by using fake or forged documents
- Creation of super fund mule accounts using stolen, rented or synthetic IDs to receive illicit funds
- Fake or rogue financial advisers persuading members to authorise rollovers into accounts controlled by criminals, often with the promise of higher returns
- Identity and account takeover using customer data that is harvested, stolen, or socially engineered from the customer themselves
How Continuous Identity Helps
It’s no longer enough to verify the identity of your members using static data points on a one-time basis at the point of member onboarding.
Instead, you need to have a more complete baseline that accurately reflects who the user is, otherwise every subsequent trust decision is compromised.
Strong enrolment requires three critical elements:
- Proof of Possession: Confirm the user controls the device or token being registered.
- Proof of Ownership: Validate that the individual truly owns the claimed identity.
- Data Verification: Cross-check submitted information against trusted sources.
By binding biometric markers, such as a user’s face, to the account during enrolment, funds can create a secure, immutable link between the user, their device, and their digital identity—making it much harder for an account to be forcefully taken over by a bad actor.
However, strong enrolment is just the beginning. Returning members who are coming back to view or make a change to their fund must be appropriately authenticated to make sure it’s the same person who opened the account.
Whilst there are a variety of modern authentication methods, the chosen solution and associated customer experience should be proportional to what the customer is trying to do and how risky it is. For example, passkeys and/or device biometrics are generally considered acceptable when a member is logging into their account. At the other end of the spectrum, if a member is trying to roll over funds to a new provider, a higher level of assurance is needed. This can be achieved by asking the member to retake a selfie that is then matched to the one captured during enrolment.
This is an example of a reactive ‘step-up’ authentication, triggered by the member attempting to do something. However, step-up authentication should also be used as a proactive defence. If a member logs into their account using a new device, new IP address, or an unusual location, these are all signals that something may not be quite right. To rule this out, the member can be asked to snap a new selfie. If no new selfie is forthcoming, more investigation is required and potentially the account should be locked.
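The step-up rules described above can be written as a small policy function. This is an added example, not code from the article or from any vendor; the action names, result labels, member fields and sample data are assumptions made for illustration.

```python
from dataclasses import dataclass, field

# Hypothetical names: the article names only login vs. rollover and passkey vs. selfie.
HIGH_RISK_ACTIONS = {"rollover"}

@dataclass
class Member:
    known_devices: set = field(default_factory=set)
    known_ips: set = field(default_factory=set)
    usual_countries: set = field(default_factory=set)

@dataclass
class Request:
    action: str
    device_id: str
    ip: str
    country: str

def risk_signals(member, req):
    """Proactive signals listed in the article: new device, new IP, unusual location."""
    checks = [("new_device", req.device_id not in member.known_devices),
              ("new_ip", req.ip not in member.known_ips),
              ("unusual_location", req.country not in member.usual_countries)]
    return [name for name, hit in checks if hit]

def required_auth(member, req):
    """Return (method, reasons), proportional to the action and the session signals."""
    signals = risk_signals(member, req)
    if req.action in HIGH_RISK_ACTIONS:
        return "selfie_match", ["high_risk_action"] + signals  # reactive step-up
    if signals:
        return "selfie_match", signals                         # proactive step-up
    return "passkey", []

def outcome(method, passkey_ok=False, selfie_matches=None):
    """selfie_matches: True/False from a face matcher, None when no selfie is supplied."""
    if method == "passkey":
        return "allow" if passkey_ok else "deny"
    if selfie_matches is True:
        return "allow"
    # No selfie: hold for investigation and possible lock, as the article describes.
    # Treating a failed match the same way is an assumption of this example.
    return "hold_for_investigation"

# Constructed sample member and requests (documentation-range IP addresses).
MEMBER = Member({"dev-A"}, {"203.0.113.7"}, {"AU"})
LOGIN_USUAL = Request("login", "dev-A", "203.0.113.7", "AU")
LOGIN_NEW = Request("login", "dev-B", "198.51.100.9", "AU")
ROLLOVER = Request("rollover", "dev-A", "203.0.113.7", "AU")
```

Returning the reasons alongside the method gives fraud operations a record of why a member was challenged, which is what the follow-up investigation needs.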
The Business Impact
Reduced Fraud Losses: Continuous identity solutions have been shown to prevent up to 98% of fraudulent attacks before any financial loss occurs, reducing false positives by 30–40% and saving organisations billions annually.
Improved Customer Experience: Risk-based authentication reduces friction and boosts satisfaction scores.
Enhanced Brand Trust: Frictionless yet secure experiences strengthen customer confidence and loyalty.
Why Super Needs Continuous Identity
Taken together, the warning signs are unmistakable. The industry is sitting on rapidly growing pools of capital, accelerating digital access, a vulnerable retiree demographic, and controls that lag behind those of adjacent financial sectors. Criminals have noticed and they are already acting.
For superannuation trustees and executives, it is no longer if identity fraud will escalate, but how quickly and how prepared the industry will be. Closing the gap will require investment in modern identity verification, authentication, and behavioural fraud detection capabilities. Just as importantly, funds must rethink their fraud operations support and member education, accepting that some friction—applied intelligently and proportionately—is a feature, not a flaw, when protecting retirement savings.
Identity fraud is no longer a future risk on the horizon for superannuation. It is a present-day reality. How the industry responds will define member trust, regulatory confidence, and resilience for the decade ahead.




