This article was co-authored with Joy Zhang.
Scammers are increasingly using advanced tools to target superannuation assets, endangering members' retirement savings. The cyber attack in early April this year on several major Australian superannuation funds highlights the urgent need for industry leaders to integrate scam resilience strategies into their operations. This incident shows that trustees cannot wait for the commencement of specific regimes (such as the Scams Prevention Framework (SPF)), but must take a proactive and holistic approach to managing this ongoing threat. Since the attack, there has reportedly been a rise in email scams claiming to be from the affected superannuation funds, targeting both members and non-members.
ASIC’s open letter dated 29 January 2025 (Open Letter) and the potential application of the SPF to the superannuation industry highlight the need for trustees to adopt a proactive and integrated approach to managing scams. This article explores how superannuation trustees can enhance their scams prevention strategies by leveraging existing efforts to comply with the interconnected regulatory regimes which govern them, to help identify scam risks across their entire operations and to implement effective controls.
Key takeaways for the Superannuation Industry
ASIC’s call to action
In its Open Letter, ASIC requested superannuation trustees to take the following actions:
- Conduct a preliminary assessment of anti-scam and anti-fraud measures, including for services provided by external administrators.
- Address the baseline measures set out by ASIC in REP 761 and REP 790 on scams in the banking context, as well as areas of risk and weakness identified in the Open Letter (e.g. identifying flags where a member may have been tricked into certain transactions such as transferring funds out of their superannuation account).
- Consider whether it is appropriate to allocate the scam (and fraud) management key function to an accountable person under the Financial Accountability Regime (FAR).
- Leverage industry bodies and bilateral relationships for information sharing and uplift industry standards on scams.
More broadly, one of ASIC’s strategic priorities is advancing digital and data resilience and safety, including by focusing on business, cyber and operational resilience. Consistent with this focus, ASIC has demonstrated a willingness to take enforcement action against financial institutions when it has concerns about their ability to protect customers from scams.
Interconnectedness of various regimes
Although the SPF has not yet extended to the superannuation industry, trustees can leverage policies and processes developed for compliance with current regimes to identify and manage scam risks. Trustees should revisit their existing compliance frameworks to gain insights into scam risks throughout their service offerings (including risks from third-party contractors), and should determine how to best manage such risks.
For instance, we discuss below how trustees can make use of their frameworks and/or data obtained from processes developed to comply with ASIC’s Regulatory Guide 271, the Financial Accountability Regime (FAR), and APRA’s Prudential Standard CPS 230 to shape their approaches to uplifting protections against scams.
Complaints handling procedures
To combat scams by identifying patterns, emerging trends and vulnerabilities within their operations, superannuation trustees should revisit whether staff are adequately trained to identify and record complaints, and should systematically analyse the data obtained from their internal complaints systems under ASIC’s Regulatory Guide 271.
Ongoing analysis and reporting of aggregate complaints data to senior management will support both a proactive and holistic assessment of a fund’s exposure to scams which can, in turn, inform strategic decisions on risk management and how internal controls are to be improved. For instance:
- Complaints can provide useful details on how scammers are targeting members (e.g. phishing, identity theft, impersonation of staff).
- Demographic data attached to complaints may identify if certain member segments (e.g. age, cultural background, location, account type) are particularly exposed to scams.
- System or process vulnerabilities may be revealed where complaints suggest inadequacies in, for instance, processes of the superannuation trustee or any outsourced service providers, communication channels, or online portals (e.g. the lack of multi-factor authentication).
- Time-sensitive analysis may reveal any seasonal fluctuations in scam activity and whether increases are potentially linked to broader events (e.g. financial year cycles, regulatory or economic changes, cyber incidents).
This analysis can assist in drafting member communications to raise awareness, in upgrading detection or monitoring systems and internal controls in response to identified vulnerabilities in processes or systems, and in shaping strategic decisions around fraud and operational risks (including the extent to which contracted third parties are increasing the exposure to the risks of scams and what additional measures are required to guard against those risks).
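The aggregate complaints analysis described above, as an added illustration that is not part of the original article: a small Python script over constructed complaint records (the record fields, the age bands, the "fund"/"administrator" provider labels and the spike thresholds are all assumptions) that counts complaints by scam vector, member segment, channel and responsible provider, builds a monthly series, and flags months where volume jumps against the preceding month with data.

```python
from collections import Counter, defaultdict
from datetime import date

# Constructed sample records (not real data) in the shape an internal complaints
# system might export once staff record scam complaints consistently. "provider"
# records whether the complaint concerns the trustee's own process or an outsourced
# administrator, so third-party exposure can be measured alongside everything else.
COMPLAINTS = [
    {"id": 1,  "received": date(2025, 1, 14), "vector": "phishing",       "age_band": "55-64", "channel": "email",  "provider": "fund"},
    {"id": 2,  "received": date(2025, 1, 27), "vector": "impersonation",  "age_band": "65+",   "channel": "phone",  "provider": "administrator"},
    {"id": 3,  "received": date(2025, 2, 5),  "vector": "phishing",       "age_band": "55-64", "channel": "email",  "provider": "fund"},
    {"id": 4,  "received": date(2025, 2, 18), "vector": "identity_theft", "age_band": "35-44", "channel": "portal", "provider": "administrator"},
    {"id": 5,  "received": date(2025, 2, 25), "vector": "impersonation",  "age_band": "65+",   "channel": "phone",  "provider": "fund"},
    {"id": 6,  "received": date(2025, 3, 3),  "vector": "phishing",       "age_band": "55-64", "channel": "email",  "provider": "fund"},
    {"id": 7,  "received": date(2025, 3, 4),  "vector": "phishing",       "age_band": "65+",   "channel": "sms",    "provider": "fund"},
    {"id": 8,  "received": date(2025, 3, 6),  "vector": "phishing",       "age_band": "55-64", "channel": "email",  "provider": "administrator"},
    {"id": 9,  "received": date(2025, 3, 11), "vector": "impersonation",  "age_band": "55-64", "channel": "phone",  "provider": "administrator"},
    {"id": 10, "received": date(2025, 3, 12), "vector": "phishing",       "age_band": "45-54", "channel": "email",  "provider": "fund"},
    {"id": 11, "received": date(2025, 3, 20), "vector": "identity_theft", "age_band": "55-64", "channel": "portal", "provider": "administrator"},
    {"id": 12, "received": date(2025, 3, 28), "vector": "phishing",       "age_band": "55-64", "channel": "sms",    "provider": "fund"},
]


def count_by(records, field):
    """Aggregate complaints by one attribute (vector, age_band, channel, provider)."""
    return dict(Counter(r[field] for r in records))


def monthly_counts(records, vector=None):
    """Complaints per calendar month, optionally restricted to one scam vector."""
    counts = defaultdict(int)
    for r in records:
        if vector is None or r["vector"] == vector:
            counts[r["received"].strftime("%Y-%m")] += 1
    return dict(sorted(counts.items()))


def flag_spikes(monthly, ratio=2.0, minimum=3):
    """Return (month, previous_count, count) for months whose volume is at least
    `ratio` times the preceding month with data and at least `minimum` complaints,
    so that a move from one complaint to two is not reported as a trend.
    The thresholds are assumed values for illustration."""
    months = sorted(monthly)
    spikes = []
    for prev, cur in zip(months, months[1:]):
        if monthly[cur] >= minimum and monthly[cur] >= ratio * monthly[prev]:
            spikes.append((cur, monthly[prev], monthly[cur]))
    return spikes


def exposed_segments(records, field="age_band", share=0.4):
    """Segments that account for at least `share` of all complaints, mapped to
    their share, to highlight member groups that warrant targeted communications."""
    total = len(records)
    return {seg: n / total for seg, n in count_by(records, field).items() if n / total >= share}


def summary(records):
    """The aggregate view senior management would receive from this data set."""
    return {
        "by_vector": count_by(records, "vector"),
        "by_channel": count_by(records, "channel"),
        "by_provider": count_by(records, "provider"),
        "monthly": monthly_counts(records),
        "spikes": flag_spikes(monthly_counts(records)),
        "exposed_age_bands": exposed_segments(records),
    }


if __name__ == "__main__":
    for name, value in summary(COMPLAINTS).items():
        print(f"{name}: {value}")
```

On the constructed data the report shows phishing as the dominant vector, the 55-64 band carrying well over half of complaints, and March as a spike month (7 complaints against 3 in February), which is the kind of signal that would prompt a closer look at the email and SMS channels and at the administrator's share of the incidents before drafting member communications or adjusting controls.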
Accountability and governance
The FAR commenced for superannuation trustees from 15 March 2025. The FAR imposes a strengthened responsibility and accountability framework for entities in the banking, insurance and superannuation industries and for their directors and senior executives. Designed to uplift the risk and governance cultures of Australia’s financial institutions, the FAR highlights the continued regulatory focus on scam management, which is identified as an “RSE licensee key function”. The FAR reinforces the need to ensure that scam management is approached from a governance and conduct perspective, with board-level focus and responsibility embedded into key risk frameworks, especially where cyber incidents and outsourcing to third party service providers have become commonplace. The Open Letter has specifically requested superannuation trustees to “consider whether it is appropriate to allocate the scam (and fraud) management key function to one of your accountable persons”.
Where a FAR accountable person has been designated to oversee scam management, it is important that supporting frameworks are embedded to maximise impact – for instance:
- Mapping clear reporting lines and establishing escalation channels to ensure appropriate escalation of scam activities and trends gathered by various business units (e.g. through internal complaints data, monitoring tools, regular audits). This informs strategic decisions to invest in improving policies, processes and technology.
- Establishing protocols to ensure the accountable person can coordinate efforts across teams to effectively respond to scam incidents and manage stakeholder communications, given these incidents often involve multiple teams (e.g. customer service, fraud, legal/compliance).
- Investing in ongoing education to drive a culture of vigilance throughout the business and member population to help swiftly identify and guard against scams.
Operational risk management
Superannuation trustees have traditionally relied on external providers to deliver various services, such as IT support, administration and investment management. While outsourcing can present a range of benefits for superannuation trustees, the decision to outsource and the choice of service provider can directly affect member outcomes. The imminent commencement of APRA’s Prudential Standard CPS 230 from 1 July 2025 means it is imperative that superannuation trustees focus on strengthening their operational risk management, particularly in relation to third/fourth party oversight.
Vulnerabilities in outsourced providers’ processes or systems are prone to be exploited by scammers. As part of their CPS 230 compliance efforts, superannuation trustees should focus on specific scam protection measures such as:
- Conducting adequate due diligence on outsourced service providers in key areas including scams prevention, fraud detection and monitoring, cyber security and data protection (e.g. real-time alerts to notify members of account activities such as withdrawal requests), and incident management and escalation.
- Ensuring there are robust contractual mechanisms in place to conduct ongoing monitoring and regular audits, performance management, information sharing and notification requirements to inform the superannuation trustee of any scam-related incidents which may affect members.
- Verifying how the service provider manages its own subcontractors and ensuring that their security practices are sound.
Lessons learnt from other jurisdictions
While jurisdictions tend to manage the rising threat of scams in different ways depending on local considerations, the Australian superannuation industry can draw on learnings from overseas jurisdictions to tailor their approach to effectively manage the risk of scams.
For instance, in the United Kingdom, The Pensions Regulator’s General Code of Practice issued in January 2024 provides guidance on the obligation for governing bodies of certain schemes to establish and operate an effective system of governance which is proportionate to the size, nature, scale, and complexity of the activities of the scheme. The General Code of Practice provides specifically that internal controls include taking appropriate steps to mitigate the risk of scams, and relevant entities should take various measures such as:
- Ensuring they are aware of warning signs of a scam
- Checking whether there are such signs when a member requests to transfer or withdraw their benefits
- Carrying out due diligence on the recipient scheme to which a member wishes to transfer their benefits
- Ensuring members are educated about the risks of pensions scams, such as by providing clear information on how to identify a scam in member communications, and including website warnings to alert members to the risk of scams
Conclusion
Scammers, who often operate on a global scale across multiple jurisdictions, are constantly adopting new ways to get their hands on members’ assets or steal their identity. Superannuation trustees that adopt a forward-looking approach to effectively integrate an interconnected scams prevention regime into their operations will not only be supporting their members’ best interests by reducing losses due to fraud, but will be better placed to maintain their members’ trust and have a stronger and more resilient fund.