SecurityBrief New Zealand - Technology news for CISOs & cybersecurity decision-makers

Strengthening cyber resilience in superannuation

Fri, 30th May 2025

In early April, cybercriminals infiltrated multiple superannuation providers using stolen credentials, draining about half a million dollars; four Australians saw their retirement savings vanish overnight. Investigators are still piecing together the scale of the breach, which underscores the growing cybersecurity risks to Australia's AU$4.2 trillion retirement savings pool.

With 12.6 million superannuation members exposed in recent attacks, the question is no longer if fraudsters will strike, but how the industry can stay ahead in this battle. Even though the Australian Prudential Regulation Authority (APRA) praised multifactor authentication (MFA) as "one of the most effective controls an organisation can implement" in 2023, the rapid evolution of cybercrime demands more sophisticated defences.

Limits of MFA in a changing threat landscape

MFA remains a critical control: it requires users to prove their identity with two or more independent factors (something they know, have or are), adding friction at login that deters simple credential-based attacks. Cybercriminals are adapting, however, using phishing, social engineering and AI-assisted techniques to bypass weaker forms of MFA. Real-time phishing proxies relay one-time codes to the genuine site as the victim types them, and push-notification fatigue wears a user down until they approve a prompt they did not initiate. Phishing-resistant factors such as FIDO2 security keys and passkeys close those gaps because the credential is bound to the legitimate site, but they are far from universal.

Recent superannuation breaches highlight another weakness: poor password hygiene. Many individuals still reuse passwords across platforms, so credentials leaked in one breach can be replayed against another in credential-stuffing attacks. Such attacks often run unnoticed, causing considerable financial damage before they are detected.

Trade-off between cybersecurity and user experience

According to the True Cost of Fraud Study by LexisNexis Risk Solutions, Australian organisations saw a 66% year-on-year increase in fraud, with every dollar lost costing firms AU$3.68. This trend highlights the urgency of a more adaptive and layered approach to fraud prevention.

At the same time, customers today expect both security and convenience. Applying MFA to every interaction would be more robust on paper, but excessive friction leads to abandonment: users who find it painful to log in check their accounts less often and are therefore less likely to notice when they have become victims of an attack.

A more nuanced, risk-based approach that applies the right level of security based on the context and risks of each interaction allows organisations to detect and disrupt complex fraud in real time without adding unnecessary friction. By aligning protection with risk, businesses can strengthen security without compromising customer experiences. 

A comprehensive defence strategy involves multiple layers, and each layer strengthens defence against fraudsters. This ensures that if one security measure fails, others remain in place to detect and mitigate fraudulent activity. 

Key measures should include identity verification, device intelligence, behavioural intelligence and real-time risk scoring: 

  1. Risk assessment analyses contextual signals such as device reputation, IP geolocation, network patterns and login behaviour to rate each interaction. AI models score these signals in real time and decide whether additional authentication is required.
  2. AI-powered identity verification confirms that the individual behind the digital interaction is genuine, cross-checking identity details against public records and data from multiple providers.
  3. Fraud assessment evaluates the risk attached to an identity by combining digital, physical and behavioural signals. Behavioural intelligence such as keystroke dynamics, device interactions and mouse movements builds a dynamic profile of each user over time; deviations from that profile may indicate a bot or fraudulent activity.
  4. Adaptive authentication dynamically applies stronger verification in high-risk scenarios while keeping the experience smooth for legitimate users.
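The four layers above, and the credential-stuffing pattern behind the April breaches, can be tied together in a small risk engine. The Python below is an added illustration, not code from the article, APRA, LexisNexis or any fund. The member profiles, login history, IP addresses (from the RFC 5737 documentation ranges), signal weights and the allow/step-up/block thresholds are all assumptions chosen to show the mechanism: a new device, a geography mismatch, one IP cycling through many accounts, and a typing rhythm that departs from the member's baseline each add to a score, and the score drives whether the session is allowed, forced through extra verification, or blocked.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed member profiles (assumed data, not real fund records): trusted
# devices, usual country and a behavioural baseline (mean inter-key interval).
PROFILES = {
    "m001": {"devices": {"dev-a1"}, "country": "AU", "typing_ms": 180.0},
    "m002": {"devices": {"dev-b7"}, "country": "AU", "typing_ms": 210.0},
}


@dataclass(frozen=True)
class Attempt:
    member_id: str
    ip: str
    country: str
    device_id: str
    ts: datetime
    typing_ms: float  # mean inter-key interval observed on the login form


T0 = datetime(2025, 4, 1, 9, 0, 0)

# Constructed history: one IP trying seven different member IDs within a few
# minutes is the classic credential-stuffing pattern (documentation IP range).
HISTORY = [
    Attempt(f"m{n:03d}", "203.0.113.9", "AU", f"dev-x{n}",
            T0 + timedelta(seconds=20 * n), 40.0)
    for n in range(1, 8)
]


class RiskEngine:
    VELOCITY_WINDOW = timedelta(minutes=10)
    VELOCITY_ACCOUNTS = 5  # distinct accounts from one IP before it is flagged

    def __init__(self, history):
        self.by_ip = defaultdict(list)
        for a in history:
            self.by_ip[a.ip].append(a)

    def score(self, attempt):
        """Return (score, reasons). Weights are illustrative assumptions."""
        profile = PROFILES.get(attempt.member_id)
        if profile is None:
            return 100, ["unknown_member"]
        score, reasons = 0, []
        if attempt.device_id not in profile["devices"]:  # device intelligence
            score += 30
            reasons.append("new_device")
        if attempt.country != profile["country"]:  # IP geolocation
            score += 25
            reasons.append("geo_mismatch")
        # Network pattern: how many distinct accounts has this IP hit recently?
        recent = [a for a in self.by_ip[attempt.ip]
                  if timedelta(0) <= attempt.ts - a.ts <= self.VELOCITY_WINDOW]
        if len({a.member_id for a in recent}) >= self.VELOCITY_ACCOUNTS:
            score += 40
            reasons.append("ip_velocity")
        baseline = profile["typing_ms"]  # behavioural intelligence
        if abs(attempt.typing_ms - baseline) > 0.5 * baseline:
            score += 20
            reasons.append("behaviour_deviation")
        return score, reasons


def decide(score):
    """Adaptive authentication policy: thresholds are assumptions."""
    if score >= 70:
        return "block"
    if score >= 30:
        return "step_up"  # require an additional, ideally phishing-resistant, factor
    return "allow"


def evaluate(engine, attempt):
    score, reasons = engine.score(attempt)
    return {"decision": decide(score), "score": score, "reasons": reasons}


def run_samples():
    """Three constructed logins arriving three minutes after the stuffing burst."""
    engine = RiskEngine(HISTORY)
    now = T0 + timedelta(minutes=3)
    samples = {
        "trusted": Attempt("m001", "198.51.100.4", "AU", "dev-a1", now, 175.0),
        "travelling_new_device": Attempt("m001", "198.51.100.4", "GB", "dev-q2", now, 175.0),
        "stuffing_bot": Attempt("m002", "203.0.113.9", "AU", "dev-z9", now, 40.0),
    }
    return {name: evaluate(engine, a) for name, a in samples.items()}


if __name__ == "__main__":
    for name, result in run_samples().items():
        print(f"{name:22s} -> {result['decision']:8s} score={result['score']} {result['reasons']}")
```

The weights here are hand-picked rules; a production engine would use trained models over many more signals, but the contract the application consumes is the same: a decision plus the reasons behind it, which should be logged so that a blocked or stepped-up login can be investigated later. Note that the bot in the third sample is caught even though it supplies a valid password, because the IP velocity and behavioural signals do not depend on the credential being correct.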

Recent cyberattacks targeting superannuation funds highlight the need for a more robust digital defence strategy. APRA's multi-factor authentication guidelines offer a solid foundation, but static approaches alone are not enough to manage dynamic threats. Industry players must take a unified, layered approach to safeguard Australia's financial system. 
