From MFA to the Sock Drawer: Security in SMSFs

Shelley Banton
April 08, 2025

Security in SMSFs comes in all shapes and sizes. Tech-savvy SMSF trustees will have multi-factor authentication (“MFA”) enabled for all their investments, while others will happily rely on a sock drawer to store passwords.

In the wake of recent cyber attacks on APRA-regulated funds, it would be naïve to assume that cybercriminals would ignore SMSFs with $1 trillion in total assets.

Key statistics from the National Anti-Scam Centre show over $134 million in losses between 1 January and 30 June 2024. Most importantly, people aged 55 and over accounted for 47.6% of those losses.

With 38% of all SMSF members in retirement as of June 2024, SMSFs remain vulnerable to hackers who would readily take advantage of the technologically challenged in this cohort.

As a result, SMSFs remain high on the ATO's and ASIC's watchlists to ensure they stay protected.

SIS Regulations

While SIS is silent on security technology, the operating standards under s52 SIS charge trustees to perform their “duties and exercise powers in the best financial interests of the beneficiaries”.

The rules also say trustees should use a level of care, skill and diligence that a careful and responsible trustee would use for fund investments.

Where trustees are not employing security measures to their fullest extent, are they acting in the best interests of the members?

Could this open the door to potential litigation in line with s55 SIS if the fund incurred a financial loss and there was a dispute, divorce or disagreement?

SMSF Security

The Australian Cyber Security Centre (ACSC) recommends using multi-factor authentication (“MFA”) because it defends against the majority of password-related cyberattacks.

MFA requires a combination of two or more factors to access an account, such as a PIN, facial recognition, or an authenticator app.

Using more factors distinguishes legitimate users from hackers, making it harder for attackers to impersonate good actors or employ brute force methods.

Are SMSFs Cyber Resilient?

There are two components to SMSFs being cyber resilient: direct and indirect risk management.

Trustees have direct control over investment accounts they have access to, such as bank and brokerage accounts. Enabling MFA will ensure maximum security and be the first line of defence against hackers.

In a B2B context, partnering with SMSF professionals who use best-practice control technologies when storing member information is the second.

By way of example, ASF Audits employs critical measures such as firewalls, malware filters, and MFA for logging in. Other protocols include penetration testing, automated security monitoring and alerts as standard practices, with all client data and files securely stored on Amazon AWS infrastructure and encrypted with AES-256.

SMSF Investments

As some high-risk investments are more prone to fraud than others, trustees must set in place sophisticated security measures to ensure the recoverability and safety of their members’ retirement savings.

A sock drawer no longer cuts it.

Cryptocurrency and digital assets attract criminal activity because they are not classified as financial products. SMSFs can be exploited through illegal operations resulting in phishing scams, theft and collapsed crypto trading platforms.

The best practice is for an SMSF to use a crypto exchange that holds an AFSL, complies with AUSTRAC-regulated AML/CTF legislation and has a sound reputation.

Security of other investments, such as overseas assets, unlisted entities and property, also comes with its share of problems.

An unsolicited offer of an investment with high returns, encouraging early withdrawals and requesting high-level personal details are red flags.

While SMSF financial losses are bad enough, identity theft is often a worse outcome, with members experiencing personal financial ruin, credit issues and emotional distress.

ASIC Activity

ASIC has wound up 95 companies that may have been involved in facilitating scam activities and warns all consumers to remain vigilant.

The companies were associated with websites and apps to trick consumers into investing in phony foreign exchanges, digital assets or commodities trading.

Unfortunately, ASIC has said that these scams are like hydras; when one is shut down, two more take its place.

SMSF Security Tips

The following security measures are crucial to protect SMSFs:

  1. Avoid clicking on account sign-in hyperlinks received from SMS or emails
  2. Do not share MFA codes or approve unknown sign-in attempts
  3. Use MFA whenever possible
  4. Select strong passwords
  5. Regularly update computer software
  6. Research websites before making any online payments
  7. Review email addresses, bank statements and recipients of money beforehand

Conclusion

Cyber resilience is most effective as a shared responsibility between all parties.

SMSF professionals should educate their trustee clients on adopting robust security measures to safeguard fund investments and personal data. Partnering with SMSF experts who use best-practice control technologies is the other step.

There is no doubt that consistent vigilance is essential to protect SMSFs from cyberattacks and to maintain the integrity of the SMSF industry through strict security measures such as MFA, not sock drawers.
