Protecting your money: Cyber Security and scam awareness

Helping you keep your super and
investments secure online

Your super and investment savings represent years of hard work for a secure future. Unfortunately, they can be a prime target for scammers, causing significant financial loss and emotional distress.

Financial scams are on the rise and becoming more sophisticated, making them harder to detect. This page will help you recognise common types of super and investment scams, how to identify them, and how to protect yourself and your loved ones.

Think you might be facing a scam?

Click here to learn the best steps to take immediately.

Super scams

These scams usually involve individuals or companies pretending to be from a super fund or regulatory body seeking your personal information. They may claim they need it to update your super account or verify your identity. Or they could offer to help you access your super before you’re eligible to under law. They may claim that doing this can, for example, help you pay off debts or purchase a house. But accessing your super early can result in significant penalties. In addition, these scams may involve high fees or charges which can eat into your super savings.

We recommend that:

You never give out your personal information unless you’re sure it’s safe.

You’re aware of the conditions of release to withdraw your super.

If you’re ever in doubt, contact us.

Investment scams

Investment scams can come in various forms, all aimed at tricking you out of your money. Here are some common ones to watch out for:

Fake investment websites
which vanish once you've put your money in.

Phony brokers
who lock you out of your account after receiving your funds.

The promise of huge returns
in high-risk, unregulated industries, often overseas.

Romance or friendship scams
that then lead to bogus investment opportunities. (See Romance section for more.)
If you suspect you’re being targeted:

Be cautious of unsolicited messages promising big returns with low risk.

Seek professional advice before committing to any investment.

Watch out for investments claiming to avoid taxes; they may not be legitimate.

Research the company or platform online for reviews or scam warnings.

Check the credentials by looking up ASIC Connect for Australian businesses.

Beware of deepfake ads featuring fake endorsements from celebrities.

Avoid unregulated investments like overseas whisky schemes with unrealistic returns.

Impersonation scams

Impersonation scams impersonate authorities like police, government, banks, and well-known businesses to gain your trust.

For example, we have seen scammers pretending to be from Insignia Financial (Plum’s parent company) use cold calls to offer high-return investment accounts, or term deposits with “special one-time rates”. They may direct victims to legitimate websites to appear credible. These scams often feature genuine Insignia Financial logos/images to deceive victims, but upon closer inspection reveals discrepancies.

For instance:

Addresses used are not actual Insignia Financial locations.

Website/domain name have variations such as additional symbols like “-“or additional letters. Examples include:

insigniafinancial-wm.com

insigniafinancial-clientportal.com

insigniafinancial.com--about-us.com

Scammer may email details about these investments. Please note that Plum (and Insignia Financial) employees do not make unsolicited (cold) calls to promote products or business offerings.

Impersonation scams constantly evolve and exploit trusted brands to deceive victims. Visit Scamwatch for more information on impersonation scams.

Crypt scams

The cryptocurrency craze has always felt like the wild west. Now, with its growing popularity, scammers are eager to exploit it. They might pose as investment managers or brokers, promising sky-high returns, but ultimately leave you with nothing.

Here are common crypto scams to watch out for:

Fake recommendations
from compromised social media accounts or unsolicited messages with links to fake crypto sites or apps.

Fake crypto platforms
that appear legitimate but actually divert your funds to scammers.

Initial coin offerings (ICOs)
offering discounted coins to investors which are left worthless once scammers cash out.

Fake job offers
involving setting up bank and crypto accounts to assist in money laundering, putting you at risk of prosecution.

Scammers posing as recovery services
promising to recover lost funds for a fee but failing to deliver results.
If you suspect a crypto scam:

• Seek professional financial advice especially if you're new to crypto.
• Research on platforms, tokens, or coins online and look for scam warnings.
• Be wary of unsolicited messages promoting crypto investments.
• Check websites for legitimacy watch for spelling mistakes and avoid any that promise instant rewards.
• Beware of high returns with low-risk guarantees.
• Check AUSTRAC for registered digital currency exchanges. .
• Visit moneysmart.gov.au for more on crypto scams and what to do if you've been scammed.

Identity theft scams

These scams involve criminals stealing your personal information (name, date of birth, and Tax File Number). With this data, they can open bank accounts, credit cards, and other financial accounts in your name, leaving you with the debt and a damaged credit score.

We recommend that you:

Keep your personal information secure and beware of unsolicited messages asking for it.

Regularly check your bank accounts for suspicious activity.

If you suspect that your identity has been stolen, contact your bank or financial institution immediately and report the fraud to the Australian Cyber Security Centre.

Self Managed Super Fund (SMSF) scams

While Self-Managed Super Funds (SMSFs) are a legitimate way to manage your super, there's an increasing risk of scams.

Scammers may pretend to be financial advisers or SMSF businesses, urging you to:

Open an SMSF

Expect high returns with low risk

Let them handle everything for you

Invest in unconventional investments like cryptocurrencies

Appearing trustworthy and patient, they gradually convince you to transfer your super into their control.

They may also offer to help you access your super early, asking for personal details to withdraw funds or set up an SMSF for a fee. However, accessing super before you're allowed can result in significant fines and taxes.

We recommend that you:

Never give out your personal information unless you’re sure it’s safe

Be aware of the conditions of release to withdraw your super

Seek professional advice if you’re ever in doubt.
If you suspect an SMSF scam:

Research the company thoroughly and seek independent trustworthy financial advice.

Check if the business is licensed by visiting the ASIC Connect website and APRA disqualification register.

Ensure you meet the conditions for accessing super

Visit moneysmart.gov.au for more on super scams and what to do if you've been scammed.

Report it to the police promptly if you think you’ve been scammed.

Romance scams

Romance scammers often reach out through social media, gaming, or dating apps, trying to build a connection by pretending to share your interests. They may then coerce you into financial transactions, such as opening bank accounts, unknowingly getting involved in money laundering or investing in risky schemes like cryptocurrency.

Their tactics typically include:

Rushing the relationship to make you feel special quickly and lower your guard.

Moving the conversation off the dating app to a chat app to maintain secrecy. For example, to WhatsApp.

Avoiding in person meetings and discouraging you from telling friends or family.

Requesting personal information, coercing you to comply and threats if you resist.
If you suspect a romance scam:

Never send money to someone you haven't met.

Avoid sharing sensitive documents online.

Avoid transferring funds for others to prevent involvement in illegal activities.

Verify the person's identity and take things slow.

Search for their name with "scam" to check for warnings.

Be careful when sharing personal details and intimate content.

Don't keep the relationship a secret; talk to trusted friends or family.

Learn more about staying safe online and on social media platforms.

Visit https://www.scamwatch.gov.au/types-of-scams/online-dating-and-romance-scams for additional resources.

Credential stuffing

What is Credential stuffing and how can you protect yourself against it?

Cyber-attacks are evolving and becoming more sophisticated every day. One of the latest attacks allows hackers to access members’ accounts using their stolen passwords, via a method known as Credential stuffing.

Credential stuffing is a type of cyber-attack whereby cyber criminals collect stolen usernames and passwords available on the dark web from previous data breaches, and then attempt to use those credentials on other websites or services. If an affected user uses the same password across multiple accounts, a successful credential stuffing attack could compromise all of their accounts.

To protect against this type of attack, it is important to follow the cyber security advice as given by the Australian Government with 3 easy steps:

Set up multi-factor authentication to add an extra layer of security to your online accounts.

Create strong and unique passphrases of 14 or more characters long. These passphrases should be different for each account you hold.

Install software updates regularly to keep your devices secure.

Please refer to the Australian Government’s best cyber practices and protect yourself online at cyber.gov.au
How Plum is protecting your future

At Plum, your security is our priority. We use Multi Factor Authentication across our websites and mobile apps and continuously monitor for suspicious online activity.

From time to time, you may be asked to verify your identify when logging in. This additional step helps ensure that only you can access your account.

This verification involves sending you a one-time passcode to your mobile or email. We will never ask you to provide this passcode to us.

Stop, Reflect, Protect

Given the variety of scams out there, following these three steps can help prevent you falling victim.

Stop

If you receive a suspicious call, email, or text, pause and assess. Genuine organisations like Plum never pressure you to act immediately or ask for your password via email.

Malware can target you through:
- Emails or messages with links or attachments.
- Malicious websites attempting to install malware.
- Exploiting vulnerabilities in outdated software.
To spot malware, watch out for:
- unusual account activity
- Sluggish performance or rapid battery drain.
- Unexpected or inaccessible files and frequent errors.
- Automatic redirects to web pages you didn't intend to visit.

Reflect

Be careful about sharing personal information online. Scammers piece together details from various sources to exploit or create accounts in your name. Always reflect.

Email safety tips:

Be wary of unknown senders.
- Always stop and think before opening attachments, clicking links, or replying to suspicious emails.
Never send personal information via email
- Use secure document-sharing software like DocuSign instead.
Avoid using public Wi-Fi
- It’s vulnerable to cyber attacks.

Protect

Whether it’s personal or work, staying vigilant is crucial. When in doubt, reject contact, delete suspicious messages and avoid opening unknown links.

Key scam prevention tips:

Avoid sharing your superannuation information

Never share information about your superannuation with someone who contacts you, even if they seem to be from a trusted organisation. Always verify their identity by calling the organisation directly.

Be cautious with hyperlinks

Avoid clicking hyperlinks in messages or emails. Plum will never ask for your password or provide a link to a login page for your account.

Thoroughly research investment opportunities

Be wary of high-return, low-risk investment opportunities - if it sounds too good to be true, it probably is.

Check against the ASIC website

If you're speaking with a financial adviser, verify their registration on the ASIC website. Anyone offering advice about financial products must hold an Australian Financial Services license from ASIC.

Take your time

Don’t rush into investments without independent legal or financial advice.
Protecting yourself from scams:

Outright reject suspicious contacts

Use strong and unique passwords

Avoid using public Wi-Fi

Lock and shield your screen in public

Enable multi-factor authentication (MFA) for additional security

Stay informed about current scams targeting financial services, including super.

Remember, Plum will never ask for:

Your Online Banking Security login details

Your *product name* details

Help to catch cyber criminals or assist with internal investigations

Your money to be moved to a "safe" account, or to any account with another bank.

More information and resources

Additional support

Here’s some useful information about how we protect your online security, along with some practical tips to help you stay safe online.

> Visit Insignia Financial Group Security webpage

MoneySmart website

Spot the warning signs of financial scams with MoneySmart’s in-depth coverage of scam typologies.

> Visit MoneySmart

Government websites

The Federal Government also has several useful resources with information on how to protect yourself.

> ASIC consumer page

> Scamwatch website

> Little black book of scams

> Australian Cyber Security Centre (ACSC)

Call us on 1300 55 7586 opens in new window|tel: 1300557586 (overseas +61 3 9966 5813 opens in new window|tel: +61 3 9966 581), Mon-Fri 8am-7pm AEST (8pm AEDT).