Obviously, information at the moment is very light so this understanding may change, but this is the current position.
The most plausible explanation seems to be phishing and scams rather than a technical hack.
https://www.abc.net.au/news/2025-04-04/drt-how-superfunds-we...
The money's gone, and the people that the retirees entrusted with the money lost it.
When we onboard a new customer, I send a packet with payment information including how to direct deposit. It has this information:
- Our routing/account number. We sweep the funds out of this account nearly instantly once the deposits are made. The bank account’s purpose is to accept direct deposits and nothing else. The account number we transmit over the phone so at least it’s less likely to end up sitting in a (compromised) e-mail box.
- Our mailing address, which is a PO Box.
- Some information on invoice scams, including an offer to review any suspicious requests free of charge. A customer takes us up on this every few months… so far we have yet to see one legitimate one.
- A warning to never, ever accept changes to our payment information or mailing address unless told to do so in person by an officer of the company, with a list of the current officers.
- If in doubt, mail a check to the PO Box instead of direct deposit.
- A warning not to trust information sent via email, fax, phone calls (voice changers are a real thing), or from an employee/officer other than the one they usually interact with, and such a change must be confirmed with a phone call to a different officer.
- A recommendation to also contact our local credit union (where we deposit payments from our customers) if they feel something is suspicious.
- We have an internal rule that any change to bank accounts requires a meeting of 3 officers, in person or over the Google Meet we normally use for video calls (no phone calls), with meeting minutes conducted for the change. The change must be unanimous and the change can’t be put in for 30 days unless an emergency. Emergencies must be coordinated with a responsible person at the bank, in person. (Sorry, but this means no fintech etc. type of banks.) We recommend that our customers do the same.
The biggest liability is that it would be hard for us to change bank accounts.
We get an attempt on an invoice scam or otherwise every few weeks. So far we haven’t lost a penny of company funds due to fraud.
Or, at the very least, consumers/clients should have the ability to opt in to this kind of paranoia, without meaningless sacrifices of convenience. Those of us in the US can't.
On the one hand I didn’t vote for Trump, don’t want any of what he’s doing to happen. At all.
But on the other hand I’d be happy to light the match that sets alight the house of cards that's been built. Everything about life in the US seems like it's built on a foundation of lies.
In my frustration, I may have digressed a bit :)
In times of Deepfakes, people really underestimate the level of fakes they can receive. I've seen companies getting scammed with spoofed phone calls where they didn't have a policy to call back to prevent numbers being spoofed etc. Most of the private data is available online, so you always have to assume that e.g. a workflow via email or phone can be malicious by default.
In an alternate reality M$ Outlook would be a product for the receivers of email, and not a business product for spammers.
Options (sms or email)
I wonder how this could have happened...
https://en.wikisource.org/wiki/Manifesto_of_the_Communist_Pa...
taberiand•6d ago
johnisgood•6d ago
rmm•6d ago
johnisgood•6d ago
bluGill•6d ago
johnisgood•6d ago
anonym29•6d ago
* Australia is part of the "West" here - ironic from a strictly geographic perspective
syrgian•6d ago
bluGill•6d ago
nilamo•6d ago
johnisgood•6d ago
I am going off-topic here, because Australia is in question here, so perhaps replace my use of "US" with Australia and "American" with "Australian".
bluGill•6d ago
firefax•6d ago
You can file an MLAT request
https://en.wikipedia.org/wiki/Mutual_legal_assistance_treaty
But it's a complex, time consuming process usually only done in cases of terrorism or espionage, not run of the mill fraud.
blitzar•6d ago
worthless-trash•6d ago
blitzar•6d ago
Pre-self-service on the internet, call centers / mail-in processors would have noticed if a large % of customers changed their payment details over a few days.
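The check the commenter describes humans once did by eye can be automated as a velocity rule over payout-detail change events. The following is an added example, not code from any fund or from the commenter: it slides a window over constructed sample events (a trickle of one change per day, then a burst of 40 over two days) and alerts when the number of distinct members changing payout details in a 3-day window exceeds a fraction of the member base. It goes one step beyond the comment by also flagging destination accounts that several unrelated members switch to, a common sign of a shared mule account. The member base of 20,000, the field names and the thresholds are assumptions for illustration.

```python
"""Velocity checks on payout-detail changes (added example, not from the thread).

Events are constructed sample data: a normal trickle of members updating
bank details, then a burst over two days. Field names are hypothetical.
"""
from collections import Counter, deque
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class PayoutChange:
    member_id: str
    changed_at: datetime
    destination: str  # hypothetical: identifier of the new payout account


def change_rate_alerts(events, member_count, window=timedelta(days=3),
                       max_fraction=0.0005):
    """Slide a time window over the events in order; alert when the number of
    distinct members changing payout details inside the window exceeds
    max_fraction of the member base. One alert per breach: the rule stays
    quiet while the window is still above threshold."""
    events = sorted(events, key=lambda e: e.changed_at)
    threshold = max_fraction * member_count
    in_window = deque()
    members = Counter()  # member_id -> number of changes inside the window
    alerts = []
    breached = False
    for ev in events:
        in_window.append(ev)
        members[ev.member_id] += 1
        # Expire events older than the window from the front of the deque.
        while in_window and ev.changed_at - in_window[0].changed_at > window:
            old = in_window.popleft()
            members[old.member_id] -= 1
            if members[old.member_id] == 0:
                del members[old.member_id]
        if len(members) > threshold:
            if not breached:
                alerts.append((ev.changed_at, len(members)))
                breached = True
        else:
            breached = False
    return alerts


def shared_destination_alerts(events, min_members=3):
    """Flag destination accounts that several different members switched to:
    unrelated members should not converge on the same payout account."""
    by_dest = {}
    for ev in events:
        by_dest.setdefault(ev.destination, set()).add(ev.member_id)
    return {d: sorted(m) for d, m in by_dest.items() if len(m) >= min_members}


def sample_events():
    """Constructed sample: one change per day for 30 days, then 40 changes
    within 40 hours, all pointing at one of two hypothetical mule accounts."""
    start = datetime(2025, 3, 1)
    events = []
    for day in range(30):
        events.append(PayoutChange(f"m{day:05d}",
                                   start + timedelta(days=day, hours=10),
                                   f"acct-{day:04d}"))
    burst_start = start + timedelta(days=30)
    for i in range(40):
        dest = "acct-mule-1" if i % 2 == 0 else "acct-mule-2"
        events.append(PayoutChange(f"m9{i:04d}",
                                   burst_start + timedelta(hours=i),
                                   dest))
    return events


if __name__ == "__main__":
    evs = sample_events()
    print(change_rate_alerts(evs, member_count=20_000))
    print(shared_destination_alerts(evs))
```

With a 20,000-member base and a 0.05% threshold (10 members in 3 days), the quiet month produces no alert and the burst trips the rule at its 8th change, while both mule accounts are flagged with 20 members each. In practice the threshold would be derived from the fund's own historical change rate rather than a fixed constant.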
Cyphase•6d ago
From the article:
> AustralianSuper, the country's largest fund managing A$365 billion for 3.5 million members, said that up to 600 member passwords had been stolen to access accounts and attempt fraud.
> Four AustralianSuper members had a combined A$500,000 drained from their balances and transferred to other accounts that did not belong to them, according to the source, who was not authorised to speak publicly about the matter.
It's not completely clear if 600 passwords were "stolen" but only four accounts had any money transferred, or if there are more accounts at that fund that had money transferred.
And that's just one fund.
> Rest Super, the default industry pension fund for retail workers, with A$93 billion of assets under management, said it suffered an attack that impacted around 20,000 accounts, or around 1% of its 2 million members.
taberiand•6d ago