Nearly every one of my clients has been invoice scammed. The amounts are typically five figures.
When we onboard a new customer, I send a packet with payment information including how to direct deposit. It has this information:
- Our routing/account number. We sweep the funds out of this account nearly instantly once the deposits are made. The bank account’s purpose is to accept direct deposits and nothing else. The account number we transmit over the phone so at least it’s less likely to end up sitting in a (compromised) e-mail box.
- Our mailing address, which is a PO Box.
- Some information on invoice scams, including an offer to review any suspicious requests free of charge. A customer takes us up on this every few months… so far we have yet to see one legitimate one.
- A warning to never, ever accept changes for our payment information or mailing address unless told to do so in person by an officer of the company, with a list of the current officers.
- If in doubt, mail a check to the PO Box instead of direct deposit.
- A warning not to trust information sent via email, fax, phone calls (voice changers are a real thing), or from an employee/officer other than the one they usually interact with, and such a change must be confirmed with a phone call to a different officer.
- A recommendation to also contact our local credit union (where we deposit payments from our customers) if they feel something is suspicious.
- We have an internal rule that any change to bank accounts requires a meeting of 3 officers, in person or over the Google Meet we normally use for video calls (no phone calls) with meeting minutes conducted for the change. The change must be unanimous and the change can’t be put in for 30 days unless an emergency. Emergencies must be coordinated with a responsible person at the bank, in person. (Sorry, but this means no fintech etc. type of banks.) We recommend our customers to do the same.
The biggest liability is that it would be hard for us to change bank accounts.
We get an attempt on an invoice scam or otherwise every few weeks. So far we haven’t lost a penny of company funds due to fraud.
Unironically best opsec I've read about in a while.
In times of Deepfakes, people really underestimate the level of fakes they can receive. I've seen companies getting scammed with spoofed phone calls where they didn't have a policy to call back to prevent numbers being spoofed etc. Most of the private data is available online, so you always have to assume that e.g. a workflow via email or phone can be malicious by default.
In an alternate reality M$ Outlook would be a product for the receivers of email, and not a business product for spammers.
This level of rigor should be the standard for every financial institution, and those that handle things that consumers consider valuable (such as their personal data).
Or, at the very least, consumers/clients should have the ability to opt in to this kind of paranoia, without meaningless sacrifices of convenience. Those of us in the US can't.
Instead we get banks that refuse to even police their own systems. We get bank fraud relabeled as “identity theft”.
On the one hand I didn’t vote for Trump, don’t want any of what he’s doing to happen. At all.
But on the other hand I’d be happy to light the match that sets alight the house of cards that's been built. Everything about life in the US seems like it's built on a foundation of lies.
In my frustration, I may have digressed a bit :)
The right wing is burning down stuff that was working fine. Maybe because they can't build things, like a functioning healthcare system. Better land zoning might be one of their only broken clock moments.
Any jackass can kick a barn down but it takes a carpenter to build one. -LBJ (I’ve seen a few variations on the wording.)
Different Texan--Sam Rayburn.
Interesting, thanks. I see it attributed to both, but the numbers favor Rayburn. Possibly LBJ quoted him on it at some point.
It irritates me to read that people have lost their pension. Surely this should read, the pension fund has lost their pension due to "it safely breach"? If a bank gets robbed they don't steal my money but the bank's, right?
Information on the attack is scarce, but it sounds like attackers obtained credentials from prior breaches and used them against super funds. It is shameful that many of these funds have not yet implemented MFA in this day and age, but it's not like the actual fund got compromised.
Obviously, information at the moment is very light so this understanding may change, but this is the current position.
Convincing and training old retirees to use 2FA is not something I will wish on my worst enemy.
The way it's commonly implemented - through SMS - isn't secure anyway. It's relatively easy to persuade an overworked employee at the phone company to issue a new SIM card.
Having to call/visit and social engineer an employee is an order of magnitude more work than just logging in with stolen credentials, which can be entirely automated. SMS 2FA is valuable when it can prevent credential stuffing attacks. It's a vulnerability when it can be used to reset passwords and recover accounts.
The article didn’t seem to explain how the money was taken. I’m a member of one of the listed affected super funds and all my money is still there.
Most plausible explanation seems to be phishing and scams rather than a technical hack.
An ABC (Australian Broadcasting Corporation) article says credential stuffing.
https://www.abc.net.au/news/2025-04-04/drt-how-superfunds-we...
They've effectively lost their pension, have they not?
The money's gone, and the people that the retirees entrusted with the money, lost it.
Obligatory Mitchell and Webb sketch
https://www.youtube.com/watch?v=CS9ptA3Ya9E
I suppose it depends if it's worse than reported currently, but it seems to me that with only 600 accounts losing an average of ~$800 each (and I'm going to go out on a limb and assume the users had poor password security), the fast detection and the immediate action to lock it down, there was a good and effective response by the companies attacked.
> it seems to me that with only 600 accounts losing an average of ~$800 each
From the article:
> AustralianSuper, the country's largest fund managing A$365 billion for 3.5 million members, said that up to 600 member passwords had been stolen to access accounts and attempt fraud.
> Four AustralianSuper members had a combined A$500,000 drained from their balances and transferred to other accounts that did not belong to them, according to the source, who was not authorised to speak publicly about the matter.
It's not completely clear if 600 passwords were "stolen" but only four accounts had any money transferred, or if there are more accounts at that fund that had money transferred.
And that's just one fund.
> Rest Super, the default industry pension fund for retail workers, with A$93 billion of assets under management, said it suffered an attack that impacted around 20,000 accounts, or around 1% of its 2 million members.
Oh you're right, I misread. That's much worse for those 4 people but still not too bad (so far)
How could they really use the money anyways even if they transfer it to another account? I don't know how one could get away with it. Follow the money!
Our company was scammed (invoice scam) and talking to police it’s actually easy. They transfer it to another local bank account (normally stolen), then immediately transfer it overseas. At that point it’s more or less gone.
Damn, and there is nothing to be done after the transfer to overseas? They would be able to figure out who the perpetrator is, right?
> Damn, and there is nothing to be done after the transfer to overseas?
You can file an MLAT request:
https://en.wikipedia.org/wiki/Mutual_legal_assistance_treaty
But it's a complex, time consuming process usually only done in cases of terrorism or espionage, not run of the mill fraud.
Depends on what country it goes to. Transfer to major first world countries and the money is still easy to trace. Transfer to Russia and you can't trace it.
Interesting, thank you. I thought authorities or Governments would work together, but perhaps not.
Geopolitics are still in play. Why would a country that has been hammered with "Western" sanctions, and is effectively engaged in a proxy war against the "West" cooperate with the "West" when it comes to law enforcement?
* Australia is part of the "West" here - ironic from a strictly geographic perspective
That is true. I wonder though, if Russian citizens do this in the US, then there is not going to be anything done about it? What if it is an American citizen? I do not expect them to be able to spend it in the US (but I may be wrong). Would they just go to Russia or somewhere else and then use the money from those bank accounts overseas and start a new life, or what? I am just trying to imagine the scenario. I have watched The Wolf of Wall Street which was quite good. I wonder how it would usually go today, and how people get away with it, because one would think today it is not easy to get away with it. I imagine if I were to scam someone, I would get in legal troubles here, in Hungary, even if I were to send it to a bank account somewhere else in another country, is this an incorrect assumption?
I am going off-topic here, because Australia is in question here, so perhaps replace my use of "US" with Australia and "American" with "Australian".
It is called money laundering. Happens all the time. When it is an American (or Australian, German...) they just have multiple accounts in Russia and transfer the money around in Russia a bit before bringing it back. You often lose a significant amount of money in this process.
Can't the Western government strongarm the receiving bank by threatening to kick them out of SEPA/ACH/Fedwire?
There is only so much you can do - you kick them out for everything and thus further cut off the country, and that in turn means you have less influence in the future.
Something so major (global finances), over an issue so minor (fraud on an individual basis)? Serious organizations don't play games like that.
For most people (pre retirement age) the funds are locked in a trust they can barely access themselves. I presume (big if) that those that lost money were retired and payment details for their monthly income was changed to pay to the bad guys accounts.
This was exactly my thoughts, how exactly can the 'bad guys' access it, when people who may need it can't?
It is still really bad - (again if it was the case) monitoring very simple things like "# of changed payment instructions" could detect this sort of fraud quickly, or at worst speedbumping the time to change payment instructions.
Pre self-service on the internet, call centers / mail-in processors would have noticed if a large % of customers changed their payment details over a few days.
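The two controls described above, a "# of changed payment instructions" metric over a sliding window and a speed bump that delays when new payment instructions take effect (the 30-day hold from the earlier comment on internal bank-account rules), as an added example in Python that is not from the article or any fund; the audit log, event names and thresholds are constructed for illustration:

```python
from collections import deque
from datetime import datetime, timedelta

# Constructed audit log (not from the article or any fund): one event per
# line, "<ISO timestamp> <account_id> <event>". The burst of changes on
# 2025-04-01 is the pattern a call centre would once have noticed by eye.
SAMPLE_LOG = """\
2025-02-01T11:00:00 acc-020 payment_details_changed
2025-03-28T09:00:00 acc-001 payment_details_changed
2025-03-29T10:15:00 acc-002 payment_details_changed
2025-03-31T08:00:00 acc-003 payment_details_changed
2025-04-01T02:10:00 acc-010 payment_details_changed
2025-04-01T02:11:00 acc-011 payment_details_changed
2025-04-01T02:12:00 acc-012 payment_details_changed
2025-04-01T02:13:00 acc-013 payment_details_changed
2025-04-01T02:14:00 acc-014 payment_details_changed
2025-04-01T02:15:00 acc-015 payment_details_changed
2025-04-01T02:16:00 acc-016 payment_details_changed
2025-04-01T02:20:00 acc-010 withdrawal_requested
2025-04-01T03:00:00 acc-001 withdrawal_requested
2025-04-01T03:05:00 acc-020 withdrawal_requested
"""

def parse_log(text):
    """Return (timestamp, account, event) tuples in time order."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, account, event = line.split()
            events.append((datetime.fromisoformat(ts), account, event))
    return sorted(events)

def change_rate_alerts(events, window=timedelta(days=1), max_changes=6):
    """Flag each moment when more than max_changes accounts changed their
    payment details within one sliding window. max_changes is a constructed
    baseline; a real fund would derive it from its normal daily volume."""
    recent = deque()
    alerts = []
    for ts, _account, event in events:
        if event != "payment_details_changed":
            continue
        recent.append(ts)
        while ts - recent[0] > window:   # drop changes older than the window
            recent.popleft()
        if len(recent) > max_changes:
            alerts.append((ts, len(recent)))
    return alerts

def held_withdrawals(events, hold=timedelta(days=30)):
    """Speed bump: new payment details only take effect after `hold`.
    Return withdrawals requested while the account's latest change is still
    inside the hold, i.e. the ones to block and review manually."""
    last_change = {}
    blocked = []
    for ts, account, event in events:
        if event == "payment_details_changed":
            last_change[account] = ts
        elif event == "withdrawal_requested" and account in last_change:
            age = ts - last_change[account]
            if age < hold:
                blocked.append((account, ts, age.days))
    return blocked
```

On the sample log the rate check fires at the seventh change inside 24 hours, and the hold blocks the two withdrawals whose payment details were changed less than 30 days earlier while letting the 59-day-old change through.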
Tries to turn on MFA for my super fund.
Options: SMS or email.
I wonder how this could have happened...
This breach reinforces the importance of robust security measures, particularly for sensitive financial data. Pension funds must prioritize investing in state-of-the-art cybersecurity defenses and incident response plans. Transparent communication with affected individuals is crucial to maintain trust and mitigate potential harm. Swift action is needed to prevent future attacks.
https://archive.ph/6uANR
the amount lost is insignificant compared to that lost to wage theft, inflation, rent, interest -- forms of capital expansion
https://en.wikisource.org/wiki/Manifesto_of_the_Communist_Pa...