Cyber security for SMSF trustees.
SMSF trustees manage retirement savings across ATO portals, administration platforms and investment accounts. IronSights helps protect member data, secure online access and meet cyber obligations.
ISO 27001 certified, Microsoft certified security engineers, Sydney-based. Practical controls for individual trustees and professional trustee firms managing multiple funds.
The risk picture
Why SMSF trustees are targeted.
SMSFs hold concentrated retirement savings. The average SMSF balance is well above $1 million, making credential theft against ATO myGov and SMSF portals high-value. For attackers, the appeal is straightforward: a single compromised trustee account can provide access to retirement savings accumulated over decades. The security posture protecting those savings is often a consumer email account and a basic portal password.
ATO portal impersonation and myGov account takeover are documented attack patterns used against Australian taxpayers and their agents. Attackers create convincing ATO-branded phishing pages, send SMS messages appearing to come from myGov, and target SMSF administrators through email. The ATO consistently reports that SMSF trustees are among the most targeted groups because of the value concentrated in the accounts they manage.
SMSF administration platforms, including Class Super and BGL SimpleFund, hold member contribution records, investment histories, actuarial data and tax documents. Many of these platforms authenticate via email, which means a compromised email account is often also a compromised administration platform account. The chain of access from email to fund records is shorter than most trustees realise.
Professional trustee arrangements and SMSF advisers managing multiple funds face a different exposure profile. A single compromise affecting the professional trustee's email or administration platform can have consequences across many separate fund relationships. The risk does not scale linearly with the number of funds managed. It can scale much faster if access is not properly isolated between funds.
Common risks
What we find when we work with SMSF trustees.
ATO portal credential compromise
myGov and the ATO online portal are regular targets for credential theft and phishing. Attackers who gain access to a trustee's ATO credentials can view contribution histories, payment summaries and refund entitlements, and in some scenarios initiate changes to fund details. Multi-factor authentication on myGov is available and strongly recommended. It is not universally used.
SMSF administration platform access
SMSF administration software (Class Super, BGL SimpleFund and similar) holds member contribution records, investment transaction histories, tax documents and actuarial data. These platforms often use email-based login with password reset flows. A compromised email account can become a compromised administration platform account without requiring a separate attack.
Email-based investment instructions
SMSF trustees frequently communicate investment instructions, contribution authorities and fund administration requests by email. An attacker who has compromised the trustee's email account, or successfully spoofed it, can send fraudulent instructions to SMSF administrators, auditors or fund managers. The typical SMSF correspondence pattern of familiar parties and routine instructions makes these attacks harder to detect.
Auditor and adviser access to fund documents
SMSF auditors, accountants and financial advisers regularly receive fund statements, member documents and tax records via email or file sharing. Outbound sharing controls are often minimal. Documents containing member tax file numbers, contribution details and investment holdings are sent with no restrictions on how they are stored or forwarded by the recipient.
Small operational footprint
Many SMSFs are managed by individual trustees or small professional trustee firms with minimal IT infrastructure. The same personal devices used for personal banking and email are used for fund administration. Personal device management, software patching and email security are often well below what is appropriate for accounts managing retirement savings.
How we help
Services built for SMSF trustee environments.
From MFA enforcement to 24x7 monitoring and incident response. Controls that address the specific risks SMSF trustees face, whether managing a single fund or a professional trustee portfolio.
Microsoft 365 security
MFA enforcement, DMARC and DKIM configuration, and access controls for fund documents and member records. For professional trustee firms managing multiple funds, Conditional Access and identity controls secure the environment that fund administration depends on.
Fortify — managed security
24x7 monitoring and threat containment for professional trustee environments. Ongoing uplift, monthly reporting and a security posture that improves over time. For firms managing multiple SMSF relationships, Fortify provides the coverage that individual fund trustees managing personally cannot reasonably sustain.
Security reviews
A structured assessment of the devices, platforms and email environment used for fund administration. Most SMSF trustee reviews identify the same gaps: no MFA on the email account used for fund correspondence, ATO portal credentials not secured separately from personal accounts, and fund documents stored without access controls.
Incident response
If a trustee account or administration platform is compromised, rapid containment limits the damage. We support ATO notification processes, assist with preserving evidence for insurance claims, and help restore secure access to fund administration platforms. Available 24 hours a day.
Compliance
Regulatory obligations for SMSF trustees.
The obligations that apply depend on whether you are an individual trustee managing your own fund or a professional trustee firm managing multiple SMSF relationships.
ATO cyber guidance for SMSFs
The ATO has published guidance on protecting SMSF accounts from fraud, including recommendations to use MFA on myGov and ATO online services, to use unique passwords for fund administration platforms, and to treat any unexpected contact claiming to be from the ATO with caution. ATO impersonation scams are among the most commonly reported fraud types in Australia. SMSF trustees are a priority target because the value held is high and most trustees manage administration personally, without dedicated security controls.
Member data obligations
SMSF trustees who collect, hold and use personal information about members, including tax file numbers, contribution records and member contact details, are bound by the Privacy Act where they meet the applicable thresholds. Professional trustees and SMSF administration firms managing multiple funds will typically be covered entities. A breach involving member TFNs and contribution records will almost always trigger NDB notification obligations.
Common questions
Questions from SMSF trustees.
Not in this list? Call us on 1300 004 766 or book a confidential consultation. No obligation.
Is my SMSF at risk from cyber attacks?
SMSFs are targeted because they hold concentrated retirement savings and are typically administered through consumer-grade email and portal access with limited security controls. ATO credential theft, myGov account takeover and phishing attacks targeting SMSF administrators are all documented attack types. The value held per fund is high, and the security posture of most individual trustees is weaker than that of professional financial institutions. That gap is what attackers use.
What is the most important cyber security step for an SMSF trustee?
Enabling multi-factor authentication on myGov and the ATO online portal is the single most impactful step. It prevents an attacker who has obtained your password from accessing your ATO portal and fund details. The second step is ensuring the email account used for all SMSF correspondence also has MFA enabled, because email account compromise is often used to reset portal passwords.
How should a professional trustee firm secure multiple SMSF relationships?
The exposure for a professional trustee firm is different from an individual trustee. A single compromise can affect multiple funds if access is not properly isolated. The baseline controls are Microsoft 365 with Conditional Access, individual account-level access to administration platforms rather than shared credentials, MFA across all platforms, and continuous monitoring that can detect unusual access patterns across the fund portfolio.
What should I do if I receive a suspicious email claiming to be from the ATO?
Do not click any links or call any number provided in the email. Go directly to ato.gov.au by typing it in your browser. Log in and check whether there is a corresponding message or notice in your myGov inbox. If there is no corresponding message, the email is a scam. Report it to the ATO's scam reporting service. The ATO does not ask for personal or financial information, passwords or payment via email.
Does the Privacy Act apply to SMSF trustees?
Individual trustees managing their own fund are generally not collecting personal information in a business context and are unlikely to be covered entities under the Privacy Act. Professional trustees and SMSF administration firms managing multiple funds are a different matter. They collect, hold and use member personal information including TFNs, contribution records and member details, and will typically be covered by the Privacy Act. A significant breach would trigger NDB notification obligations.
Further reading
Related insights.
The Essential Eight for Australian financial services
A practical security baseline for any organisation managing financial data. What each control means and where to start.
Threat intelligence: Business email compromise in Australian financial services
SMSF email accounts are targeted for investment instruction fraud and ATO portal credential theft. How BEC works and what stops it.
Compliance: ASIC cyber security obligations for AFSL holders
Relevant where an SMSF trustee or adviser holds an AFSL. What s912A requires and how ASIC has enforced it.
Also in financial services
IronSights works across the financial services sector.
Start with a review
Security controls that protect the retirement savings in your care.
We assess your environment against the specific risks that SMSF trustees face: ATO portal access, email security, administration platform controls and member data handling. The output is a practical, prioritised report you can act on.
ISO 27001 and ISO 9001 certified. NSW Master Security Licence 000109187. Microsoft certified security engineers. Australian-owned. Sydney-based.