Tips for staying safe online

Staying vigilant online is one of the best ways you can keep your personal information protected from scammers. Follow these ten simple tips to help you stay safe and secure online.
  1. Always set secure passwords – and update them regularly
    Setting a strong password that is easy for you to remember but hard for others to crack is one of the best things you can do to keep your personal information secure. Updating your passwords every few months can also help. Don’t use the same password that you use for other sites. Never share your password with anyone or put it somewhere obvious. Learn how to set secure passwords here.

  2. Stop and think twice before you share your personal information
    If a person or website has asked you to share some personal information, think about whether it’s really necessary. Don’t be afraid to ask why they need the information, and if in doubt – don’t provide it. At Challenger, when we speak to you on the phone we may ask you for some details to make sure you are who you say you are, but we’ll never ask you for your InvestorOnline password over the phone.

  3. Verify emails, calls and messages you receive
    If you receive an email, call or SMS that seems unusual or different, assume it’s a scam until you have checked it out. One way to do this, is to contact the organisation through their official channels and ask them whether they have contacted you. Challenger will never ask you to update, verify or correct your InvestorOnline login or account details directly into an email reply. If you have been contacted by Challenger and you want to double check it is us, you can call our Investor Services team on 13 35 66.

  4. Activate two layers of security
    Often websites will offer an additional level of security that requires you to use more than one piece of information to verify your identity before you can access your account. This is known as 'multi-factor authentication'. We use this approach at Challenger to make sure your personal information is kept safe and secure on InvestorOnline. You can read more about how to log in to InvestorOnline here

  5. Stay vigilant when asked to verify your payment details 
    Always be wary when you are asked to verify your payment details. Even if the email or message you have received contains information about your account, never provide any payment information in response to a communication you have received. Call the company directly via their official channels or separately log in to your account to verify the request. 

    You can read more about fraudulent emails here.

  6. Keep your computer safe and secure
    Make sure your computer security has up to date anti-virus software on it. If you suspect your computer’s security has been compromised, use your security software to run a virus check or contact your anti-virus provider. It’s also a good idea to turn on automatic software updates for your software, operating system and any apps you have. This will make sure you benefit from improvements in security features.

    If you download a document from the internet, make sure you can trust the source. The Australian Government’s Be Connected website has some useful video resources on this topic. If you need some help, ask a trusted family member or friend, or contact a reputable computer specialist. 

  7. Never give anyone remote access to your computer 
    You should never be asked to install software that allows anyone to access your computer or any other device remotely. If you are asked to provide remote access to your computer, see this as a big warning sign. Read about the many other ways that scammers might try to gain remote access here.

  8. Find secure ways to pay for goods and services
    Whenever you pay for any goods or services, make sure you’re paying for them safely. Paying by credit or debit card, BPAY or PayPal are the most common methods of payment. If an organisation asks you to purchase with gift cards or vouchers rather than sending money, this is likely to be a scam. For more information about paying safely online, you can visit the Be Connected website.

  9. Watch out for investment scams
    Investment opportunities that seem too good to be true probably are. If you’re approached via unsolicited emails or calls from an investment company or financial adviser, it’s crucial that you make some checks before you hand over any personal details. Check if the financial organisation is registered with ASIC on the MoneySmart website. You can also check whether the organisation is on the list of companies you should not deal with. Read more about investment scams, click here.

  10. Avoid logging in and out of an account via a link that is sent to you
    A good habit to get into, is to always login into an account you have through the ‘log in’ functionality on the organisation’s website. Accessing your account by clicking a link embedded in an email opens you up to the risk of being scammed (scammers can make slight changes to URL addresses to trick users to think its the official site. Always check). And when you’re ready to log out, always click the ‘log out’ button instead of simply closing your browser window. Read more about how to log in to InvestorOnline here.

Stay up to date on the latest scams

If you’re unsure whether you’ve been targeted with a scam, the best thing to do is to act fast. You can find out more about the latest scams or report a scam via the Australian Government’s Scamwatch website.

Our privacy policy  

At Challenger, we take your privacy and personal information seriously. To read more about how we collect and use your personal information, visit our privacy policy. You can also learn more about the guidelines we have in place for all visitors to our website, our social media pages and InvestorOnline by reading through our Conditions of use.

Secure passwords

Your online security is only as good as your password strength. Choosing a strong password and changing it regularly is an important part of keeping your personal information safe. Whether you’re setting a password for InvestorOnline or another website, here are some tips:

  1. Choose a strong password - for example, your InvestorOnline password must be 8 characters long and contain at least one uppercase letter, one lowercase letter, and a number.

  2. Make your password hard to guess - avoid using obvious personal information such as the name of your partner, children or pets. Your favourite sports team and date of birth is just as easy for someone to guess. Avoiding sequential or repeated characters such as 123 or 555 is also a good idea.

  3. Make new passwords unique - it can be tempting to make only small changes to an old password, so that it’s easy for you to remember. If you need to reset a password, create something unique and very different to what you had before. It’s also a good idea to get into the habit of resetting each password you have every few months as it reduces the chances of someone else figuring it out.

  4. Never share your passwords - think of your password like the pin number to your online banking. When you share your password – even if it’s with a loved one – you lose control of where it is stored and how it is used. This applies even if an organisation you have an account with asks for your password. A reputable company will never ask you to share your password.

  5. Use a different password for each online account - keeping your passwords the same across all your online accounts is like having all your money and valuables in one wallet. If someone gets access to one online account, they may be able to access them all. Using a different password for each online account you have means that your other accounts are protected if one account is compromised.

Multi Factor Authentication

Multi Factor Authentication (commonly referred to as MFA) adds an additional layer of security when you sign into an online account. Rather than just rely on your password or PIN, some organisations will use more than one ‘factor’ or piece of evidence to check your identity, making it harder for criminals to access your account. 

How it works

After you have provided correct user ID and password information, you’ll be asked to click on a button to send a code via SMS to the mobile phone number linked to your account. The message you receive will contain a unique, one-time code that you can enter to complete the log in process.

When you sign into InvestorOnline, we use this approach to verify it’s you accessing your account. If your account password is ever compromised, your account would still be kept safe because a criminal would not be unable to access the unique code we sent to your mobile phone.

Multi Factor vs Two Factor Authentication

You may have also heard of Two Factor Authentication (also known as TFA). Two Factor Authentication is just a type of MFA that requires two sets of evidence to verify your details. 

Logging into InvestorOnline

Click here for a step-by-step guide to logging into your InvestorOnline account.

Fraudulent emails

Fraudulent emails are designed to look very convincing. Staying vigilant to the emails you receive and making sure you verify the sender before you take any action is important. If in doubt, always check.

Spotting a fraudulent email

While some hoax emails are obvious (they might contain poor grammar or spelling mistakes), others can look convincingly real. Here are some things to watch out for:

  • A request for you to log in to your account via a link embedded in the email
  • An attachment or request you weren’t expecting
  • A phone number that is different to the number on the organisation’s website
  • A request for sensitive financial information to confirm the security of your account
  • A sender’s email address that doesn’t look legitimate 
  • Any emails you receive from overseas – especially if asking for money or informing you that you have won a prize
  • An urgent call-to-action that asks you to verify your account detail or urgently pay an infringement notice

What to expect from Challenger emails

Challenger will never ask you to update, verify or correct your InvestorOnline login or account details directly into an email reply. We will never ask you to share any personal information, including your InvestorOnline password, by email, or SMS. When we speak to you on the phone we may ask you for some details to make sure you are who you say you are, but we’ll never ask you for your InvestorOnline password over the phone. If you need to update any information on InvestorOnline, the safest thing to do is log in to your account via our website or by going directly to the log in page.

If you receive an email from Challenger that you’re unsure about, it’s always better to be safe than sorry. Please call our Investor Services team on 13 35 66 to confirm that the email came from us.

What should I do if I receive a fraudulent email?

If you suspect that you have been targeted by scammers, do not respond to the email, or click on any links or attachments. If you do click on an attachment, it’s important to run a scan with your security software run or installed on your computer to check that the attachment has not put a virus on it. Get someone to help you if needed.

We recommend that you do not log into InvestorOnline until you have up-to-date security software run or installed on your computer.


Phishing is a form of fraud where criminals will try to trick you into providing your personal information, online ID and security passwords. This form of scam can take place over the internet, phone or via SMS.

Phishing over the internet

A fake website is the most common way that criminals will phish for your information over the internet. Fake websites can look legitimate, and often the website will mimic a recognisable financial institution such as a bank or insurance company.

Criminals may send you an email or SMS asking you to click through the website and provide your personal details. Their hope is that you will unknowingly enter your user security details, and therefore provide them with your information. The safest way to access a website, is to go to it directly from your browser and log in from there. 

For tips on how to recognise a fraudulent email, click here.

Phishing over the phone

A legitimate organisation will never ask you to disclose any of your security codes or passwords over the phone. If you receive a phone call you didn’t expect – from Challenger or any other organisation – be very wary if they ask you to disclose sensitive information. 

If you have reason to suspect the call is not legitimate, ask for their name and call them back via the organisation’s official phone number. A Challenger staff member will always ask you to call back on 13 35 66.

Be particularly vigilant if you’re asked to disclose any of your investment details or the SMS access code sent to your mobile when you log in to InvestorOnline. Your SMS access code should be protected in the same way you would protect a password or a PIN.

As well as phone calls, you may from time to time receive fraudulent voice recorded messages that dial back a number automatically, asking you to provide account information or call a number you don’t recognise. Delete the message immediately and never respond.

Phishing via SMS

Scammers may also try to ‘phish’ for your details by sending you an SMS to your mobile. If you receive an SMS that you didn’t expect, don’t click on any of the links. Delete the message and call the organisation via their official phone number to check it was them who sent the SMS. If the SMS is looks like it’s from Challenger, contact our Investor Services team on 13 35 66 to confirm we sent it to you.

To learn more about protecting yourself from phishing scams and other tricks criminals might try, visit the Be Connected website.

Identity theft

Identity theft can include everything from fraudulently using your credit card to someone stealing your entire identity to perform activities such as opening up new accounts or apply for loans. The good news is, there are some simple ways you can protect your personal information and identity.


  • Safely dispose of personal and financial information – shredding your account statements, bills and receipts before you throw away or recycle them will keep your personal information safe. If you don’t have a shredder, be sure to tear up paperwork well. 

  • Keep your letterbox secure – an open letterbox is an open invitation for criminals. Make sure it stays locked and regularly check it for signs of tampering. If you’re planning a long trip away, re-direct your mail to your local post office or arrange for someone you trust to regularly empty your letterbox.

  • Switch your account statements to electronic format – not only does this help the environment, it eliminates the risk of your hardcopy statement landing in the wrong hands. If you choose to receive your annual Challenger statements electronically, you’ll be able to view and download them when you log into InvestorOnline.

  • Keep your account details up to date – if you are moving to a new house, make it a priority to update your address with Challenger and all your other financial providers. And always make sure we have your current mobile number so that we can quickly reach you if we suspect any fraudulent activity on your account.

Remember, always take the time to check whether any request for information or action you receive is genuine. Scammers can be very convincing, so it’s better to veer on the cautious side.

To update your details with Challenger or check whether something you have received is from us, call our Investor Services team on 13 35 66.

Remote access scams

A scammer posing as an employee of a large organisation such as a bank, telecommunications company or government agency may contact you with an incredibly convincing story as to why they need to remotely access your computer or device. 

How to spot a remote access scam

Most remote access scams start with a phone call. The scammer, posing as an employee of a large organisation such as a bank, telecommunications company or internet provider, may phone you and tell you that either:

  • Your computer has been sending error messages or has a virus

  • There are problems with your internet connection or phone line

  • Your internet connection has been hacked

Once they have scared you, they will request remote access to your computer, so they can investigate what the ‘problem’ is. If you don’t agree to follow their instructions, the scammer can become insistent or abusive. Be especially vigilant if you are asked to reset your password, update your account or device with new security software, purchase a new modem or provide any personal or bank details.

How to protect yourself 

Follow these simple tips to protect yourself from remote access scams:

  • If any organisation requests that you provide them with remote access to your computer or device, hang up immediately

  • Do not share your credit card, personal or log in details with anyone

  • Never give your personal details, credit information or online account details in response to an unsolicited phone call, SMS or email

  • Make sure you have up-to-date anti-virus software on your computer, so that you can check for a virus at any time.

Investment scams

Investment scams can take place via an unsolicited phone call, email or social media invitation offering you the opportunity to invest in an unmissable financial opportunity. Often these scammers will offer you a ‘low-risk’ investment and potential for fast, high returns.

The person contacting you may pose as a stockbroker, portfolio manager or financial adviser. There will typically be a sense of urgency, and the need to ‘act fast’. Common investment scams include investment cold calls, share promotions and tips, real estate and property projects and early access to your super.

Spotting an investment scam

There are a few telling signs of an investment scam, including:

  • You are contacted out of the blue by an organisation or person you have never heard of and they will try and keep you on the phone as long as possible.

  • You receive an email offering you financial or investment advice

  • The organisation operates from overseas and therefore does not have an Australian Financial Services Licence (AFSL)

  • You are invited to a free investment property seminar, but the next one has a high fee to attend

  • You are offered an opportunity that has a high return, for little or no risk

  • You are approached by someone posing as a financial adviser who offers to help you access your super early

  • You are contacted via social media about an opportunity that appears to be endorsed by a public figure or well-known TV show.

Protecting yourself from investment scams

As with all scams, staying vigilant and cautious is the best way to protect yourself:

  • Always be suspicious of anything that looks like a ‘get rich quick’ scheme

  • Never provide your details or respond to anyone offering unsolicited investment or financial advice

  • Never allow yourself to be pressured into any money-making financial decisions. Hang up the phone or delete the message

  • Check that the organisation contacting you holds an Australian Financial Services Licence. You can check this on the ASIC Connect Professional Registers. And be sure to also check whether the person who contacted you is an employee of the organisation offering a legitimate investment opportunity. One way to do this might be by calling the organisation using the phone number listed on their official website.

  • Check the credentials of anyone posing as a financial adviser by searching for them on ASIC’s Financial Adviser Register. This will tell you whether they are licensed to provide you with financial advice, their qualifications and experience and whether they are a member of a professional body or whether they have had any disciplinary action against them.

  • Speak to family or friends and get their thoughts on the investment opportunity that has been offered to you. They may be able to point out some red flags you may have missed, or help you do some thorough research.