Follow these tips to help you stay safe and secure online
Setting a strong password or passphrase that is easy for you to remember but hard for others to guess is one of the best things you can do to keep your personal information secure. You should only need to reset your password if you think it’s been compromised, or it is no longer confidential. Whether you’re setting a password for InvestorOnline or another website, here are some tips:
- Choose a strong password - Your password could contain combinations of uppercase letters, lowercase letters, numbers and symbols. For example, your InvestorOnline password must be 8 characters long and contain at least one uppercase letter, one lowercase letter, and a number.
- Make your password hard to guess - Avoid using obvious personal information such as the name of your partner, children or pets. Your favourite sports team and date of birth are just as easy for someone to guess. Avoid sequential or repeated characters such as 123 or 555.
- Make passwords unique and use a different password for each online account - It can be tempting to make only small changes to an old password, so that it’s easy for you to remember. If you need to reset a password, create something unique and very different to what you had before. Using a different password for each online account you have means that your other accounts are protected if one account is compromised.
- Never share your passwords - Think of your password like the PIN for your online banking. When you share your password – even if it’s with a loved one – you lose control of where it is stored and how it is used. This applies even if an organisation you have an account with asks for your password. A reputable company will never ask you to share your password.
- Use a passphrase instead of a password - A passphrase can be used instead of a password. It can consist of four or more random words, making it longer and harder for fraudsters to crack. The longer your passphrase, the better. Adversaries can crack a short password with very little effort or time, so you can increase the time and effort it takes by using a passphrase instead.
If a person or website has asked you to share some personal information, think about whether it is really necessary. Don’t be afraid to ask why they need the information, and if in doubt – don’t provide it. If you receive an email, call or SMS that seems unusual or different, assume it’s a scam until you have checked it out. One way to do this is to contact the organisation through their official channels, such as their website or by phone, and ask them whether they have contacted you.
What to expect from Challenger phone calls and emails
At Challenger, when we speak to you on the phone we may ask you for some details to make sure you are who you say you are, but we’ll never ask you for your InvestorOnline password or your secure code.
Challenger will never ask you to update, verify or correct your InvestorOnline login or account details directly into an email reply. We will never ask you to share any personal information - including your InvestorOnline password - by email or SMS. If you need to update any information on InvestorOnline, the safest thing to do is log in to your account via our website or by going directly to the log in page.
If you are being asked for personal information related to your Challenger policy and you are concerned about the legitimacy of the call or email, please call our Investor Services team on 13 35 66, to verify the call or confirm the email came from us.
Often websites will offer an additional level of security that requires you to use more than one piece of information to verify your identity before you can access your account. This is known as 'multi-factor authentication' (commonly referred to as MFA). It is a security process that requires you to provide two or more forms of identification to access your account. We use this approach at Challenger to make sure your personal information is kept safe and secure on InvestorOnline. You can read more about how to log in to InvestorOnline.
When you sign into InvestorOnline, we use the multi-factor authentication approach to verify you are accessing your account. After you have provided the correct user ID and password information, you’ll be asked to click on a button to send a secure code via SMS to the mobile phone number linked to your account. The message you receive will contain a unique, one-time secure code that you can enter to complete the log in process.
If your account password is ever compromised, your account would still be kept safe because a criminal would not be able to access the secure code we sent to your mobile phone. Challenger will never ask you for your secure code over the phone. If you are ever asked for your secure code, this should be considered a warning sign, as it could mean a scammer is attempting to log on to your Challenger account or access your bank accounts (via your internet banking portal).
Fraudulent emails are designed to look very convincing. Staying vigilant to the emails you receive and making sure you verify the sender before you take any action is important. If in doubt, always check the authenticity of the communication using contact details obtained independently from the email itself.
Even if the message you have received contains information about your account, never provide any payment information in response to a communication you have received. If in doubt, call the company directly via their official channels, or separately log in to your account to verify the request.
If you suspect that you have been targeted by scammers or received a fraudulent email, do not respond to the email, or click on any links or attachments. If you think you’ve clicked on a fraudulent attachment or link, it’s important to run a scan using the security software installed on your computer to ensure you haven’t downloaded a virus. Ask someone you trust to help, if needed.
We recommend that you avoid logging into InvestorOnline until you have installed and run up-to-date security software on your computer.
How to spot a fraudulent email
While some fraudulent emails are obvious (they might contain poor grammar or spelling mistakes), others can look convincingly real and seem very professional. Here are some things to watch out for:
- You receive an email, attachment or request you weren’t expecting
- It contains a phone number that is different to the number on the organisation’s website
- A request for sensitive financial information to confirm the security of your account
- The sender’s email address doesn’t look legitimate
- Any emails you receive from overseas – especially if asking for money
- An urgent call-to-action that asks you to verify your account details or urgently pay an infringement notice, or that informs you that you have won a prize
- Links embedded in the email requesting you to click and take action – Always check the address of the link before you click
Be cautious of links received in email or text message
Accessing your account by clicking a link embedded in an email or text message (SMS) opens up the risk of being scammed (scammers can make slight changes to URL addresses to trick users into thinking it’s the official site).
It is good practice to always log in to an account through the ‘log in’ functionality on the organisation’s website. You can log into your InvestorOnline account by clicking the ‘Sign in’ button in the top right-hand corner of our Challenger website. We will never ask customers to log in without multi-factor authentication.
And when you’re ready to log out, always click the ‘log out’ button instead of simply closing your browser window. Read more about how to log in to InvestorOnline here.
Make sure your computer has up-to-date anti-virus software on it. If you suspect your computer’s security has been compromised, use your security software to run a virus check or contact your anti-virus provider. It’s also a good idea to turn on automatic software updates for your software, operating system and any phone apps you have. This will make sure you benefit from improvements in security features.
If you download a document from the internet, make sure you can trust the source. The Australian Government’s Be Connected website has some useful video resources on this topic. If you need some help, ask a trusted family member or friend, or contact a reputable computer specialist.
Whenever you pay for any goods or services, make sure you’re paying for them safely. Paying by credit or debit card, BPAY or PayPal are the most common methods of payment. If an organisation asks you to purchase with gift cards, vouchers, preloaded debit cards, iTunes cards or virtual currency like Bitcoin rather than sending money, this is likely to be a scam. For more information about paying safely online, you can visit the Be Connected website.
Investment Scams
Investment opportunities that seem too good to be true, probably are. If you’re approached via unsolicited emails or calls from an investment company or financial adviser, it’s crucial that you complete some checks before you hand over any personal details. Check if the financial organisation is registered with ASIC on the MoneySmart website. You can also check whether the organisation is on the list of companies you should not deal with.
Many of these scams begin with ads on social media that appear to be endorsed by celebrities or well-known and trusted public figures. The person contacting you may pose as a stockbroker, portfolio manager or financial adviser. There will typically be a sense of urgency, and the need to ‘act fast’. Common investment scams include investment cold calls, share promotions and tips, real estate and property projects and early access to your super. Before investing, look up the company or platform independently. Check for reviews, complaints, or warnings from official sources.
If you’re unsure whether you’ve been targeted with a scam, the best thing to do is to act fast. You can find out more about the latest scams or report a scam via the Report a scam page on the Scamwatch website.
How to spot an Investment scam
There are a few telling signs of an investment scam, including:
- You are contacted out of the blue by an organisation or person you have never heard of and they will try and keep you on the phone as long as possible.
- You receive an email offering you financial or investment advice.
- The organisation operates from overseas and therefore does not have an Australian Financial Services Licence (AFSL).
- You are invited to a free investment property seminar, but the next one has a high fee to attend.
- You are offered an opportunity that has a high return, for little or no risk.
- You are approached by someone posing as a financial adviser who offers to help you access your super early, often through a self-managed super fund or for a fee.
- You are contacted via social media about an opportunity that appears to be endorsed by a public figure or well-known TV show.
- You are offered investment bonds, which they claim offer high returns and are protected by the government.
Protecting yourself from investment scams
As with all scams, staying vigilant and cautious is the best way to protect yourself:
- Always be suspicious of anything that looks like a ‘get rich quick’ scheme.
- Never provide your details or respond to anyone offering unsolicited investment or financial advice.
- Never allow yourself to be pressured into any money-making financial decisions, especially when faced with a sense of urgency or fear of missing an opportunity. Take the time to research your investment options and whether they align with your goals.
- Check that the organisation contacting you holds an Australian Financial Services Licence. You can check this on the ASIC Connect Professional Registers. And be sure to also check whether the person who contacted you is an employee of the organisation offering a legitimate investment opportunity, by calling the organisation using the phone number listed on their official website.
- Check the credentials of anyone posing as a financial adviser by searching for them on ASIC’s Financial Adviser Register. This will tell you whether they are licensed to provide you with financial advice, their qualifications and experience and whether they are a member of a professional body or whether they have had any disciplinary action against them.
- Speak to family or friends and get their thoughts on the investment opportunity that has been offered to you. They may be able to point out some red flags you may have missed, or help you do some thorough research.
Remote access scams
You should never be asked to install software that allows anyone to access your computer or any other device remotely. If you are asked to provide remote access to your computer, see this as a big warning sign: it could be a scam.
A scammer posing as an employee of a large organisation such as a bank, telecommunications company or government agency may contact you with an incredibly convincing story as to why they need to remotely access your computer or device.
Most remote access scams start with a phone call in which the caller may tell you that:
- Your computer has been sending error messages or has a virus
- There are problems with your internet connection or phone line
- Your internet connection has been hacked
Once they have scared you, they will request remote access to your computer, so they can investigate what the ‘problem’ is. If you don’t agree to follow their instructions, the scammer can become insistent or abusive. Be especially vigilant if you are asked to reset your password, provide your secure code, update your account or device with new security software, purchase a new modem or provide any personal or bank details.
Protecting yourself from remote access scams
Follow these simple tips to protect yourself from remote access scams:
- If any organisation requests that you provide them with remote access to your computer or device, hang up immediately
- Do not share your credit card, personal or log in details with anyone
- Never give your personal details, credit information or online account details in response to an unsolicited phone call, SMS or email
Phishing
Phishing is a form of scam where criminals will try to trick you into providing your personal information, such as online ID and security passwords. This form of scam can take place over the internet, phone or via SMS.
- Phishing over the internet - You may be contacted by email or social media which may lead you to a fake website. This is the most common way that criminals will phish for your information over the internet.
- Fake websites can look legitimate but will have a slightly different address, and often the website will mimic a recognisable financial institution such as a bank or insurance company. Their aim is that you will unknowingly enter your user security details, and therefore provide them with your information. The safest way to access a website is to go to it directly from your browser and log in from there.
- Phishing over the phone - If you receive a phone call you didn’t expect, be very wary if they ask you to disclose sensitive information. A legitimate organisation will never ask you to disclose any of your secure codes or passwords over the phone.
- If you have reason to suspect the call is not legitimate, ask for their name and call them back via the organisation’s official phone number. A Challenger staff member will always ask you to call back on 13 35 66.
- As well as phone calls, you may receive fraudulent voice recorded messages that dial back a number automatically, asking you to provide account information or call a number you don’t recognise. If this occurs, be mindful this might be a scammer tactic, aimed at getting you to provide information.
- Phishing via SMS - Scammers may also try to ‘phish’ for your details by sending an SMS to your mobile (also known as smishing). If you receive an SMS that you didn’t expect, don’t click on any of the links; call the organisation via their official phone number to check whether they sent the SMS. If the SMS looks like it’s from Challenger, contact our Investor Services team on 13 35 66 to confirm we sent it to you. We will never send an SMS with a link, asking you to log onto your InvestorOnline account.
To learn more about protecting yourself from phishing scams and other tricks criminals might try, visit the Be Connected website.
Identity theft
Identity theft can include everything from someone fraudulently using your credit card to stealing your entire identity to perform activities such as opening a new account, applying for a loan and credit or opening an investment policy. The good news is, there are some simple ways you can protect your personal information and identity.
- Safely dispose of personal and financial information – shredding your account statements, bills and receipts before you throw them away, will keep your personal information safe. If you don’t have a shredder, be sure to tear up paperwork well.
- Keep your letterbox secure – an open letterbox is an open invitation for criminals. Make sure it stays locked and regularly check it for signs of tampering. If you’re planning a long trip away, re-direct your mail to your local post office or arrange for someone you trust to regularly empty your letterbox.
- Switch your account statements to electronic format – not only does this help the environment, it eliminates the risk of your hardcopy statement landing in the wrong hands.
- Keep your account details up to date – if you are moving to a new house, make it a priority to update your address with Challenger and all your other financial providers. And always make sure we have your current mobile number and email address so that we can quickly reach you if we suspect any fraudulent activity on your account. To update your details with Challenger log into your InvestorOnline account or call our Investor Services team on 13 35 66.
- Change of personal information – if you get an SMS or email notification that information on your Challenger account has been updated or changed (such as mobile or email address), and you did not action this yourself, call us immediately on 13 35 66.
Our Privacy Policy
At Challenger, we take your privacy and personal information seriously. To read more about how we collect and use your personal information, visit our Privacy Policy. You can also learn more about the guidelines we have in place for all visitors to our website, our social media pages and InvestorOnline by reading through our Conditions of use.