The Two-pot retirement system allows members to access some of their savings every year. Unfortunately, it also creates new opportunities for cybercrime.
There have been no reports of cybercriminals exploiting the Two-pot system since its implementation in September 2024. However, this does not mean trustees can be complacent. The system’s structure makes it vulnerable to fraud, and proactive measures are essential.
Previously, most retirement fund members accessed their savings only when changing jobs or facing retrenchment. Now, millions can apply for a withdrawal each tax year, significantly increasing digital transactions with fund administrators and the South African Revenue Service (SARS). Every digital interaction is a potential entry point for cybercriminals to steal identities or even retirement savings.
Why the Two-pot system is a target
- Increased access: Millions of members withdrawing funds attract fraudsters.
- Rushed implementation: The rapid 2024 rollout may have left cybersecurity gaps.
- High transaction volume: A surge in withdrawal requests, especially near tax deadlines, can lead to rushed security checks, creating loopholes for criminals.
The rise of AI-powered fraud
The introduction of the Two-pot system coincides with the rise of hacking tools like FraudGPT. This AI-powered software scans large data sets to find victims and create personalized scams. Cybercriminals can send emails that appear to come from legitimate retirement funds, tricking members into revealing sensitive information or updating banking details.
How cybercriminals exploit AI
- Creating fake emails that resemble official fund communications to trick members into sharing sensitive banking or retirement fund information.
- Automating large-scale phishing attacks on trustees and members.
- Using deepfake voice or video messages to impersonate fund administrators.
- Pretending to be fund members to manipulate call center staff into changing a member’s banking details.
What trustees should know
Trustees play a crucial role in safeguarding members’ funds. Here are key steps to reduce cyber risks:
- Strengthen security measures. Ensure extra verification for large withdrawals. Keep sensitive fund data (like fund members’ personal details) separate from internet-connected systems to limit exposure.
- Customer service teams must be trained to recognise and prevent fraud. They should prioritise thorough verification over speed to reduce the risk of unauthorised transactions.
- Provide clear instructions on how members can verify communication from the fund and educate members to recognise scams.
- Encourage members not to wait until the end of the tax year to withdraw. High transaction volumes at peak times create opportunities for fraudsters to exploit rushed approvals.
- Monitor and update security systems. Cybersecurity systems should detect and analyse unusual activity, such as access attempts from unfamiliar locations.
- Share information about potential threats with other retirement funds and administrators so that the industry can fight cybercrime together.
The Two-pot system offers financial flexibility but also new risks. Trustees must remain vigilant, educate members, and strengthen cybersecurity measures to prevent fraud. By working together, retirement funds can stay one step ahead of cybercriminals.
Sources
BusinessLive: The overlooked cyber risks of the two-pot retirement system
Michalsons: Cybersecurity risks in the two-pot retirement system
Moonstone: Is the two-pot retirement system safe from rising cyber threats?; Two-pot retirement system: a new playground for cybercriminals as FraudGPT fuels the threat