The Great ATO Heist: $500M Stolen from Taxpayers via myGov

Highlights

  • A weakness in the myGov identification system has allowed fraudsters to claim over $500 million from genuine taxpayers’ ATO accounts.
  • The data exposed in the recent cyber breaches are being used to create fake myGov accounts, which are then linked to real ATO accounts, facilitating fraudulent claims.
  • Individuals can increase their security by verifying their bank and ATO details, protecting their Tax File Numbers, and regularly checking for unusual account activity.

The Situation

The ATO has revealed that more than half a billion dollars was claimed by fraudsters between July 2021 and February 2023.

The fraudsters exploited a weakness in the identification system used by the myGov online portal to hack into genuine taxpayers’ ATO accounts, redirecting tax refunds and other claims to their own bank accounts.

Most of the payments were for amounts less than $5,000 and were not flagged by the ATO’s monitoring systems.

The Scammer’s Method of Operation

Establishing a myGov account or a myGov ID requires proof of identity in the form of “100 points of ID”. This usually consists of a combination of your passport, driver’s licence, Medicare card, and/or bank statements.

Once the myGov account is created, linking it to your tax records requires two of the following: an ATO assessment, bank account details, a payslip, a Centrelink payment, or a super account.

Coincidentally, these are the same documents targeted in the recent cyber breaches (think Optus and Medibank). ABC has uncovered that these breaches are just a fraction of the confidential Australian records recently stolen by cyber criminals and sold on the cyber black market.

In this scam, the cybercriminals create a fake myGov account using stolen documents and link it to your ATO account, altering your details and disconnecting your ATO account from your authentic myGov account before lodging the fraudulent claims. This prevents the legitimate account holder from seeing any notices of assessment or refund activity.

Did you know?

The World Economic Forum (WEF) reports that cybercrime is the third-largest economy in the world, following the US and China.

Preventative Measures

If you have been affected by a previous cyber breach, you might be at an increased risk of falling prey to this recent scam. Not sure? Use this website to verify whether your personal data has been compromised.

What can we do

Take these steps to safeguard your accounts.

1. Confirm Your Details on ATO*

  • Verify that your details are correct (especially bank account details and phone number) before you submit your tax returns or claims.

* For Tailored Tax clients, our team will also carry out these checks when submitting your annual tax return for this financial year.

2. Review Your Account Activities

  • Check whether there has been any unusual activity or any submissions you did not make on your ATO account.
  • In myGov, under Settings, you can review your account history. Scan it to ensure no suspicious activity has occurred since your last login.

3. Monitor Your Notifications

  • Ensure that myGov notifications are sent via a method you frequently check (currently, the options are SMS, email, or app notifications).

4. Safeguard Your Tax File Number

  • Treat your Tax File Number like a state secret.
  • Only five entities should ever have it: the ATO, your employer, your tax agent, your super fund, and your bank.
  • Always send your Tax File Number through a secure channel, never in plain email or text.

Governmental Measures

While there are actions we can individually take, the government holds the greatest responsibility in preventing further instances of fraud.

What the Government Should Do

1. Improved Transparency

While the ATO argues that disclosing this information might teach malicious actors to exploit the system further, Dr. Teague, an adjunct professor of cryptography at ANU and founder of Thinking Cybersecurity, counters that “the criminals already know the loopholes”.

She adds, “The only people left in the dark are ordinary taxpayers. You can’t expect them to be vigilant against fraud if they don’t know what to look out for.”

2. Prevent “Overlinking”

“Overlinking” is the ATO’s term for a new myGov account being linked to a tax account that already exists and is already linked to another myGov account.

The ATO’s identity requirements for myGov linking are significantly lower than those of other government agencies such as Medicare.

3. Implement Bank Verifications

The ATO could prevent this fraud if it verified any change to bank account details with the individual through an alternative channel, rather than only through the channel in which the change was made.

One option would be a bank detail checking system that detects whether the bank account nominated for a refund matches the details already held for that client, and holds the refund for confirmation when it does not.

4. Upgrade the Notification System

The current notification systems for both myGov and ATO are significantly lacking, which is worrisome considering that the ATO primarily relies on myGov for personal tax-related notifications.

Some avenues for improvement include:

  • Double notifications, i.e. if a phone number is altered, also notify via email, and vice versa, so that changing one contact detail cannot hide the change.
  • More notifications, i.e. if the ATO account associated with one myGov account is linked to another myGov account, the original myGov account should be notified.
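The two controls proposed under points 2 to 4 can be modelled in a few lines. The following is an added example (not part of the Tailored Accounts article or any ATO system) that runs the overlinking alert, the all-channel notification and the out-of-band confirmation of a bank detail change over a constructed scenario; the record reference, myGov ids and bank details are made up.

```python
from dataclasses import dataclass, field
from typing import Optional

CHANNELS = ("sms", "email", "app")  # the myGov notification options named above

@dataclass
class AtoRecord:
    ref: str                                    # opaque taxpayer reference (constructed, not a TFN)
    linked_mygov: set = field(default_factory=set)
    bank_account: str = ""
    pending_bank_change: Optional[tuple] = None  # (new_account, channel used to request it)

class Controls:
    def __init__(self) -> None:
        self.alerts: list = []

    def link(self, rec: AtoRecord, mygov_id: str) -> bool:
        """Overlinking: a second myGov account linking to an already-linked ATO
        record is flagged, and every existing link is notified before it applies."""
        overlink = bool(rec.linked_mygov)
        for existing in rec.linked_mygov:
            self.alerts.append(f"{existing}: new myGov link {mygov_id} to {rec.ref}")
        rec.linked_mygov.add(mygov_id)
        return overlink

    def request_bank_change(self, rec: AtoRecord, new_account: str, channel: str) -> None:
        """Hold the change and notify on every channel, not only the one that requested it."""
        rec.pending_bank_change = (new_account, channel)
        for ch in CHANNELS:
            self.alerts.append(f"{ch}: refund bank change requested on {rec.ref}")

    def confirm_bank_change(self, rec: AtoRecord, channel: str) -> bool:
        """Apply the change only when confirmed via a channel other than the requesting one."""
        if rec.pending_bank_change is None:
            return False
        new_account, used = rec.pending_bank_change
        if channel == used:
            self.alerts.append(f"rejected: same-channel confirmation on {rec.ref}")
            return False
        rec.bank_account, rec.pending_bank_change = new_account, None
        return True

def scenario() -> dict:
    """Constructed walk-through of the scam described above under these controls."""
    c, rec = Controls(), AtoRecord("TP-0001", {"mygov-genuine"}, "BSB062-000 ACC111")
    overlinked = c.link(rec, "mygov-fake")                 # alerts the genuine account
    c.request_bank_change(rec, "BSB000-000 ACC999", "sms")  # notifies sms, email and app
    blocked = not c.confirm_bank_change(rec, "sms")        # same channel: refused
    applied = c.confirm_bank_change(rec, "email")          # out-of-band: applied
    return {"overlinked": overlinked, "blocked": blocked, "applied": applied,
            "alerts": c.alerts, "bank": rec.bank_account}
```

The point of the scenario is that every step the fraudster takes produces an alert on a channel the legitimate holder still controls, which is what the current system lacks.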

5. Increase Vigilance

When recruitment software company PageUp suffered a cyberattack in 2018, the ATO required possibly affected individuals to re-verify their identities. Why did the Optus and Medibank breaches not lead to a similar level of vigilance?

In Case of Emergency

If your ATO account is compromised, it’s not the end of the world.

1. Immediately notify your tax agent.

2. Contact the ATO and freeze the account to halt further activity.

3. Regain control of your account and verify if any of your other accounts have been compromised.

This breach is the latest in a long line of wake-up calls reminding us to remain vigilant in this increasingly digital world.

Update

From viral dances to a $4.6 Billion tax scandal, TikTok has unwittingly taken centre stage in Australia’s largest case of tax fraud to date.

See how these cases are evolving here.

Source: Tailored Accounts
