The ATO has revealed that more than half a billion dollars was claimed by fraudsters between July 2021 and February 2023.
The fraudsters exploited a weakness in the identification system used by the myGov online portal to hack into genuine taxpayers’ ATO accounts, redirecting tax refunds and other claims to their own bank accounts.
Most of the payments were for amounts less than $5,000 and were not flagged by the ATO’s monitoring systems.
The data exposed in the recent cyber breaches are being used in fraudulent claims.
Establishing a myGov account or a myGov ID requires proof of identity in the form of “100 points of ID”. This usually consists of a combination of your passport, driver’s licence, Medicare card, and/or bank statements.
Once the myGov account is created, linking it to your tax records requires two of the following: an ATO assessment, bank account details, a payslip, a Centrelink payment, or a super account.
Coincidentally, these are the same documents targeted in the recent cyber breaches (think Optus and Medibank). ABC has uncovered that these breaches are just a fraction of the confidential Australian records recently stolen by cyber criminals and sold on the cyber black market.
In this scam, the cybercriminals create a fake myGov account using stolen documents and link it to your ATO, altering your details and disconnecting your ATO account from your authentic myGov account, before lodging the fraudulent claims. This prevents the legitimate account holder from viewing any refund assessment notices.
If you have been affected by a previous cyber breach, you might be at an increased risk of falling prey to this recent scam. Not sure? Use this website to verify whether your personal data has been compromised.
Take these steps to safeguard your accounts.
* For Tailored Tax clients, our team will also carry out these checks when submitting your annual tax return for this financial year.
While there are actions we can individually take, the government holds the greatest responsibility in preventing further instances of fraud.
While the ATO argues that disclosing this information might teach malicious actors to exploit the system further, Dr. Teague, an adjunct professor of cryptography at ANU and founder of Thinking Cybersecurity, counters that “the criminals already know the loopholes”.
She adds, “The only people left in the dark are ordinary taxpayers. You can’t expect them to be vigilant against fraud if they don’t know what to look out for.”
“Overlinking” is the ATO’s term for new myGov accounts linked to pre-existing tax accounts.
The ATO’s identity requirements for myGov linking are significantly lower than those of other government agencies such as Medicare.
The ATO could prevent this fraud if it verified bank account detail changes with the individual through alternative channels.
One option could be a bank detail scanning system that detects whether the details of the bank account receiving the refund match the client’s.
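The controls described above, put together as an added example (this is not the ATO's system or code from the original article): a refund is held whenever the tax record has been overlinked or the refund bank account holder's name does not match the taxpayer's, until the individual confirms through another channel. The event types, field names and sample records are hypothetical and constructed for illustration.

```python
# Constructed sample data: account ids, names and amounts are invented.
TAXPAYERS = {"A-001": "Alex Nguyen", "A-002": "Mei Chen", "A-003": "Sam Okoro"}
EVENTS = [
    {"ts": "2021-03-01", "acct": "A-001", "type": "mygov_link"},
    {"ts": "2022-08-10", "acct": "A-001", "type": "mygov_link"},
    {"ts": "2022-08-10", "acct": "A-001", "type": "bank_change", "holder": "J Smith"},
    {"ts": "2022-08-12", "acct": "A-001", "type": "refund", "amount": 3200},
    {"ts": "2020-05-01", "acct": "A-002", "type": "mygov_link"},
    {"ts": "2022-07-01", "acct": "A-002", "type": "bank_change", "holder": "CHEN, Mei"},
    {"ts": "2022-07-20", "acct": "A-002", "type": "refund", "amount": 4100},
    {"ts": "2019-06-01", "acct": "A-003", "type": "mygov_link"},
    {"ts": "2022-01-05", "acct": "A-003", "type": "mygov_link"},
    {"ts": "2022-01-09", "acct": "A-003", "type": "verified"},
    {"ts": "2022-09-01", "acct": "A-003", "type": "refund", "amount": 1500},
]

def name_key(name):
    """Comparison key that ignores case, punctuation and word order."""
    cleaned = "".join(c if c.isalnum() else " " for c in name.casefold())
    return sorted(cleaned.split())

def refunds_to_hold(events, taxpayers):
    """Return (account, amount, reasons) for refunds that need out-of-band checks."""
    state, held = {}, []
    for ev in sorted(events, key=lambda e: e["ts"]):  # stable sort keeps same-day order
        s = state.setdefault(ev["acct"], {"links": 0, "reasons": set()})
        if ev["type"] == "mygov_link":
            s["links"] += 1
            if s["links"] > 1:  # new myGov account on an already-linked tax record
                s["reasons"].add("overlinking")
        elif ev["type"] == "bank_change":
            if name_key(ev["holder"]) != name_key(taxpayers[ev["acct"]]):
                s["reasons"].add("bank_name_mismatch")
            else:
                s["reasons"].discard("bank_name_mismatch")
        elif ev["type"] == "verified":  # individual confirmed via another channel
            s["reasons"].clear()
        elif ev["type"] == "refund" and s["reasons"]:
            # No amount threshold: small refunds are held too.
            held.append((ev["acct"], ev["amount"], sorted(s["reasons"])))
    return held

if __name__ == "__main__":
    for row in refunds_to_hold(EVENTS, TAXPAYERS):
        print(row)
```

The check deliberately has no dollar threshold, since most of the fraudulent payments were under $5,000.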
The current notification systems for both myGov and ATO are significantly lacking, which is worrisome considering that the ATO primarily relies on myGov for personal tax-related notifications.
Some avenues for improvement include:
When recruitment software company PageUp suffered a cyberattack in 2018, the ATO required possibly affected individuals to re-verify their identities. Why did the Optus and Medibank breaches not lead to a similar level of vigilance?
If your ATO account is compromised, it’s not the end of the world.
1. Immediately notify your tax agent.
2. Contact the ATO and freeze the account to halt further activity.
3. Regain control of your account and verify if any of your other accounts have been compromised.
This breach is the latest in a long line of wake-up calls reminding us to remain vigilant in this increasingly digital world.
From viral dances to a $4.6 billion tax scandal, TikTok has unwittingly taken centre stage in Australia’s largest case of tax fraud to date.
See how these cases are evolving here.
Source: Tailored Accounts
The technology investment boost and skills and training boost for small businesses are now law.
Small businesses can now deduct an additional 20% of the expenditure incurred for the purposes of business digital operations or digitising their operations, on business expenses and depreciating assets, as well as 20% of expenditure incurred for the provision of eligible external training courses to their employees by registered providers in Australia.
Please be aware that Early Stage Innovation Companies (ESIC) are required to complete an Early Stage Innovation Company report if they issue new shares to one or more investors during a financial year that could lead to an investor being entitled to access the early-stage investor tax incentives. This information must be reported to the ATO 31 days into the following financial year (which is generally 31 July).
It can be easy to fall into old habits at tax time, but just doing what you’ve always done will not help you maximise your tax deductions.
Be smarter and sharper every year so you can be sure that you’re claiming absolutely everything you’re entitled to and minimise your tax this EOFY.