ATO fraud highlights myGov flaws. Here’s how to keep your data safe

Rob Nicholls, UNSW Sydney

The Australian Tax Office (ATO) paid out more than half a billion dollars to cyber criminals between July 2021 and February 2023, according to an ABC report.

Most of the payments were for small amounts (less than $5000) and were not flagged by the ATO’s own monitoring systems.

The fraudsters exploited a weakness in the identification system used by the myGov online portal to redirect other people’s tax refunds to their own bank accounts.

The good news is there’s plenty the federal government can do to crack down on this kind of fraud – and that you can do to keep your own payments secure.

How these scams work

Setting up a myGov account or a myGov ID requires proof of identity in the form of “100 points of ID”. It usually means either a passport and a driver’s licence or a driver’s licence, a Medicare card, and a bank statement.

(Correction: The Conversation article states 100 points of ID are needed to register for myGov. This is incorrect – only an email address is needed to create a new myGov account.* Please see below for more information from Services Australia.)

Once a myGov account is created, linking it to your tax records requires two of the following: an ATO assessment, bank account details, a payslip, a Centrelink payment, or a super account.

These documents were precisely the ones targeted in three large data breaches in the past year: at Optus, at Medibank, and at Latitude Financial.

In this scam, the cyber criminal creates a fake myGov account using the stolen documents. If they can also get enough information to link to the ATO or your Tax File Number, they can then change bank account details to have your tax rebate paid to their account.

It is a sadly simple scam.

How government can improve

One of the issues here is quite astounding. The ATO knows where salaries are paid, via the single touch payroll system. This ensures salaries, tax and superannuation contributions are all paid at once.

Most people who have received a tax refund will have provided bank account details where that payment can be made. Indeed, many people use precisely those bank account details to identify themselves to myGov.

At present, those bank details can be changed within myGov without any further ado. If the ATO simply checked with the individual via another channel when bank account details are changed, this fraud could be prevented. It might be sensible to check with the individual’s employer as well.

Part of the problem is the ATO has not been very transparent about the risks. If these risks were clearly set out, then calls for changes to ATO procedures would have been loud and clear from the cyber security community.

The ATO is usually good at identifying when a cyber security incident may lead to fraud. For example, when the recruitment software company PageUp was hacked in 2018, the ATO required people who may have been affected to reconfirm their identities. This was done without public commentary and represents sound practice.

Sadly, the millions of records stolen in the Optus, Medibank and Latitude Financial breaches have not led to a similar level of vigilance.

Another action the ATO could take would be to check when a single set of bank account details is associated with more than one myGov account.

A national digital identity would also help. However, this system has been in development for years, is not universally popular, and may well be delayed until after the Federal Election due in 2024.

Protecting yourself

The most important thing to do is make sure the ATO does not use a bank account number other than yours. As long as the ATO only has your bank account number to transfer your tax rebate, this scam does not work.

It also helps to protect your Tax File Number. There are only four groups that ever need this number.

The first is the ATO itself. The second is your employer. However, remember you do not need to give your TFN to a prospective employer, and your employer only needs your TFN after you have started work.

Your super fund and your bank may ask for your TFN. However, providing your TFN to your super fund or bank is optional – it just makes things easier, as otherwise they will withhold tax which you will need to claim back later.

Of course, all the usual data safety issues still apply. Don’t share your driver’s licence details without good reason. Take similar care with your passport. Your Medicare card is for health services and does not need to be shared widely.

Don’t open emails from people you do not know. Never click links in messages unless you are sure they are safe. Most importantly, know your bank will not send you emails containing links, nor will the ATO.

Rob Nicholls, Associate Professor of regulation and governance, UNSW Sydney

This article is republished from The Conversation under a Creative Commons license. Read the original article.

*Correction to the original article quoted from Services Australia:

“Each member service (like the ATO) has their own ID requirements,” a Services Australia spokesperson told YourLifeChoices.

“Each member service is responsible for setting the identity requirements people must meet in order to link that member service account to myGov.

“There’s also different options to create a myGovID, which may include providing identity documents. There’s more information about that here: https://www.mygovid.gov.au/set-up  

“Setting up a myGov account alone is not sufficient to access member service accounts. For a person to link their myGov account to any member service, they must provide proof of record ownership to that service.”

Do you think the government is doing enough to protect against scams? Do you know anyone who has been scammed? Why not share your experience in the comments section below?

Also read: Scammers target supermarket loyalty points

The Conversation
The Conversationhttps://theconversation.com/au/who-we-are
The Conversation Australia and New Zealand is a unique collaboration between academics and journalists that is the world’s leading publisher of research-based news and analysis.

1 COMMENT

  1. Whenever I change bank details I get a notification from the bank that details have changed etc. This also applies to other sites when changing details.
    The easiest way is to include a separate security protocol like an OTP to your phone or device that you need to okay any changes to profile details.
    Government departments seem to be the slackest of all. Private corporations now face very hefty fines for being hacked. Maybe the GM’s and CEO’s including Ministers are heavily fined for any data breaches that they must pay out of their own pockets.

- Our Partners -

DON'T MISS

- Advertisment -
- Advertisment -