Australian tax office faces $500 million payout to cyber criminals


A recent ABC report revealed that the Australian Tax Office (ATO) has suffered significant losses, paying over half a billion dollars to cyber criminals between July 2021 and February 2023. Surprisingly, most of these payments were for relatively small amounts, each below A$5,000, small enough to pass undetected by the ATO’s internal monitoring systems.

The cyber criminals exploited a vulnerability in the identification system used by the myGov online portal, redirecting innocent taxpayers’ refunds to their own bank accounts. The scamsters strategically targeted specific documents required to set up a myGov account, known as “100 points of ID,” such as passports, driver’s licenses, Medicare cards, bank statements, payslips, and Centrelink payments. Disturbingly, three major data breaches at Optus, Medibank, and Latitude Financial exposed these essential documents in the past year, facilitating the cyber criminals’ fraudulent activities.

The modus operandi of this scam is relatively simple; using stolen documents, the criminals create fake myGov accounts. With access to sufficient information to link to the ATO or the taxpayer’s Tax File Number (TFN), they proceed to change the bank account details on record, redirecting tax rebates to their own accounts.

Addressing this issue effectively requires improvements from the government and individual taxpayers. The ATO can take several steps to prevent such fraudulent activities. For instance, implementing a simple cross-check mechanism with individuals via a different channel when changing bank account details within myGov could prevent many of these scams.

Additionally, considering verification through the individual’s employer might add an extra layer of security.

One challenge has been the lack of transparency from the ATO regarding the associated risks. If the risks were better communicated, the cyber security community would likely call for changes in ATO procedures more vociferously.

The ATO has previously shown diligence in identifying potential fraud after cyber security incidents, such as the PageUp hack in 2018, where individuals were required to reconfirm their identities privately, a commendable practice.

To further safeguard taxpayers, the ATO could also detect instances where a single set of bank account details is associated with multiple myGov accounts, helping identify suspicious activity.
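The two controls suggested above, an out-of-band confirmation for bank-detail changes and a check for one destination account linked to many taxpayer accounts, can be expressed as a simple review rule over change events. The example below is added here and is not ATO code; the event fields, identifiers and account values are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample of bank-detail change events, in the shape an internal
# log might take (field names and values are made up for this example).
# Three different taxpayers have had refunds pointed at the same account,
# which is the pattern the article suggests detecting.
CHANGE_EVENTS = [
    {"taxpayer": "TP-1001", "bsb": "062-000", "acct": "10000001",
     "channel": "myGov", "confirmed_out_of_band": True},
    {"taxpayer": "TP-1002", "bsb": "062-000", "acct": "10000001",
     "channel": "myGov", "confirmed_out_of_band": False},
    {"taxpayer": "TP-1003", "bsb": "062-000", "acct": "10000001",
     "channel": "myGov", "confirmed_out_of_band": False},
    {"taxpayer": "TP-2001", "bsb": "033-000", "acct": "20000002",
     "channel": "myGov", "confirmed_out_of_band": True},
    {"taxpayer": "TP-3001", "bsb": "012-003", "acct": "30000003",
     "channel": "phone", "confirmed_out_of_band": True},
]


def destination_key(event):
    """A refund destination is identified by BSB plus account number."""
    return (event["bsb"], event["acct"])


def shared_destinations(events, threshold=2):
    """Map each destination account to the distinct taxpayers pointing at it,
    keeping only destinations shared by at least `threshold` taxpayers."""
    taxpayers_by_dest = defaultdict(set)
    for e in events:
        taxpayers_by_dest[destination_key(e)].add(e["taxpayer"])
    return {k: sorted(v) for k, v in taxpayers_by_dest.items()
            if len(v) >= threshold}


def review_queue(events, threshold=2):
    """Return the events to hold for manual review, each with its reasons:
    the destination is shared across taxpayers, or a self-service (myGov)
    change has not yet been confirmed through a different channel."""
    shared = shared_destinations(events, threshold)
    queue = []
    for e in events:
        reasons = []
        if destination_key(e) in shared:
            reasons.append("shared_destination")
        if e["channel"] == "myGov" and not e["confirmed_out_of_band"]:
            reasons.append("unconfirmed_self_service_change")
        if reasons:
            queue.append({"taxpayer": e["taxpayer"], "reasons": reasons})
    return queue


if __name__ == "__main__":
    for item in review_queue(CHANGE_EVENTS):
        print(item)
```

Refunds for the queued taxpayers would be held until the change is confirmed with the person through another channel, rather than paid to the newly entered account.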

On an individual level, taxpayers can take essential precautions to protect themselves from potential cyber threats. One of the most critical steps is checking that the bank account details the ATO holds for tax rebates are their own and have not been changed. It is also essential to safeguard the TFN, sharing it only with the ATO, employers, super funds, and banks when necessary.

Lastly, traditional data safety practices still apply, such as refraining from sharing sensitive information without a valid reason, being cautious with emails from unknown sources, and never clicking on suspicious links.

Remember that banks and the ATO will never send emails containing links.

By implementing these preventive measures at both the governmental and individual levels, it is possible to mitigate the risk of falling victim to such cyber scams and ensure greater security for taxpayers.
