Fraudsters are taking advantage of a major ATO security loophole: Over half a billion stolen so far
July—a month that sends a shiver down the spine of many Australians. Besides the chill of the winter winds, it's tax season—a time when Aussies flock to their myGov accounts to lodge their annual tax returns. True, it's not our favourite time of year, but what could be better than knowing your data is securely protected by the government? Well, about that…
It has now emerged that the Australian Tax Office (ATO) has not been as ironclad as we believed. In a shocking revelation, over half a billion dollars—$557 million—has been claimed by calculating fraudsters exploiting a security loophole in the ATO's identity checking system over a two-year period.
myGov, the central hub to access most Commonwealth services, including ATO, Medicare, and Services Australia, is where this security mishap lies. Fake myGov accounts were being established and linked to the tax documents of legitimate taxpayers.
Information used to construct these false accounts often comes from successful criminal hacks of big-name corporations, such as Medibank and Optus. Pass the ATO's identity checks using these stolen personal details, and you have unlawful access to the tax data of innocent Aussies. You might be thinking, 'Surely the ATO could detect such deviousness?' Well, it turns out they didn't.
In a Freedom of Information request, the tax office divulged that a whopping $557 million was illegitimately claimed in less than two years. In the financial year 2021-22 alone, fraudsters claimed over $237 million via fake Business Activity Statements (BAS) and tax refund claims. This money was stolen from the tax files of a mind-boggling 7,500 taxpayers.
But that's not the end of it. Last financial year, the figure skyrocketed to a stomach-churning $320 million, this time infiltrating 8,100 taxpayer accounts. The scammers didn't stop there, either. Some successfully syphoned this money into bank accounts that were immediately emptied and then closed, rendering the banks powerless to freeze the funds.
'It's just wrong, and if we can make someone stand up and recognise it to make a change for the better, I'm all for that,' says Lindsay, one of the victims of these exploits. 'There will be so many people out there that this is happening to, and they will have no idea.'
ATO Second Commissioner Jeremy Hirschhorn told the ABC ‘there is a difficulty in identifying this particular type of fraud, as overlinking and prior adjustments are both frequently legitimate’.
The identity requirements set by the ATO for myGov linking are significantly lower than other government and banking agencies.
The tax office has since ramped up its efforts to prevent further cases of this type of fraud.
‘We are managing an acceptable level of risk,’ said Mr Hirschhorn.
Unfortunately, even these additional measures aren't enough to fully protect against identity fraud, as victims of the scam have discovered. The ATO sends out notifications to alert taxpayers if any changes are made to their accounts. But these 'alerts' are sent out after the changes have been made, and even then, they don't always arrive. In one case, the fraudster changed the mobile number of a woman from Melbourne, so she didn't receive any notifications at all. In another case, the victim only received a notice 14-31 hours after the crime.
Dr Teague, an adjunct Professor of Cryptography at Australian National University, said,
‘I'm astounded. It goes to show that poor security really costs us.’
‘Why didn't they just turn it off? They need to close the holes allowing it to happen.’
'You can't expect them to be on the lookout for fraud if they don't know what to look for,' she continued. It's a fair warning and one that we here at SDC strongly back.
Members, we urge you to remain vigilant concerning your personal data. Regularly check your ATO file, ensure your current mobile number is listed, and watch out for any suspicious activity.
Stay informed, and let's hold accountable the ones who are meant to be safeguarding our money and not unknowingly handing it to criminals.
Key Takeaways
- The Australian Tax Office (ATO) has admitted that a security loophole in their myGov system has resulted in over $557 million fraudulently claimed over the last two years.
- This fraudulent activity involved criminals creating false myGov accounts and linking them to the tax files of genuine taxpayers.
- The ATO has implemented measures to combat this type of fraud, focusing on 'overlinking' and implementing algorithmic analysis to detect suspicious behaviour.
- Despite the measures taken, victims of this fraud argue that the ATO isn't doing enough to protect taxpayers, with many unaware that such fraud has occurred on their accounts.