The $500 million ATO fraud highlights flaws in the myGov ID system. Here’s how to keep your data safe

The Australian Tax Office (ATO) paid out more than half a billion dollars to cyber criminals between July 2021 and February 2023, according to an ABC report.

Most of the payments were for small amounts (less than A$5,000) and were not flagged by the ATO’s own monitoring systems.

The fraudsters exploited a weakness in the identification system used by the myGov online portal to redirect other people’s tax refunds to their own bank accounts.

The good news is there’s plenty the federal government can do to crack down on this kind of fraud – and that you can do to keep your own payments secure.



How these scams work​

Setting up a myGov account or a myGov ID requires proof of identity in the form of “100 points of ID”. It usually means either a passport and a driver’s licence or a driver’s licence, a Medicare card, and a bank statement.

Once a myGov account is created, linking it to your tax records requires two of the following: an ATO assessment, bank account details, a payslip, a Centrelink payment, or a super account.

These documents were precisely the ones targeted in three large data breaches in the past year: at Optus, at Medibank, and at Latitude Financial.

In this scam, the cyber criminal creates a fake myGov account using the stolen documents. If they can also get enough information to link to the ATO or your Tax File Number, they can then change bank account details to have your tax rebate paid to their account.

It is a sadly simple scam.

How government can improve​

One of the issues here is quite astounding. The ATO knows where salaries are paid, via the “single touch” payroll system. This ensures salaries, tax and superannuation contributions are all paid at once.

Most people who have received a tax refund will have provided bank account details where that payment can be made. Indeed, many people use precisely those bank account details to identify themselves to myGov.


file-20230727-24380-pe7kf6.jpeg

Medicare information is commonly used for identification purposes. Dave Hunt / AAP



At present, those bank details can be changed within myGov without any further ado. If the ATO simply checked with the individual via another channel when bank account details are changed, this fraud could be prevented. It might be sensible to check with the individual’s employer as well.

Part of the problem is the ATO has not been very transparent about the risks. If these risks were clearly set out, then calls for changes to ATO procedures would have been loud and clear from the cyber security community.

The ATO is usually good at identifying when a cyber security incident may lead to fraud. For example, when the recruitment software company PageUp was hacked in 2018, the ATO required people who may have been affected to reconfirm their identities. This was done without public commentary and represents sound practice.

Sadly, the millions of records stolen in the Optus, Medibank and Latitude Financial breaches have not led to a similar level of vigilance.

Another action the ATO could take would be to check when a single set of bank account details is associated with more than one myGov account.

A national digital identity would also help. However, this system has been in development for years, is not universally popular, and may well be delayed until after the federal election due in 2024.



Protecting yourself​

The most important thing to do is make sure the ATO does not use a bank account number other than yours. As long as the ATO only has your bank account number to transfer your tax rebate, this scam does not work.

It also helps to protect your Tax File Number. There are only four groups that ever need this number.

The first is the ATO itself. The second is your employer. However, remember you do not need to give your TFN to a prospective employer, and your employer only needs your TFN after you have started work.

Your super fund and your bank may ask for your TFN. However, providing your TFN to your super fund or bank is optional – it just makes things easier, as otherwise they will withhold tax which you will need to claim back later.

Of course, all the usual data safety issues still apply. Don’t share your driver’s licence details without good reason. Take similar care with your passport. Your Medicare card is for health services and does not need to be shared widely.

Don’t open emails from people you do not know. Never click links in messages unless you are sure they are safe. Most importantly, know your bank will not send you emails containing links, nor will the ATO.

This article was first published on The Conversation, and was written by Rob Nicholls, Associate professor of regulation and governance, UNSW Sydney

 
Last edited:
Sponsored
The Australian Tax Office (ATO) paid out more than half a billion dollars to cyber criminals between July 2021 and February 2023, according to an ABC report.

Most of the payments were for small amounts (less than A$5,000) and were not flagged by the ATO’s own monitoring systems.

The fraudsters exploited a weakness in the identification system used by the myGov online portal to redirect other people’s tax refunds to their own bank accounts.

The good news is there’s plenty the federal government can do to crack down on this kind of fraud – and that you can do to keep your own payments secure.



How these scams work​

Setting up a myGov account or a myGov ID requires proof of identity in the form of “100 points of ID”. It usually means either a passport and a driver’s licence or a driver’s licence, a Medicare card, and a bank statement.

Once a myGov account is created, linking it to your tax records requires two of the following: an ATO assessment, bank account details, a payslip, a Centrelink payment, or a super account.

These documents were precisely the ones targeted in three large data breaches in the past year: at Optus, at Medibank, and at Latitude Financial.

In this scam, the cyber criminal creates a fake myGov account using the stolen documents. If they can also get enough information to link to the ATO or your Tax File Number, they can then change bank account details to have your tax rebate paid to their account.

It is a sadly simple scam.

How government can improve​

One of the issues here is quite astounding. The ATO knows where salaries are paid, via the “single touch” payroll system. This ensures salaries, tax and superannuation contributions are all paid at once.

Most people who have received a tax refund will have provided bank account details where that payment can be made. Indeed, many people use precisely those bank account details to identify themselves to myGov.


file-20230727-24380-pe7kf6.jpeg

Medicare information is commonly used for identification purposes. Dave Hunt / AAP



At present, those bank details can be changed within myGov without any further ado. If the ATO simply checked with the individual via another channel when bank account details are changed, this fraud could be prevented. It might be sensible to check with the individual’s employer as well.

Part of the problem is the ATO has not been very transparent about the risks. If these risks were clearly set out, then calls for changes to ATO procedures would have been loud and clear from the cyber security community.

The ATO is usually good at identifying when a cyber security incident may lead to fraud. For example, when the recruitment software company PageUp was hacked in 2018, the ATO required people who may have been affected to reconfirm their identities. This was done without public commentary and represents sound practice.

Sadly, the millions of records stolen in the Optus, Medibank and Latitude Financial breaches have not led to a similar level of vigilance.

Another action the ATO could take would be to check when a single set of bank account details is associated with more than one myGov account.

A national digital identity would also help. However, this system has been in development for years, is not universally popular, and may well be delayed until after the federal election due in 2024.



Protecting yourself​

The most important thing to do is make sure the ATO does not use a bank account number other than yours. As long as the ATO only has your bank account number to transfer your tax rebate, this scam does not work.

It also helps to protect your Tax File Number. There are only four groups that ever need this number.

The first is the ATO itself. The second is your employer. However, remember you do not need to give your TFN to a prospective employer, and your employer only needs your TFN after you have started work.

Your super fund and your bank may ask for your TFN. However, providing your TFN to your super fund or bank is optional – it just makes things easier, as otherwise they will withhold tax which you will need to claim back later.

Of course, all the usual data safety issues still apply. Don’t share your driver’s licence details without good reason. Take similar care with your passport. Your Medicare card is for health services and does not need to be shared widely.

Don’t open emails from people you do not know. Never click links in messages unless you are sure they are safe. Most importantly, know your bank will not send you emails containing links, nor will the ATO.

This article was first published on The Conversation, and was written by Rob Nicholls, Associate professor of regulation and governance, UNSW Sydney

Technology an't it grand NOT if a government department can't keep it safe what hope have we got 🤬🤬🤬🤬🤬🤬the paper system was safer
 
The Australian Tax Office (ATO) paid out more than half a billion dollars to cyber criminals between July 2021 and February 2023, according to an ABC report.

Most of the payments were for small amounts (less than A$5,000) and were not flagged by the ATO’s own monitoring systems.

The fraudsters exploited a weakness in the identification system used by the myGov online portal to redirect other people’s tax refunds to their own bank accounts.

The good news is there’s plenty the federal government can do to crack down on this kind of fraud – and that you can do to keep your own payments secure.



How these scams work​

Setting up a myGov account or a myGov ID requires proof of identity in the form of “100 points of ID”. It usually means either a passport and a driver’s licence or a driver’s licence, a Medicare card, and a bank statement.

Once a myGov account is created, linking it to your tax records requires two of the following: an ATO assessment, bank account details, a payslip, a Centrelink payment, or a super account.

These documents were precisely the ones targeted in three large data breaches in the past year: at Optus, at Medibank, and at Latitude Financial.

In this scam, the cyber criminal creates a fake myGov account using the stolen documents. If they can also get enough information to link to the ATO or your Tax File Number, they can then change bank account details to have your tax rebate paid to their account.

It is a sadly simple scam.

How government can improve​

One of the issues here is quite astounding. The ATO knows where salaries are paid, via the “single touch” payroll system. This ensures salaries, tax and superannuation contributions are all paid at once.

Most people who have received a tax refund will have provided bank account details where that payment can be made. Indeed, many people use precisely those bank account details to identify themselves to myGov.


file-20230727-24380-pe7kf6.jpeg

Medicare information is commonly used for identification purposes. Dave Hunt / AAP



At present, those bank details can be changed within myGov without any further ado. If the ATO simply checked with the individual via another channel when bank account details are changed, this fraud could be prevented. It might be sensible to check with the individual’s employer as well.

Part of the problem is the ATO has not been very transparent about the risks. If these risks were clearly set out, then calls for changes to ATO procedures would have been loud and clear from the cyber security community.

The ATO is usually good at identifying when a cyber security incident may lead to fraud. For example, when the recruitment software company PageUp was hacked in 2018, the ATO required people who may have been affected to reconfirm their identities. This was done without public commentary and represents sound practice.

Sadly, the millions of records stolen in the Optus, Medibank and Latitude Financial breaches have not led to a similar level of vigilance.

Another action the ATO could take would be to check when a single set of bank account details is associated with more than one myGov account.

A national digital identity would also help. However, this system has been in development for years, is not universally popular, and may well be delayed until after the federal election due in 2024.



Protecting yourself​

The most important thing to do is make sure the ATO does not use a bank account number other than yours. As long as the ATO only has your bank account number to transfer your tax rebate, this scam does not work.

It also helps to protect your Tax File Number. There are only four groups that ever need this number.

The first is the ATO itself. The second is your employer. However, remember you do not need to give your TFN to a prospective employer, and your employer only needs your TFN after you have started work.

Your super fund and your bank may ask for your TFN. However, providing your TFN to your super fund or bank is optional – it just makes things easier, as otherwise they will withhold tax which you will need to claim back later.

Of course, all the usual data safety issues still apply. Don’t share your driver’s licence details without good reason. Take similar care with your passport. Your Medicare card is for health services and does not need to be shared widely.

Don’t open emails from people you do not know. Never click links in messages unless you are sure they are safe. Most importantly, know your bank will not send you emails containing links, nor will the ATO.

This article was first published on The Conversation, and was written by Rob Nicholls, Associate professor of regulation and governance, UNSW Sydney

 
One thing our chartered accountant told me years ago if ATO contacts you for any reason, contact us first for an explanation and we will look into it. If its real or not sure do not respond to anything that looks strange or not sure. ATO will never contact you directly. Look closely at the email you received. Usually it will never be what you would think. Do not respond at all. Instead call your accountant. These emails are sent out on spec to guage interest to scare you. Check with your accountant first before responding.
 
The Australian Tax Office (ATO) paid out more than half a billion dollars to cyber criminals between July 2021 and February 2023, according to an ABC report.

Most of the payments were for small amounts (less than A$5,000) and were not flagged by the ATO’s own monitoring systems.

The fraudsters exploited a weakness in the identification system used by the myGov online portal to redirect other people’s tax refunds to their own bank accounts.

The good news is there’s plenty the federal government can do to crack down on this kind of fraud – and that you can do to keep your own payments secure.



How these scams work​

Setting up a myGov account or a myGov ID requires proof of identity in the form of “100 points of ID”. It usually means either a passport and a driver’s licence or a driver’s licence, a Medicare card, and a bank statement.

Once a myGov account is created, linking it to your tax records requires two of the following: an ATO assessment, bank account details, a payslip, a Centrelink payment, or a super account.

These documents were precisely the ones targeted in three large data breaches in the past year: at Optus, at Medibank, and at Latitude Financial.

In this scam, the cyber criminal creates a fake myGov account using the stolen documents. If they can also get enough information to link to the ATO or your Tax File Number, they can then change bank account details to have your tax rebate paid to their account.

It is a sadly simple scam.

How government can improve​

One of the issues here is quite astounding. The ATO knows where salaries are paid, via the “single touch” payroll system. This ensures salaries, tax and superannuation contributions are all paid at once.

Most people who have received a tax refund will have provided bank account details where that payment can be made. Indeed, many people use precisely those bank account details to identify themselves to myGov.


file-20230727-24380-pe7kf6.jpeg

Medicare information is commonly used for identification purposes. Dave Hunt / AAP



At present, those bank details can be changed within myGov without any further ado. If the ATO simply checked with the individual via another channel when bank account details are changed, this fraud could be prevented. It might be sensible to check with the individual’s employer as well.

Part of the problem is the ATO has not been very transparent about the risks. If these risks were clearly set out, then calls for changes to ATO procedures would have been loud and clear from the cyber security community.

The ATO is usually good at identifying when a cyber security incident may lead to fraud. For example, when the recruitment software company PageUp was hacked in 2018, the ATO required people who may have been affected to reconfirm their identities. This was done without public commentary and represents sound practice.

Sadly, the millions of records stolen in the Optus, Medibank and Latitude Financial breaches have not led to a similar level of vigilance.

Another action the ATO could take would be to check when a single set of bank account details is associated with more than one myGov account.

A national digital identity would also help. However, this system has been in development for years, is not universally popular, and may well be delayed until after the federal election due in 2024.



Protecting yourself​

The most important thing to do is make sure the ATO does not use a bank account number other than yours. As long as the ATO only has your bank account number to transfer your tax rebate, this scam does not work.

It also helps to protect your Tax File Number. There are only four groups that ever need this number.

The first is the ATO itself. The second is your employer. However, remember you do not need to give your TFN to a prospective employer, and your employer only needs your TFN after you have started work.

Your super fund and your bank may ask for your TFN. However, providing your TFN to your super fund or bank is optional – it just makes things easier, as otherwise they will withhold tax which you will need to claim back later.

Of course, all the usual data safety issues still apply. Don’t share your driver’s licence details without good reason. Take similar care with your passport. Your Medicare card is for health services and does not need to be shared widely.

Don’t open emails from people you do not know. Never click links in messages unless you are sure they are safe. Most importantly, know your bank will not send you emails containing links, nor will the ATO.

This article was first published on The Conversation, and was written by Rob Nicholls, Associate professor of regulation and governance, UNSW Sydney

Albo and Chalmers can't blame the co alition for this cockup?
 
if they were serious about tax evasion they'd be looking at the billionaires and religious organisations who owe millions, not spending more money chasing a few dodgy characters living on the breadline
 

Join the conversation

News, deals, games, and bargains for Aussies over 60. From everyday expenses like groceries and eating out, to electronics, fashion and travel, the club is all about helping you make your money go further.

Seniors Discount Club

The SDC searches for the best deals, discounts, and bargains for Aussies over 60. From everyday expenses like groceries and eating out, to electronics, fashion and travel, the club is all about helping you make your money go further.
  1. New members
  2. Jokes & fun
  3. Photography
  4. Nostalgia / Yesterday's Australia
  5. Food and Lifestyle
  6. Money Saving Hacks
  7. Offtopic / Everything else

Latest Articles

  • We believe that retirement should be a time to relax and enjoy life, not worry about money. That's why we're here to help our members make the most of their retirement years. If you're over 60 and looking for ways to save money, connect with others, and have a laugh, we’d love to have you aboard.
  • Advertise with us

User Menu

Enjoyed Reading our Story?

  • Share this forum to your loved ones.
Change Weather Postcode×
Change Petrol Postcode×