Inside the $500 million ATO heist

More than half a billion dollars has been fraudulently claimed via false Business Activity Statements and tax refund claims between July 2021 and February 2023.

Fraudsters exploited a weakness in the identification system used by the myGov online portal to create fake myGov accounts, linking them to genuine taxpayers’ ATO accounts and redirecting tax refunds and other claims to their own bank accounts.

Most of the payments were for amounts less than $5,000, and were not flagged by ATO monitoring systems.

How the scam works

The cybercriminals create a fake myGov account using stolen documents, link it to someone’s ATO account and disconnect the ATO account from the real myGov account before lodging the fraudulent claims. This prevents the legitimate account holder from viewing any refund assessment notices.

  1. Hackers gain access to secure consumer information through data breaches (e.g. Medicare, Optus and many others).
  2. Scammers get hold of enough consumer information to create fake myGov accounts using 100 points of ID.
  3. Scammers link those fake myGov accounts to ATO records using a combination of ATO assessments, bank account details, payslips, Centrelink payments, or super accounts.
  4. Scammers submit fake tax claims, including fraudulent BAS claims, and divert the payments to the scammers’ bank accounts.

Preventative measures

If a client has been affected by a cyber breach, they may carry an increased risk of being scammed in the future. Clients can take the following steps to safeguard their accounts:

  1. Use this website to find out if their email address and personal data have been included in a data breach.
  2. Make sure that their ATO account bank details, phone numbers, and other information are all correct, then re-check before submitting a claim. Accountants should also assure clients that they will carry out these checks before submitting claims.
  3. Review myGov account history under settings, and check for unusual activity and for submissions from ATO accounts.
  4. Monitor notifications, and ensure they are sent to an account that is checked regularly.
  5. Protect tax file numbers, and only share them through secure channels. Only five entities should have access to tax file numbers: ATO, employers, tax agents, superannuation funds, and banks.

The government’s role in preventing fraud

There are steps that the government can take to prevent future instances of fraud, but it has to balance keeping the system accessible for taxpayers with preventing access to scammers.

ATO second commissioner Jeremy Hirschhorn told the ABC that the office is managing an acceptable level of risk, which provides little comfort to those affected by these scams. Arguably, if this level of risk is acceptable the ATO has a greater appetite for it than Terry Benedict from Ocean’s Eleven, because Danny Ocean only walked away with a third of the ATO haul.

However, Hirschhorn added that his office will be more focused on overlinking – the often-legitimate practice of linking a new myGov account to an existing ATO account.

Verifying bank account detail changes with individuals through alternative channels could also mitigate fraud risk. Hirschhorn has warned that increasing the monitoring of overlinking will also raise red flags when users alter bank details multiple times, alter contact details, or spontaneously submit several adjustments.
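The overlinking and bank-detail checks Hirschhorn describes, as an added example of how a defender might correlate them over an account-activity log. This is illustrative Python written for this page, not ATO monitoring logic; the event names, the seven-day window and the sample log are assumed and constructed.

```python
from datetime import datetime, timedelta
# Constructed sample account-activity log (not real ATO data): (account, time, event, detail);
# event names are assumed labels for illustration.
EVENTS = [
    ("acct-A", "2022-03-01 09:00", "link_mygov", "mygov-new"),
    ("acct-A", "2022-03-01 09:05", "unlink_mygov", "mygov-old"),
    ("acct-A", "2022-03-01 09:10", "update_bank", "bsb-000 acc-1"),
    ("acct-A", "2022-03-02 10:00", "lodge_claim", "4800"),
    ("acct-A", "2022-03-03 10:00", "lodge_claim", "4950"),
    ("acct-B", "2021-11-10 12:00", "link_mygov", "mygov-b"),
    ("acct-B", "2022-01-15 08:00", "lodge_claim", "1200"),
    ("acct-C", "2022-05-01 08:00", "update_bank", "bsb-111 acc-2"),
    ("acct-C", "2022-05-01 08:30", "update_bank", "bsb-222 acc-3"),
    ("acct-C", "2022-05-01 09:00", "update_contact", "phone"),
]
WINDOW = timedelta(days=7)   # assumed look-ahead window for correlating events
SMALL_CLAIM = 5000           # the article notes sub-$5,000 payments were not flagged

def parse(events):
    """Group raw events per account and sort each account's events by time."""
    by_acct = {}
    for acct, ts, ev, detail in events:
        t = datetime.strptime(ts, "%Y-%m-%d %H:%M")
        by_acct.setdefault(acct, []).append((t, ev, detail))
    for evs in by_acct.values():
        evs.sort()
    return by_acct

def score(evs, window=WINDOW):
    """Return the red-flag reasons for one account's time-sorted event list."""
    reasons = set()
    def within(t0, kinds, pred=lambda d: True):  # events of given kinds in [t0, t0 + window]
        return [e for e in evs if e[1] in kinds and t0 <= e[0] <= t0 + window and pred(e[2])]
    for t, ev, _ in evs:
        if ev == "link_mygov":
            if within(t, {"unlink_mygov"}):
                reasons.add("overlink: new myGov link followed by unlink of the existing link")
            if within(t, {"update_bank"}):
                reasons.add("bank details changed shortly after a new myGov link")
            if len(within(t, {"lodge_claim"}, lambda d: float(d) < SMALL_CLAIM)) >= 2:
                reasons.add("multiple sub-threshold claims after a new myGov link")
        if ev == "update_bank" and len(within(t, {"update_bank"})) >= 2:
            reasons.add("bank details altered multiple times")
        if ev.startswith("update_") and len(within(t, {"update_bank", "update_contact"})) >= 3:
            reasons.add("several detail adjustments in a short burst")
    return sorted(reasons)

def flag_accounts(events):
    # Map account -> reasons, keeping only accounts with at least one red flag.
    return {a: r for a, evs in parse(events).items() if (r := score(evs))}
```

Run over the constructed log, acct-A (link, unlink, bank change, two small claims) and acct-C (burst of detail changes) are flagged, while acct-B's link followed by a claim months later is not.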

What to do if you suspect fraud

If fraud is suspected, the first thing to do is contact the ATO. Freeze the account to halt further activity, regain control, and check whether other accounts have been compromised.

CEO of Tailored Accounts Harry Hoang MIPA AFA is a former IPA ACT Member of the Year and former IPA ACT Practice of the Year.

 
