How the $500 million ATO fraud highlights myGov identity flaws
Scammers have exploited a weakness in the myGov portal to redirect hundreds of millions of tax refund dollars, writes UNSW Business School's Rob Nicholls
The Australian Tax Office (ATO) paid out more than half a billion dollars to cyber criminals between July 2021 and February 2023, according to an ABC report. Most of the payments were for small amounts (less than $5000) and were not flagged by the ATO’s own monitoring systems.
The fraudsters exploited a weakness in the identification system used by the myGov online portal to redirect other people’s tax refunds to their own bank accounts.
The good news is there’s plenty the federal government can do to crack down on this kind of fraud – and that you can do to keep your own payments secure.
How these scams work
Setting up a myGov account or a myGov ID requires proof of identity in the form of 100 points of ID. It usually means either a passport and a driver’s licence or a driver’s licence, a Medicare card, and a bank statement.
Once a myGov account is created, linking it to your tax records requires two of the following: an ATO assessment, bank account details, a payslip, a Centrelink payment, or a super account. These documents were precisely the ones targeted in three large data breaches in the past year: at Optus, at Medibank, and at Latitude Financial.
In this scam, the cybercriminal creates a fake myGov account using the stolen documents. If they can also get enough information to link to the ATO or your Tax File Number, they can then change bank account details to have your tax rebate paid to their account.
It is a sadly simple scam.
How government can improve
One of the issues here is quite astounding. The ATO knows where salaries are paid, via the single touch payroll system. This ensures salaries, tax and superannuation contributions are all paid at once. Most people who have received a tax refund will have provided bank account details where that payment can be made. Indeed, many people use precisely those bank account details to identify themselves to myGov.
At present, those bank details can be changed within myGov without any further ado. If the ATO simply checked with the individual via another channel when bank account details are changed, this fraud could be prevented. It might be sensible to check with the individual’s employer as well.
Part of the problem is the ATO has not been very transparent about the risks. If these risks were clearly set out, then calls for changes to ATO procedures would have been loud and clear from the cybersecurity community. The ATO is usually good at identifying when a cyber security incident may lead to fraud. For example, when the recruitment software company PageUp was hacked in 2018, the ATO required people who may have been affected to reconfirm their identities. This was done without public commentary and represents sound practice.
Sadly, the millions of records stolen in the Optus, Medibank and Latitude Financial breaches have not led to a similar level of vigilance.
Another action the ATO could take would be to check when a single set of bank account details is associated with more than one myGov account. A national digital identity would also help. However, this system has been in development for years, is not universally popular, and may well be delayed until after the federal election due in 2024.
The most important thing to do is make sure the ATO does not use a bank account number other than yours. As long as the ATO only has your bank account number to transfer your tax rebate, this scam does not work.
It also helps to protect your Tax File Number. There are only four groups that ever need this number. The first is the ATO itself. The second is your employer. However, remember you do not need to give your TFN to a prospective employer, and your employer only needs your TFN after you have started work.
Your super fund and your bank may ask for your TFN. However, providing your TFN to your super fund or bank is optional – it just makes things easier, as otherwise they will withhold tax which you will need to claim back later.
Of course, all the usual data safety issues still apply. Don’t share your driver’s licence details without good reason. Take similar care with your passport. Your Medicare card is for health services and does not need to be shared widely. Don’t open emails from people you do not know. Never click links in messages unless you are sure they are safe. Most importantly, know your bank will not send you emails containing links, nor will the ATO.
Dr Rob Nicholls is an Associate Professor in the School of Management & Governance at UNSW Business School. His research interests focus on competition policy, the regulation of networked industries and the financial services sector with an emphasis on the effects of technology in the regulatory space. For more information, please contact Dr Nicholls directly. A version of this post first appeared on The Conversation.