Key Takeaways
- Over $557 million has been unlawfully claimed over the past two years due to a security flaw in the myGov system, according to the Australian Tax Office (ATO).
- In this scheme, fraudsters created phoney myGov accounts and used them to gain access to legitimate taxpayers’ information.
- With a focus on ‘overlinking’ and using computational analysis to spot fraudulent activity, the ATO has taken steps to combat this fraud.
- Victims of this theft say the ATO isn’t doing enough to protect taxpayers, with many unaware that such fraud has occurred on their accounts.
It is now July, and it’s tax season. Across Australia, millions of people will be accessing their myGov accounts to submit their tax returns. Since the government protects your privacy, you may believe the system is safe.
Over the past two years, fraudsters have claimed over $500 million from the Australian Taxation Office (ATO) by taking advantage of a major security flaw in the agency’s identity-checking system, the ATO confessed to the ABC.
ABC Investigations published a report in December detailing how crooks were breaking into the ATO’s database by posing as legitimate users and linking their myGov accounts to real people’s tax records.
The Australian Taxation Office (ATO), Medicare, and Services Australia may be accessed through myGov, the major portal for all Commonwealth services.
The audit revealed that the ATO was missing some fraudulent activity on controlled accounts because of compromised credentials obtained in high-profile hacks like Medibank and Optus.
Through a Freedom of Information request, the tax office has disclosed that fraudsters who bypassed the tax office’s identity checks and hacked into legitimate taxpayers’ ATO accounts falsely claimed almost $557 million in less than two years.
Business Activity Statement (BAS) and tax refund fraud totalled over $237 million in the 2021-22 fiscal year alone. More than 7,500 tax returns were affected by the scam.
This number had risen to $320 million in the previous fiscal year, affecting 8,100 taxpayer accounts.
However, ABC has heard from multiple taxpayers who have identified fraudulent claims that were paid out, often through bank accounts that the criminals promptly emptied and closed before the bank could freeze the funds.
Recent data only goes as far as February 2023. Thus, the amount of stolen money is almost certainly far larger than $557 million.
The ATO refused ABC’s request for seven months, citing the danger of disclosing this information and the “complexity” of the request as its reasons for not saying how much money had been taken via this technique.
The data release revealed that the ATO did not have reliable statistics regarding this specific fraud when ABC Investigations first announced it. Even today, all it can say is that the $557 million in fraudulently claimed funds included a “significant component” obtained through the myGov loophole.
The ATO’s deputy commissioner Jeremy Hirschhorn recently told ABC, “It’s hard to spot this kind of fraud because overlinking and prior adjustments are often perfectly legal.”
New connections between myGov and existing tax accounts are known as “overlinking” by the ATO. The ATO has more lax identity requirements for myGov connections than other government agencies like Medicare.
An Enhanced Emphasis on myGov Hacks
Many bogus refund claims and fraudulent payments were uncovered by chance by taxpayers.
This is because payments are disbursed by the Commonwealth rather than by individual taxpayers. The bogus tax revisions are typically made in early July, just before the annual return submission deadline, or during the slow time of the fiscal year.
According to Mr Hirschhorn, the ATO has “recently become more focused on overlinking” and is increasing its capabilities to resist this and related scams.
With “further growth anticipated” over the coming year, the ATO has already assigned hundreds of employees to the task, including those in the newly formed Fraud and Criminal Behaviours group directed by deputy commissioner John Ford.
The IRS also uses algorithmic overlinking analysis to identify potentially fraudulent activities.
Taxpayers are urged to check their ATO records and update their mobile phone numbers to ensure they receive a text message when they link a new myGov account.
At least one case identified by ABC involved a Melbourne lady named Sue*, whose mobile number was fraudulently changed in her ATO file without her knowledge.
However, Lindsay from Queensland, whose account was hacked three times in the past month, received a text alert 14 to 31 hours after each incident.
The imposter had supposedly updated Lindsay’s banking and email information and made expense claims totalling $13,000, all of which were denied by the ATO within a week.
Lindsay’s account has been disabled, just like Sue’s. He needs to call the ATO and set up a temporary unlock so he can use it for two days. But according to Lindsay, the third time the account was breached was after it had been shut.
The ATO employee he spoke to told him that the 48 hours don’t include weekends, which he disputed.
Lindsay is unconvinced by the ATO’s answer, despite Mr Hirschhorn’s assurances that the organisation is not “complacent” regarding security.
It’s wrong, he added, and if calling attention to the problem can lead to positive change, he’s all for it.
They need guidance as to what to look for.
Taxpayers, the ATO added, should exercise good “cyber hygiene” by “proactively logging in and looking for anything suspicious, in the same way they would monitor their bank accounts.”
However, some who have fallen prey to this scam have questioned the agency’s reluctance to warn the public about what red flags to look out for.
Regular taxpayers are the only ones who don’t know what’s happening. They won’t be on the lookout for fraud if they have no idea what constitutes fraud.
The ATO is aware of the possibility of copycat identity crime fraud proliferating and does not want to promote further criminal conduct that exploits its systems or processes. Thus, it is careful about the information it releases regarding the “how” of identity crime fraud occurrences and its audit processes.
Despite the ATO’s compliance requirements, most of the myGov fraud instances uncovered by the ABC involved relatively small amounts (typically under $5,000).
Conclusion
Over $557 million was fraudulently claimed by criminals from the Commonwealth of Australia, according to the Australian Taxation Office (ATO). Criminals engaged in this scheme by creating phoney myGov accounts and using those accounts to access legitimate individuals’ tax records. Through a Freedom of Information request, the tax office has disclosed that fraudsters who bypassed the tax office’s identity checks and hacked into legitimate taxpayers’ ATO accounts falsely claimed almost $557 million in less than two years.