July is tax time for Australians, who log into their myGov accounts to file their returns. Millions of Australians expect their myGov account to safeguard their information, but the reality is different. The ATO, or Australian Taxation Office, has admitted to the ABC that it was conned by fraudsters out of more than half a billion dollars over two years. The fraud has exposed a glaring gap in the ATO's identity-checking system.
In December 2022, an ABC investigation revealed how fraudsters gained unchecked entry to the ATO's systems. They did so by creating duplicate myGov accounts and linking them to the tax files of genuine taxpayers. myGov is the central hub used to access a range of Commonwealth services, including Medicare, the ATO, and Services Australia.
The investigation revealed how cybercriminals used stolen identity data from high-profile breaches such as Optus and Medibank to pass the ATO's identity checks, and how the ATO failed to detect such activity. Only now, through a Freedom of Information request, has the ATO revealed that more than $557 million was claimed by fraudsters in less than two years. They did so by cheating the identity checks and taking over the ATO accounts of genuine taxpayers.
Not a One-off Case of Fraud
Shockingly, the siphoning of money is not a recent phenomenon; it took place in the 2021–22 financial year as well. During that year, fraudsters claimed $237 million using false business activity statements and tax refund claims, affecting the accounts of more than 7,500 taxpayers. Last financial year, the amount rose to $320 million and involved the accounts of around 8,100 taxpayers. You may also read about the Medibank data breach to understand the gravity of the situation.
The ABC knows of many taxpayers who discovered that refunds had been paid out to fraudster-controlled bank accounts, which were then emptied and closed. This way, the fraudsters thwarted the bank's ability to freeze the funds. The figures revealed by the investigation only run to February 2023, so the actual amount could be even higher. Vanessa Teague, adjunct professor of cryptography at the Australian National University, was astounded by the lack of action by the ATO. She said that the poor security of the ATO's website dealt a heavy blow to ordinary, honest taxpayers. According to Manish Chaudhari, CISO of Cybernetic Global Intelligence, a globally accredited cybersecurity company, such incidents happen frequently because most websites, government or privately owned, have vulnerabilities that can be exploited.
To make matters worse, the ATO declined for seven months to reveal how much money had been stolen, citing the dangers of disclosing the information. It appeared that the ATO did not have the details of this fraud when the ABC investigation exposed it. Now it says that a significant chunk of the $557 million fraudulently claimed was taken through the myGov loophole. According to the ATO's second commissioner, Jeremy Hirschhorn, "there is a difficulty in identifying this particular type of fraud, as overlinking and adjustments are both frequently legitimate." By overlinking, the ATO means linking a new myGov account to a taxpayer's pre-existing ATO record. Mr. Hirschhorn defended the ATO's security settings by stating that it has to balance making the system easily accessible for the majority of taxpayers against making it difficult for fraudsters to access.
MyGov Hacks Draw Increased Focus
Many of the false refund claims were detected by taxpayers only by chance, because the payments were made by the Commonwealth rather than from individual taxpayers' own funds, so victims had no obvious sign that anything was missing. Further, the false tax amendments were lodged either in early July, before genuine taxpayers had submitted their returns, or during the quiet period of the financial year. Mr. Hirschhorn said that the ATO is now focused on overlinking and is ramping up its capacity to prevent cybercrime of this nature.
A large taskforce has been set up for the job, led by Deputy Commissioner John Ford of the Fraud and Criminal Behaviours Group. The ATO is also implementing algorithmic analysis of overlinking to detect suspicious behaviour. This will flag repeated alteration of contact details, changes to bank account details, and the sudden submission of multiple adjustments.
The ATO has advised taxpayers to monitor their ATO records and keep their current mobile number on file, so that they receive an alert when a new myGov account is linked. It also encouraged taxpayers to follow good cyber hygiene and log into their bank accounts proactively to look for anything suspicious. However, victims of the fraud questioned the ATO's unwillingness to tell them what signs to look for. In its defence, the ATO said that such information could encourage more malicious actors to exploit the system.
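One way to express the overlinking indicators described above (repeated contact changes, bank-detail changes, a burst of adjustments, plus the early-July timing noted in the previous paragraph) as detection logic, shown here as an added example that is not the ATO's own algorithm or code. The event names, the 14-day window, the two-indicator threshold, the early-July cut-off and the sample event log are all constructed assumptions for illustration; the design point is that a new link, a bank change or a single amendment on its own is treated as normal, and a record is flagged only when several indicators co-occur shortly after a new link:

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List

# Hypothetical event kinds on a taxpayer record. The names are assumptions for
# this example, not the ATO's real audit telemetry.
LINK, CONTACT, BANK, AMEND = "mygov_link", "contact_change", "bank_change", "amendment"


@dataclass(frozen=True)
class Event:
    account: str    # constructed taxpayer record identifier, e.g. "TP-001"
    kind: str       # one of LINK, CONTACT, BANK, AMEND
    at: datetime    # naive local timestamp (assumption: all events in one timezone)


# Assumed tuning: only activity shortly after a myGov link is considered, and a
# record is flagged only when two or more indicators co-occur, because a new
# link, a bank-detail change or a single amendment is usually legitimate.
WINDOW = timedelta(days=14)
MIN_INDICATORS = 2


def indicators_after_link(link: Event, events: List[Event]) -> List[str]:
    """Indicators observed within WINDOW after one myGov link event."""
    after = [e for e in events
             if e is not link and link.at <= e.at <= link.at + WINDOW]
    contact_changes = sum(1 for e in after if e.kind == CONTACT)
    bank_changes = sum(1 for e in after if e.kind == BANK)
    amendments = [e for e in after if e.kind == AMEND]

    reasons = []
    if contact_changes >= 2:
        reasons.append("contact details changed repeatedly")
    if bank_changes >= 1:
        reasons.append("bank account details changed")
    if len(amendments) >= 2:
        reasons.append("multiple adjustments lodged in quick succession")
    # Early July is before most genuine returns are lodged, so an amendment
    # then is a timing signal (the 14 July cut-off is an assumption).
    if any(e.at.month == 7 and e.at.day <= 14 for e in amendments):
        reasons.append("adjustment lodged in early July")
    return reasons


def score_links(events: List[Event]) -> Dict[str, List[str]]:
    """Return {account: reasons} for every record where a myGov link is followed
    by at least MIN_INDICATORS suspicious indicators within WINDOW."""
    by_account: Dict[str, List[Event]] = {}
    for ev in sorted(events, key=lambda e: e.at):
        by_account.setdefault(ev.account, []).append(ev)

    flagged: Dict[str, List[str]] = {}
    for account, evs in by_account.items():
        for link in (e for e in evs if e.kind == LINK):
            reasons = indicators_after_link(link, evs)
            if len(reasons) >= MIN_INDICATORS:
                flagged.setdefault(account, []).extend(reasons)
    return flagged


def _d(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%d")


# Constructed sample log: four records, two of which show the pattern.
SAMPLE_EVENTS = [
    # TP-001: taxpayer relinks after changing phones; one contact update only.
    Event("TP-001", LINK, _d("2023-03-10")),
    Event("TP-001", CONTACT, _d("2023-03-10")),
    # TP-002: new link in early July, contact and bank details rewritten,
    # three amendments lodged on consecutive days.
    Event("TP-002", LINK, _d("2023-07-03")),
    Event("TP-002", CONTACT, _d("2023-07-03")),
    Event("TP-002", CONTACT, _d("2023-07-04")),
    Event("TP-002", BANK, _d("2023-07-04")),
    Event("TP-002", AMEND, _d("2023-07-05")),
    Event("TP-002", AMEND, _d("2023-07-06")),
    Event("TP-002", AMEND, _d("2023-07-07")),
    # TP-003: first link with a bank update, amendments many months later.
    Event("TP-003", LINK, _d("2022-08-01")),
    Event("TP-003", BANK, _d("2022-08-02")),
    Event("TP-003", AMEND, _d("2023-06-01")),
    Event("TP-003", AMEND, _d("2023-06-02")),
    # TP-004: quiet-period link, bank change, two rapid amendments.
    Event("TP-004", LINK, _d("2023-11-02")),
    Event("TP-004", BANK, _d("2023-11-02")),
    Event("TP-004", AMEND, _d("2023-11-03")),
    Event("TP-004", AMEND, _d("2023-11-04")),
]


def run_sample() -> Dict[str, List[str]]:
    return score_links(SAMPLE_EVENTS)


if __name__ == "__main__":
    for account, reasons in run_sample().items():
        print(account, "->", "; ".join(reasons))
```

On the constructed log, TP-002 and TP-004 are flagged while TP-001 (a single contact update after relinking) and TP-003 (a bank update at first link, with amendments well outside the window) are not. In a real deployment the thresholds would be tuned against known-good and known-fraud cases, and the output would feed a review queue rather than block the account outright, since overlinking and adjustments are both frequently legitimate.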
Conclusion
The world of cybercrime is ever expanding, and criminals keep finding new system vulnerabilities and loopholes to defraud institutions and individuals. The most effective way to mitigate cybercrime and prevent fraudsters from gaining access to sensitive information is to implement strong cybersecurity measures and to seek the guidance of experienced players in the field, such as Cybernetic Global Intelligence, one of the best globally accredited cybersecurity companies. For details, call 1300 292 376, send an email to Contact@cybernetic-gi.com, or visit www.cyberneticgi.com.