
Thousands of myGov accounts at risk after cyber breach: What you need to know

A recent case in Perth revealed that scammers had lodged a fake $8,000 tax return using stolen personal information. By changing the bank details linked to Kate Quinn’s account, they diverted the refund to themselves before Ms Quinn even realised what had happened.

Unfortunately, this is part of a broader trend. The Australian is reporting that thousands of Australians could be at risk, with over 14 million people having connected their myGov and ATO online accounts.

How did this happen?

According to the ATO, these breaches are not random incidents. They are part of a growing, coordinated wave of identity theft and online fraud, where cyber criminals exploit a combination of weak security practices, large-scale data leaks, and sophisticated scam tactics to infiltrate individuals’ myGov and ATO-linked accounts.

These attacks can be fuelled by:

Phishing

Scam emails or text messages designed to trick people into handing over their personal information. These messages often impersonate trusted organisations (like the ATO, banks, or super funds) and might ask the recipient to “verify” their identity, reset a password, or click on a malicious link. Once clicked, victims can unknowingly give hackers access to everything from login credentials to bank details.

Large-scale data breaches

An example is the recent Australian super funds incident, which compromised the sensitive personal data of millions of Australians. Once this kind of information is leaked onto the dark web, it becomes a valuable asset for scammers looking to impersonate real people.

Device-level and home network vulnerabilities

These vulnerabilities are opening the door for hackers. If someone’s laptop, smartphone, or Wi-Fi network isn’t properly secured, cyber criminals can exploit these weak spots to access stored passwords, emails, and financial data. All it takes is outdated software, a reused password, or a lack of multi-factor authentication to provide a way in.

What is the ATO doing about it?

A spokesperson from the ATO said:

“We have introduced a range of measures to better protect client identity and accounts, including Online Access Strength, client-agent linking, and a new risk model targeting fraudulent links to the ATO’s Online Services for Individuals.”

Online access strength:

This is a new feature that allows users to set different levels of identity verification when accessing ATO services via myGovID. By setting their account to the highest level of identity strength, users add an extra layer of protection, making it much harder for cyber criminals to gain unauthorised access, even if they have some of your personal information.

Client-agent linking:

This updated process makes it more secure for individuals and tax agents to connect their accounts. It’s designed to prevent cyber criminals from impersonating clients or agents to access sensitive tax records. Now, both parties must complete a stronger linking procedure before any account or information can be shared.

New risk models:

The ATO has also developed smarter detection systems that can flag suspicious activity in real time. These risk models monitor for unusual behaviour, such as attempts to access accounts from unexpected locations or devices, or efforts to change bank account details before a refund is issued. If something doesn’t look right, the system can trigger a review or temporarily block the transaction.

These measures are already being used to investigate and stop fraudulent tax returns and protect taxpayer refunds. While no system is foolproof, these upgrades are a crucial part of the ATO’s strategy to stay ahead of cyber criminals.
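For readers who build or review fraud controls, here is a small illustration of the kind of rule described under "New risk models": hold a refund when bank details were changed shortly beforehand, and block it when that change came from a device or location new to the account. This is an added example, not the ATO's model; the event fields, thresholds and sample data are assumptions made up for the illustration.

```python
from datetime import datetime, timedelta

# Constructed sample histories for two accounts (hypothetical field names and values).
FRAUD = [
    {"ts": "2025-06-01T09:00", "type": "login", "device": "dev-A", "country": "AU"},
    {"ts": "2025-07-10T02:14", "type": "login", "device": "dev-Z", "country": "XX"},
    {"ts": "2025-07-10T02:16", "type": "bank_change", "device": "dev-Z", "country": "XX"},
    {"ts": "2025-07-10T02:25", "type": "refund_lodged", "device": "dev-Z", "country": "XX"},
]
LEGIT = [
    {"ts": "2025-06-01T09:00", "type": "login", "device": "dev-A", "country": "AU"},
    {"ts": "2025-07-20T10:00", "type": "bank_change", "device": "dev-A", "country": "AU"},
    {"ts": "2025-07-21T10:00", "type": "refund_lodged", "device": "dev-A", "country": "AU"},
]

def assess_refunds(events, window=timedelta(days=14), new_age=timedelta(days=7)):
    """Return [(timestamp, decision, reasons)] for every refund lodged.

    block  = bank details changed within `window` from a device or country the
             account first used less than `new_age` before the change
    review = bank details changed within `window`, but from a familiar context
    allow  = no bank-detail change within `window`
    """
    first_seen = {}    # ("device" | "country", value) -> first time observed
    bank_changes = []  # (time of change, list of reasons it looked unfamiliar)
    results = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(ev["ts"])
        unfamiliar = []
        for field in ("device", "country"):
            seen = first_seen.setdefault((field, ev[field]), ts)
            if ts - seen < new_age:
                unfamiliar.append(f"{field} {ev[field]} is new to this account")
        if ev["type"] == "bank_change":
            bank_changes.append((ts, unfamiliar))
        elif ev["type"] == "refund_lodged":
            recent = [why for t, why in bank_changes if ts - t <= window]
            reasons = [r for why in recent for r in why]
            if reasons:
                decision = "block"
            elif recent:
                decision = "review"
                reasons = ["bank details changed shortly before refund"]
            else:
                decision = "allow"
            results.append((ev["ts"], decision, reasons))
    return results
```
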

What can you do to stay safe?

The ATO stresses that keeping personal information secure is a shared responsibility. These new tools work best when individuals also take simple steps to protect themselves, such as: 

Cyber threats are becoming more sophisticated, but by staying alert and following best practices, you can help protect yourself and your business.

Gain the essential knowledge you need to stay safe online with the growing range of free and simple Cyber Wardens courses.


It happened to me!

Have you got a Cyber attack story to share? Your story can help other small businesses protect themselves.
