The ATO has confessed to a staggering loss of over half a billion dollars over the past two years to fraudsters exploiting a significant security loophole in the agency's identity checking system.
Mark De Boer
July 31, 2023

https://www.cybernewscentre.com/plus-content/content/the-achilles-heel-of-digital-security-a-call-for-the-ato-to-step-up


As Australians gear up for the annual tax return lodgement, the revelation of an unsettling security breach by the Australian Tax Office (ATO) raises deep concerns about the security of our digital systems. The ATO has confessed to a staggering loss of over half a billion dollars over the past two years to fraudsters exploiting a significant security loophole in the agency's identity checking system.

The nature of these scams, as investigated by the ABC, is unnervingly simple. Fraudsters create fake myGov accounts and link them to the tax files of genuine taxpayers, gaining unauthorised access to the ATO's data. The recent report shows the audacity of these criminals, who have unabashedly taken advantage of the cyber vulnerabilities within the government system, leading to a colossal financial drain.

The rise in banking scams and cyber-attacks across the world is a sobering reality of our digital era. It forms part of an overarching strategy of identity fraud stemming from a surge in cybercrime and the establishment of syndicated cyber identity fraud rings, which have cast a wide net across Australia, the United Kingdom, and beyond.

In the UK, for instance, HM Revenue and Customs reported a staggering 975,420 cases of fraudulent tax rebates in 2020. These fraudsters, much like their Australian counterparts, exploited security loopholes and used stolen identities to dupe the system. Similarly, according to a report by the European Central Bank, Europe has experienced an astronomical rise in not only the number but also the sophistication of cyber attacks targeting major banks.

The ATO scam activity figures ballooned last financial year to $320 million, involving 8,100 taxpayer accounts. Some claims were cancelled before they were paid. However, the ABC reported on numerous taxpayers who discovered claims that had been paid out to fraudsters, including through bank accounts that were immediately emptied by the criminal and closed down, thwarting the bank's ability to freeze the funds.

The latest figures are only up to February 2023, so the total fraud is likely higher than $557 million.

"I'm astounded," said Vanessa Teague, adjunct professor of cryptography at Australian National University. 

"It goes to show that poor security really costs us. Why didn't they just turn it off? They need to close the holes allowing it to happen." - Vanessa Teague

The report exposed how credentials stolen from high-profile hacks like Medibank and Optus have been used by criminals to circumvent security checkpoints used by the ATO, and how the agency was failing to identify some fraudulent activity on accounts it managed.

ATO second commissioner Jeremy Hirschhorn says the agency is ramping up its anti-fraud capabilities. (AAP Image: Mick Tsikas, used in ABC report)

ATO Second Commissioner, Jeremy Hirschhorn, admitted to the challenges of identifying this particular type of fraud and defended the ATO's system settings as a balance between accessibility and security. However, it is clear that the scales need to be tipped further towards robust security to prevent such incidents from recurring.

"We are managing an acceptable level of risk," Mr Hirschhorn said.

Increased focus on myGov hacks

The agency advises taxpayers to monitor their ATO file and ensure their current mobile number is listed, so that when a new myGov account is linked, they can receive a text alert.

Mr Hirschhorn said the ATO has "recently become more focused on overlinking" and is ramping up its capacity to combat this and similar frauds.

Digital crime academics and cyber intelligence professionals agree the government should take more aggressive action to address the technical loopholes in its systems that are consistently being exploited by scammers and international cybercrime syndicates. This goes beyond patching the vulnerabilities in their systems. It involves building secure systems from the ground up, with robust safeguards that make it difficult for these fraudsters to gain access in the first place.

The recurring pattern in these incidents is the tactic of personal identity harvesting. Criminal syndicates employ advanced methods to steal personal data from banks, government agencies, and individuals. This stolen information is then used to craft fraudulent schemes, as seen in the cases involving the ATO, HM Revenue and Customs, and European banks.

While the ATO has recently announced that it will ramp up staff to prevent widespread scam activity next year, the Commonwealth agency has become another government victim of global organised scam activity. Once again, it is a national wake-up call. If the government does not take substantial action to improve public education and system security, these incidents will continue to rise. The onus is on the government to step up, educate the public, and most importantly, make the necessary changes to ensure such scams become a thing of the past.
