Cyber criminals have scammed the Australian Tax Office of more than half a billion dollars. They have done so by exploiting a weakness in the identification system used by the myGov online portal. The weakness allows them to redirect other people’s tax refund to their own bank accounts. Setting up a myGov accounts requires 100 points of ID. This is usually either a passport and driver’s license or a driver’s license, a medicare card or bank statement. And linking the myGov account to your tax records requires any two of the following documents. ATO assessment, bank account details, a payslip, a centrelink payment, or a super account. Unfortunately those are the kind of information that were impacted by the three largest Australian breaches in the past year, the Optus breach, the Medibank breach and the more recent Latitude Financial breach. Once the cyber criminals have enough information to link your tax records, they can then change the bank account details to have any tax rebate paid to their account. It is a sadly simple scam and as most payments made were for small amounts, they were not flagged by the tax office’s own monitoring system. The only way to stay safe is to make sure you don’t share your ID documents without good reason, and if you were impacted by the recent breach, make sure to get your id replaced. And to also check that the Australian Tax Office only has your bank account number on file.
https://ia.acs.org.au/article/2023/ato-pays–500m-to-cyber-criminals.html
This segment was created for the It’s 5:05 podcast