“Congratulations on selling your Footscray house,” an accountant told Sue* last month while the pair were discussing a routine tax return.
The comment was baffling. Sue didn’t own a house in Footscray.
But according to her Australian Tax Office (ATO) records, not only did her supposed inner-Melbourne home go under the hammer but her return had already been lodged.
In fact, more amendments had been put through on previous years’ tax returns and one more was still pending.
As Sue and her accountant pored over the details on his screen, a horrifying realisation set in. Someone had accessed her account, impersonated her, and fraudulently lodged five refunds from the ATO amounting to $25,000.
Amid the high-profile data breaches involving Medibank and Optus, she thought perhaps she was the victim of an unreported major government agency breach.
The truth was far more complicated.
Through Sue, ABC Investigations has uncovered a vulnerability in the myGov and ATO systems which is being exploited by cybercriminals to defraud the taxpayer.
It’s a loophole which no amount of careful management of your online activity can prevent.
‘Entirely up to me’
Sue has worked for several decades in the banking and large commercial sectors.
Recently retired, she divides her time between a city pad and a regional Victorian “tree change” property.
The Melbourne woman is what cyber security and information experts would characterise as the model citizen for digital hygiene.
She knows to never click on unsolicited or strange links; she never discloses her passwords, which are complex and unique; she keeps her myGov and ATO online sessions restricted to one device, which she has scanned extensively for malware or viruses.
Sue even shreds her physical receipts; but scrupulous security habits could only take her so far, as she discovered that day in her accountant’s office.
Whenever a user logs into myGov to access their ATO account, a two-factor authentication (2FA) is triggered; in Sue’s case, she was supposed to be sent a code to her phone.
She had not received any such account authorisation request in recent months.
“We found that the address, the [bank] account number, the telephone number, the email had all been changed,” Sue said.
Sue had been an Optus breach victim. She initially thought the hacker must have used that information to help crack into her ATO account — but ABC Investigations found this wouldn’t have been enough for the perpetrators to get in.
From her accountant’s office, Sue called the ATO right away and stumbled into the first of many hurdles.
“I think it was about three hours I sat in my poor accountant’s office that day,” Sue recalled.
The ATO locked her account but when she asked the agency if they would contact the police about the fraud, or UBank — which the fraudster was using to receive the bogus tax refunds — she received a disappointing response.
“The answer to all that was no, that was entirely up to me,” she said.
The tax office told Sue to wait for a call from a case manager.
“The time period in which they were likely to even start investigating was indicated to be around about three weeks,” Sue said.
“So whoever’s perpetrating this could be long gone before they even look.”
Sue was then sent down a labyrinth of UBank’s automated phone system for hours before finally being told to write to its parent company National Australian Bank (NAB).
She was anxious the entire time — whoever impersonated her could see her bank account number, and she knew it was only days until a large deposit was due to land in her savings.
“The stress was huge”, she said.
“This was all happening at the time when we were also moving house and had a property sale and a property settlement.”
More precious hours and days would pass as she went through the gruelling process of reporting it to the police, creating a new bank account, and informing her super fund of potential fraud.
Down the rabbit hole
ABC Investigations last month revealed myGov, ATO logins and Virgin Money credentials were being hawked online at bargain rates on the dark web.
Following the story, which also revealed how thousands of NDIS recipients had not been notified that their private details had been hacked, Minister Bill Shorten’s office and the Bank of Queensland contacted ABC Investigations to stress that neither the NDIS, myGov, nor Virgin Money had been directly attacked.
The report also prompted Sue to contact the ABC.
We went down the rabbit hole with her and despite being told by various agencies they had “robust protections” or that Sue’s accounts were “not compromised”, the vulnerabilities uncovered were hard to ignore.
Four weeks after Sue first complained to the tax office, and having heard nothing back, ABC Investigations contacted the agency about her case.
Shortly after, the ATO finally rang her to explain what it knew about how the hack was perpetrated.
Sue was told the fraudster created a bogus myGov account and on September 24 they linked this new profile to her ATO account using her tax file number (TFN), her date of birth, and another credential which the agency didn’t specify.
After changing her personal details, the fraudster severed Sue’s ATO account from her genuine myGov account which prevented her from seeing any refund assessment notices — it also bypassed the extra layer of protection provided by a two-factor authentication.
Sue was told by an ATO officer this was not uncommon and was advised “there are lots of fraudulent myGov accounts accessing tax files”.
Services Australia confirmed to ABC Investigations all that is required to create a myGov account is an email address. No proof of identity is necessary and there is no limit on how many accounts can be opened.
“It’s a gaping hole,” Sue said about the exploit the government said it would tighten after the ABC exposed it in 2020.
How hackers obtained Sue’s TFN was mystifying. That kind of information, as far as she knew, wasn’t stolen during the Optus breach.
The ATO has since clarified with ABC Investigations that TFNs are not required to link myGov and ATO accounts.
Days later, Sue was still pressing the ATO to find out what information the hacker had about her. As of Friday morning, she was told that the criminal(s) did in fact need her TFN.
The hackers had repeatedly changed the bank account details in her ATO profile between refunds. The UBank account Sue saw on November 15 was just the last in a string of accounts which were used to perpetrate the fraud.
Sue asked whether the relatively small size of the refunds the criminal(s) claimed, about $5,000 each, was the reason they weren’t flagged, despite multiple changes in her personal details.
She says the ATO officer agreed higher amounts would’ve been detected, and told her that the ATO now has a system to monitor for multiple changes to a bank account.
But it hadn’t been triggered in her case. Sue said the ATO officer confirmed the fraud on her account was not discovered before she raised the alarm.
ABC Investigations also approached both Services Australia, which manages myGov, and UBank about Sue’s case — neither could provide a full picture of what happened.
UBank confirmed the accounts the ATO paid those refunds into were not in Sue’s name and did not have her TFN linked to it.
It wouldn’t say if those refunds were returned to the ATO, only that “once … funds have been moved it can often be difficult to recover”.
It declined to answer how many UBank accounts have been flagged for this type of tax fraud this year.
Services Australia told ABC Investigations it had analysed Sue’s genuine myGov account and found it had never been hacked and all fraudulent activity had originated from the fake one.
It said myGov had “robust protections” and that Sue’s account “remains secure and was not compromised”.
It did not address why there were few restrictions around creating bogus myGov accounts, but pointed to the security steps required to be met before myGov would let users into other accounts like the ATO.
“Setting up a myGov account alone is not sufficient to access member service accounts,” it said.
The ATO declined to answer any questions around its detection systems or provide further information about how common this type of fraud was. It said this was “to ensure the risk of fraud proliferation is minimised”.
Cybersecurity in secret
Adjunct professor of cryptography at Australian National University and founder of Thinking Cybersecurity, Vanessa Teague, believes keeping information about cyber security problems secret does more harm than good.
“There’s a particularly pernicious Australian habit of hiding details and saying, ‘Oh, we’re keeping it secret for security reasons’, which is not justified,” Ms Teague said.
“If the protocol isn’t sound, then it’s not helping anybody to obscure it from the public … because the bad people are going to figure out how it works, and you’re just obscuring the opportunity for good people to help you.
“If we actually knew what was going wrong, then every other organisation that had sensitive information about people would be able to use each attack as a learning experience, instead of just constantly repeating the same mistakes.”
Security company CyberCX’s Katherine Mansted told the ABC last month how hacking victims were often left in the dark.
“We’ve had something of a national reckoning on privacy and data protection and just the value and the importance and sensitivity of people’s personal private information,” she said.
“It’s long overdue for us to be focusing on that, but I think there’s a need for law enforcement and for the government to rethink and review their processes around notifying victims.”
Throughout her ordeal with the ATO, something was playing on Sue’s mind. The hack was a series of small frauds in plain sight that went completely undetected for weeks.
“Most people aren’t even going to look at their tax accounts until next July,” Sue said.
“If this is actually a whole lot of other people as well… they’re never even going to know this is happening. This could be going on willy-nilly until July next year.
“It could be millions of dollars, or even worse. As taxpayers, we’re all going to end up wearing that.”
The ATO has implemented additional security measures to her account, but Sue believed the agency should be more alarmed by her case.
She contacted her local MP, Mr Shorten, who is also responsible for myGov. His office redirected her to the minister for cybersecurity Clare O’Neill.
Ms O’Neill’s office was polite, Sue said. They listened to her and then thanked her for sharing her story.
She hasn’t heard from them since.
*Sue is a pseudonym. The ABC changed her name to protect her privacy