Get all your news in one place.
100’s of premium titles.
One app.
Start reading
ABC News
ABC News
Business
Exclusive by Katie Hamann, Eleni Psaltis, Nicole Hegarty and Sarah Dingle

Accountants report spike in hackers lodging false tax returns, superannuation claims

With almost half the adult population of Australia affected by the Optus security breach, questions are swirling about how stolen identity data can be misused.

Sharon Brownie has learned the hard way just how dangerous someone in possession of your personal information and ID documents could be.

She was one of a group of people who came forward to RN Drive this week alleging their online government accounts had been compromised, with false tax returns and applications for early superannuation drawdowns lodged on their behalf.

Dr Brownie had spent four decades working as a nurse, public service executive and academic.

A dual Australian-New Zealand citizen, her tax affairs have been complicated by stints working across the ditch, in the Middle East, Africa and the Pacific, and the transaction of properties here and at home.

For more than 12 years she has relied on Melbourne accountant Ercole Lanzon to lodge her returns.

"I have confidence that a certified accountant is lodging things correctly, whereas I could make mistakes without actually realising, which could have big implications for my work", Dr Brownie said.

Two weeks ago, she called Mr Lanzon and they agreed to meet in October to reconcile last year's return.

Days later, Mr Lanzon received an email from the ATO regarding his client, saying her recent application for a determination for the release of more than $11,000 from her superannuation account under the First Home Super Saver scheme (FHSS) had been approved.

But Dr Brownie had not made any such application — nor was she even eligible to do so.

"He [Ercole] and I both know that I've had a home before and that I have several investment properties, and that I had sold one last year and was currently selling the others," she said.

"He's done my taxes for 12 years; every year we declare it.

"The ATO knows all of this information, so why would they approve an application from me, and then within that application approve that $11,500 could be drawn from my superannuation account?"

The FHSS scheme was introduced in 2017 to enable first home buyers to make voluntary contributions to their superannuation fund for the purposes of saving for a deposit.

To apply under the scheme, individuals need to request a determination from the ATO.

According to their website, to do this you log into ATO services online through myGov.

In Dr Brownie's case, it was here that mystery deepened, because she said there was no record of this application on her myGov account.

"When I went into my myGov account to see my transaction history, there were no entries for the months of August and September," she said.

"The only service I have linked to is Medicare, for my COVID health record, and myGovID.

"I haven't linked my ATO account."

Not an isolated incident

Alarm bells were already ringing for Mr Lanzon.

A fellow accountant, Rohan Dyson, had recently told him of a similar breach at his practice.

Mr Dyson discovered that a series of fraudulent Business Activity Statements had been lodged on behalf of one of his clients totalling $200,000.

The ATO didn't pay the claim, but instead launched an audit.

He says the first he knew of any of this was when the ATO informed him it was auditing his client, after he had been locked out of the client's account.

"Basically they must have somehow set up a phoney or a new myGov account on her behalf and then linked it to the ATO," Mr Dyson said.

But Services Australia, which manages myGov, has rejected these claims.

In a statement to RN Drive, Services Australia said myGov could be used to link to up to 15 federal and state government services.

"An email address is needed to create a myGov account," the statement read.  

"Customers can then link a government service to their myGov account, if they meet the proof of record ownership requirements of that service.

"Customers cannot link the same government service to multiple myGov accounts.

"It is optional for customers to have a myGovID Digital Identity. [They] can choose to connect their myGovID digital identity to a myGov account [and] this allows customers to sign in to their myGov account using their myGovID digital identity.

"myGovID is administered by the ATO."

Locked out of account

After hearing of Mr Dyson's experience, Mr Lanzon's concerns about his client Dr Brownie escalated.

When he tried to access her account via the ATO portal, which is only accessible to registered tax agents, he found he was locked out.

When he did regain access, he discovered, in addition to the application to withdraw super, that a false tax return had been lodged in Dr Brownie's name for $7,000 on September 6.

The ATO acknowledged the breach and placed a block on her tax account, setting in motion a laborious and worrying quest for answers.

Closer to home

Suspecting this was unlikely to be a one-off case, Mr Lanzon sought assurances that his own family's accounts were secure. It was then that he learned that someone had taken over his son's tax profile.

"When I got into my son's account, to my horror, I noticed that his 2022 tax return had been lodged and a refund of $7,410.26 was paid out, not to him, but to someone else," he said.

It appeared that whomever had accessed the account had also changed the bank account details for the refund, which had already been paid out.

"The ATO told me on the phone, that as long as there's a bank account there they will simply just pay the money. They don't check the name on the bank account with the account number — I was staggered," he said.

Mr Lanzon's son is an apprentice engineer who earns roughly a third of the $100,718 in income that the false tax return alleged.

Mr Lanzon says at least 12 of his clients' tax profiles have been breached in the past two months. These violations have included another attempt to access superannuation via the FHHS scheme, and false GST registrations.

"By registering someone for GST they can lodge false GST returns, get paid out and if they didn't know that, they'll get an audit for fraudulent tax returns," he said.

Mr Lanzon says tax file numbers can't be transferred, so once compromised you remain at risk forever.

Concerned that his own systems may have been hacked, he contracted a cybersecurity expert to examine his business.

"We don't use any online software and only one of my computers is linked to the ATO gateway, and it's a secure link," he said.

"The technician said there was no sign of any hacking."

Mr Lanzon's technician has confirmed to RN Drive that he did a sweep of the businesses computers and detected no unusual activity.

But Suelette Dreyfus, from the University of Melbourne's School of Computing and Information Systems, says small businesses, like personal accountancy practices, are particularly vulnerable to hacking attacks.

"There is a long history of accountants being attacked," she said.

"The NotPetya ransomware attack, which crippled companies across the world, started with an online software company that specialises in software for accountants, by infecting the software with malware."

Under the notifiable data breaches scheme, tax practitioners are obliged to take all reasonable steps to protect client data and have sufficient IT controls.

Long waits, few answers

Meanwhile, the experience has up-ended Dr Brownie's life.

She says after confirming the false claims with the ATO, she was advised to contact her superannuation fund, banks, myGov and IDCARE, a registered charity contracted by the government to assist victims of data breaches.

She has now added other layers of security, including voice recognition, to her ATO account.

One of her banks went so far as to suggest she could return to in-person banking only.

She has lodged a complaint with the police but is holding off renewing her drivers licence and Medicare card until she knows more about where and how the breach has occurred, and what personal information and identification was used.

"Until I know how the ATO unauthorised activity occurred, I'm not wasting my time getting new cards and numbers if they then link with a system that may share data across a system that is compromised," she said.

"There are still certain vulnerabilities. How do I know if I go to the doctor and I get a refund from Medicare, that the money won't go somewhere else?"

IDCARE has confirmed that Dr Brownie contacted them to report her complaint.

They said they've been inundated with requests for help in the wake of the Optus data breach.

Dr Brownie is not an Optus customer, nor has she been in the past.

In July, IDCARE told ABC Brisbane that they had recorded 42,000 community engagements on tax and myGov fraud issues since the start of the pandemic.

IDCARE managing director David Lacey said one in five people had no idea how their sensitive data had been stolen and it could take weeks or months to resolve the issue.

What is certain is that Dr Brownie's TFN is likely to remain compromised for years to come.

"Now for the rest of this person's tax life, they own a compromised TFN," said Mr Dyson.

"I would have thought you get a brand new one — they do it for companies and partnerships and trusts — but for individuals you've got it, and it's been corrupted, and it's under lock and key for the rest of your life."

RN Drive approached the ATO for comment, In a statement, they said the ATO continually monitors for ongoing threats to client information.

"The security of taxpayer information is our primary concern, and as such it would be inappropriate to comment publicly on the specific matter due to our obligations of confidentiality and privacy under the law," the ATO said.

"The ATO undertakes a range of checks for all FHSS release requests, including assessing the factors you have noted; these checks can prevent fraudulent requests resulting in the release of an individual's superannuation under the FHSS scheme.

"While a FHSS release request may be submitted successfully, this does not mean it will result in super amounts being released.

"Where a client is known to have a compromised identity, as a precaution, the ATO places safeguards and additional assurance checks on their ATO account until we can complete our investigation."

Sign up to read this article
Read news from 100’s of titles, curated specifically for you.
Already a member? Sign in here
Related Stories
Top stories on inkl right now
One subscription that gives you access to news from hundreds of sites
Already a member? Sign in here
Our Picks
Fourteen days free
Download the app
One app. One membership.
100+ trusted global sources.