Hackers targeting ATO tax refunds using stolen identities
While victims, accountants and the tax ombudsman have all flagged issues in the myGov and ATO systems, the ATO says the incidents likely related to identity theft.
Hackers are harvesting potentially thousands of bogus tax returns as they exploit ongoing security weaknesses in the Australian Taxation Office’s online portal and the commonwealth’s myGov system.
Unsuspecting taxpayers and their accountants are discovering that hackers have infiltrated their myGov accounts, filed fake tax returns and directed the refunds to their own bank accounts despite the ATO having taken steps to clamp down on the practice.
The incidents are the latest of several brazen massive frauds and hacking attacks around Australia, including a series of hacks targeting superannuation funds in April, and they show the ongoing dangers posed by hackers who are holding information stolen from prior data breaches.
While victims, accountants and the tax ombudsman have all flagged issues in the myGov and ATO systems that they say have at least contributed to the success of the frauds, the ATO said incidents of “unusual activity” in ATO accounts were likely related to identity theft.
“Identity information can be compromised in a variety of ways, including requests for information by malicious actors, phishing emails, large-scale data breaches, and individual device or home network hacking,” the ATO said.
“The ATO can confirm that its systems are secure, resilient and have not been compromised.
“The ATO continues to remain vigilant for new and emerging cyber threats.”
Questions to the ATO about the exact number of Australians caught up in the saga, the amount of money both paid out to and recouped from fraudulent returns, and whether or not any arrests have been made over the incidents, were not addressed. But victims who have been through the process of resolving the breaches believe there are likely thousands of others in the same position.
Perth woman Kate Quinn, who works in the not-for-profit sector, discovered that hackers had filed a fraudulent tax return in her name earlier this year when her husband asked their accountant to prepare their tax returns.
The accountant found that they were no longer authorised to manage her tax affairs and that an $8000 tax return had been lodged on her behalf for the last financial year. The hackers had changed Ms Quinn’s linked bank account details, ensuring that they received the tax refund.
Ms Quinn told The Australian she was staggered to find just how easy it was for hackers to commit the frauds when armed with the necessary information.
She said ATO officers had told her that it could take hackers only seconds to execute the fraud.
“They hack in, they untick ‘notify me or notify my tax agent’ and change the bank account details. (The ATO officer) said it probably takes all of 10 to 15 seconds (to) change the bank account details and the money’s gone, and the case is closed and no one’s notified,” she said.
Ms Quinn said the changes to her myGov information were made without triggering any of the two-factor authentication processes designed to reduce the risk of hacking incidents.
She said she was shocked to discover during her interactions with the ATO just how common such incidents were.
She said she spoke to several ATO personnel who were working full-time solely on investigating and resolving such incidents, and as a result of those interactions believed there were thousands of other people in the same situation.
She was initially told the backlog of cases was so large that her matter might take at least a year to resolve, but after four months she escalated her matter to the ATO’s complaints department and had it sorted out in a matter of days.
“There are people who are really desperate to get their returns and people who would have been counting on that money. I just find it incredible,” she said.
More than 14 million taxpayers have linked their myGov account to their ATO Online accounts.
Accountant Adrian Raftery told The Australian one of his clients had an almost identical experience. As with Ms Quinn, the fraud was discovered only when the accountant went to file the most recent tax return.
In this case, the hackers had not only filed a new tax return but had also successfully amended the prior year’s return and had tried and failed to amend another. The hackers had successfully collected more than $14,000 in fraudulent returns before their third attempt failed.
He said the ATO should have systems in place to automatically flag instances where bank account details were changed, tax agents removed and amended or unusually large returns filed.
“If there was an amendment done to a prior-year return that was lodged by a tax agent previously, but an amendment is done personally, that should be a trigger point for the ATO, combined with a change in bank account details,” he said.
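The correlation rule Mr Raftery describes, written out as an added illustration (not ATO or myGov code): it groups constructed account-change events per account and flags a lodgement when a bank-details change, agent unlinking, disabled notifications or a self-lodged amendment to a previously agent-lodged return cluster inside a short window. The event names, weights, window and threshold are assumptions chosen for the example.

```python
from datetime import datetime, timedelta

# Constructed sample events (an assumed schema, not the ATO's real audit log).
# Account A1 mirrors the pattern described in the article; B2 is a benign
# bank-details update weeks before an agent-lodged return.
EVENTS = [
    {"account": "A1", "ts": "2025-02-10T09:00:05", "type": "bank_details_changed"},
    {"account": "A1", "ts": "2025-02-10T09:00:09", "type": "agent_unlinked"},
    {"account": "A1", "ts": "2025-02-10T09:00:12", "type": "notifications_disabled"},
    {"account": "A1", "ts": "2025-02-10T09:01:40", "type": "return_lodged",
     "lodged_by": "self", "prior_lodged_by": "agent", "amount": 8000},
    {"account": "B2", "ts": "2025-03-01T14:00:00", "type": "bank_details_changed"},
    {"account": "B2", "ts": "2025-04-15T10:00:00", "type": "return_lodged",
     "lodged_by": "agent", "prior_lodged_by": "agent", "amount": 1200},
]

WINDOW = timedelta(hours=24)          # assumed correlation window
WEIGHTS = {                           # assumed signal weights
    "bank_details_changed": 2,
    "agent_unlinked": 2,
    "notifications_disabled": 3,
    "self_amendment_after_agent": 3,
}
THRESHOLD = 5                         # assumed review threshold


def risk_signals(events, window=WINDOW, threshold=THRESHOLD):
    """Return {account: finding} for lodgements whose correlated signals score >= threshold."""
    by_account = {}
    for e in events:
        by_account.setdefault(e["account"], []).append(e)
    findings = {}
    for acct, evs in by_account.items():
        evs.sort(key=lambda e: e["ts"])
        for lodgement in evs:
            if lodgement["type"] != "return_lodged":
                continue
            t = datetime.fromisoformat(lodgement["ts"])
            signals = set()
            # Agent-lodged history, now lodged/amended personally: the trigger Raftery names.
            if lodgement["lodged_by"] == "self" and lodgement["prior_lodged_by"] == "agent":
                signals.add("self_amendment_after_agent")
            # Any weighted account change in the window before this lodgement.
            for other in evs:
                age = t - datetime.fromisoformat(other["ts"])
                if other["type"] in WEIGHTS and timedelta(0) <= age <= window:
                    signals.add(other["type"])
            score = sum(WEIGHTS[s] for s in signals)
            if score >= threshold:
                findings[acct] = {"score": score, "signals": sorted(signals),
                                  "amount": lodgement["amount"]}
    return findings
```

Such a rule would hold the refund for review rather than block it outright, since legitimate taxpayers do change banks and agents; the point is that the combination, not any single change, is what warrants a second check.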
The original source of the data used for the hacks was unclear, but Mr Raftery suspected much of the information may have come from historical data hacks of large super funds. He said he believed the full scale of the hacking was likely to be much larger than authorities believed.
“I’m certain there’s probably been a lot of $1000, $2000 and $3000 refunds that have been issued to third parties without people knowing,” he said.
The claiming of fraudulent returns through myGov and the ATO’s online portal has long been an issue. The Inspector-General of Taxation and Taxation Ombudsman previously launched an investigation into the problem in late 2023 and handed down interim findings more than a year ago.
That report made more than a dozen recommendations aimed at tightening the ATO’s systems, including introducing additional security measures for instances where bank account details and contact information were changed.
The ombudsman found at the time the ATO had “limited” automated checks and controls, and its account monitoring processes likely had “limited effectiveness in mitigating the risk”.
In a statement, the ATO said it had taken a number of steps to improve its security.
“In the past year, we have introduced a range of measures to better protect client identity and accounts, including Online Access Strength, client-agent linking, and a new risk model targeting fraudulent links to the ATO’s Online Services for Individuals,” the ATO said.
“We continue to encourage individuals to use myID when interacting with the ATO’s online services and to set up to the highest identity strength where possible to make it harder for fraudsters to exploit their identities.”