ATO Account Got Hacked - How Long Will It Be Fixed?

Taro Milk Tea on 09/07/2024 - 13:05
Last edited 09/07/2024 - 13:17

Last year, my ATO account got hacked and the hacker managed to amend the previous years of my tax return so that he got paid around $25k. (Yes yes, lesson learnt. Always triple check email/sms/call from someone claiming to be from ATO).

I noticed on the day where the hacker made the changes and called ATO straight away. I told them to lock the account and cancel the payments because I got hacked - which they acknowledged they have stopped the payments.
Couple of days later, the payments got processed into the hacker's account (great job ATO).

I called again after that to check what am I going to do now and they mentioned that I can keep using the account as per normal (they just adding new layer of securities to login) and they will fix my account in next few weeks.

Now a year later….my account has not been fixed. I am still owed by ATO around $400 for my tax return 22/23…called ATO again and they were not helpful as always. Kept saying they will fix it and I can still submit the 23/24 tax return. Well…if I submit again, they will not process paying me because technically I am still in 'debt' to pay them back the $25k (PLUS INTEREST!!)

Anyone ever experienced this? How long will ATO fix this?

TLDR: ATO account got hacked. One year later, my account has not been fixed and ATO still owes me my tax return. How long will it take for ATO to restore an account that got hacked?

Financial

Related Stores

Australian Taxation Office
Australian Taxation Office

Comments

  • djsweet on 09/07/2024 - 13:08
    +86

    Lol ATO paid 25k to scammers even after you notified them it was a scam and 1yr later they don't even care. Yet they will hunt you down and penalise you for the tiniest deduction if you can't prove it. Good job ATO.

    • AngoraFish on 09/07/2024 - 14:40
      +25

      The ATO does not penalise people for making good faith mistakes, and the vast majority of people never get audited at all.

      • djsweet on 09/07/2024 - 14:54
        -3

        maybe.. I recall there being some pretty concerning posts on here about it in the past.
        Wait here we go https://www.ozbargain.com.au/node/850658

        • Randolph Duke on 10/07/2024 - 09:10
          +8

          If your deductions are far outside the bounds of what the ATO considers reasonable for your job type then yes there's a good chance you'll be audited. That thread screamed audit me based on some of the comments and nuggets of what got claimed.

        • blimpyboy on 10/07/2024 - 22:39
          +2

          The replies to that post indicate that the ATO was probably right to audit in that situation

        • AngoraFish on 10/07/2024 - 23:34
          +2

          Okay, I wasn't planning to engage here on this thread, but sheesh, that's an embarrassing example. I can't imagine why the ATO might want to audit someone who works in aquaculture claiming as a work expense the transportation of "bulky tools and equipment" such as sporting gear, heart rate monitors, GPS trackers, uniforms, journals, books, fridge, webcam, speakers, water testing equipment, printer/ scanner and a coffee machine. /sarcasm

      • Mintee on 10/07/2024 - 08:13
        +1

        Ive had one of their 'Your claims are higher than usual' letters…. it makes you shit your pants….. especially when you pay for an accountant and do everything legit, by the book.

      • Roentgenium on 10/07/2024 - 10:11
        +2

        there are also the safe harbour provisions which protect the client if your tax agent is stupid.

      • ATTS on 12/07/2024 - 17:53

        Who would likely get audited?

        • AngoraFish on 13/07/2024 - 08:35

          If you are flagged for an audit it is normally because the deductions that you are claiming are significantly higher than other people working in similar jobs in the same industry. The ATO has decades of data on this stuff, they don't audit people for the LOLs.

    • frewer on 10/07/2024 - 20:56
      -3

      Plot twist: Hackers got smarter, they already get paid ~1billion, the new scam calls Ukraine

    • RTX9090Ti on 11/07/2024 - 20:35

      Plot twist, OP is the hacker, tried to make amendment to get $25k refund and blamed the hacker for it bypassing the audit.

  • soan papdi on 09/07/2024 - 13:08

    I told them to lock the account and cancel the payments because I got hacked - which they acknowledged they have stopped the payments.
    Couple of days later, the payments got processed into the hacker's account (great job ATO).

    Do you have this in writing?

    • Taro Milk Tea on 09/07/2024 - 13:13
      -2

      Sent them a message in the ATO portal along with the screenshot of the 'revised' bank account details. Also confirming the phone conversation along with the ATO person's name in the message.

      But I am not sure now whether ATO reads any of the messages or not.

      • SlickMick on 10/07/2024 - 08:38
        +3

        Where can you send messages "in the ATO portal"? I've always wanted a way to contact ATO rather than play phone-tag; a secure message service is exactly what I want.

        • reactor-au on 10/07/2024 - 09:38
          +3

          Yeah I thought that functionality was for tax agents.

      • Typical16-bitEnjoyer on 11/07/2024 - 13:31
        -1

        Such an important and urgent issue, yet OP couldn't be assed picking up the phone a day later? Hilarious

        • Taro Milk Tea on 11/07/2024 - 13:41
          -3

          I suggest you to check your eyes urgently as it seems you have issues with it that make you unable to read properly.

          • Typical16-bitEnjoyer on 11/07/2024 - 14:16

            @Taro Milk Tea: So did you call ATO the day AFTER you sent your message?

            If you have no idea if they read the message, sounds like you did not call them to confirm receipt of your message.

  • soan papdi on 09/07/2024 - 13:27
    +4

    You can switch mygov to use passkeys, right @askbargain ?

    • askbargain on 09/07/2024 - 13:36
      -1

      No. Rarely login. Passkeys would prevent phishing.

    • sntc on 10/07/2024 - 22:36

      yes, have just enabled it for myself
      there was a news the other day about the rollout

      they also have 2fa sms and 2fa mygov app (not good reviews with ppl getting locked out)

      I prefer third party google authenticator app instead which is not available

    • snappywan on 13/07/2024 - 22:12

      What you really want is login to ATO with myGovID with the Strong indicator of strength. Then the only way anyone can link or login to ATO is via myGovID with a Strong indicator (only passport holders can get Strong). This ensures that nobody can get access through your passwords/SMS/etc. but also prevents a criminal from creating a new myGov account and linking to ATO using information they could obtain from a breach.

      ATO is a bit glitchy when detecting myGovID so you might have to logout/login with myGovID a few times, and you will know if its working correctly if both (1) your Personal Details in ATO says your Online Strength is Basic/Standard/Strong & (2) if you try to login with password/2FA or Passkeys it will refuse to let you access the ATO account.

  • MS Paint on 09/07/2024 - 13:47
    +7

    Asking for a friend but what was modified by the scammers to go from a $400 return to a $25k return without suspicion by the ATO?

    • Taro Milk Tea on 09/07/2024 - 14:06

      the PAYG and deductions part

      • Gdsamp on 09/07/2024 - 14:11
        +2

        Anything more specific? Just want to make sure my account hasn't been hacked

        • netjock on 09/07/2024 - 16:44
          +8

          Say OP has PAYG of $50k from work.

          Hacker invents an negatively geared property sucking up $25k in interest expense. You're sorted.

          • Randolph Duke on 11/07/2024 - 08:26
            +2

            @netjock: Claiming 25k in deductible interest doesn’t give you a 25k return, it would be your marginal tax rate * 25k. To get 25k back needs much higher deductions. Seems odd ATO hasn’t picked it up.

            • netjock on 11/07/2024 - 09:38

              @Randolph Duke:

              To get 25k back needs much higher deductions

              That is true.

              ATO doesn't pick up things and it is never their fault.

              There was a TikTok GST scam and like 150 ex ATO staff and contractors caught up in it (I think they got fired on the spot so they can claim they are ex. It is like saying you forgotten how to ride a bike)

              https://ia.acs.org.au/article/2024/ato-officials-terminated-….

              Public servants are on the slow road to riches. They get paid less, they work even less and let compounding in their super sort out their retirement.

        • star-ggg on 09/07/2024 - 17:13
          -1

          Could be education expenses as well. 20k to 50k in occasional course fees would not be out of the ordinary for full timers.

      • Wiadro on 09/07/2024 - 14:20
        +4

        Yeah what was the deductions and payg change?
        Asking for a friend

        • netjock on 09/07/2024 - 16:45

          Invent an investment property with really high interest expenses (loan shark)

        • larndis on 10/07/2024 - 11:49

          I think literally just increasing the deductions by a ridiculous amount.

        • CandyMan on 10/07/2024 - 12:44

          F

  • Lord Fart Bucket on 09/07/2024 - 13:53
    +12

    Just pay them with giftcards.

    • Wiadro on 09/07/2024 - 14:20
      -1

      Nah easier to feed cash into the bitcoin machine

    • CandyMan on 10/07/2024 - 12:45

      iTunes?

    • blackwind on 10/07/2024 - 14:21

      Or pay them with Disney+ gc?

  • autolux on 09/07/2024 - 14:23
    +7

    Wild. At this point, it sounds like you need a lawyer/tax lawyer.

    That is a bold hack attempt. Quite a few layers of confirmations & change notifications to get through and ultimately you need the money paid out into an account you can access, by the govt.

    • freefall101 on 09/07/2024 - 14:30
      +7

      It happens a lot. Current scam is get someone’s details, transfer their super to a smsf then just withdraw it.

      Plus there was the billions that went out in “advice” from TikTok to start a business, claim GST and it’s a free loan from the government until the banks forced them to do something about it.

      ATO compliance is a shitshow.

      • Ghost47 on 09/07/2024 - 16:31

        Read a lot of stories lately of people’s ATO accounts/myGov getting hacked. It’s actually quite scary. Everything is just getting worse and worse.

        • RedHab on 10/07/2024 - 04:17
          +11

          You can thank Medibank and Optus for leaking around 55% of Australian's personal data online through bad security.

          These provide a hacker with all the ID points they need to impersonate you with the ATO or open a credit card account in your name.

          You can also blame the ATO and banks for closing physical branches to save money, trying to do everything online. The ATO has voice identification which is now very easily spoofed. They don't care.

          • Ghost47 on 10/07/2024 - 12:22

            @RedHab: Yeah voice spoofing using AI is quite scary. Criminals only need to record a few seconds of your voice to be able to mimic it.

            The thing too is that in Australia what are the most popular websites? Probably this website and Whirlpool, I can’t think of any others because let’s face it we aren’t the biggest country out there. And guess what? Hackers can easily access these forums and understand what people are thinking. If one of these major websites gets breached and emails aren’t encrypted they could cross reference them with other data breach details and figure out the details of specific users. That’s why having multiple different emails for various uses can be important.

            There’ve been a few interesting reddit threads lately regarding breaches. Here’s one. Someone in that thread says it’s possible for hackers to use your details to open a second myGov account under your name and link the ATO to it then they can access it [second myGov account] pretty easily. Don’t know about anyone else but I think it’s absolutely ridiculous that more than one myGov account can be created for someone.

          • Nom on 10/07/2024 - 15:04
            +2

            @RedHab: The infuriating thing is that you'd easily be able to stop most of these hacks by simply sending a physical letter.

            If <making a change with the ATO> or <opening a financial account like a Credit Card> required a physical letter sent to the address on record (ie not another address chosen by the scammer) then you'd find out when a scam was happening to you. The letter would simply need to say "XYZ is happening, if this was not instigated by you then call this number immediately to stop the process".

            But because everything is now online, you don't find out until it's too late !!

        • Mintee on 10/07/2024 - 08:11
          +4

          I dont really get how these hacks work with myGov. Dont they force you to have 2FA? I always get a SMS code when attempting to login?

          • Herbse on 10/07/2024 - 10:13
            +1

            @Mintee: They do and have for many years. The problem is people give out the code when they're on the phone and skip the "do not give this pin to anyone" part of the SMS

          • Ghost47 on 10/07/2024 - 12:16
            +1

            @Mintee: They do but one of the 2FA methods on myGov is a secret question, I think this carried over when myGov was updated. People who are using that could be susceptible if that data was leaked in another breach.

            As mentioned people are also susceptible if they aren’t diligent and give out the 2FA info. Even SMS 2FA now isn’t the most secure since hackers can call up a telco and request to get your number ported out if they have your details from a data breach. And the myGov code generator app needs to be treated carefully because you could lose access to myGov if you delete it accidentally or don’t deauthorise it properly before moving to a new phone. I’m sure a lot of people out there will accidentally do one of these things at some point and then the ATO is going to have to help them out with regaining access. Sometimes when designing something you need to account for the lowest common denominator to prevent further issues from arising down the road.

            On top of all this, if you’re busy with a 9-5 (which really isn’t a 9-5 but more like 8-6 these days), raising kids etc. will you even consider any of this if you haven’t been hacked before? I don’t think many people would.

            • No ONE on 10/07/2024 - 17:41

              @Ghost47:

              Even SMS 2FA now isn’t the most secure since hackers can call up a telco and request to get your number ported out if they have your details from a data breach

              I'm interested to know which Telco allows to port out number without the authentication code for porting.

              • Ghost47 on 10/07/2024 - 18:16

                @No ONE: Looks like verification laws were updated in 2022. Probably not as common anymore as I thought although it looks like Medion (provider of Aldi mobile) was hit with a lawsuit earlier this year for not complying with the updated laws.

              • RedHab on 11/07/2024 - 05:12

                @No ONE: iiNet is notorious for this.

      • netjock on 09/07/2024 - 16:46
        -5

        Only happens to people who don't have SMSF. Imagine getting a letter to the SMSF you run a member wants to transfer out and that is yourself. LOL

        • Nom on 10/07/2024 - 15:06
          +1

          But they don't send a letter, that's the whole point. You don't find out until the money is already transferred !

          • netjock on 10/07/2024 - 16:00
            +1

            @Nom: Most people don't get the joke.

            If you have and run your own SMSF then you know all the beneficiaries so a scammer can't transfer your super out.

            Most super transfer scams are getting you to transfer to a non compliant fund (pretending they have a tax loophole to help you access your super) so they can syphon away your money overseas.

    • justworld on 10/07/2024 - 22:57

      Lol. A 'lawyer' isn't going to help. The ATO isn't going to be liable to insta-stop a transfer that might have already been in motion.

      OP says he got 'hacked' but he gave his 2FA details to the person accessing his account - not exactly a hack.

  • Dumax on 09/07/2024 - 14:25
    +20

    Have you tried the Inspector-General of Taxation and Taxation Ombudsman?

    If you haven't already, lodge a formal complaint with the ATO and go from there.

    IGT have also recently done an investigation into the ATO's actions in response to complaints about the ATO's response in relation to compromised tax accounts and identity fraud. Case Study 1 (page 24) seems to refence very similar circumstances to yours.

    • Taro Milk Tea on 09/07/2024 - 15:13

      Thanks, I will keep this option in mind in case they demand me to pay.

  • Fredfloresjr on 09/07/2024 - 14:29

    Scammer AKA was ME

    This thing won't sell anymore.

  • drfuzzy on 09/07/2024 - 14:31
    +10

    Why did you give your 2 factor authentication details to a hacker?

    How much responsibility would a court place on you vs on the ATO for the loss?

    • hopper on 10/07/2024 - 10:18
      -1

      these days its not tough for hackers to hack your sms (ATO 2 factor is only via SMS i believe) before you can. (happens mostly at night when you are deep sleep and phone on DND)

      • Ghost47 on 10/07/2024 - 12:28
        +1

        I think I’ve read about that too. Hackers call up your telco provider and pretend to be you because they have all your data (e.g. passport number, licence number etc.) which they obtained from one of the big data breaches then they get your number ported out to another provider. Then they can start receiving your 2FA SMS. If your phone ever shows SOS it’s a sign your number could’ve been ported out.

        That’s why it was important for people to update their ID etc after getting hacked.

        • burningrage on 11/07/2024 - 11:20

          But phone porting these days mandate that you do NOT switch your SIM as the system will send an SMS confirming that you are porting away and you need to say Y or N before your phone turns into SOS mode. This is if you are doing it online.

          If you are brute forcing the switch, from experience, they would make you go to a branch / store and ID yourself and the scammer will be exposed by then.

  • Browsers on 09/07/2024 - 14:32
    +7

    Appoint a tax agent, explain your situation and get the agent to lodge a complaint with the ATO to expedite the resolution. Yes it will cost you money but the agent will be better placed to push the ATO in the right direction and so that you can also get your 23/24 return submitted.

    • Taro Milk Tea on 09/07/2024 - 15:10
      -1

      Well I will not pay any further money to get this fixed - as long as ATO does not demand me to pay, I will wait. They confirmed that they will fix it anyway, it's just frustrating how slow they do their job

      • Duckie2hh on 09/07/2024 - 15:13
        +12

        Well I will not pay any further money to get this fixed

        famous last words

      • Browsers on 09/07/2024 - 15:30
        +10

        There are many well publicised cases of government agencies failing to fix known problems, with individuals suffering the consequences. You need to go on the front foot to stop it getting worse. If that means spending money, consider it an investment in protecting your interests.

        • Taro Milk Tea on 09/07/2024 - 15:39

          Fair call. Thanks for the suggestion

      • larndis on 10/07/2024 - 11:53

        Do you have anything in writing from the ATO? If you don't have a full paper trail get that ASAP .

  • Nom on 09/07/2024 - 15:15
    +7

    @Taro Milk Tea are you expecting the $25,000 loss to just be magically covered by the ATO ? Have they told in you in writing that they accept responsibility for this loss ? Tread carefully, because if they decide you contributed to the hack then you could absolutely be on the hook for the $25K !!

    • jv on 09/07/2024 - 15:46
      -4

      then you could absolutely be on the hook for the $25K !!

      That's not how it works…

      • Iwantthebestprice on 09/07/2024 - 18:34
        +7

        How? If I provide my banking details to a scammer, the scammer withdraws all my money and transfers it to another account, after I gave them the SMS authentication code etc the bank certainly will not cover those losses, so why should the ATO (aka me, u the taxpayer) cover someone’s stupidity! While it’s all well and good the OP called the ATO to report it, the hack should not have occurred in the first place!

        • bioxeed on 11/07/2024 - 10:38

          I agree with you in principle about this. But in this instance OP called and notified the ATO BEFORE any payments were made. It's fully on the ATO to have paid out after they were notified that the account was compromised.

          • Marty131 on 11/07/2024 - 12:11

            @bioxeed: Does OP have evidence of this conversation? Are all phone calls to ATO recorded? Written evidence would have been ideal.

            • bioxeed on 11/07/2024 - 13:52

              @Marty131: I'm just going by what's been given in the original post. No idea what ATO would have recorded or otherwise. Definitely having written evidence would be the best.

          • Typical16-bitEnjoyer on 11/07/2024 - 13:41
            -1

            @bioxeed: OP has not provided the actual timeframe and the ATO doesn't use something like ING. They would have tens of thousands of payments scheduled in advance and provided to financial institutions in advance, and can't just jump in and cancel a single one of those. It was likely too late to stop payment.

  • iTzTeFish on 09/07/2024 - 15:15
    +5

    You will have a compromised TFN for life now, have fun with that.

    • snappywan on 13/07/2024 - 22:15

      You can actually have ATO reissue you a new TFN, it'll take a bit of perserverence but it can be done.

  • jv on 09/07/2024 - 15:45

    I am still owed by ATO around $400 for my tax return 22/23

    I hope you are charging them interest…

    • hopper on 10/07/2024 - 10:19
      +1

      interest…

      will it be taxable income?

    • md333 on 10/07/2024 - 12:24

      I was surprised last year, I paid my tax bill early and the ATO credited me interest for the period from then until it was due.

      • jv on 10/07/2024 - 12:37

        will it be taxable income?

        • md333 on 10/07/2024 - 15:11

          Of course. Otherwise I'd be deliberately over paying my tax for the sweet tax free interest returns.

  • jugsy on 09/07/2024 - 15:54
    +2

    My partner got her account locked out (no actual breach) over a year ago and they still haven't "fixed" it. They can temporarily allow login when she calls, so every time she needs access she has to call, wait, be escalated, wait again, etc

    • SoapyWooder on 11/07/2024 - 08:25

      How it started? High income individual? Expat?

      • jugsy on 11/07/2024 - 12:43

        Nope

  • Ghost47 on 09/07/2024 - 16:01
    +2

    Give it another 10 years. Can’t wait for digital ID to roll out, it will be so secure. /s

  • netjock on 09/07/2024 - 16:47
    +4

    Always triple check email/sms/call from someone claiming to be from ATO

    If you get an email now. Don't click on the link. Go straight to the website to login. Emails are so unsafe.

    • reactor-au on 10/07/2024 - 09:44
      +3

      Only emails I get from ATO say there a new message from ATO in mygov inbox

      Why would anyone click a link in an email from a bank or ATO is beyond me, how can there be so many idiots out there

      • netjock on 10/07/2024 - 09:59

        Most work on a sense of urgency so you would follow the instructions. Why go to the website, login and find the issue when a simple click of the link would sort it.

        I had a call from the UK pretending to be from HSBC. The person spoke the Queen's English but I was suspicious considering I don't have anything in the UK with HSBC. They said it was your Australian account and I am like given the time difference and cost of labour it doesn't make sense to be calling from the UK. Don't forget there is also data protection laws about where your information should be based therefore they wouldn't do personal accounts out of the UK because it is so low value. You're more likely to get a call from India or the Philippines. I was at my desk so I was actually delaying them while I was checking out my accounts but if you were out and about, can't get immediate access and had lots of money in there. I only keep a running balance less than $1k.

      • Typical16-bitEnjoyer on 11/07/2024 - 13:42

        Because in general, people are idiots.

  • cashless on 09/07/2024 - 16:54
    +3

    Nice try ATO

  • MS Paint on 09/07/2024 - 19:40
    +2

    Anyone ever experienced this?

    No. Because you are one of a hand full of people who have given scammers the authentication code that states do not share this code, the ATO will never request this code. FFS

    • GOCAT9 on 10/07/2024 - 10:44
      +1

      Not necessarily true! We had our ATO account hacked as OP did, but no security authentication information was given to ANYBODY. We received no phone calls/sms/emails from anywhere requesting information or inviting us to click on links. It just happened. The ATO would not specifically say how they got in.

      As far as I am aware, the ONLY way to access the ATO is via MyGov. Same, never any phishing attempts!

      • Nom on 10/07/2024 - 15:12

        We received no phone calls/sms/emails from anywhere

        Isn't it ridiculous !?!? If they had simply sent an SMS to your registered mobile number, an email to your registered email address, and a physical letter to your registered home address at the very least to inform you that action XYZ was being taken then you could have contacted them immediately to stop it.

        Lack of notification when someone is ammending your tax return and changing your bank details to extract $25,000 as per the OP, is inexcusable.

  • Deals For Days on 10/07/2024 - 03:04
    +3

    Get the feeling that, given you’re the one who gave the ‘hacker’ (actually scammer, they didn’t ‘hack’ anything) access to your account, you’re going to have to escalate and get some professional legal advice on this one.

    I doubt the ATO are just going to cop the 25K loss due to your error, but you might get lucky. Since you notified them before the transfer, that will probably mean there is some responsibility on their end, but I think it’s going to end up a complicated dispute unfortunately.

    Best to speak to the ombudsman as others have said.

    • Brianqpr on 10/07/2024 - 08:09
      -1

      If OP contacted the ATO before the payments were made it should be on the record. If they've then stuffed up and paid it that's on them.

      I deal with banking scams in my job. No way would AFCA not hold the bank responsible in similar circumstances.

      • regenade on 11/07/2024 - 03:11

        Getting ATO to own up is much harder ! It takes upto 10 years for even the ombudsman to make changes to the ATO

        • Brianqpr on 11/07/2024 - 22:54

          The call should be recorded and on the record. If it is it confirms they knew about the issue before making the payment. They wouldn't have a leg to stand on.

Login or Join to leave a comment
Login Join