Cybercriminals have capitalised on the government’s move to give early access to superannuation during the pandemic, with hundreds of Australians saying they’ve been scammed.
The news comes via a report from the ABC who writes that fraudsters have been stealing Australians’ superannuation through the COVID-19 early access scheme, with the ATO and Federal Government moving to tighten up security protocols to curb the rate of fraudulent withdrawals.
In May, the Australian Taxation Office alerted the Government that cyber criminals had found ways to access the system using illicit identity records found on the dark web.
Now, the government is suspicious that cybercriminals have moved to set up fake MyGov log ins, and have applied to withdraw the superannuation funds of unsuspecting individuals oblivious to the fact a cybercriminal has withdrawn $10,000 of their superannuation.
Some, like Angelee Basset who had nearly $20,000 withdrawn without her consent, have pointed to potential flaws in the early access scheme that has allowed scammers to impersonate a legitimate withdrawal. “Until then, I had no idea that it was even possible to have more than one myGov account in your name,” Basset said. “In order to stop this happening to others, one of the things that should be put in place is a limit on the number of myGov accounts an individual is allowed to have.”
“It’s definitely a vulnerable system,” Ms Basset told the ABC. “The Government and all the agencies are just playing catch-up now,” she said.
“I think the Government would have been a lot more careful if this was their money rather than ours” she added, calling for the government to implement more scrutiny of withdrawals and additional identification checks.
According to the report, “Home Affairs Minister Peter Dutton said earlier this month some of the personal data used in the attack was believed to have been stolen from customer files of a tax agent who was hacked.”
The ABC also interviewed Daniel Bunten, a 23-year-old from Sydney that also had money from his superannuation account withdrawn without his knowledge or consent. Mr Bunten logged onto his banking app and noticed there was $9,000 missing from his Essential Super balance.
“I was lucky I could see my superannuation balance in my banking app,” he said. “I can’t imagine many 23-year-olds like me checking their superannuation.” Mr Bunten found, after the fact, that his account with the ATO had been delisted from his myGov account, and that scammers had lodged an early release on his behalf.
Essential Super has since refunded the missing funds “after being contacted by the ABC,” the report notes.
“We understand Mr Bunten has been through a distressing time and have worked hard to reimburse him as quickly as possible. We’re pleased to say the money has been returned to Mr Bunten in full,” a spokesperson from Essential Super said.
The government has said it has moved to tighten security, however, has refused to mention specific steps taken to reduce the potential for identity theft and superannuation fraud from cyber criminals.
Jane Hume, assistant minister for Superannuation has said that “the ATO constantly recalibrates its systems so that they’re secure, and the system has been working very well since.”
This, however, runs contrary to the testimony of the Australian Prudential Regulation Authority (APRA) who told a Parliamentary inquiry recently that “some identified cases of fraudulent account creation” since the ATO had upgraded their systems.
A spokesperson for Services Australia – the operator of myGov – has said that while it’s possible to open a number of myGov accounts in a single name, “a myGov account alone does not give access to any member services.”
“Identity fraud generally occurs when a person’s login credentials or identity information are compromised or stolen by another individual, and this information is then used to access their record,” they said.
The ABC’s report notes that “Australia’s biggest superannuation funds have publicly supported the scheme, but privately warned the Government from its inception about the security risks and the possibility of fraud.”
Superannuation groups penned a joint letter to ASIC, APRA, Treasury and the ATO calling for increased security protocols while screening applications, as well as “prior verification of bank account details submitted via myGov by the ATO against member account details held by the bank.”
Senator Hume has played down these calls, stating that “the ATO has substantial checks in place to detect fraud,” however pundits are pointing out that these checks have failed previously, and will likely fail to prevent all instances of fraudulent transactions. Senator Hume has since suggested that “the superannuation industry was trying to throw a little bit of grit in the wheels to slow the process down.”
Matthew Linden, deputy CEO of Industry Super Australia has since responded to Hume’s remarks, stating that “the correspondence was sent to make sure that we were looking after the interests of our members and make sure that no stone was left unturned in terms of additional safeguards.”
For those that have been scammed, it remains up in the air exactly where the blame lands, with Senator Hume stating that “it really depends on where the liability sits.”
“It may sit with the relevant agency, if it was the agency that was attacked. It may sit with the trustee of the super fund, if it was a super fund that was attacked. It may sit with the third party if it was the third party that was attacked,” Hume concluded.