Tax and cyber security: Are you prepared?

Since July this year, scams targeting both individual and business taxpayers have been running rife.

From fake Tax Office “delayed return” or “proof of identity” emails to telephone calls conveying similar requests, taxpayers have had to keep their guard up. So how can individuals and businesses protect themselves from online fraud and crime?

Why are cyber scams on the rise?

Scams have always been around in some form or another, but have been given fertile ground since governments have started adopting cyber solutions to transform the way they interact with both individual and business taxpayers.

Lowering costs has been a big motivator behind this trend, including the cost of collecting tax. According to the government, a service transacted over the phone costs about 16 times the digital equivalent, through the post about 32 times more, and on face-to-face transactions it is about 42 times more costly. So given both the convenience and possible cost savings, digital is the way of the future. This is further evidenced by the introduction of the government’s myGov online portal and its myTax tool.

Cyber security therefore looks like becoming an even bigger issue for taxpayers now and into the future. This has been underlined by the fact that individual taxpayers have already started to receive direct Tax Office contact through myGov rather than through their tax agent.

With more direct contact channels being opened up online for taxation and superannuation transactions, the greater the temptation will be for hackers and fraudsters to target individuals and businesses. And the greater the volume of sensitive information out there in cyber space, the greater the need to be careful.

How can individuals protect themselves?

The Tax Office says it takes the security and privacy of individuals’ personal information very seriously, and has a range of systems and controls to guard people’s data and records of its interactions with taxpayers.

It has undertaken to never request personal information such as tax file numbers (TFNs) and bank details via an electronic communication (such as emails and SMS).

If you do receive an SMS or email asking for personal information, the Tax Office advises that the entire communication should be forwarded to ReportEmailFraud@ato.gov.au.

If you are unsure about any other communication that looks like it could have come from the Tax Office, make sure you ask this office for assistance.

Tips for individuals

Other tips to protect your online information include:

Be cautious when clicking on hyperlinks embedded in SMS messages and emails

Make sure you keep your TFN and passwords secure. Don’t share your password with others and never reply to emails with your password or other sensitive information, such as your TFN, including to prospective employers. We recommend you change your passwords regularly

If you are unsure about the legitimacy of any notification you receive, check with this office.

Your myGov account

If you do have a myGov account, you may well receive notifications via myGov that this office may not necessarily receive. If any communications received are regarding tax, it will be best to confirm with this office.

If your myGov account was initially set-up to provide a portal to deal with government bodies other than the Tax Office (for example to deal with Medicare or Veterans’ Affairs, or regarding child support, superannuation matters and so on), it is also possible for notifications regarding taxation matters to be sent to your account, even though you may not have linked myGov to myTax.
It is important that you let us know if this is the case.

Protect your password

Passwords are of course central in protecting your sensitive information, but you must ensure they are “strong” (that is, think about having a mixture of characters, numbers, upper and lower cases and perhaps symbols).

Password safety tips include:

  • Have different passwords for different activities and change them regularly, particularly those for sensitive transactions such as banking, social networking and your computer log-on
  • Don’t store a list of your passwords on your phone or on your computer in a Word document – this makes it easy for anyone who gets into your computer to access your social networking, banking and other accounts
  • Select “no” when your computer offers to automatically remember a password when logging into a website, especially banking, social networking and web mail accounts. This is because scammers can use malware to find these stored within the computer.

If it helps to write your passwords down, especially if they are “strong” (that is, complicated), do so – but hide them somewhere safe, away from prying eyes and not together with your computer log-on.

What can businesses do to protect themselves?

All of the above applies equally to anyone running a business, but cyber security issues such as identity theft no longer purely apply to consumers and individuals. Fraudsters have learnt that businesses also have identities that can be stolen, and the details of unsuspecting businesses can be used for easy money and/or goods.

Business identity theft can be much like its consumer counterpart and involves the actual impersonation of the business — that is, not the people behind the business, but the business entity itself. This is somewhat different to the common notion of crime perpetrated against businesses (such as hacking into its database for financial records or confidential customer information).

A business identity can be stolen and used to commit tax fraud, create other fake business entities, lodge fraudulent GST claims, and take out loans. Unlike the identity theft of a consumer, who may notice a compromised bank balance fairly quickly, victimised businesses could unwittingly be giving thieves up to 30 days (a common payment term on invoices) after fraudulently ordering goods and services.

Of course, identity thieves who access your business’s information may also find they have access to employee personal information, such as TFNs, bank details from payroll data, super fund details and personal addresses.

Tips for business

To protect your business and your employees from identity theft, it is recommended that you:

  • Secure your business files and employee information when they are not in use
  • Regularly change all passwords
  • Ensure that you and all your staff log out of systems and lock computers when they are not in use
  • Make sure that your computers and other devices have up-to-date security and anti-virus software.

It should also be emphasised that a business’s AUSkey needs to be kept safe, and that if it is used on multiple devises to consider storing your AUSkey on a secure memory stick with a password. Other information that will need to be secured are your activity statements, forms and other records that hold supplier details, invoices and client information.

And remember, considerable time and effort is required to restore a business’s identity, amend credit profiles and sort out financial arrangements. Talk to this office for our help if you have concerns.