Tax and online fraud: protect yourself and your business

Since July this year, scams targeting both individual and business taxpayers have been running rife.

From fake Tax Office “delayed return” or “proof of identity” emails to telephone calls conveying similar requests, taxpayers have had to keep their guard up.  So how can individuals and businesses protect themselves from online fraud and crime?

Scams have always been around in some form or another, but have been given fertile ground since governments have started adopting cyber solutions to transform the way they interact with both individual and business taxpayers.

Lowering costs has been a big motivator behind this trend, including the cost of collecting tax. According to the government, a service transacted over the phone costs about 16 times the digital equivalent, through the post about 32 times more, and on face-to-face transactions it is about 42 times more costly. So, given the convenience and cost savings, digital is the way of the future. This is further evidenced by the introduction of the government’s myGov online portal and its myTax tool.  Individual taxpayers have already started to receive direct Tax Office contact through myGov rather than through their tax agent.

Therefore, cyber security looks like becoming an even bigger consideration for taxpayers into the future.

The more direct contact channels opened up online for taxation and superannuation transactions, the greater the temptation will be for hackers and fraudsters to target individuals and businesses. And the greater the volume of sensitive information out there in cyber space, the greater the need to be careful.

The Tax Office has a range of systems and controls to guard people’s data and records of its interactions with taxpayers.

• The Tax Office will never request personal information such as tax file numbers (TFNs) and bank details via an electronic communication (such as emails and SMS).
• If you do receive an SMS or email asking for personal information, do not follow any links or reply to the communication.
• The entire communication should be forwarded to [email protected].

If you are unsure about the legitimacy of any communication, remember that the team at Synectic are always happy to give you guidance.

Other tips to protect your online information include:

1. Be cautious when clicking on hyperlinks embedded in SMS messages and emails. If you’re not certain they are legitimate, don’t.
2. Keep your personal information secure. Never reply to emails with sensitive information, such as your TFN, including to prospective employers. See more about what to do if your TFN is compromised in our article “Victim of identity theft? The taxman can help”.
3. Protect you password (more on that below).

If you have a myGov account, you may receive notifications via myGov that, even as your tax agent, we may not receive. You can still confirm communications regarding tax matters with us to be sure they are legitimate.

If your myGov account was initially set-up to provide a portal to deal with government bodies other than the Tax Office (for example to deal with Medicare or Veterans’ Affairs, or regarding child support, superannuation matters and so on), it is also possible for notifications regarding taxation matters to be sent to your account, even though you may not have linked myGov to myTax. You should let us know if this is the case.

Cyber security issues such as identity theft no longer purely apply to consumers and individuals. Fraudsters have learnt that businesses also have identities that can be stolen, and the details used for easy money and/or goods.

Business identity theft can be much like its consumer counterpart and involves the actual impersonation of the business — that is, not the people behind the business, but the business entity itself.  This is somewhat different to the common notion of crime perpetrated against businesses (such as hacking into its database for financial records or confidential customer information).

A business identity can be stolen and used to commit tax fraud, create other fake business entities, lodge fraudulent GST claims, and take out loans. Unlike the identity theft of a consumer, who may notice a compromised bank balance fairly quickly, victimised businesses could unwittingly be giving thieves up to 30 days (a common payment term on invoices) after fraudulently ordering goods and services.

Of course, identity thieves who access your business’s information may also find they have access to employee personal information, such as TFNs, bank details from payroll data, super fund details and personal addresses.

To protect your business (and your employees) from identity theft, it is recommended that you:

1. Secure your business files and employee information when they are not in use.
2. Secure and regularly change all passwords (more below).
3. Ensure that you and all your staff log out of systems and lock computers when they are not in use.
4. Make sure that your computers and other devices have up-to-date security and anti-virus software.

It should also be emphasised that a business’s AUSkey needs to be kept safe. If it is used on multiple devises consider storing your AUSkey on a secure memory stick with a password. Other information that will need to be secured are your activity statements, forms and other records that hold supplier details, invoices and client information.

Considerable time and effort is required to restore a business’s identity, amend credit profiles and sort out financial arrangements. Feel free to talk to us if you have questions or concerns.

We know you’ve heard it all before, but you really must keep your passwords safe:

1. Ensure they are “strong”; that is, think about having a mixture of characters, numbers, upper and lower cases and perhaps symbols).
2. Have different passwords for different activities and change them regularly, particularly those for sensitive transactions such as banking, social networking and your computer log-on.
3. Select “no” when your computer offers to automatically remember a password when logging into a website, especially banking, social networking and web mail accounts. This is because scammers can use malware to find these stored within the computer.
4. Don’t store a list of your passwords on your phone or on your computer in a Word document – this makes it easy for anyone who gets into your computer to access your other accounts.
5. If it helps to write your passwords down do so, but hide them somewhere safe (not in a wallet which can be easily lost or stolen) and not together with your computer log-on. Try to disguise them in some way so they jog your memory but are not obvious to prying eyes (for example, note the password length or criteria, the first letter or number, but not the full password).