Scammers impersonating ATO employees to extort money, Australians' personal data sold on black market

Scammers posing as Australian Tax Office (ATO) employees are using personal data to extort money from hundreds of victims across the country.

The ATO scam has been operating for months but in an alarming development, police now say personal details of Australians are being hacked and sold on a black market to scammers overseas.

Detective Superintendent Brian Hay from the Queensland Police Fraud and Cyber Crime Group has told the ABC the ATO scam is becoming more prevalent each year.

"What that probably reflects is there's more Australian data in the dark markets of the internet and there's more Australian identity data out there that allows these crooks to target people," he said.

"It also reflects that the criminal markets in the cyber underworld are commoditising these products which gives non-cyber-related criminals the application and the tools necessary to perpetrate such frauds with greater ease, without all that expert knowledge.

"To give you an example, I can go into the underground black markets and buy say 10,000 Australian compromised credit cards for as little as 8 cents each.

"If I want the CVV number to go with those cards it will cost $8 each, but if I want sufficient identity details to change the billing address on the card that will cost me $80 each.

"So it's the identity that increases the criminal commodity by 1,000 per cent."

Perth woman Sudeshna Majumdar was scammed last week.

She told the ABC the scammers knew her tax file number, her home address, the name of her husband and the history of a lodgement issue that she cleared up some months ago.

"He verified the tax file number and I got scared that time, I have no other choice and he is telling don't try and put down the phone because it is a conference call in between federal police, ATO and you," she said.

Mrs Majumdar was home alone and did put the phone down but the scammers repeatedly called back.

Then, the man told her he had a warrant out for her arrest.

"He started continuously telling me I had to pay money otherwise the federal police would come," she said.

Mrs Majumdar was told to buy a 'Load & Go' card at the post office to load money onto it so she could pay a shortfall in her tax bill from the last financial year.

She unwittingly paid $628 to the scammers.

"So I bought this card and they told me I had to load the money, I loaded the money and then the post office lady gave me a receipt and when I came out from the post office they told me to tell them the card number otherwise they would not get the money," she said.

"So I gave them the card number, then they said I had to pay another $300 to stop the federal police."

Mrs Majumdar's daughter Soolagna was not home when the harassment began and is furious with the scammers.

"The fact they were able to state the tax file number and also the specific dates of when this lodgement issue started and ended, that really stuck out to me," she said.

"Information that was supposed to be private with her and the ATO was used in a really threatening situation. She was scared, she felt vulnerable, and she felt like she really had to get out of the situation as soon as possible."

Phishing one cause of identity theft

Authorities say phishing - where you are sent an email that appears to be from a legitimate source and asked to update your personal details on a website - is still one of the biggest ways personal data is compromised.

The emails look as though they are from a trustworthy source and send people to a fake website that looks exactly like a legitimate website.

Detective Superintendent Brian Hay says many people are voluntarily surrendering personal information without realising it.

"You'll find that sometimes the phishing email, when people respond to it, has harvested the tax file number and people have willingly put that in," he said.

"Especially for example, some of the ATO information, they want to give you a refund, they can be asking for the tax file number in that so what happens is that goes into a big data bucket and the crooks then sell it to other criminals."

He says there are three other main areas where data could be compromised.

"One, your own home PC where you could keep electronic taxation records," he said.

"Two, keyloggers on people's machines so when they do lodge their online tax return they've got a keylogger and a piece of malware installed in the machine which has actually harvested that data and sent it off to the criminals.

"Or three, a tax agent has had their computer compromised which has allowed that material to be scraped."

Hundreds of Australians being scammed

Australian Competition and Consumer Commission deputy chairwoman Delia Rickard says since January, more than 300 people have reported the ATO scam.

"But most of them tend to come in the second part of the year when people are expecting refunds," she told the ABC.

"It's a form of reclaim scam, and we've had over 6,000 complaints of reclaim scams this year, some from the ATO, some in relation to overpaid utility bills, refunds of bank fee charges, there's a whole raft of versions of the scam.

"They'll take a topical issue of the day, it could be carbon, it could be tax, it could be a whole range of things and they'll build a scam around it.

"It's not so much the topic of the scam but the signposts of it, being asked to pay money to get money that you're told is yours, that is a classic sign of a scam and people should be aware of it and not fall for it."

How to stay safe

Detective Superintendent Hay has advice for people who worry their data could be compromised.

"We have to make sure when we operate online that we do so safely and that the machines we're using are safe to use online," he said.

"So you don't do personal information on a public access system, an internet cafe, you're not going to do your financial or taxation business on such a machine, you want to make sure it's got the latest operating system.

"For example Windows XP, it doesn't cut it any more, it's not being patched, it's insecure, so you want an up-to-date operating system.

"You want to make sure it is patched appropriately every time it can be patched, you have it patched automatically.

"That you've got the latest anti-virus patched on a daily basis, that you run regular systems scans.

"And from a behaviour perspective you've got to be a bit more disciplined about what you surrender to the internet, so you don't post too much personal information or post any photographs on a device that has activated the geo-locator settings because that's just telling the crooks where you are."

Auditor-General's report criticises security measures

A report by the Auditor-General on seven government agencies, including the ATO, found they remain "vulnerable" to cyber attacks.

It found the agencies are behind in implementing updated security patches for applications and operating systems.

"The selected agencies had not yet achieved full compliance with the top four mitigation strategies mandated by the Australian Government in 2013; a requirement reflecting heightened government expectations in response to the risk of cyber attack," it said.

"Further, none of the selected agencies are expected to achieve full compliance by the Government's target date of mid-2014, notwithstanding their advice regarding further initiatives which, when implemented, would strengthen ICT (information and communications technology) security controls and protection against cyber attacks.

"Based on their stage of implementation of the top four mitigation strategies and IT general controls, the selected agencies' overall ICT security posture was assessed as providing a reasonable level of protection from breaches and disclosures of information from internal sources, with vulnerabilities remaining against attacks from external sources to agency ICT systems.

"In essence, agency processes and practices have not been sufficiently responsive to the ever-present and ever-changing risks that government systems are exposed to."

Detective Superintendent Hay says anyone who is connected to the internet is at risk.

"Every time you connect to the internet there is a degree of risk, every time you drive your car down the M1 or Pacific Highway you can never guarantee you won't have an accident and the same applies to the internet," he said.
