Protecting Your Tax Refunds: How Easy Identity Changes Are Being Exploited

A recent wave of fraud has shown just how vulnerable Australia’s tax refund system is. Cybercriminals have already redirected refunds worth over half a billion dollars by changing basic details like bank account numbers on government platforms. The problem isn’t just that fraud happens—it’s that these changes are easy to make, especially on services like myGov. Once someone gets access to your identity data—like a passport or bank statement—they can tweak your account details and reroute payments with little resistance. The Australian Taxation Office (ATO) relies heavily on personal banking info stored in online systems, and right now, that data isn’t protected well enough. Without stronger checks, it’s not just a matter of catching fraud—it’s about stopping it before it starts.

The way identity is verified online creates a lot of risk. The “100 Points of ID” system, which asks for documents like a driver’s license or bank statement, is meant to confirm who you are. But the more documents you submit, the more data hackers can collect. Recent breaches at Optus, Medibank, and Latitude Financial prove that stolen personal files can be used to build fake identities and gain access to accounts. Once inside, criminals can alter refund details and move money without being caught. The myGov platform is especially dangerous because it connects your tax records to your banking details. And right now, changing those details doesn’t require a second check—no phone call, no verification from a trusted source. That means a fraudster could simply log in, update your bank account, and redirect your refund to a different account.

How MyGov and Identity Verification Are Being Misused

• The “100 Points of ID” system creates a data dump: While it’s designed to verify identity, it collects a lot of personal details—some of which can be used to create fake identities. When these documents are stolen, they become a powerful tool for fraud.
• MyGov acts as a central gateway: Linking your tax records to myGov means your bank account number is exposed. If that number changes without scrutiny, it can be exploited to redirect refunds—especially since there’s no real-time verification of changes.
• The ATO hasn’t kept up with real-world threats: After past breaches like the PageUp incident, the ATO did step up and ask for identity reconfirmation. But it hasn’t applied that same level of caution to the current wave of myGov fraud. More proactive checks—like confirming bank changes through your employer or a trusted contact—could stop many of these scams before they happen.

Transparency matters. Government agencies need to be open about the risks of online identity verification. If they don’t talk honestly about where the gaps are, it’s hard for experts to fix them. Taxpayers should demand better—not just from the ATO, but from the systems that store their personal data. Being aware of how your details are used and how easily they can be changed is the first step in protecting your refund.

You don’t have to wait for a breach to act. If you see a change in your bank account details on myGov, report it. If you’re unsure who made the change, check with your bank and your employer. And keep pushing for stronger, smarter checks—because right now, the system is too easy to exploit.