The attempted heist on Angelee Bassett’s retirement savings had the hallmarks of a skilled cyber-criminal sting — stolen identity records, a stealthy hack through a government website and a mysterious bank account waiting to receive the cash.
But she believes the attack was made easier by massive flaws in the federal government’s early release superannuation scheme that are yet to be fixed.
“It’s definitely a vulnerable system,” she said.
“The Government and all the agencies are just playing catch-up now.”
Ms Bassett and her husband, from Perth, are among at least 150 Australians whose super was targeted by fraudsters during the first month of the scheme, which is designed to unlock billions of dollars for workers hit by the COVID-19 economic crisis.
Now she wants the government to impose tougher controls on the application process to guarantee there are no more attacks.
“I think the government would have been a lot more careful if this was their money rather than ours,” she said.
Scammers set up fake myGov accounts
In early May, the government was forced to suspend withdrawals for two days after the Australian Tax Office revealed criminals had infiltrated the system using stolen identity records.
Authorities are now investigating whether the attackers tapped into the scheme by setting up fake myGov accounts in their victims’ names, then lodging fraudulent early release super applications worth up to $10,000 each.
In Ms Bassett’s case, the fraudsters appear to have set up duplicate myGov accounts in her name and her husband’s name, and then used stolen identity information to access their ATO portals.
They successfully applied for almost $20,000 in the couple’s names, but Ms Bassett and her husband managed to thwart the fraud before the money left their accounts.
“Until then I had no idea it was even possible to have more than one myGov account in your name,” she said.
“In order to stop this happening to others, one of the things that should be put in place is a limit on the number of myGov accounts an individual is allowed to have.”
Ms Bassett does not know how the attackers accessed her identity information, but Home Affairs Minister Peter Dutton said early this month some of the personal data used in the attack was believed to have been stolen from customer files of a tax agent who was hacked.
‘I can’t imagine many 23-year-olds check their super balance’
Daniel Bunten, from Sydney, is another victim of the fraud attack, but wasn’t as lucky as Ms Bassett.
He had no idea money had been taken from his account until it was too late.
Last month, he noticed about $9000 was missing from his account after logging on to the Commonwealth Bank mobile app, which displays his Essential Super balance alongside his other accounts.
Essential Super is part owned by CBA.
“I was lucky I could see my superannuation balance in my banking app,” he said.
“But I can’t imagine many 23-year-olds, like me, checking their superannuation balance.”
Mr Bunten discovered that his ATO account had been disconnected from his myGov account, and an early release super application was lodged in his name.
Essential Super told Mr Bunten that he would be refunded the lost super money, but the super fund only deposited the missing amount into his account after being contacted by the ABC.
“We understand Mr Bunten has been through a distressing time and have worked hard to reimburse him as quickly as possible. We’re pleased to say the money has been returned to Mr Bunten in full,” an Essential Super spokesperson said in a statement to the ABC.
The government and the ATO insist the scheme’s security has been tightened and there has been no more fraud, but have declined to provide any detail about the changes.
“The ATO constantly recalibrates its systems so that they’re secure, and the system has been working very well since,” Assistant Minister for Superannuation Jane Hume said.
However, Australia’s financial regulator, the Australian Prudential Regulation Authority (APRA), told a parliamentary inquiry last week that there had been “some identified cases of fraudulent account creation” since the ATO upgraded its system, but said the fraud was small.
Services Australia, which operates myGov, confirmed in a statement that it was possible to set up multiple myGov accounts in one person’s name.
“However, a myGov account alone does not give access to any member services,” it said.
“Identity fraud generally occurs when a person’s login credentials or identity information are compromised or stolen by another individual, and this information is then used to access their record.”
Self-assessment process also under scrutiny
For Ms Bassett, the second big security gap revealed by the attack on her and her husband was that the couple were not even eligible to access their super savings under the scheme.
“My understanding is that the early release of super is only accessible to those who have had a 20 per cent reduction in their income or who are eligible for government benefits, and we don’t qualify under any of the government criteria,” she said.
“Despite this, the applications were approved in less than 12 hours.”
It appears the fraudulent applications were successful because the scheme does not require applicants to provide evidence that they are eligible. The process is entirely self-assessed.
Senator Hume defended the design of the scheme and said the Government and the ATO had no plans to tighten eligibility screening.
“It’s a self-assessment process applying for the early release of superannuation, not dissimilar to a self-assessment process that people undertake when they put in their income tax assessment forms as well,” she said.
“In the same way that you wouldn’t lie on your income tax assessment forms, you wouldn’t lie to the ATO about early release of superannuation.”
Australia’s biggest superannuation funds have publicly supported the scheme, but privately they warned the government from its inception about the security risks and the possibility of fraud.
In a joint letter to the ATO, Treasury, APRA, ASIC as well as Senator Hume, the super industry groups called for tighter screening of applications, including “prior verification of bank account details submitted via myGov by the ATO against member account details held by bank.”
Such a measure may have thwarted the attempted fraud against Ms Bassett and other victims.
But in her reply to one peak superannuation body, Industry Super Australia (ISA), the senator said “the ATO has substantial checks in place to detect fraud”.
A day after the letter was received by ISA, the first case of fraud was detected and handed over to the Australian Federal Police for investigation.
Senator Hume stands by her response.
“I think what the superannuation industry was trying to do was throw a little bit of grit in the wheels to slow the process down,” she said.
Industry Super Australia denied that the super industry was trying to delay the rollout of the scheme.
“The correspondence was sent to make sure that we were looking after the interests of our members and make sure that no stone was left unturned in terms of additional safeguards,” deputy CEO Matthew Linden said.
While some victims have managed to stop the fraud before the money left their accounts, it remains unclear who will repay those unwitting victims who have had their money stolen.
Nor is it clear when their money will be returned.
“It really depends on where the liability sits,” Senator Hume said.
“It may sit with the relevant agency, if it was the agency that was attacked. It may sit with the trustee of the super fund, if it was a super fund that was attacked. It may sit with the third party if it was a third party that was attacked.”
The New Daily is owned by Industry Super Holdings.