The Australian Taxation Office is warning businesses to review which staff members have access to their AUSkey for online tax services, following reports of thieves fraudulently obtaining AUSkey numbers and changing a business’s bank details.
An AUSkey allows a business to securely log in to a number of government services including those from the ATO, the Australian Securities and Investments Commission (ASIC), the Australian Business Register (ABR) and Austrade.
The ATO says it has identified a number of cases involving fraudulent use of AUSkeys belonging to legitimate businesses, including cases where changes have been made to the bank details nominated for transactions between the ATO and a business.
“Once an AUSkey has been allocated, access is gained to the Business Portal so that fraudulent Business Activity Statements can be lodged and bank details updated to accounts that are not controlled by the entity,” the tax office said in a statement.
Businesses are advised to regularly check which staff members are able to log in to government services using the credentials associated with their AUSkey identity, and to ensure employees who no longer work for the business cannot log in to the systems.
National Tax and Accountants’ Association spokesperson Andrew Gardiner says that while it’s not possible to know the scope of the breaches, the warnings are a good reminder to businesses that AUSkey security should be treated with the same level of care as credit card security.
“The fact that the ATO have issued an AUSkey alert would indicate there is activity on this and there could have been several occurrences where this has been problematic,” he tells SmartCompany.
As businesses become used to interacting with the tax office predominantly through online services, it is becoming increasingly important to double-check which details and banking information the ATO has on record for them.
“Now that we deal with the ATO online on such a regular basis, people do become complacent. People just need to be diligent—and businesses that are diligent treat [their AUSkey] like their credit card.”
There are simple ways to prevent fraudulent activity, Gardiner says.
“Limit access to AUSkey information to staff that need that information and that protocol, and make sure access has been removed from staff who have moved from different roles or left the organisation,” he says.
Keeping in regular contact with your accountant can also ensure your business will be aware of, and can ask someone to pursue, any issues with lodgment of tax documents, or unusual activity through an account.