ATO Account Got Hacked - How Long Will It Be Fixed?

Last year, my ATO account got hacked and the hacker managed to amend the previous years of my tax return so that he got paid around $25k. (Yes yes, lesson learnt. Always triple check email/sms/call from someone claiming to be from ATO).

I noticed on the day where the hacker made the changes and called ATO straight away. I told them to lock the account and cancel the payments because I got hacked - which they acknowledged they have stopped the payments.
Couple of days later, the payments got processed into the hacker's account (great job ATO).

I called again after that to check what am I going to do now and they mentioned that I can keep using the account as per normal (they just adding new layer of securities to login) and they will fix my account in next few weeks.

Now a year later….my account has not been fixed. I am still owed by ATO around $400 for my tax return 22/23…called ATO again and they were not helpful as always. Kept saying they will fix it and I can still submit the 23/24 tax return. Well…if I submit again, they will not process paying me because technically I am still in 'debt' to pay them back the $25k (PLUS INTEREST!!)

Anyone ever experienced this? How long will ATO fix this?

TLDR: ATO account got hacked. One year later, my account has not been fixed and ATO still owes me my tax return. How long will it take for ATO to restore an account that got hacked?

Related Stores

Australian Taxation Office
Australian Taxation Office


  • +86

    Lol ATO paid 25k to scammers even after you notified them it was a scam and 1yr later they don't even care. Yet they will hunt you down and penalise you for the tiniest deduction if you can't prove it. Good job ATO.

    • +25

      The ATO does not penalise people for making good faith mistakes, and the vast majority of people never get audited at all.

      • -2

        maybe.. I recall there being some pretty concerning posts on here about it in the past.
        Wait here we go

        • +8

          If your deductions are far outside the bounds of what the ATO considers reasonable for your job type then yes there's a good chance you'll be audited. That thread screamed audit me based on some of the comments and nuggets of what got claimed.

        • +2

          The replies to that post indicate that the ATO was probably right to audit in that situation

        • +2

          Okay, I wasn't planning to engage here on this thread, but sheesh, that's an embarrassing example. I can't imagine why the ATO might want to audit someone who works in aquaculture claiming as a work expense the transportation of "bulky tools and equipment" such as sporting gear, heart rate monitors, GPS trackers, uniforms, journals, books, fridge, webcam, speakers, water testing equipment, printer/ scanner and a coffee machine. /sarcasm

      • +1

        Ive had one of their 'Your claims are higher than usual' letters…. it makes you shit your pants….. especially when you pay for an accountant and do everything legit, by the book.

      • +2

        there are also the safe harbour provisions which protect the client if your tax agent is stupid.

      • Who would likely get audited?

        • If you are flagged for an audit it is normally because the deductions that you are claiming are significantly higher than other people working in similar jobs in the same industry. The ATO has decades of data on this stuff, they don't audit people for the LOLs.

    • -3

      Plot twist: Hackers got smarter, they already get paid ~1billion, the new scam calls Ukraine

    • Plot twist, OP is the hacker, tried to make amendment to get $25k refund and blamed the hacker for it bypassing the audit.

  • I told them to lock the account and cancel the payments because I got hacked - which they acknowledged they have stopped the payments.
    Couple of days later, the payments got processed into the hacker's account (great job ATO).

    Do you have this in writing?

    • -2

      Sent them a message in the ATO portal along with the screenshot of the 'revised' bank account details. Also confirming the phone conversation along with the ATO person's name in the message.

      But I am not sure now whether ATO reads any of the messages or not.

      • +3

        Where can you send messages "in the ATO portal"? I've always wanted a way to contact ATO rather than play phone-tag; a secure message service is exactly what I want.

        • +3

          Yeah I thought that functionality was for tax agents.

      • -1

        Such an important and urgent issue, yet OP couldn't be assed picking up the phone a day later? Hilarious

        • -3

          I suggest you to check your eyes urgently as it seems you have issues with it that make you unable to read properly.

          • @Taro Milk Tea: So did you call ATO the day AFTER you sent your message?

            If you have no idea if they read the message, sounds like you did not call them to confirm receipt of your message.

  • +4

    You can switch mygov to use passkeys, right @askbargain ?

    • -1

      No. Rarely login. Passkeys would prevent phishing.

    • yes, have just enabled it for myself
      there was a news the other day about the rollout

      they also have 2fa sms and 2fa mygov app (not good reviews with ppl getting locked out)

      I prefer third party google authenticator app instead which is not available

    • What you really want is login to ATO with myGovID with the Strong indicator of strength. Then the only way anyone can link or login to ATO is via myGovID with a Strong indicator (only passport holders can get Strong). This ensures that nobody can get access through your passwords/SMS/etc. but also prevents a criminal from creating a new myGov account and linking to ATO using information they could obtain from a breach.

      ATO is a bit glitchy when detecting myGovID so you might have to logout/login with myGovID a few times, and you will know if its working correctly if both (1) your Personal Details in ATO says your Online Strength is Basic/Standard/Strong & (2) if you try to login with password/2FA or Passkeys it will refuse to let you access the ATO account.

  • +7

    Asking for a friend but what was modified by the scammers to go from a $400 return to a $25k return without suspicion by the ATO?

    • the PAYG and deductions part

      • +2

        Anything more specific? Just want to make sure my account hasn't been hacked

        • +8

          Say OP has PAYG of $50k from work.

          Hacker invents an negatively geared property sucking up $25k in interest expense. You're sorted.

          • +2

            @netjock: Claiming 25k in deductible interest doesn’t give you a 25k return, it would be your marginal tax rate * 25k. To get 25k back needs much higher deductions. Seems odd ATO hasn’t picked it up.

            • @Randolph Duke:

              To get 25k back needs much higher deductions

              That is true.

              ATO doesn't pick up things and it is never their fault.

              There was a TikTok GST scam and like 150 ex ATO staff and contractors caught up in it (I think they got fired on the spot so they can claim they are ex. It is like saying you forgotten how to ride a bike)


              Public servants are on the slow road to riches. They get paid less, they work even less and let compounding in their super sort out their retirement.

        • -1

          Could be education expenses as well. 20k to 50k in occasional course fees would not be out of the ordinary for full timers.

      • +4

        Yeah what was the deductions and payg change?
        Asking for a friend

        • Invent an investment property with really high interest expenses (loan shark)

        • I think literally just increasing the deductions by a ridiculous amount.

        • F

  • +12

    Just pay them with giftcards.

    • -1

      Nah easier to feed cash into the bitcoin machine

    • iTunes?

    • Or pay them with Disney+ gc?

  • +7

    Wild. At this point, it sounds like you need a lawyer/tax lawyer.

    That is a bold hack attempt. Quite a few layers of confirmations & change notifications to get through and ultimately you need the money paid out into an account you can access, by the govt.

    • +7

      It happens a lot. Current scam is get someone’s details, transfer their super to a smsf then just withdraw it.

      Plus there was the billions that went out in “advice” from TikTok to start a business, claim GST and it’s a free loan from the government until the banks forced them to do something about it.

      ATO compliance is a shitshow.

      • Read a lot of stories lately of people’s ATO accounts/myGov getting hacked. It’s actually quite scary. Everything is just getting worse and worse.

        • +11

          You can thank Medibank and Optus for leaking around 55% of Australian's personal data online through bad security.

          These provide a hacker with all the ID points they need to impersonate you with the ATO or open a credit card account in your name.

          You can also blame the ATO and banks for closing physical branches to save money, trying to do everything online. The ATO has voice identification which is now very easily spoofed. They don't care.

          • @RedHab: Yeah voice spoofing using AI is quite scary. Criminals only need to record a few seconds of your voice to be able to mimic it.

            The thing too is that in Australia what are the most popular websites? Probably this website and Whirlpool, I can’t think of any others because let’s face it we aren’t the biggest country out there. And guess what? Hackers can easily access these forums and understand what people are thinking. If one of these major websites gets breached and emails aren’t encrypted they could cross reference them with other data breach details and figure out the details of specific users. That’s why having multiple different emails for various uses can be important.

            There’ve been a few interesting reddit threads lately regarding breaches. Here’s one. Someone in that thread says it’s possible for hackers to use your details to open a second myGov account under your name and link the ATO to it then they can access it [second myGov account] pretty easily. Don’t know about anyone else but I think it’s absolutely ridiculous that more than one myGov account can be created for someone.

          • +2

            @RedHab: The infuriating thing is that you'd easily be able to stop most of these hacks by simply sending a physical letter.

            If <making a change with the ATO> or <opening a financial account like a Credit Card> required a physical letter sent to the address on record (ie not another address chosen by the scammer) then you'd find out when a scam was happening to you. The letter would simply need to say "XYZ is happening, if this was not instigated by you then call this number immediately to stop the process".

            But because everything is now online, you don't find out until it's too late !!

        • +4

          I dont really get how these hacks work with myGov. Dont they force you to have 2FA? I always get a SMS code when attempting to login?

          • +1

            @Mintee: They do and have for many years. The problem is people give out the code when they're on the phone and skip the "do not give this pin to anyone" part of the SMS

          • +1

            @Mintee: They do but one of the 2FA methods on myGov is a secret question, I think this carried over when myGov was updated. People who are using that could be susceptible if that data was leaked in another breach.

            As mentioned people are also susceptible if they aren’t diligent and give out the 2FA info. Even SMS 2FA now isn’t the most secure since hackers can call up a telco and request to get your number ported out if they have your details from a data breach. And the myGov code generator app needs to be treated carefully because you could lose access to myGov if you delete it accidentally or don’t deauthorise it properly before moving to a new phone. I’m sure a lot of people out there will accidentally do one of these things at some point and then the ATO is going to have to help them out with regaining access. Sometimes when designing something you need to account for the lowest common denominator to prevent further issues from arising down the road.

            On top of all this, if you’re busy with a 9-5 (which really isn’t a 9-5 but more like 8-6 these days), raising kids etc. will you even consider any of this if you haven’t been hacked before? I don’t think many people would.

            • @Ghost47:

              Even SMS 2FA now isn’t the most secure since hackers can call up a telco and request to get your number ported out if they have your details from a data breach

              I'm interested to know which Telco allows to port out number without the authentication code for porting.

              • @No ONE: Looks like verification laws were updated in 2022. Probably not as common anymore as I thought although it looks like Medion (provider of Aldi mobile) was hit with a lawsuit earlier this year for not complying with the updated laws.

              • @No ONE: iiNet is notorious for this.

      • -5

        Only happens to people who don't have SMSF. Imagine getting a letter to the SMSF you run a member wants to transfer out and that is yourself. LOL

        • +1

          But they don't send a letter, that's the whole point. You don't find out until the money is already transferred !

          • +1

            @Nom: Most people don't get the joke.

            If you have and run your own SMSF then you know all the beneficiaries so a scammer can't transfer your super out.

            Most super transfer scams are getting you to transfer to a non compliant fund (pretending they have a tax loophole to help you access your super) so they can syphon away your money overseas.

    • Lol. A 'lawyer' isn't going to help. The ATO isn't going to be liable to insta-stop a transfer that might have already been in motion.

      OP says he got 'hacked' but he gave his 2FA details to the person accessing his account - not exactly a hack.

  • +20

    Have you tried the Inspector-General of Taxation and Taxation Ombudsman?

    If you haven't already, lodge a formal complaint with the ATO and go from there.

    IGT have also recently done an investigation into the ATO's actions in response to complaints about the ATO's response in relation to compromised tax accounts and identity fraud. Case Study 1 (page 24) seems to refence very similar circumstances to yours.

    • Thanks, I will keep this option in mind in case they demand me to pay.

  • Scammer AKA was ME

    This thing won't sell anymore.

  • +10

    Why did you give your 2 factor authentication details to a hacker?

    How much responsibility would a court place on you vs on the ATO for the loss?

    • -1

      these days its not tough for hackers to hack your sms (ATO 2 factor is only via SMS i believe) before you can. (happens mostly at night when you are deep sleep and phone on DND)

      • +1

        I think I’ve read about that too. Hackers call up your telco provider and pretend to be you because they have all your data (e.g. passport number, licence number etc.) which they obtained from one of the big data breaches then they get your number ported out to another provider. Then they can start receiving your 2FA SMS. If your phone ever shows SOS it’s a sign your number could’ve been ported out.

        That’s why it was important for people to update their ID etc after getting hacked.

        • But phone porting these days mandate that you do NOT switch your SIM as the system will send an SMS confirming that you are porting away and you need to say Y or N before your phone turns into SOS mode. This is if you are doing it online.

          If you are brute forcing the switch, from experience, they would make you go to a branch / store and ID yourself and the scammer will be exposed by then.

  • +7

    Appoint a tax agent, explain your situation and get the agent to lodge a complaint with the ATO to expedite the resolution. Yes it will cost you money but the agent will be better placed to push the ATO in the right direction and so that you can also get your 23/24 return submitted.

    • -1

      Well I will not pay any further money to get this fixed - as long as ATO does not demand me to pay, I will wait. They confirmed that they will fix it anyway, it's just frustrating how slow they do their job

      • +12

        Well I will not pay any further money to get this fixed

        famous last words

      • +10

        There are many well publicised cases of government agencies failing to fix known problems, with individuals suffering the consequences. You need to go on the front foot to stop it getting worse. If that means spending money, consider it an investment in protecting your interests.

        • Fair call. Thanks for the suggestion

      • Do you have anything in writing from the ATO? If you don't have a full paper trail get that ASAP .

  • +7

    @Taro Milk Tea are you expecting the $25,000 loss to just be magically covered by the ATO ? Have they told in you in writing that they accept responsibility for this loss ? Tread carefully, because if they decide you contributed to the hack then you could absolutely be on the hook for the $25K !!

    • -4

      then you could absolutely be on the hook for the $25K !!

      That's not how it works…

      • +7

        How? If I provide my banking details to a scammer, the scammer withdraws all my money and transfers it to another account, after I gave them the SMS authentication code etc the bank certainly will not cover those losses, so why should the ATO (aka me, u the taxpayer) cover someone’s stupidity! While it’s all well and good the OP called the ATO to report it, the hack should not have occurred in the first place!

        • I agree with you in principle about this. But in this instance OP called and notified the ATO BEFORE any payments were made. It's fully on the ATO to have paid out after they were notified that the account was compromised.

          • @bioxeed: Does OP have evidence of this conversation? Are all phone calls to ATO recorded? Written evidence would have been ideal.

            • @Marty131: I'm just going by what's been given in the original post. No idea what ATO would have recorded or otherwise. Definitely having written evidence would be the best.

          • -1

            @bioxeed: OP has not provided the actual timeframe and the ATO doesn't use something like ING. They would have tens of thousands of payments scheduled in advance and provided to financial institutions in advance, and can't just jump in and cancel a single one of those. It was likely too late to stop payment.

  • +5

    You will have a compromised TFN for life now, have fun with that.

    • You can actually have ATO reissue you a new TFN, it'll take a bit of perserverence but it can be done.

  • I am still owed by ATO around $400 for my tax return 22/23

    I hope you are charging them interest…

    • +1


      will it be taxable income?

    • I was surprised last year, I paid my tax bill early and the ATO credited me interest for the period from then until it was due.

      • will it be taxable income?

        • Of course. Otherwise I'd be deliberately over paying my tax for the sweet tax free interest returns.

  • +2

    My partner got her account locked out (no actual breach) over a year ago and they still haven't "fixed" it. They can temporarily allow login when she calls, so every time she needs access she has to call, wait, be escalated, wait again, etc

    • How it started? High income individual? Expat?

      • Nope

  • +2

    Give it another 10 years. Can’t wait for digital ID to roll out, it will be so secure. /s

  • +4

    Always triple check email/sms/call from someone claiming to be from ATO

    If you get an email now. Don't click on the link. Go straight to the website to login. Emails are so unsafe.

    • +3

      Only emails I get from ATO say there a new message from ATO in mygov inbox

      Why would anyone click a link in an email from a bank or ATO is beyond me, how can there be so many idiots out there

      • Most work on a sense of urgency so you would follow the instructions. Why go to the website, login and find the issue when a simple click of the link would sort it.

        I had a call from the UK pretending to be from HSBC. The person spoke the Queen's English but I was suspicious considering I don't have anything in the UK with HSBC. They said it was your Australian account and I am like given the time difference and cost of labour it doesn't make sense to be calling from the UK. Don't forget there is also data protection laws about where your information should be based therefore they wouldn't do personal accounts out of the UK because it is so low value. You're more likely to get a call from India or the Philippines. I was at my desk so I was actually delaying them while I was checking out my accounts but if you were out and about, can't get immediate access and had lots of money in there. I only keep a running balance less than $1k.

      • Because in general, people are idiots.

  • +3

    Nice try ATO

  • +2

    Anyone ever experienced this?

    No. Because you are one of a hand full of people who have given scammers the authentication code that states do not share this code, the ATO will never request this code. FFS

    • +1

      Not necessarily true! We had our ATO account hacked as OP did, but no security authentication information was given to ANYBODY. We received no phone calls/sms/emails from anywhere requesting information or inviting us to click on links. It just happened. The ATO would not specifically say how they got in.

      As far as I am aware, the ONLY way to access the ATO is via MyGov. Same, never any phishing attempts!

      • We received no phone calls/sms/emails from anywhere

        Isn't it ridiculous !?!? If they had simply sent an SMS to your registered mobile number, an email to your registered email address, and a physical letter to your registered home address at the very least to inform you that action XYZ was being taken then you could have contacted them immediately to stop it.

        Lack of notification when someone is ammending your tax return and changing your bank details to extract $25,000 as per the OP, is inexcusable.

  • +3

    Get the feeling that, given you’re the one who gave the ‘hacker’ (actually scammer, they didn’t ‘hack’ anything) access to your account, you’re going to have to escalate and get some professional legal advice on this one.

    I doubt the ATO are just going to cop the 25K loss due to your error, but you might get lucky. Since you notified them before the transfer, that will probably mean there is some responsibility on their end, but I think it’s going to end up a complicated dispute unfortunately.

    Best to speak to the ombudsman as others have said.

    • -1

      If OP contacted the ATO before the payments were made it should be on the record. If they've then stuffed up and paid it that's on them.

      I deal with banking scams in my job. No way would AFCA not hold the bank responsible in similar circumstances.

      • Getting ATO to own up is much harder ! It takes upto 10 years for even the ombudsman to make changes to the ATO

        • The call should be recorded and on the record. If it is it confirms they knew about the issue before making the payment. They wouldn't have a leg to stand on.

Login or Join to leave a comment