• Security and privacy

    Both you and your clients may be targeted by criminal syndicates involved in identity crime and refund fraud. You need to protect yourself, your practice, your clients and the tax system against identity crime and fraud by taking appropriate security precautions.

    We have seen recent examples of newly registered agents providing AUSkey access, under their agent number, to others who are offering to bring them business. Avoid these arrangements unless you can adequately supervise and control their use (for example, you have an employee or contractor relationship). Limiting other people’s access to 'read-only' is not sufficient to prevent fraud. Compromising the security of the portal may result in suspension of access.

    You need to adequately protect the confidential client information you hold, both paper and electronic.

    Reducing the risk of fraud in your practice

    Refund fraud can occur when tax returns, activity statements and other documents are deliberately falsified in order to claim a tax refund a taxpayer is not entitled to.

    Fraudulent claims have been lodged by individuals on their own account or by third parties on behalf of others. Sometimes this involves identity crime, where taxpayer identities are used by third parties to make fraudulent claims for personal gain.

    We have seen incidents where registered tax agents, BAS agents or their staff have been inadvertently involved in lodging claims that are fraudulent.

    Below are a few suggestions that may help your practice maintain high professional standards.

    Security of your internal systems

    Here you'll find information about steps you can take to minimise the risk of records being compromised.

    Procedures and security controls

    It is imperative to ensure you have appropriate procedures and security controls in place and that you and your staff follow these at all times. Inadequate internal controls can leave the door open for client records to be compromised.

    As a minimum, we recommend that you:

    • use individual user login details and passwords for all systems where this is possible, including laptop computers, and keep these private at all times
    • regularly change all passwords
    • remove user access and change shared passwords immediately when a staff member leaves
    • delete user accounts from within Access Manager (AM) when a staff member permanently leaves the practice
    • ensure staff do not leave online portals open, and lock computer screens when unattended
    • encrypt computer files where possible.

    To use most of our online services, including the portals and standard business reporting software, you and your staff need to have an AUSkey security credential. AUSkeys are allocated to an individual person and should not be shared.

    Electronic lodgment service (ELS) passwords should be secured through internal controls that provide adequate protection against incorrect or fraudulent lodgments. ELS passwords should be changed immediately where a staff member who had access leaves the practice.

    Ensure your computer has up-to-date security software. This should include anti-virus, anti-spyware, anti-spam and firewall security that protects your computer from malicious programs. These programs are often carried in something that looks harmless, such as an email, but can allow an intruder to access your computer without your knowledge. Keep this software up to date, install any updates immediately to protect yourself from the latest threats, and have your security software scan your computer regularly.

    Check client records

    You need to regularly check your client list to make sure all your clients are recorded and registered for the correct tax roles.

    Monitoring client lodgment histories and running balance accounts can identify unexpected or unauthorised transactions. Proactively investigating these instances may uncover security breaches and fraud being committed on client accounts.

    If you identify potential fraud, contact us as soon as possible. We will work with you and your client to investigate and manage the incident. This can include issuing new AUSkeys, correcting records or, if necessary, assisting your client to establish a new identity.

    Bulk lodgment requests

    Watch out for people asking you or your staff to lodge bulk returns. Registered tax agents have been approached by people wanting them to lodge returns for groups of people. Sometimes these returns or statements are fraudulent, and the identities of the taxpayers have been stolen in order to commit refund fraud.

    When accepting bulk lodgments, you should ensure you are confident of the true identity of each taxpayer and authority of the person approaching you. It can be tempting to get easy money by lodging them without thoroughly checking the authority of the third party and the correctness of all details on the returns or statements. We strongly recommend that all tax agents conduct their own proof-of-identity checks directly with the taxpayers concerned.

    Security at your premises

    Ways you can protect the security of your premises include:

    • installing appropriate physical barriers, such as door and window locks, alarm systems and lockable storage for your files
    • securing taxpayer files when they are not in use
    • not leaving clients alone with files or allowing them unsupervised access to areas where files are stored
    • removing documents from printers and turning off fax machines at close of business and when the premises are unattended
    • considering whether you should have at least two staff members on your premises during opening hours.

    Ensure you keep your documents and records secure at all times. It only takes a moment for thieves to photograph or steal valuable information.

    Information security awareness

    Take the opportunity to talk to your clients and staff about personal information security and the potential risks. The more people are informed and vigilant about the importance of personal information security and the need to report any potential attacks, the more we can work together to stop criminals trying to make money by defrauding individuals, businesses and the community through the tax system.

    Report suspected fraud

    To report suspected fraud or criminal activity:

    Make an online report

    Phone us on 1800 060 062 (between 8.00am and 6.00pm, Monday to Friday).

    Last modified: 11 Nov 2016 QC 43930