ato logo
Search Suggestion:

Security advice for tax professionals

Tax professionals must use strong security practices and report fraud to protect their clients and business.

Last updated 27 February 2023

Security advice

Criminals may target your practice to steal your or your clients' information. They may also use your business to lodge fraudulent claims.

As a tax professional you need to protect your business and client information, including making sure it is safe online.

We recommend you:

  • check the proof of identity for all new clients and question any discrepancies
  • only lodge for clients whose identity you have confirmed
  • ensure your computer security systems are up to date and protected against cyber attacks
  • train your staff in the need to, and methods of, securing client information
  • ensure your staff understand what is appropriate to discuss on social media or via email
  • have a process in place to regularly back up your data, software and settings, to help keep your business running should you need to restore your systems and data.

You should remain vigilant, take precautions, address security, and uphold your client and business privacy by assessing your online practices at least quarterly.

The Australian Cyber Security CentreExternal Link has resources and guides to help businesses protect against common cyber threats.

Know what to protect

Identity thieves may target your:

  • myGovID
  • business activity statements
  • employees' personal information
  • business records containing personal or business information.

Secure your business premises

It only takes a few moments for thieves to photograph or steal information at your workplace. You can help keep your business, client and employee information safe by:

  • installing physical barriers such as locked doors and windows
  • making sure you have appropriate alarm systems in place
  • filing documents in lockable storage units.

Secure your systems

To protect yourself and your business from identity thieves, we recommend:

  • securing your business files and employee information when they are not in use
  • changing all passwords on a regular basis
  • making sure all employees log out of systems and lock computers when not in use
  • making sure your computers and other devices have up-to-date security and anti-virus software
  • ensuring that only approved applications can run on your systems to protect against malicious code – also known as malware
  • only provide the functions and accesses your staff need to do their jobs. This will minimise the pathways that cyber criminals can use to gain access to your business.

When sourcing software for your business, you may wish to ask vendors how they make sure they are providing secure systems and services. For example:

Make sure you have internal controls

You can protect your business and employees by:

  • performing background checks on new employees
  • restricting new employees' access to systems and credentials
  • being able to track employees’ actions when dealing with sensitive and personal information
  • removing access to systems and credentials from employees as soon as they leave your employment.

Protect your myGovID

myGovID uses encryption and cryptographic technology and the security features in your device, such as fingerprint or face, to protect your identity.

If you are aware or suspect someone has inappropriately accessed your personal information in myGovID, you need to report this immediately.

Contact the myGovID support line on 1300 287 539 (option 2) between 8.00am and 6.00pm Australian Eastern Standard Time (AEST), Monday to Friday.

International callers can contact us by phoning our switchboard on +61 2 6216 1111 between 8.00am to 5.00pm AEST, Monday to Friday, and request your call be transferred to the myGovID support line.

For more information and tips about myGovID security and staying safe online, see myGovID securityExternal Link.

Report fraud

Fraud can be the result of many things, including criminals:

  • stealing someone's identity to lodge incorrect returns and steal refunds
  • obtaining access to your client records to gain information
  • impersonating your business to gain a benefit.

To report suspected fraud or criminal activity:

  • make a tip-off
  • phone us on 1800 060 062 (between 8.00am and 6.00pm AEST, Monday to Friday).

Acting quickly will help minimise harm to you and your clients.

To reduce the risk of fraud in your practice, we suggest that you:

  • always confirm the identity of new clients, especially when they are requesting bulk lodgments or amendments
  • restrict access to your systems and records to those with a genuine need
  • check existing client records for unusual updates or lodgments
  • ensure both the physical and cyber security of your premises is strong, using adequate filing systems and software to protect your client records
  • contact the myGovID support line on 1300 287 539 (option 2) between 8.00am and 6.00pm AEST, Monday to Friday if you suspect the misuse of your myGovID.

Data breaches

If you have experienced a data breach in your practice, data breach guidance for tax professionals outlines the steps you may need to take to secure your client records and protect them against potential refund and superannuation fraud.

We also have information on how to get help for identity theft.

QC50500