An Australian couple almost had $20,000 of superannuation stolen. The scam has exposed serious flaws in the federal government's early access scheme.

The federal government’s early access to super scheme has holes in it. (Tracey Nearmy, Getty Images)
  • Australians are being targeted by scammers using the federal government’s early access to super scheme to get their hands on up to $10,000 of retirement savings per victim.
  • At least 150 cases of identity fraud are being investigated by the Australian Federal Police (AFP) and the Australian Tax Office (ATO) has taken steps to try to secure the scheme.
  • A couple subject to the scam, Ange and Ben from Perth, spoke to Business Insider Australia about how they were targeted, how they identified the scam, and how their experience suggests other major flaws in the scheme.
  • Visit Business Insider Australia’s homepage for more stories.

When the federal government announced its scheme to allow people to crack open their superannuation accounts, it was met with understandable scepticism.

But while concerns abounded that out-of-work Australians might be inadvertently kneecapping their retirement fund, few expected the scheme could become a honey pot for criminals. However, that is exactly what has transpired with “sophisticated” and possibly offshore syndicates preying on Australians, according to the Australian Federal Police (AFP) Commissioner Reece Kershaw.

Perth resident Ange, 43, and her partner Ben, 42, were just two individuals targeted as part of the scam, which had designs on nearly $20,000 of their retirement savings. Business Insider Australia has withheld their surnames due to privacy concerns.

Three weeks ago, they received notifications from the Australian Tax Office (ATO) informing them they had successfully de-linked their myGov accounts from their Australian Tax Office (ATO) accounts. Neither had made the change.

“As we both received the ATO message simultaneously, we knew something wasn’t right,” she told Business Insider Australia. “We jumped on our PC and googled the ATO’s customer service number and rang them. While on hold, we logged into our genuine myGov accounts and saw that our ATO linked services were no longer there. We just received a ‘page not found’ message.”

“While we were on the phone to the ATO, we received messages from all of our super providers that applications had been received and that funds would be released within a timeframe of five to seven days.”

“What applications?” Ange thought. “What funds?”

The messages informed them their three superannuation accounts were disbursing $19,996 of their combined retirement savings.

What Ange and Ben didn’t know then was that a few days earlier someone had created new myGov accounts for both of them – a simple enough procedure that requires nothing more than a working email address.

The people who did already had the couple’s personal information. While they say they have always been careful to shred any sensitive documents, they had still been compromised.

“At some point in the last 5 years, some of our taxation or banking information has made its way into the wrong hands. Whether this was due to a keystroke virus on our computer, someone sifting through our rubbish for documents or bank statements or a breach of a tax agent we may have used, we really still don’t know,” Ange said.

Armed with whatever information they had managed to get their hands on, the scammers were now in the driver’s seat.

After a few failed attempts, the scammers managed to successfully answer some security questions – typically related to financial information from the last five years – and log in to Ange and Ben’s Services Australia accounts.

That was the hard part. Once in the system, they could easily change the couples’ contact details to stop any notifications getting through, and then simply link the couple’s legitimate accounts to the newly created myGov accounts they had created.

In essence, they had simply replaced Ange and Ben’s accounts with their own. From there, they could begin generating what appeared to be genuine applications to access their superannuation.

Business Insider Australia understands that this kind of identity theft is how many victims were targeted, with the ATO and Treasury maintaining there has been no breach of its IT systems.

The scam exposed major weaknesses in the government scheme

Under the federal government’s early access scheme, individuals can withdraw $10,000 of their super this financial year and next if they meet certain conditions – namely they are unemployed, have recently lost a job, receive government support payments, or have lost 20% or more of their income.

Now here’s the rub: neither Ange nor Ben ticks a single one of those boxes.

Their income has remained steady throughout the economic downturn and government shutdown – so why was their super even released?

“This never should have happened. We don’t qualify for early release of super under the government’s own criteria. So the fact that these people were able to get in fraudulently, lie on the applications and have them approved in less than 24 hours beggars belief,” Ange said.

“A simple cross-check would have shown the ATO we were still receiving steady super contributions from our employers, and the lodgements should never have been approved.”

And yet, that’s exactly what happened. The ATO gave their applications the green light almost immediately, and instructed their super funds to release the funds. In fact, Commissioner Chris Jordan even told the Senate Committee that it was “disappointing” the breach had taken the shine off how well the ATO had processed claims.

“Particularly disappointing, I think, for the victims involved,” Senator Katy Gallagher interjected.

In terms of verifying Ange and Ben, however, that was pretty much it. Now it was simply a matter of their super funds filing the necessary paperwork and depositing the cash into the nominated bank account.

“The biggest disappointment was that out of three super providers, two of them would simply have released our money without question. Only one required me to call, navigate their own security measures and confirm banking details before they would have released the money. This seems very short-sighted and lax,” Ange said.

In other words, had nothing else happened, Ange and Ben would have lost years of savings in a matter of days and may not have even become aware of the theft.

“We think the only reason we still got the messages is that they were generated with details held by Services Australia [and] not details held by the ATO, as by this stage, those details had been changed,” Ange said.

The couple were only then able to stop it, spending an entire day on the phone to their super funds – who they say were “fantastic” in blocking the application once notified – as well as the ATO.

But they consider themselves the lucky ones. The AFP has indicated that at least $120,000 in stolen withdrawals have been frozen.

“We count ourselves as fortunate that we opted not to just ignore those text messages,” Ange said.

She believes that others have become victims simply by virtue of not having had a myGov account or a link to the ATO notifying them of changes. They also may have simply ignored those notifications altogether because they’d never applied for early super release and may have even believed those red flags to be fraudulent.

“In this situation, doing nothing would have played directly into the scammer’s hands as it gave them the time they needed to get away with the money without anyone noticing,” Ange said.

The AFP told Business Insider Australia it would not comment on an ongoing criminal investigation.

The government says the scheme has been tightened, but questions remain

But while Ange, Ben and others informed the Australian Cyber Security Centre, they were told something they didn’t want to hear: the AFP would not intervene until the ATO invited them to do so.

It took around one full week for that to happen, with the AFP coming on board in early May. The Home Affairs Minister Peter Dutton was informed on May 3, and the Treasury was briefed three days later, quickly deciding to pause the scheme.

ATO Commissioner Chris Jordan (Dominic Lorrimer)

“We paused the processing of applications for one day to further enhance our systems in response to new techniques criminals are using to try to steal Australians’ identities,” an ATO spokesperson told Business Insider Australia, noting applications were still being accepted during the freeze.

“To further bolster our systems, we have applied additional risk filters to all files before they are delivered to funds, and we are also providing additional information to funds to assist them in discharging their own obligations to apply fraud prevention processes.”

In a separate statement issued after the scheme recommenced however, Sukkar insisted the scheme was secure against identity fraud.

“Australians can have confidence in the security measures the ATO has in place to protect the integrity of the early release of superannuation scheme,” he said.

According to his office, as of early May, 1.2 million eligible Australians had used the program to cash out more than $10 billion.

Business Insider Australia has contacted the office of Assistant Treasurer Michael Sukkar for further comment.

While the criminal organisation that has targeted the scheme may be sophisticated, their incursions into it indicate the scheme is anything but.

The ATO, for its part, had believed it was as secure as it could be against identity theft – in fact, the government has indicated it ran the program through the ATO specifically for this reason.

“We of course then have various checks to identify what appear to be suspicious applications, and identity fraud has been very much top of mind for us throughout the entire design of this measure. There are layers of that. No system is perfect, but there are layers of checking that we do,” ATO second commissioner Jeremy Hirschhorn told Senate estimates.

“We then pass on information to the super funds, and super funds are then meant to apply their ordinary antifraud checking. So the tax office provides an extra layer, and multiple hidden layers, of protection against identity fraud.”

Australians queue up at Centrelink for the JobSeeker Allowance (Photo by Florent Rols, SOPA Images, LightRocket via Getty Images)

All those very many layers, it turns out, just weren’t enough to protect the country’s $3 trillion superannuation nest egg. In Ange’s experience, at least, it appears some funds haven’t been doing their due diligence.

Then again, others seem to have been aware of the problem. Rest Super, which has processed around 10% of all applications, confirmed to Business Insider that it has identified some 2,312 applications – or 1.6% of its total – that have raised fraud or money laundering concerns and will be further scrutinised.

Ange now believes the early access scheme, while vital, is in urgent need of an overhaul.

“I think the scheme is necessary for some people in our community and may be the only thing keeping some families’ heads above water at the moment. For that reason we wouldn’t like to see it cancelled but certainly, it needs a better application management system in place to ensure that only the people who truly need the money and meet the government’s own criteria can access it,” she said.

Have scammers tried to access your superannuation? Get in touch at [email protected]

Business Insider Emails & Alerts

Site highlights each day to your inbox.

Follow Business Insider Australia on Facebook, Twitter, LinkedIn, and Instagram.