Is the ATO putting your personal details at risk?

Have you noticed that when you receive a call from the ATO, they always call from an UNLISTED number then ask YOU to verify YOUR PERSONAL DETAILS? And it’s not just the ATO, I’ve noticed the same when my bank calls me to confirm whether I made certain transactions on my credit card.

In an era where personal identity theft is RIFE, is it time these institutions reconsidered the way they approach personal identification verification?

I understand WHY they do it. If the ATO representative called from a number which was clearly identifiable as the ATO, many people would not answer it. No one really likes hearing from the ATO. And whether it’s a by-product of their job, or the selection criteria for hiring, the people who call you generally sound grumpy and seem to exhibit no sign of emotion.

When was the last time they called you to say “Hi Mr Rudduck, we just received your tax return and want to let you know that you’ve made a mistake, but we picked up on it. We’ve determined we owe YOU $5,000. Now you have a sensational day Sir.” ???

Now let me explain WHY I have an issue with the way in which these institutions contact us.

Back when I was in high school, I associated myself with a number of groups who shared information on practices that were not entirely legal. I won’t deny it, I was 16 and being able to make free phone calls and what not was cool for a young computer nerd. I got into trouble as a by-product, but thankfully one teacher in particular showed interest in me and encouraged me to use my talents in a more positive light. I still live by his most repeated mantra, “Prior Preparation and Planning Prevents a Piss Poor Performance”, but that’s another story altogether.

Anyway, one of the most basic methods that I remember reading about being used to obtain credit card details was to simply call the prospect and pretend to be their bank, explaining that due to a computer malfunction some of their records had been lost. They would then proceed to ask them a bunch of personal questions and the unsuspecting prospect, wanting nothing more than to help the bank, would go ahead and give them their details.

This was back in the early 1990s and the practice probably pre-dates that. You would think that we have moved beyond that, but I’d like to point out evidence as to why this is not so.

PHISHING (pronounced “fishing”) is the process of sending a prospect a carefully crafted email designed to look like it comes from their bank, PayPal, eBay, Internet provider, or another institution. The aim is to give the identity thief account usernames and passwords and/or personal information which could be used to forge paperwork, so that the thief can obtain credit cards or finance in the victim’s name.

We see it every day. In fact, sadly, one of our wonderful customers recently fell victim to one of these scams. They can be very convincing! I received an email the other day purporting to be from my own bank and, realising it was a phishing scam, I clicked on the link and was surprised to see how accurately it looked like my bank’s internet banking site. Looking at the web page source, I could clearly see where it was pushing the details into some scammer’s database.

We use a WELL KNOWN FUEL CARD PROVIDER (who I won’t name) to provide our team with a fuel allowance and I was very disappointed to receive an email from them asking me to click a link in the email to view my online statement. What idiot wrote that email? What thought went into the process of future-proofing their customers’ details? They have set a precedent and now their customers will EXPECT emails to come from them with a link to their website. HELLO POTENTIAL SCAMMER RISK.

My mother, who is probably the most careful person in the world when it comes to her personal details, reviewing her bank statements, etc, recently had her credit card COPIED. She went to the shops, paid for her goods on her credit card and about 30 minutes later she got a call from the shop saying her credit card was at the front desk. She doesn’t even remember not getting it back. The following day she received a phone call from the bank asking her to confirm whether she’d made certain purchases in SYDNEY (we live on the Gold Coast).

It seems that somewhere between paying for her goods and leaving the store, someone had managed to swipe her card, copy the details from the magnetic strip, produce a duplicate of her card in another city a thousand kilometres away, and then run up a bill of a few thousand dollars, all in less than 24 hours. I remember when I worked at Woolworths, we were actually FORBIDDEN to touch the customer’s card, yet shop assistants do it EVERY DAY. I also remember one checkout attendant getting arrested for MEMORIZING a customer’s credit card details then going on a shopping spree in the same centre we worked at!

Even more ironically, I was talking to my girlfriend the evening when Mum had found out her credit card had been duplicated. Kath’s been working in Wellington, New Zealand on Peter Jackson’s “The Hobbit” so I’ve been receiving her mail, scanning it and emailing it to her. I had just been telling her Mum’s story and she then related a similar story about a number of people she worked on in a previous production being the victim of tax return fraud.

“Speaking of which”, I said. “I’ve got a letter here from your accountant. It’s your tax return. Apparently you’ve received a $x return this year.” At which point she exclaimed a number of profanities as she told me that the accountant on the letter was not hers, and we both realised that she too had been a victim of the same fraud. They suspect one of the crew members, who was obviously privy to each individual’s Tax File Number, must have been involved in tax return fraud.

So, back to the original focus of this RANT. With scammers looking for any way to get a hold of information that can provide them with a means to steal money, is it really acceptable that institutions like the ATO, banks and a number of other organisations contact YOU from an UNLISTED number then ask YOU to verify YOUR identity?

I have in the past, when receiving a call from a blocked number on my mobile (which seems to be the standard practice), flatly refused to provide the caller with any details and asked them to provide me with the department they work in and their extension, so that I can call the institution back on its publicly listed numbers and be transferred to them to proceed with the call.

This doesn’t always work, as a number of the people making outbound calls are not directly linked to any of the departments that receive inbound calls. And likewise, do you really want to be telling the ATO “I’m sorry, unless I can verify you are who you say you are, I am not going to speak with you”? As I said before, I’ve very rarely spoken to a representative of the ATO who was cheery and showed any sign of empathy. The last thing I want that person to do is to put a red cross against my name and make my life difficult should I ever do something and need to ask for some form of leniency.

What are your thoughts on the matter? Does this frustrate you too? Have you been the victim of identity fraud?

At Insane Technologies we take computer security very seriously. For a FREE Computer Security Risk Assessment, fill in the form below, or contact us on (07) 5539 6116.
