Yubico’s Geoff Schomburgk on the growing threat of tax fraud through stolen credentials and what businesses can do right now.
Australia has one of the world’s most digitised tax systems, ranking second globally in the OECD’s Digital Government Index. For Australian taxpayers, businesses and advisers, digitisation has made lodgement faster, compliance more efficient and refunds quicker. For criminals, it has made the identity layer the attack surface: whoever controls a taxpayer’s digital identity can make the tax system act on their behalf.
The issue is not that Australia’s GST (Goods and Services Tax), ABN (Australian Business Number) or BAS (Business Activity Statement) rules have suddenly become unworkable. The deeper problem is that identity has become the gateway to tax compliance. If a criminal can take over a taxpayer’s digital identity, they can create or misuse an ABN, change bank account details, link a tax account or lodge a false return to claim a refund, and the Australian Taxation Office (ATO) may process each step as a legitimate transaction.
Weaponised identity
The most significant security gap in recent years has been where identity verification meets the digital portals through which tax obligations are managed. Criminal syndicates have routinely used credentials and personal information stolen in corporate data breaches to register fraudulent ABNs, hijack legitimate accounts and lodge fabricated BAS in order to claim refunds they are not entitled to.
The Office of the Australian Information Commissioner (OAIC) reported 532 notifiable data breaches in the January to June 2025 period, with malicious or criminal attacks remaining the largest source of breaches. Every exposed email address, mobile number, date of birth, Tax File Number (TFN), or identity document can become raw material for refund fraud, false registrations, fake lodgements and unauthorised changes to taxpayer records.
In response, the Australian Government has moved the tax access environment towards stronger digital identity. The myGovID app has become myID, and the Digital ID Act 2024 establishes the Australian Government Digital ID System, with privacy safeguards, accreditation and regulatory oversight. Australians can now replace the password on their personal myID with a passkey.
The Federal Government has also allocated $86.3 million over four years from 1 July 2026, plus ongoing funding, to deliver Phase 2 of its Counter Fraud Strategy. The funding is intended to modernise fraud prevention and detection across the tax and superannuation systems, enhance real-time detection, expand live monitoring of fraudulent account access and strengthen the ATO’s ability to combat fraud involving tax agents.
For accounting firms, tax agents, bookkeepers and corporate finance teams, this changes the risk equation. Tax professionals hold client identity documents, TFNs, company information, bank details, payroll data and the authority to deal with the ATO on clients’ behalf. If a tax agent’s account is compromised, the attacker does not need to impersonate taxpayers one at a time; a single agent login can reach every client on that agent’s books.
This is why the accounting profession needs to treat authentication as a governance control rather than a helpdesk setting. Passwords and legacy multi-factor authentication (MFA) such as SMS codes and one-time passwords are no longer sufficient for high-risk tax workflows, because a phishing page can collect the code from the user and submit it to the real portal before it expires.
Phishing-resistant, hardware-backed authentication makes it much harder for a criminal holding stolen credentials to access an agent portal, change client details, approve a high-risk transaction or lodge a fraudulent BAS. Passkeys, including security keys such as the YubiKey, raise the bar because a login requires both possession of the authenticator and a signature that the browser will only produce for the website the credential was registered to, so a lookalike domain gets nothing it can replay.
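To make that contrast concrete, the Go program below is an added example written for this page; it is not Yubico’s, the ATO’s or any browser’s code. It models a relayed one-time code (RFC 6238 TOTP) beside a cut-down FIDO2/WebAuthn assertion and shows where a reverse-proxy phishing kit succeeds with the first and fails with the second. The domain names ato.gov.au and ato-login.example, the TOTP seed and the challenge string are assumed values, and the browser rule that a page may only request credentials for its own RP ID is stated in a comment rather than implemented.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha1"
	"crypto/sha256"
	"encoding/binary"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// totp is RFC 6238 (HMAC-SHA1, 30 s step, 6 digits); the code is not bound to any site, so a proxy can forward it.
func totp(secret []byte, at time.Time) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], uint64(at.Unix())/30)
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	h := mac.Sum(nil)
	off := h[len(h)-1] & 0x0f
	return fmt.Sprintf("%06d", (binary.BigEndian.Uint32(h[off:off+4])&0x7fffffff)%1000000)
}

type assertion struct{ AuthData, ClientDataJSON, Signature []byte }

// securityKey models one P-256 credential, scoped to the RP ID it was registered for.
type securityKey struct {
	rpID string
	priv *ecdsa.PrivateKey
}

// signedDigest is SHA-256(authData || SHA-256(clientDataJSON)), the value the key signs.
func signedDigest(authData, cdj []byte) []byte {
	cdh := sha256.Sum256(cdj)
	d := sha256.Sum256(append(append([]byte{}, authData...), cdh[:]...))
	return d[:]
}

// getAssertion is the authenticator step; a real browser derives rpID and origin from the page the user is on.
func (k *securityKey) getAssertion(rpID, origin, challenge string) (*assertion, error) {
	if rpID != k.rpID {
		return nil, errors.New("authenticator: no credential for " + rpID)
	}
	cdj, _ := json.Marshal(map[string]string{"type": "webauthn.get", "challenge": challenge, "origin": origin})
	h := sha256.Sum256([]byte(rpID))
	authData := binary.BigEndian.AppendUint32(append(h[:], 0x01), 1) // rpIdHash || flags(UP) || signCount
	sig, err := ecdsa.SignASN1(rand.Reader, k.priv, signedDigest(authData, cdj))
	return &assertion{AuthData: authData, ClientDataJSON: cdj, Signature: sig}, err
}

// verifyAssertion is the relying-party check: challenge, origin, rpIdHash, then signature.
func verifyAssertion(pub *ecdsa.PublicKey, rpID, origin, challenge string, a *assertion) error {
	var cd map[string]string
	if err := json.Unmarshal(a.ClientDataJSON, &cd); err != nil {
		return err
	}
	if cd["type"] != "webauthn.get" || cd["challenge"] != challenge || len(a.AuthData) < 37 {
		return errors.New("portal: malformed or stale assertion")
	}
	if cd["origin"] != origin { // origin sits inside the signed data, so a proxy cannot rewrite it
		return fmt.Errorf("portal: origin %s is not %s", cd["origin"], origin)
	}
	if want := sha256.Sum256([]byte(rpID)); !hmac.Equal(a.AuthData[:32], want[:]) {
		return errors.New("portal: rpIdHash mismatch")
	}
	if !ecdsa.VerifyASN1(pub, signedDigest(a.AuthData, a.ClientDataJSON), a.Signature) {
		return errors.New("portal: bad signature")
	}
	return nil
}

// runScenarios reports whether the portal accepted each attempt; ato.gov.au / ato-login.example are assumed names.
func runScenarios() map[string]bool {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	key, pub := &securityKey{rpID: "ato.gov.au", priv: priv}, &priv.PublicKey
	secret, now, ch := []byte("agent-totp-seed"), time.Now(), "nonce-from-portal"
	out := map[string]bool{}
	// 1. OTP: the proxy submits whatever the victim typed into its page, and the portal accepts it.
	out["otp relayed by proxy"] = hmac.Equal([]byte(totp(secret, now)), []byte(totp(secret, now)))
	a, err := key.getAssertion("ato.gov.au", "https://ato.gov.au", ch)
	out["passkey on real site"] = err == nil && verifyAssertion(pub, "ato.gov.au", "https://ato.gov.au", ch, a) == nil
	// 3. The proxy's page can only ask for its own RP ID, for which the key holds no credential.
	_, err = key.getAssertion("ato-login.example", "https://ato-login.example", ch)
	out["passkey via proxy (authenticator)"] = err == nil
	// 4. Even if that rule were bypassed, the signed client data names the proxy's origin.
	a, _ = key.getAssertion("ato.gov.au", "https://ato-login.example", ch)
	out["passkey via proxy (portal)"] = verifyAssertion(pub, "ato.gov.au", "https://ato.gov.au", ch, a) == nil
	return out
}

func main() {
	for name, ok := range runScenarios() {
		fmt.Printf("%-34s accepted=%v\n", name, ok)
	}
}
```

The relayed OTP verifies because the portal has no way to tell which page the user typed it into. The passkey fails twice over: the authenticator has no credential scoped to the proxy’s domain, and even an assertion minted for the right RP ID carries the proxy’s origin inside the signed client data, which the portal rejects before it looks at the signature. Real deployments also check the signature counter and the user-verification flag; both are omitted here for brevity.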
Risk-based deployment
Accounting firms should prioritise phishing-resistant authentication for administrators, partners, payroll teams, client money functions and anyone with authority to change bank account details or lodge on behalf of clients. Businesses should apply the same approach to finance teams, directors and staff managing ABNs, payroll, GST and superannuation.
Identity also needs to be embedded in process controls. Any request to change bank details, add a new user, link a new client, amend prior-year returns or submit an unusually large GST refund claim should require step-up MFA and independent approval by a second person. Suspicious activity is no longer only about unusual numbers; it is also about unusual identity behaviour, such as a high-risk change made minutes after a login from a new device or a change to recovery details.
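As an added example of how such a rule can be expressed in code (not Yubico’s, the ATO’s or any real portal’s policy), the Go program below decides whether a high-risk request may proceed. It assumes the identity provider reports the login method as RFC 8176 AMR values and treats "hwk" and "swk" (hardware- or software-secured key proof, i.e. a FIDO2/passkey login) as phishing-resistant; the action names, the 24-hour window and the two identity-behaviour signals (a new device, a recent change of recovery details) are assumptions chosen for illustration.

```go
package main

import (
	"fmt"
	"time"
)

// session is the portal's view of an authenticated principal (assumed shape): who they are,
// the RFC 8176 AMR values the identity provider reported, and two identity-behaviour signals.
type session struct {
	User            string
	AMR             []string  // e.g. "hwk" (hardware key), "otp", "sms", "pwd"
	NewDevice       bool      // first login from this device
	RecoveryChanged time.Time // last change of recovery email or phone; zero if never
}

// phishingResistant treats a hardware- or software-secured key proof (a FIDO2/passkey
// login) as phishing resistant; SMS, OTP and password-only logins are not.
func phishingResistant(amr []string) bool {
	for _, m := range amr {
		if m == "hwk" || m == "swk" {
			return true
		}
	}
	return false
}

// highRisk lists the operations that need step-up MFA and a second approver (assumed names).
var highRisk = map[string]bool{
	"change-bank-details": true, "add-user": true, "link-client": true,
	"amend-prior-year-return": true, "large-gst-refund": true,
}

type decision struct {
	Allow  bool
	Reason string
}

// authorise applies the controls in order: step-up, separation of duties, then behaviour.
// approver may be nil for routine actions.
func authorise(action string, requester session, approver *session, now time.Time) decision {
	if !highRisk[action] {
		return decision{true, "routine action"}
	}
	if !phishingResistant(requester.AMR) {
		return decision{false, "step-up required: high-risk actions need a phishing-resistant login"}
	}
	if approver == nil || approver.User == requester.User {
		return decision{false, "independent approval required: no distinct second approver"}
	}
	if !phishingResistant(approver.AMR) {
		return decision{false, "approver must also use a phishing-resistant login"}
	}
	// A high-risk change shortly after a new-device login or a recovery-detail change is the
	// account-takeover pattern, so hold it for a human even though both logins were strong.
	if requester.NewDevice || now.Sub(requester.RecoveryChanged) < 24*time.Hour {
		return decision{false, "held for review: new device or recovery details changed in the last 24 h"}
	}
	return decision{true, "approved: phishing-resistant MFA and independent approver"}
}

func main() {
	now := time.Now()
	partner := session{User: "partner", AMR: []string{"hwk"}}
	bookkeeper := session{User: "bookkeeper", AMR: []string{"pwd", "sms"}}
	fmt.Println(authorise("change-bank-details", bookkeeper, &partner, now))
	bookkeeper.AMR = []string{"hwk"}
	fmt.Println(authorise("change-bank-details", bookkeeper, &partner, now))
}
```

The order of the checks matters: the authentication-strength check runs before separation of duties so that a phished SMS session is refused outright rather than queued for an approver, and the behavioural hold runs last so that it only ever downgrades an otherwise valid request to manual review.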
Legislation relies on trust
Australia already has a clear legislative framework for fraud prevention. The Commonwealth Fraud and Corruption Control Framework 2024 requires Commonwealth entities to take reasonable measures to prevent, detect and respond to fraud and corruption. However, the GST and BAS lodgement framework administered under the Taxation Administration Act 1953 still rests on the assumption that the information lodged, and the entity lodging it, are legitimate.
That trust model is now under pressure. In a high-risk digital environment where stolen credentials, synthetic identities and compromised accounts can be used to impersonate taxpayers or advisers, identity assurance can no longer be treated as a secondary control.
Making identity impossible to weaponise
Australia’s tax system will continue to be a target because it moves money at scale. The answer is not to slow down digital services or make compliance harder for legitimate businesses. The answer is to make identity harder for the bad guys to weaponise.
Tax fraud prevention now starts before the tax return is lodged, before the tax refund is calculated and before a suspicious company is registered. It starts at login, enrolment, authorisation and account recovery. In the Australian tax system, identity is the new perimeter, and protecting it through phishing-resistant authentication has become essential for safeguarding revenue, businesses and public trust.
