When your personal or business information is stolen and used for fraud, the fallout can be severe. For Australian small-business owners and property investors, the risks are tangible, from fraudulent tax returns lodged with the ATO to criminals illegally registering an ABN in your name. This guide to identity theft in Australia provides a clear, practical action plan to protect your assets, manage compliance, and recover control if the worst happens.
Key Takeaways & Actions
- What It Is: The unauthorised use of your personal or business details (TFN, ABN, driver licence) to commit fraud or other crimes.
- Primary Risks: Fraudulent tax returns, illegal business registrations, damaged credit scores, and direct financial loss.
- First Call: Contact IDCARE, Australia’s national identity and cyber support service, for a tailored response plan.
- Priority Action: Act immediately. Quick reporting to agencies like the ATO and ASIC is critical to limit damage and secure your accounts.
- Business Focus: Directors and business owners must secure their myGovID and regularly check ABR and ASIC records for unauthorised changes.
- Prevention: Use strong, unique passwords, be vigilant against phishing scams, and control who has access to sensitive company data.
What is Identity Theft in Australia?
Identity theft in Australia occurs when a criminal unlawfully obtains and uses your personal or business information to commit fraud or other crimes. This isn’t just about a stolen credit card; for business owners and investors, it involves the core credentials of your financial identity.
Key pieces of information targeted include your:
- Tax File Number (TFN)
- Australian Business Number (ABN)
- myGovID login details
- Driver licence and passport numbers
- Bank account details
- Director Identification Number (Director ID)
Once a criminal has this data, they can impersonate you to access funds, obtain credit, or misuse your business’s good standing. According to the Australian Bureau of Statistics, an estimated 6.7% of people aged 15 years and over experienced personal fraud in 2022-23. You can review the complete personal fraud statistics on the ABS website.
Common Identity Theft Examples in Australia
Identity fraud in Australia manifests in several ways, often targeting high-value government and financial systems. Business owners and investors are particularly vulnerable due to the volume of sensitive data they handle. The Australian Institute of Criminology highlights that identity crime is one of the most common categories of cybercrime affecting Australians. You can find more cybercrime findings on the AIC website.
Here are some common examples:
| Type of Identity Theft | What It Involves & Its Impact |
|---|---|
| ATO Tax Fraud | A criminal uses your stolen TFN to lodge a fraudulent tax return and diverts the refund. This leaves you with a significant tax fraud and ATO dispute problem to resolve. |
| Business Identity Theft (ABN/ASIC) | Your details are used to illegally register a new business or alter your existing company details on the Australian Business Register (ABR). This can be used to obtain credit or conduct illegal activities under your business name. |
| myGov Account Takeover | Your myGov or myGovID credentials are compromised, giving a criminal access to linked services like the ATO, Centrelink, and Medicare. This can lead to unauthorised claims and data theft. |
| Financial Fraud | Your personal information is used to open bank accounts, apply for credit cards, or take out personal loans in your name, destroying your credit rating and leaving you in debt. |
| Property & Title Fraud | In rare but severe cases, criminals use forged documents to change property ownership records, enabling them to sell or mortgage a property without the owner’s knowledge. |
Identity Theft vs. Identity Fraud: Explained Simply
While often used interchangeably, “identity theft” and “identity fraud” describe two distinct stages of a crime. Understanding the difference is key to explaining the situation to authorities.
- Identity Theft: This is the act of stealing your personal or business information. It can happen through a data breach, a phishing email, mail theft, or a lost wallet. At this stage, the information has been taken, but no crime has been committed with it yet.
- Identity Fraud: This is the act of using that stolen information to impersonate you and commit a crime, such as applying for a loan, lodging a false tax return, or accessing your bank accounts.
In short, theft is the acquisition of the data; fraud is the illegal use of that data.
What to Do Immediately If Your Identity Is Stolen
The moment you suspect your identity has been compromised, your response must be swift and methodical. The primary goal is to contain the damage by securing your accounts and creating an official record of the crime.
Do not delay. Every hour counts.
First, contact IDCARE, Australia’s national identity and cyber support service. They provide free, expert guidance and will create a specific response plan for your situation. Then, secure your financial accounts by contacting your banks to cancel cards and freeze transactions. Finally, begin the formal reporting process with the relevant authorities, starting with the police. A rapid response can prevent further financial loss and significantly shorten your identity theft recovery timeline.
How to Report Identity Theft in Australia
Navigating the reporting process can be overwhelming. Follow this structured approach to ensure you cover all necessary bases and create the official paper trail required for recovery.
Step 1: Contact IDCARE Immediately
Your first action should be to call IDCARE on 1800 595 160. They are a not-for-profit charity that acts as a single point of contact to help you develop a response plan. A dedicated case manager will guide you through the specific steps required for your situation, reducing stress and administrative burden.
Step 2: Report the Crime to the Police
Report the identity crime online via ReportCyber. This is the national reporting service run by the Australian Cyber Security Centre. If money has been stolen or you are in immediate danger, also contact your local state or territory police. Obtain a police report number; this is critical evidence you will need for banks, government agencies, and credit reporting bodies.
Step 3: Notify Financial Institutions
Contact every bank, credit union, credit card provider, and superannuation fund you have a relationship with.
- Report any fraudulent transactions.
- Request that they cancel your cards and issue new ones.
- Ask them to place fraud alerts on your accounts.
Step 4: Secure Government Credentials
Notify all relevant government agencies whose services may have been compromised.
- ATO: Call the Client Identity Support Centre on 1800 467 033 if you suspect your TFN has been used to lodge a tax return under your stolen identity.
- Services Australia: Report any unauthorised access to your myGov account or Centrelink details via their Scams and Identity Theft Helpdesk.
- ASIC & ABR: If you suspect business identity theft involving your ABN or company details, report it to ASIC and the Australian Business Registry Services (ABRS).
Step 5: Place a Ban on Your Credit Report
Contact Australia’s three national credit reporting bodies and request a credit ban (also known as a credit freeze). This prevents criminals from opening new accounts in your name. You must contact each one individually:
- Equifax
- Experian
- Illion
A ban initially lasts for 21 days but can be extended if needed.
ATO, myGov & ABN Identity Theft Risks for Businesses
For small-business owners, directors, and property investors, identity theft poses unique and significant compliance risks. Criminals specifically target business credentials because they unlock higher-value fraud opportunities.
ATO & TFN Misuse: A compromised TFN is a direct threat. Criminals can lodge fraudulent tax returns or Business Activity Statements (BAS) to claim illegal refunds. This can result in you facing a tax debt for funds you never received and trigger a stressful ATO audit or dispute.
myGov and myGovID: Your myGovID is the master key to your digital identity. If compromised, it gives criminals access to linked ATO online services, your ABR profile, and more. They can update your bank details, change business associates, and access sensitive financial data.
ASIC & ABN Fraud: This is a major risk for company directors. With your details, a criminal can make unauthorised changes to your company register via ASIC, such as appointing themselves as a director. They can then use your company’s ABN and good credit history to take out loans or purchase goods, leaving your business liable for the debt. Fulfilling your ASIC company obligations includes safeguarding these credentials.
Worked Example: Stolen Identity and Tax Return Fraud
To understand the real-world impact, consider this common scenario involving myGov identity theft.
The Scenario: Sarah, a property investor from Melbourne, receives an unexpected SMS from myGov stating her bank details have been updated. She dismisses it as spam. A week later, she receives an ATO Notice of Assessment for a tax return she hasn’t lodged, showing a significant refund has been issued.
What Happened: A criminal obtained Sarah’s myGov login details from a data breach on an unrelated website where she had reused the same password.
- Access: The criminal logged into Sarah’s myGov account.
- ATO Link: They accessed her linked ATO online services.
- Fraudulent Lodgement: They fabricated a tax return with false income and deductions to generate a large refund.
- Diversion: Before lodging, they changed the linked bank account details to their own.
- Payout: The ATO processed the fraudulent return and paid the refund into the criminal’s account.
The Recovery Process: Sarah immediately contacts IDCARE, who advises her to report the crime to the ATO’s Client Identity Support Centre. The ATO places additional security measures on her account and begins an investigation. Sarah must now work with her tax agent to prove her identity, re-lodge her correct tax return, and wait for the ATO to resolve the matter, a process that can take several months.
This example underscores the critical importance of using unique passwords for sensitive accounts and acting on any unusual account notifications.
How to Protect Yourself and Your Business From Identity Theft
Proactive defence is the most effective strategy. Implementing robust security habits for your personal and business affairs significantly reduces your risk profile. Focus on practical, consistent measures recommended by authorities like the Australian Cyber Security Centre.
Key Security Measures for Directors and Investors
- Secure Your Digital Identity: Use a strong, unique password for your myGovID. Never share your login details with anyone, including staff or family. Treat it with the same security as your bank PIN.
- Recognise Phishing Scams: Be sceptical of unsolicited emails or SMS messages claiming to be from the ATO, ASIC, or myGov. Never click links in these messages. Always log in to the official portal directly through your browser to verify any requests.
- Control Information Access: Limit who in your organisation can access sensitive data like TFNs, financial records, and ASIC keys. Ensure your team is trained to identify and report potential security threats.
- Shred Sensitive Documents: Don’t just bin old bank statements, tax records, or company documents. Invest in a cross-cut shredder to destroy them securely.
- Regularly Review Records: Schedule quarterly checks of your details on the Australian Business Register (ABR) and with ASIC. This allows you to spot unauthorised changes early.
- Protect Your TFN: Be cautious about who you provide your TFN to. Store your TFN securely and never share it via email. Learn more about how to protect and find your TFN in our detailed guide.
Adopting these habits is fundamental to managing your small business tax risks and protecting your investments from fraud.
Common Mistakes and Quick Fixes
Even vigilant business owners can make simple errors that expose them to risk. Here are common mistakes and how to fix them.
- Mistake: Reusing the same password across multiple services, especially for myGov, banking, and email.
  - Quick Fix: Use a reputable password manager to generate and store strong, unique passwords for every single online account.
- Mistake: Ignoring small, unrecognised transactions on bank or credit card statements.
  - Quick Fix: Review your statements monthly. Criminals often test stolen card details with a tiny transaction before making large purchases. Report any anomaly immediately.
- Mistake: Clicking a link in an “urgent” email from the ATO or ASIC to log in.
  - Quick Fix: Never use links in emails to access sensitive accounts. Always type the official URL (e.g., ato.gov.au) directly into your browser’s address bar.
- Mistake: Delaying reporting a suspected breach out of uncertainty or embarrassment.
  - Quick Fix: Treat any suspicion as a real threat. It is always better to report it and be wrong than to wait and let the damage escalate. Call IDCARE immediately.
Identity Theft Response Plan
In a crisis, clarity is power. Save this checklist to your phone or print it out. If you suspect identity theft, follow these steps methodically.
Immediate Actions (First 24 Hours)
- Contact IDCARE: Call 1800 595 160 for a tailored response plan.
- Secure Financial Accounts: Call all banks. Freeze accounts, cancel cards, and report fraudulent transactions.
- Change Critical Passwords: Immediately change passwords for myGovID, online banking, and your primary email account.
- Report to Police: Lodge a report via ReportCyber and get a police report number.
Secondary Actions (Next 3-5 Days)
- Notify Government Agencies:
  - ATO: Call 1800 467 033 for TFN/tax fraud.
  - Services Australia: Report myGov/Centrelink compromise.
  - ASIC/ABRS: Report fraudulent business activity.
- Request a Credit Ban: Contact all three credit reporting bodies to freeze your credit file.
  - Equifax
  - Experian
  - Illion
Ongoing Monitoring
- Review Statements: Scrutinise all financial statements weekly for the first month, then monthly.
- Check Credit Reports: Order a free credit report from each agency every 3-4 months to check for new, unauthorised accounts.
Frequently Asked Questions
What is the very first thing I should do if my identity is stolen in Australia?
Your first call should be to IDCARE on 1800 595 160. They are Australia’s national identity and cyber support service. Their case managers provide free, expert guidance and will create a specific step-by-step response plan for your situation, telling you exactly who to contact next.
How does identity theft affect my business's credit score?
If criminals use your business identity (ABN) to apply for loans or trade credit accounts and then default on the payments, it will damage your business’s credit rating. This can make it difficult and more expensive for your business to secure finance in the future.
What are the common warning signs of identity theft?
Warning signs include unexpected bills or invoices for services you didn’t order, letters from debt collectors for accounts you don’t recognise, unexpected rejection for a loan application, missing mail, and notifications from the ATO or ASIC about changes to your records you didn’t make.
What is the difference between myGov and myGovID?
They are separate but linked. myGov is the online portal (website) used to access government services like the ATO and Centrelink. myGovID is the digital identity app on your phone that proves who you are, acting as the secure key to log in to myGov and other services.
Can I put a lock on my ABN to prevent misuse?
You cannot place a direct “lock” on your Australian Business Number (ABN). The best defence is proactive monitoring. Regularly check your ABN details on the Australian Business Register (ABR) for any unauthorised changes and ensure your myGovID, which is used to access it, is secure.
How long does it take to recover from identity theft in Australia?
Recovery time varies significantly depending on the complexity of the case. Simple cases might be resolved in a few weeks, but complex situations involving multiple fraudulent accounts or ATO investigations can take many months, or even years, to fully untangle. Check current regulator guidance for process timelines.
Should I report a small, suspected identity theft incident?
Yes. Every incident, no matter how small, should be reported. Minor breaches can be a precursor to more significant fraud. Reporting helps authorities track criminal activity and ensures an official record exists if the situation escalates.
Who is responsible for the debt if my identity is stolen?
If you can prove you are a victim of identity fraud, you are generally not liable for the debts incurred by the criminal. However, you will need to provide evidence, such as a police report and statutory declaration, to the affected creditors to have the fraudulent debts removed from your name.
Book a consult with Nanak Accountants & Associates on 1300 NANAK TAX (626 258).