Is myGov our secret weapon to disarm SMS scammers?

In the Federal Budget announced last month, Jim Chalmers unveiled several worthy investments to protect citizens against online fraud. These included the proposed establishment of an SMS sender ID registry — a simple, commonsense idea. By notifying telecommunication organisations to blacklist any mobile numbers that are used by scammers, the government would make it more difficult for con artists to send spoof government agency messages (or make cold calls) asking people for phony ATO payments.

The move will make it harder for fraudsters to persuade innocent — and often vulnerable — people to give away valuable personal information or unwittingly make payments in good faith to bad guys. However, there are limits to the benefits of SMS sender ID registry schemes, and experience from overseas shows mixed results.

Beware the unintended consequences

SMS scammers have certainly been frustrated in their efforts by having their numbers blocked in those jurisdictions where SMS blacklists have been implemented. But, as we all know, criminals are a creative bunch. There has been a corresponding increase in new mobile number registrations, which have then been used to blast citizens with even more fraudulent messages and calls.

In a classic case of unintended consequences, using SMS registries to stop scammers may simply descend into an ever more frantic game of ‘whack-a-mole’ as new numbers pop up.

A different approach

In the long term, such a Sisyphean task could suck valuable time and resources that would be better used on a more effective method to stop scammers. It is a method which could simultaneously lead to a national digital identity system that protects citizens from both fraud and overreach into their privacy by government agencies.

The method I am talking about already lives on our phones in an app that most of us have downloaded and used: myGov. myGov and myGov ID proved a masterstroke during COVID and the newest version has made life easier for citizens to access government services like Medicare, Centrelink and the ATO.

Through a series of careful steps, we can weaponise these apps in the next five years to wipe out fake government agency fraud and create a world-leading national digital ID that honours our citizens’ privacy and makes their lives better.

Step one is already happening: myGov already requires users to prove who they are to securely sign into certain government online services and is increasingly used as a centre point for some agencies’ communications with citizens. It is also possible to use a myGov ID to log into certain sites, instead of using a Facebook or Google account as an authenticator. The next step? We must drive greater adoption of myGov ID, through education and awareness campaigns, and citizens should be using it to sign up for their next phone or credit card.

But myGov ID must also operate as a two-way street. If we are asking citizens to hand over confidential information or biometrics to authenticate themselves, we need to earn their trust in a world where trust in electronic communications has been damaged by relentless phishing and fraud.

For example, a phone call from someone claiming to be from the ATO should also deliver a simultaneous authentication pop-up in the myGov app and the caller should say: “Hi, I’m calling from the ATO call centre and I’ve popped a message in your app to show this is a genuine call”. The accompanying education campaign for that feature could carry relevant warning information, such as: “If you get a call claiming to be from a government agency and there is no message in your myGov app authenticating the caller and their name, hang up on them!”

In time, use of the myGov ID app could to do away with emails, calls and texts altogether, with all communications carried out through a live chat mechanism in the app. It will require education for citizens to turn notifications on, and to offer suitable alternatives for elderly and vulnerable citizens who may not have smart phones or the ability to use them.

Data-sharing considerations

But most importantly of all, we must ensure citizens have control over what agencies can access their personal data, and what they are authorised to share with other agencies and related organisations.

There will be essential things certain departments can see — and advantages to having superannuation funds linked straight to ATO accounts or the ability to update records across all agencies simultaneously — but individuals must be able to opt out of sharing anything beyond the strictly necessary.

Many of these developments are currently residing in the too-hard basket. But with the will, the technical know-how and the right policy settings, we can whack the scammers back into their holes and build a federated national digital identity system that makes our lives both simpler and safer.

Image credit: iStock.com/PeopleImages