Phishing and skimming scams are common at tax time. Scammers know that we’re expecting communications from the Australian Tax Office, so they can insert themselves into your tax return process by pretending to be the ATO. To stop you thinking critically about what’s happening, they’ll often try to create an emotional reaction, which pushes you to act faster and with less judgement. It might be a positive emotion – you have a huge tax return! Or it might be a negative emotion – we will audit you if you do not immediately supply these documents. Either can work in the scammer’s favour.
So, what can you do about it?
Education is your best defence.
Below I’ve listed the top scams from the last couple of years, and explained how they work. This will help you recognise Australian tax time scams when they arrive. Then, you can short-circuit the emotional manipulation and avoid the traps.
Australian Taxation Office has calculated your tax return, you are entitled to a tax refund of…
This text message was everywhere last financial year. It’s been seen this year, too. The message includes a link that takes you to a form that requests personal information, including your credit card details. Supposedly, this is so the ATO can send your payment through. The idea is to incite greed and get you to click the link before you really think about the situation.
People who click through and fill out the form share their data and payment information with scammers. Once they have access to this data, scammers can buy products online with victims’ credit cards or sell the data for use in identity theft.
Your 2023 tax return was received on ___. Please log in to upload the required documents.
This scam email pretends to be from the ATO, acknowledging your tax return lodgement. However, it claims that you need to send supporting information. It requests that you upload specific documents, and provides a link. The email links to a fake page that mimics a Microsoft portal login. This is designed to inspire stress and concern, so you click the link and comply without asking questions like “why is the ATO giving me this information in an email?”
People who click on the link see a faked Microsoft page explaining that they need to log in to upload their documents. If they log in, they share their Microsoft login credentials with scammers. This can provide access to personal documents, intellectual property, and other accounts thanks to single sign-on (SSO).
What to keep in mind
Communications from the ATO often inspire strong emotion. But when you see one, try to keep these things in mind:
- The ATO will never send you a text message disclosing your tax return or debt – it’s a privacy risk. Instead, it will typically send you an email telling you that you have a message available in the secure gov.au portal.
- Credit card details are not required for someone to give you a payment online. If you need to update your payment information with the ATO, log in to the online portal.
- Don’t click on links in text messages and emails! Instead, go to the official website and log in.
- The ATO doesn’t use third party services like Microsoft for document uploads. It uses its own online portal for that sort of thing.
- Don’t open attachments from senders claiming to be the ATO.
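The checklist above can also be written down as triage rules, for example for sorting messages that staff report as suspicious. The following Python is an added example, not PhishNet's or the ATO's own tooling; the rule names, the regular expressions and the assumption that only hosts under gov.au count as official are illustrative, and the sample messages in the test calls are constructed.

```python
import re
from urllib.parse import urlsplit

# Assumption: a link counts as official only if its host is gov.au or a subdomain of it.
OFFICIAL_SUFFIX = "gov.au"

URL_RE = re.compile(r"https?://[^\s<>\"')]+", re.I)
ATO_RE = re.compile(r"\b(ATO|Australian Tax(ation)? Office)\b", re.I)
CARD_RE = re.compile(r"\b(credit|debit) card\b|\bcard (number|details)\b|\bCVV\b", re.I)
# A refund or debt mentioned together with a dollar figure in the same sentence.
AMOUNT_RE = re.compile(r"\b(refund|debt|owe)\b[^.]*\$\s?\d", re.I)
# A request to log in somewhere in order to upload documents.
LOGIN_RE = re.compile(
    r"\b(log ?in|sign ?in)\b.*\bupload\b|\bupload\b.*\b(log ?in|sign ?in)\b",
    re.I | re.S,
)


def is_official(host):
    """True only for gov.au itself or a real subdomain, not for look-alike hosts."""
    host = (host or "").lower().rstrip(".")
    return host == OFFICIAL_SUFFIX or host.endswith("." + OFFICIAL_SUFFIX)


def triage(channel, body, has_attachment=False):
    """Return the checklist rules broken by a message that claims to be from the ATO."""
    if not ATO_RE.search(body):
        return []  # these rules only apply to messages invoking the ATO
    flags = []
    hosts = [urlsplit(u).hostname for u in URL_RE.findall(body)]
    unofficial_link = any(not is_official(h) for h in hosts)
    if channel == "sms" and AMOUNT_RE.search(body):
        flags.append("sms-discloses-refund-or-debt")
    if CARD_RE.search(body):
        flags.append("asks-for-card-details")
    if unofficial_link:
        flags.append("link-outside-gov.au")
    if unofficial_link and LOGIN_RE.search(body):
        flags.append("third-party-login-for-upload")
    if has_attachment:
        flags.append("attachment-from-claimed-ato")
    return flags
```

An empty list means none of these rules fired, not that the message is safe; the advice to go to the official website yourself still applies.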
How to protect your employees
We’ve covered how to protect yourself from tax time scams in Australia – but how about your staff? If your staff fall prey to these scams, your business can be put at risk. That makes scam protection a key priority for businesses of all sizes.
Choose an email service such as Outlook, which includes scam protection. These security measures utilise algorithms to identify common phrases used in phishing scams, offering an added layer of protection without being overly intrusive. Additionally, if a message is flagged as suspicious, it aids in raising awareness among your staff about potential threats.
Ensure that your staff receive cyber security awareness training around this time of year. This helps them to recognise risky emails and text messages. Once they know what they’re looking at, risky behaviour is much less likely.
About PhishNet
PhishNet trains people to recognise everyday scams and cyber threats through our Cyber Security Awareness Training platform. With clear, measurable results, organisations can meet compliance requirements and proactively reduce the risk of cyber incidents. Talk to us about how awareness training can help protect your people and business.