Watch out for these tax scams
ACCOUNTANTS aren't the only ones at the top of their game at tax time.
As the end of the financial year looms on June 30, scammers are salivating at the prospect of making more bucks.
And they're dusting off and tweaking a sophisticated set of scams designed to relieve you of more than your tax refund.
It's a peak time for scammers, who bank on hitting businesses and individuals with official-looking emails and texts from financial institutions, and government agencies including the Australian Taxation Office (ATO) many of us might deal with only once a year.
And they've become more sophisticated and convincing in their methods by the day.
The best way to beat them?
"Believe nothing, open nothing," says Ashley Wearne from cyber security company Sophos.
"Whatever the format you receive them - SMS, email, whatever, never click on anything."
"Never click on a URL. Never click on a link. And if you have already, never, ever provide passwords or confirm details."
"Because contacting you or your business by SMS or email is just not the way legitimate bodies like banks, the ATO, ASIC (the Australian Securities and Investments Commission) or MyGov communicate."
Fact is, if the ATO wants to get in touch to chase a refund, or give you one, it's not going to do it via an unsolicited SMS or email.
And you can pretty much assume the same is true of ASIC, your bank, and anyone else wanting to confirm your details.
So if you do received a random communication which has anything to do with your finances, or your identity, assume it's a scam.
"Not all communications are bad, but the key is to be vigilant. The best place to check if something is safe is to log on independently from your browser and check for official communications or notices from the source's website - a trusted source," Mr Wearne said.
Scammers prey on human fallibility. Over-ride that by believing nothing.
If you receive an official-looking email or SMS, rather than click on the links provided, do your own independent search.
Go to the website independently, or phone. Usually, you'll find you've dodged a scam.
Businesses need to be extra wary at tax time, Mr Wearne said.
"Scammers target not just employees, but owners specifically, hoping the owner will think 'tax issue', and click," he said.
Scammers often target businesses by using malicious software 'Ransomware' that threatens to publish data or restrict access until a ransom is paid.
"Ransomware is where the money is. More than 50 per cent of all companies in Australia have been hit by Ransomware," Mr Wearne said.
"They'll take control and you don't get it back until you pay the ransom. And they don't just get hit once. They'll come again the day after and day after that."
Last year, according to Sophos, 45 per cent of Australian businesses were hit with Ransomware, with an average two attacks per organisation.
Here are the top five tax-time scams punters fall for:
The Australian Securities and Investments Commission scam is expected to peak again, with the ASIC's own website currently carrying a major warning about the scam, which involves an email purporting to be from ASIC about a renewal letter you need to submit or a fine you must pay.
It's got just the right hint of officialdom and business and tax-related associations to be perfect for tax time.
This mass phishing attack email includes a renewal letter hyperlink which is bogus.
More deviously, it also contains a second hyperlink, which spells out the URL.
Sophos says this is clever because to a user may take the fact that the URL is revealed as a matter of trust. In reality, it's a bogus hyperlink.
Surely the MyGov correspondence would be fine, right? Wrong.
The MyGov scam is a perfect tax time one, because at this time of year, it looks normal.
This is a perfect example of tax time, everything looks normal.
The fake email's recipients are hidden - which isn't unexpected, the domains look legitimate - except it's .net instead of .gov.au. The websites and logos are direct clones of the real thing - including on the fake My Gov. 'landing' page which looks 100 per cent legitimate.
Scammers were at it last year with phishing text messages, and emails, and expect the action to ramp up around tax time.
Around tax time, service providers will send out notifications that statements helpful to include your tax return are available.
You can see how similar the phishing email is to the genuine one. The emails are presented as legitimate commbank.com.au emails. However, the word document attached is more than likely laced with malware, or is harbouring URLS or additional call to actions that are circumventing spam filters. And don't think it's just Commonwealth Bank customers being targeted. Scams exist for whichever financial institution you have your accounts with.
The ATO has a swag of alerts on its website for scams using anything from voicemail to text to email.
With SMS scams, it's easy to "spoof" the senders name to seem like it's coming from the ATO, when in fact they're coming from a malicious source, says Sophos.
If the ATO really wants to get hold of you, it isn't going to randomly text.
Watch too for emails about tax refund reviews.
Police warned about this sophisticated scam attempting to fool subscribers handing over their credit card details earlier this year.
The email tells Netflix users their credit card details need updating - and invites you to click through to a second page that is a phishing site.
Mass phishing attacks such as the Netflix scam particularly target you as individuals: your data, your money, your credentials. Sophos says.
These attacks are largely opportunistic, taking advantage of a company's brand name to try and lure the brand's customers to spoofed sites where they are tricked into parting with credit card information, login credentials, and other personal information that will be later resold for financial gain.