Watch out for these tax scams

 

ACCOUNTANTS aren't the only ones at the top of their game at tax time.

As the end of the financial year looms on June 30, scammers are salivating at the prospect of making more bucks.

And they're dusting off and tweaking a sophisticated set of scams designed to relieve you of more than your tax refund.

It's a peak time for scammers, who bank on hitting businesses and individuals with official-looking emails and texts from financial institutions and government agencies, including the Australian Taxation Office (ATO), that many of us might deal with only once a year.

And they're becoming more sophisticated and convincing in their methods by the day.

The best way to beat them?

Absolute scepticism.

"Believe nothing, open nothing," says Ashley Wearne from cyber security company Sophos.

"Whatever the format you receive them - SMS, email, whatever, never click on anything."

"Never click on a URL. Never click on a link. And if you have already, never, ever provide passwords or confirm details."

"Because contacting you or your business by SMS or email is just not the way legitimate bodies like banks, the ATO, ASIC (the Australian Securities and Investments Commission) or MyGov communicate."

Fact is, if the ATO wants to get in touch to chase a refund, or give you one, it's not going to do it via an unsolicited SMS or email.

And you can pretty much assume the same is true of ASIC, your bank, and anyone else wanting to confirm your details.

So if you do receive a random communication which has anything to do with your finances, or your identity, assume it's a scam.

"Not all communications are bad, but the key is to be vigilant. The best place to check if something is safe is to log on independently from your browser and check for official communications or notices from the source's website - a trusted source," Mr Wearne said.

Scammers prey on human fallibility. Override that by believing nothing.

If you receive an official-looking email or SMS, rather than click on the links provided, do your own independent search.

Go to the website independently, or phone. Usually, you'll find you've dodged a scam.

Businesses need to be extra wary at tax time, Mr Wearne said.

"Scammers target not just employees, but owners specifically, hoping the owner will think 'tax issue', and click," he said.

Scammers often target businesses using ransomware, malicious software that threatens to publish data or restrict access until a ransom is paid.

"Ransomware is where the money is. More than 50 per cent of all companies in Australia have been hit by Ransomware," Mr Wearne said.

"They'll take control and you don't get it back until you pay the ransom. And they don't just get hit once. They'll come again the day after and day after that."

Last year, according to Sophos, 45 per cent of Australian businesses were hit with Ransomware, with an average of two attacks per organisation.

Here are the top five tax-time scams punters fall for:

ASIC

The Australian Securities and Investments Commission scam is expected to peak again, with ASIC's own website currently carrying a major warning about the scam, which involves an email purporting to be from ASIC about a renewal letter you need to submit or a fine you must pay.

It's got just the right hint of officialdom and business and tax-related associations to be perfect for tax time.

 

The ASIC company renewal scam. Supplied by Sophos

 

This mass phishing attack email includes a renewal letter hyperlink which is bogus.

More deviously, it also contains a second hyperlink, which spells out the URL.

Sophos says this is clever because a user may take the fact that the URL is revealed as a sign of trust. In reality, it's a bogus hyperlink.

MYGOV

Surely the MyGov correspondence would be fine, right? Wrong.

The MyGov scam is a perfect tax time one, because at this time of year, it looks normal.

This is a perfect example of tax time: everything looks normal.

The fake email's recipients are hidden, which isn't unexpected. The domains look legitimate, except it's .net instead of .gov.au. The websites and logos are direct clones of the real thing, including on the fake MyGov 'landing' page, which looks 100 per cent legitimate.

It's not.

COMMONWEALTH BANK

Scammers were at it last year with phishing text messages and emails, and you can expect the action to ramp up around tax time.

Around tax time, service providers will send out notifications that statements helpful to include in your tax return are available.

Phishing emails can be very, very convincing. And they just get more sophisticated by the day.

 

Just. Don’t. Click: An example of a Commonwealth Bank scam. Supplied by Sophos

 

You can see how similar the phishing email is to the genuine one. The emails are presented as legitimate commbank.com.au emails. However, the Word document attached is more than likely laced with malware, or is harbouring URLs or additional calls to action that circumvent spam filters. And don't think it's just Commonwealth Bank customers being targeted. Scams exist for whichever financial institution you have your accounts with.

ATO

The ATO has a swag of alerts on its website for scams using anything from voicemail to text to email.

With SMS scams, it's easy to "spoof" the sender's name so a message seems to come from the ATO when in fact it's coming from a malicious source, says Sophos.

If the ATO really wants to get hold of you, it isn't going to randomly text.

Watch too for emails about tax refund reviews.

Another fake: If the ATO wants your money, they aren’t going to text you about it. Supplied by Sophos

 

NETFLIX

Earlier this year, police warned about this sophisticated scam, which attempts to fool subscribers into handing over their credit card details.

The email tells Netflix users their credit card details need updating - and invites you to click through to a second page that is a phishing site.

Mass phishing attacks such as the Netflix scam particularly target you as individuals: your data, your money, your credentials, Sophos says.

These attacks are largely opportunistic, taking advantage of a company's brand name to try and lure the brand's customers to spoofed sites where they are tricked into parting with credit card information, login credentials, and other personal information that will be later resold for financial gain.

 

An example of the Netflix scam. Supplied by Sophos