Watch out for these tax scams


ACCOUNTANTS aren't the only ones at the top of their game at tax time.

As the end of the financial year looms on June 30, scammers are salivating at the prospect of making more bucks.

And they're dusting off and tweaking a sophisticated set of scams designed to relieve you of more than your tax refund.

It's a peak time for scammers, who bank on hitting businesses and individuals with official-looking emails and texts from financial institutions, and government agencies including the Australian Taxation Office (ATO) many of us might deal with only once a year.

And they've become more sophisticated and convincing in their methods by the day.

The best way to beat them?

Absolute scepticism.

"Believe nothing, open nothing," says Ashley Wearne from cyber security company Sophos.

"Whatever the format you receive them - SMS, email, whatever, never click on anything."

"Never click on a URL. Never click on a link. And if you have already, never, ever provide passwords or confirm details."

"Because contacting you or your business by SMS or email is just not the way legitimate bodies like banks, the ATO, ASIC (the Australian Securities and Investments Commission) or MyGov communicate."

Fact is, if the ATO wants to get in touch to chase a refund, or give you one, it's not going to do it via an unsolicited SMS or email.

And you can pretty much assume the same is true of ASIC, your bank, and anyone else wanting to confirm your details.

So if you do receive a random communication which has anything to do with your finances, or your identity, assume it's a scam.

"Not all communications are bad, but the key is to be vigilant. The best place to check if something is safe is to log on independently from your browser and check for official communications or notices from the source's website - a trusted source," Mr Wearne said.

Scammers prey on human fallibility. Over-ride that by believing nothing.

If you receive an official-looking email or SMS, rather than click on the links provided, do your own independent search.

Go to the website independently, or phone. Usually, you'll find you've dodged a scam.

Businesses need to be extra wary at tax time, Mr Wearne said.

"Scammers target not just employees, but owners specifically, hoping the owner will think 'tax issue', and click," he said.

Scammers often target businesses using malicious software known as ransomware, which threatens to publish data or restrict access until a ransom is paid.

"Ransomware is where the money is. More than 50 per cent of all companies in Australia have been hit by Ransomware," Mr Wearne said.

"They'll take control and you don't get it back until you pay the ransom. And they don't just get hit once. They'll come again the day after and day after that."

Last year, according to Sophos, 45 per cent of Australian businesses were hit with ransomware, with an average of two attacks per organisation.

Here are the top five tax-time scams punters fall for:


The Australian Securities and Investments Commission scam is expected to peak again, with the ASIC's own website currently carrying a major warning about the scam, which involves an email purporting to be from ASIC about a renewal letter you need to submit or a fine you must pay.

It's got just the right hint of officialdom and business and tax-related associations to be perfect for tax time.


The ASIC company renewal scam. Supplied by Sophos


This mass phishing attack email includes a renewal letter hyperlink which is bogus.

More deviously, it also contains a second hyperlink, which spells out the URL.

Sophos says this is clever because a user may take the fact that the URL is spelled out as a sign the link can be trusted. In reality, it's a bogus hyperlink: the text shows one address while the link itself points somewhere else.


Surely the MyGov correspondence would be fine, right? Wrong.

The MyGov scam is a perfect tax time one, because at this time of year, it looks normal.


It's a perfect example for tax time: everything looks normal.

The fake email's recipients are hidden - which isn't unexpected - and the domains look legitimate, except it's .net instead of The websites and logos are direct clones of the real thing - including the fake MyGov 'landing' page, which looks 100 per cent legitimate.

It's not.


Scammers were at it last year with phishing text messages, and emails, and expect the action to ramp up around tax time.

Around tax time, service providers will send out notifications that statements useful for your tax return are available.

Phishing emails can be very, very convincing. And they just get more sophisticated by the day.


Just. Don't. Click: An example of a Commonwealth Bank scam. Supplied by Sophos


You can see how similar the phishing email is to the genuine one. The emails are presented as legitimate emails. However, the attached Word document is more than likely laced with malware, or is harbouring URLs or additional calls to action that circumvent spam filters. And don't think it's just Commonwealth Bank customers being targeted. Scams exist for whichever financial institution you have your accounts with.


The ATO has a swag of alerts on its website for scams using anything from voicemail to text to email.

With SMS scams, it's easy to "spoof" the sender's name so a message seems to come from the ATO when in fact it comes from a malicious source, says Sophos.

If the ATO really wants to get hold of you, it isn't going to randomly text.

Watch too for emails about tax refund reviews.

Another fake: If the ATO wants your money, they aren't going to text you about it. Supplied by Sophos



Police warned about this sophisticated scam, which attempts to fool subscribers into handing over their credit card details, earlier this year.

The email tells Netflix users their credit card details need updating - and invites you to click through to a second page that is a phishing site.

Mass phishing attacks such as the Netflix scam particularly target you as an individual: your data, your money, your credentials, Sophos says.

These attacks are largely opportunistic, taking advantage of a company's brand name to try and lure the brand's customers to spoofed sites where they are tricked into parting with credit card information, login credentials, and other personal information that will be later resold for financial gain.


An example of the Netflix scam. Supplied by Sophos