As we enter tax season, authorities are already warning Australians are to be on high alert for tax scams. Cybercriminals are amping up their scam activity, with a predicted 400% increase of scams during EOFY.
Alarmingly, this year has seen a rise in impersonation scams targeting individuals during tax time, a period when people are more likely to engage with financial and government agencies and with official communication from the Australian Tax Office (ATO). Scammers exploit this heightened activity by posing as ATO representatives, sending fraudulent emails and texts or making phone calls to steal personal information and money from hard-working Australians.
Small and medium businesses are especially at risk because AI-powered scams are becoming more sophisticated and convincing, making it harder to identify a scam attempt. This highlights the importance of staying alert this tax season. This article outlines the top four scams to be aware of this financial year (FY23/24) and provides tips on how to avoid falling victim to them.
Impersonation Scams On The Rise
myGov Email Impersonation Scams
There has been a surge in phishing scams targeting myGov accounts. Scammers create convincing fake ATO emails containing links that direct people to fake myGov sign-in pages designed to steal their username and password. This tactic is proving highly effective, with ATO-branded emails being the most commonly reported scam in February 2024. Over the past six months, a staggering 75% of all email scams reported to the ATO involved a fake myGov login link. This highlights just how widespread and sophisticated these phishing attempts have become. The ultimate goal of these scams is to steal your myGov credentials. The following images are examples of the format this scam can take.
Scammers are also exploiting other digital channels such as SMS messaging to get individuals to click on fake myGov sign in pages designed to steal their username and password. Scammers use different phrases to trick people into opening these links. Some examples are:
- ‘You are due to receive an ATO Direct refund’
- ‘You have a new message in your myGov inbox – click here to view’
- ‘You need to update your details to allow your Tax return to be processed’
- ‘We need to verify your incoming tax deposit’
- ‘ATO Refund failed due to incorrect BSB/Account number’
- ‘Your income statement is ready, click on the link to view’
ATO Social Media Impersonation Account Scams
This scam is popular on social media (Facebook, Twitter, Instagram, TikTok etc.). These scams impersonate both the ATO itself and ATO employees. The intent is to get you to interact with the pages, send messages and ask questions, with the end goal of tricking you into sharing personal information such as email addresses, phone numbers and bank account details.
The ATO does have an official presence on Facebook, Twitter and LinkedIn, all of which carry the blue verification tick. You can see in the two screenshots below that there is no blue verification tick, and the follower counts are very low.
The two images above are from the ATO website.
How to spot a fake
- The ATO prioritises secure communication. They’ll never send email or social media links directing you to log in to myGov or other online services. Treat any such requests as scams.
- The ATO’s official accounts are on Facebook, Twitter and LinkedIn. However, they’ll never initiate contact through these channels. They also have no presence on Instagram, so any ATO message there is guaranteed to be a phish.
- Be wary of suspicious ATO accounts. Legitimate profiles typically boast tens of thousands of followers and have been active for years. Steer clear of any new or low-follower accounts claiming to be the ATO.
- The ATO won’t send you an SMS or email with a link to log on to online services. They should be accessed directly by typing ato.gov.au or my.gov.au into your browser.
- While the ATO may use SMS or email to ask you to contact them, they will never ask you to return personal information through these channels.
By keeping these tips in mind, you can easily identify and avoid fake ATO social media scams. Remember, if you’re unsure, it’s always safer to contact the ATO directly through verified channels.
Multifactor Authentication (MFA) Phishing Scams
This scam preys on the growing adoption of MFA. Scammers send emails claiming the ATO requires an “MFA update” for your account.
The images below are examples of what the scam may look like.
How to spot a fake
- The ATO will never ask you to update MFA via email, especially with a QR code, or a link to log in to online services. These codes typically lead to fake myGov login pages designed to steal your credentials.
- If you receive an email like this, do not scan the QR code, click on links, open attachments or download files. Forward the email to reportscams@ato.gov.au, and then delete it.
Tax Refund SMS Scams
This scam increased in popularity in 2023 and is a continued concern for 2024. This is a smishing scam (malicious/fake SMS) designed to get you to click on the link. You are then taken to a fake website (that looks real) with a form for you to complete so you can get your money. Once again, scammers are looking for your personal information.
How to spot a fake
- The real ATO will never send an SMS with a link on it.
The image above is from the ATO website.
Tax Lodgement Email Scam
You guessed it: this email scam shares fake information about your tax return lodgment date together with a fake receipt number. The message is very manipulative, telling you not to call and suggesting instead that you check the attachment to ensure all your information is correct.
If you do click on the attachment, you are taken to another screen that looks like an official Microsoft sign-in (IT IS FAKE). The intent of this scam is to collect your login details and password. With access to your Microsoft account, cybercriminals may be able to reach your personal device and everything on it. Plus, if you happen to reuse your passwords, there is a high chance that cybercriminals will use these details to attempt to access other applications.
How to spot a fake
- The real ATO will never send you an email with a link on it or an attachment to open.
The two images above are from the ATO website.
Stay Vigilant And Aware
Remember that scammers, also known as cybercriminals, refer back to their playbook throughout the year and re-use or update scams, especially if they were successful (most of them are). The challenge for you is to be aware of them all and remain vigilant. So remember:
For all incoming communication from the ATO
- If you receive an email, SMS, or phone call that says it is from the ATO, STOP and take a breath.
- If it includes a link – IT IS A SCAM. Do not engage and report it.
- If it includes an attachment (usually in an email) – IT IS A SCAM. Do not engage and report it.
Remember
- The real ATO will never send you any links to click on.
- If the real ATO does contact you, they will only ever ask you to contact them directly via their official sites, such as https://www.ato.gov.au or https://my.gov.au/, to log into your account.
- Call the ATO on 1800 008 540 if you are unsure or want to clarify something.
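The rules above can be applied mechanically to an incoming message. The following triage helper is an added example, not the page's or the ATO's own tooling: it treats any ATO- or myGov-branded message that carries a link or attachment as a scam, checks whether a link's host is really ato.gov.au or my.gov.au, and matches the lure phrases quoted earlier on this page. The sample messages and the `.example` domains are constructed for illustration.

```python
import re
from urllib.parse import urlparse

# Official hosts named on the page; anything else (including look-alikes) is unofficial.
OFFICIAL_HOSTS = ("ato.gov.au", "my.gov.au")

# Lure wording taken from the SMS/email examples listed on the page (lower-cased fragments).
LURE_PHRASES = (
    "ato direct refund",
    "new message in your mygov inbox",
    "update your details",
    "verify your incoming tax deposit",
    "refund failed",
    "income statement is ready",
    "mfa update",
)

URL_RE = re.compile(r"(?:https?://|www\.)[^\s'\"<>]+", re.IGNORECASE)
ATO_RE = re.compile(r"\b(ato|mygov|tax office|tax return|tax refund)\b", re.IGNORECASE)


def is_official_host(url: str) -> bool:
    """True only if the link host is an official domain or a subdomain of one."""
    if not url.lower().startswith(("http://", "https://")):
        url = "https://" + url  # bare 'www.' links still need a scheme for urlparse
    host = (urlparse(url).hostname or "").lower().rstrip(".")
    # 'ato.gov.au.verify.example' ends with 'ato.gov.au' but NOT with '.ato.gov.au'
    return any(host == d or host.endswith("." + d) for d in OFFICIAL_HOSTS)


def triage_message(text: str, has_attachment: bool = False) -> dict:
    """Apply the page's rules to one message and return every reason it is flagged."""
    reasons = []
    claims_ato = bool(ATO_RE.search(text))
    urls = URL_RE.findall(text)
    if claims_ato and urls:
        reasons.append("ATO/myGov-branded message contains a link (the ATO never sends links)")
    for url in urls:
        if not is_official_host(url):
            reasons.append(f"link host is not ato.gov.au or my.gov.au: {url}")
    if claims_ato and has_attachment:
        reasons.append("ATO-branded message carries an attachment")
    for phrase in LURE_PHRASES:
        if phrase in text.lower():
            reasons.append(f"known lure wording: '{phrase}'")
    return {"scam": bool(reasons), "reasons": reasons}


if __name__ == "__main__":
    # Constructed sample, modelled on the first lure phrase on the page.
    print(triage_message("You are due to receive an ATO Direct refund: https://ato-refund.example/claim"))
```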
Advice for Business Owners
- Communicate to your people, outlining precisely what to expect from your HR or Payroll Department at tax time.
- Provide precise details as to what they will receive and warn them that there is a very high chance cybercriminals will be targeting them at tax time.
- Step your people through relevant, engaging, and ongoing security awareness training and allow them to test their knowledge with simulated phishing and other social engineering tests.
- Share the tips below with your employees, customers, vendors and suppliers, as cybersecurity is everyone’s responsibility.
Advice for Employees (and everyone else)
- Ask your HR Department or Payroll when and how you will receive your Group Certificate.
- Only deal with the ATO or myGov via the official channels https://my.gov.au/ or https://www.ato.gov.au.
- The real ATO will never send links in emails or SMS.
- The real ATO will never request personal details like bank account details via email, SMS or voice mail.
- The real ATO will never ask you to pay for anything with gift cards, credit cards or cryptocurrency (like Bitcoin).
Advice for Tax Professionals
Cybercriminals are actively looking to gain unlawful access to your client data as it is of great value to them. Take a moment to consider all the personal and sometimes business information you hold for each of your clients and the potential repercussions if you suffered a data breach.
They will even pose as a client, sending you an email with a malicious attachment in the hope that you open it and grant them access to your system. Once inside, they can access your entire inbox and your clients’ data. You need to be on the lookout for all suspicious emails and be vigilant at tax time.
Is that all? Sadly no, there are more tax time and ATO-related scams to be found here: https://www.ato.gov.au/General/Online-services/Identity-security-and-scams/
If (or more likely when) you receive an ATO or MyGov related scam, take a screenshot and send it to this email ReportScams@ato.gov.au. Feel free to share these hints and tips far and wide with everyone in your world who will be required to lodge a tax return, to help safeguard against scams this tax season.
Keep up to date with our stories on LinkedIn, Twitter, Facebook and Instagram.