EOFY and Tax Time Scams

What are they and how do I defend against them?
Sarah Morrison
June 29, 2023

I imagine most of the people who read this article as a link from LinkedIn would be cyber professionals, so the information provided in this article will not be anything new. That’s ok. The article was not meant directly for you! It was meant as a resource for your relatives, friends, and colleagues to help empower them against threat actors. After all, knowledge is power, and as I always say, the only way we will stop being victims of cybercrime is to bring cybercrime into our everyday conversation.

Seasonal phishing emails

Here is a little bit of trivia for you. Before COVID, phishing emails surged around Christmas and tax time. Christmas, because people’s online purchases increased, and tax time because most people do their taxes. Since COVID, everyone has moved online, so the surge we saw pre-COVID is now our everyday life. Every day is a seasonal phishing day! I would imagine around Christmas, the type of phishing emails we will receive will predominantly revert to emails around parcel deliveries and fictitious purchases, the same way I believe we will see a surge in phishing emails around tax time. It is not rocket science, nor am I Nostradamus. Threat actors are quick to jump in on a theme. When Elon Musk took over as CEO of Twitter and spoke about possibly bringing in a $20 fee for verified users, threat actors quickly sent emails to verified users to scam them out of their money and login details.

Screenshot of a Twitter scam in which threat actors try to trick a verified user into paying a fee to keep their status

In May 2023, the threat was closer to home when phishing emails and text messages appeared directly after the 2023 Australian Federal Budget announcement.

Screenshot of a myGov scam SMS trying to trick a user by saying they will receive $750

This should not surprise us, as threat actors are unscrupulous. Their job is to devise new and inventive ways to scam money, data and personal information from unwary people. And it is only getting worse.

Tax-time scams

Below are a few examples of previous tax time scams. These examples only skim the surface of the scams that are circulating. It is estimated that 3.4 billion phishing emails are sent out daily, so it would be impossible to provide an example of all the scams currently out there. Threat actors are busy bees!

I have also provided some pointers on how to identify these scams as fraudulent. However, there are not always tell-tale signs that an email, text message or phone call is a scam. The best advice I can give you is: do not trust any text, email, phone call or voice message you receive. Instead, contact the institution directly with a known phone number or email address. Do not use the phone number or email address in your received message.

Four tax time scam examples

Example One – ATO refund notification email

Fake ATO tax refund email tricking a victim into clicking a link - screenshot

Example Two – ATO rebate SMS

Screenshot of an ATO tax time scam rebate SMS

Remember, it is a threat actor’s full-time job to try and trick you, and they will do so using various methods, including using your details against you to appear more legitimate.

Example Three – ATO tax refund email

Screenshot of an Australian Taxation Office scam email using the victim's tax file number to legitimise it

Or they may spoof a phone number or email address of the company or agency they are pretending to be.

Example Four – ATO tax refund SMS

Screenshot of an ATO tax time scam SMS offering a refund of $2675 if the recipient logs in via a malicious link

Stepping away from the cyber realm, it is essential to acknowledge that phishing scams can also occur via the telephone. Scammers may call you, claiming to be from the government, to trick you into giving away personal information or paying a fraudulent bill. The same rules apply. Do not give away anything over the phone, and do not pay anything. Assume the person on the other end of the phone is a threat actor. Do not engage in conversation. Hang up and call the government department back on a known number. Threat actors are tricky; once they have engaged you in a conversation, they will not let you go. They will keep you talking so you do not have time to think. HANG UP!!!!!!!!!!!!! It is better to be rude than be taken in by a threat actor. Threat actors are counting on you being polite to take advantage of you.

But threat actors are from places like Russia and China, aren’t they?

Most people believe threat actors are from foreign countries, so we feel safe when someone calls with an Australian or English accent. News flash, we have crime syndicates here in Australia, and currently, there is a very active crime syndicate working out of the UK that is targeting Australians. We expect a threat actor to have a foreign voice. We feel safe when we hear a familiar Aussie or English accent. Well, you are not safe! Treat any unsolicited call the same, with scepticism. Hang up and call them back.

It is the end of the world as we know it! And I feel… um…

I know this article seems very doomy and gloomy, and honestly, it will only get worse. People turn to crime during financial hardships, like the kind of financial hardship the global economy is experiencing. It is much easier to trick someone out of their cash via a telephone call, text message or email than to hold up a service station or mug someone on the street; a lot less risk and a greater reward. We can expect that, as the economy worsens, cybercrime will increase.

Time to be empowered! Go go power… cyberawareness…

On that happy note, here are some key takeaways to help you empower yourself to fight against the insidious criminals who are stealing our money and causing so much pain and suffering to our family and friends:

  1. The ATO will never call you demanding money, will never send you a text message or email asking you to click on a link, and will not send unsolicited files for you to download.
  2. If you do receive a link in an email, do not click on it. Always use a known URL or pick up the phone if you are concerned.
  3. Any email, text or phone call that causes the slightest bit of panic is most likely a phishing attempt.
  4. If someone calls you asking to give away personal information or pay a bill over the phone, hang up and call back on a number that is known to you, or search for the number online.
  5. Do not trust the person on the other end of the phone to provide you with a number or email address to call or contact them back with. Go searching for it yourself.
  6. Threat actors can harvest your personal information from breaches or online databases, including your full name, Australian business number or tax file number. Knowing this does not legitimise the correspondence.
  7. Do not download documents from unsolicited emails, no matter how legitimate they look.
  8. Do not be afraid to hang up on someone who calls you from the tax office, government department or financial institution. It is better to be rude than be a victim of crime.

Sarah Morrison

Sarah is the Co-CEO of Morrisec. With over 20 years in cybersecurity and a PhD in Russian information operations, Sarah has a deep understanding of threat actors and their tactics and motivations, making her highly equipped to assist organisations in their defence against them.