ACSC warns businesses of tax-time email hacking campaigns

The Australian Cyber Security Centre (ACSC) is urging businesses to strengthen their email security practices to protect their private information and that of their customers in the lead-up to tax time.

29 June 2022

As tax time approaches, the ACSC is encouraging individuals, businesses and organisations to be alert to, and aware of, business email compromise (BEC) threats.

BEC occurs when cybercriminals gain access to an email account, or impersonate an employee or a company email address, in order to steal sensitive or financial information or to commit fraud and obtain money or data.

To stay safe online at tax time, the ACSC suggests simple, preventative and protective measures that are cost-effective and immediately beneficial.

“Protective measures can help by preventing your email accounts from being compromised and making it harder for a cybercriminal to impersonate you,” the ACSC said.

The ACSC said enabling multi-factor authentication is the first step in defending email accounts and materially increases their security.

“Multi-factor authentication means there are two checks in place to prove your identity before you can access your account,” the ACSC said.

“For example, you may need to supply an authentication code from an app as well as your password. Remember to use a strong passphrase for your email account if you cannot use multi-factor authentication.”

Businesses also need to safeguard their domain names. If a domain name expires, it becomes available for anyone to purchase: a criminal could buy the business's former domain, set up email addresses on it and contact its customers while impersonating the business, the ACSC warns.

“Your customers or contacts may recognise your domain name and believe you are still operating that email address, when in fact, they are really corresponding with a cybercriminal,” the ACSC said.

“A common fraud method cybercriminals use is to register a domain name which looks very similar to your business name. At a glance, email addresses made through fraudulent domain names may look similar enough to your own that your contacts may not realise they are not emailing the real you.


“Remember to renew your domain names, even if you don't use these anymore. This will stop your digital identity from falling into the wrong hands. Find out when your domain names expire and set a reminder in your calendar to renew them ahead of their expiry.”
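The lookalike-domain fraud described above can be caught at the mail gateway or in a triage script before a staff member has to spot it by eye. The following is an added example, not ACSC material or a vendor product: it normalises an inbound sender's domain (decoding punycode, folding a small set of confusable characters such as Cyrillic letters, "rn" for "m" and "1" for "l") and flags domains within one edit, one adjacent-character swap, or one suffix change of the business's own domain. It also flags a foreign address whose display name claims to be one of the business's own. The business domain `example.com.au`, the confusables table and the tiny public-suffix stand-in are assumptions for the example; a real deployment would use the full public suffix list and a fuller confusables table.

```python
import re
import unicodedata

# Assumed business domain for this example (documentation name, not a real business).
BUSINESS_DOMAIN = "example.com.au"

# Stand-in for the public suffix list, so "example" is the registrable label of example.com.au.
PUBLIC_SUFFIXES = {"com.au", "net.au", "org.au", "co.uk"}

# Characters an attacker swaps in because they look alike at a glance: a few Cyrillic
# letters plus common ASCII tricks. Multi-character entries must come first. (Assumed table.)
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("|", "l"),
               ("\u0430", "a"), ("\u0435", "e"), ("\u043e", "o"), ("\u0440", "p"), ("\u0441", "c")]

# Splits "Display Name <addr>" or a bare address; deliberately simple, no RFC 5322 parsing.
ADDR_RE = re.compile(r'^\s*(?P<display>.*?)\s*<(?P<addr>[^<>]+)>\s*$')


def split_from(header_from):
    m = ADDR_RE.match(header_from)
    if m:
        return m.group("display").strip('" '), m.group("addr").strip()
    return "", header_from.strip()


def normalize_domain(domain):
    """Lower-case, decode punycode (xn--) labels, NFKC-normalise, then fold confusables."""
    d = domain.lower().rstrip(".")
    try:
        d = d.encode("ascii").decode("idna")  # xn--... -> Unicode; no-op for plain ASCII
    except UnicodeError:
        pass  # already Unicode (or not valid IDNA): leave it as is
    d = unicodedata.normalize("NFKC", d)
    for lookalike, canonical in CONFUSABLES:
        d = d.replace(lookalike, canonical)
    return d


def registrable_label(domain):
    """The label a person actually reads: 'example' in example.com.au or example.com."""
    labels = domain.split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in PUBLIC_SUFFIXES:
        return labels[-3]
    return labels[-2] if len(labels) >= 2 else labels[0]


def osa_distance(a, b):
    """Optimal string alignment distance: insert, delete, substitute or swap adjacent characters."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition
    return d[len(a)][len(b)]


def classify_sender(header_from, business=BUSINESS_DOMAIN):
    """Classify a From: header as internal, lookalike, display-name-spoof or external."""
    display, address = split_from(header_from)
    if "@" not in address:
        return "external"
    raw_domain = address.rsplit("@", 1)[1].lower().rstrip(".")
    if raw_domain == business:
        return "internal"
    # A foreign address whose display name pretends to be one of ours.
    if "@" + business in display.lower():
        return "display-name-spoof"
    norm = normalize_domain(raw_domain)
    if norm == business or osa_distance(norm, business) <= 1:
        return "lookalike"
    # Same (or nearly same) registrable label under a different suffix: example.com, example.net.au
    if osa_distance(registrable_label(norm), registrable_label(business)) <= 1:
        return "lookalike"
    return "external"
```

Run `classify_sender("accounts@exarnple.com.au")` and it returns `lookalike`, as do `examp1e.com.au`, `exampel.com.au`, a Cyrillic-e `еxample.com.au` and `example.com`; `accounts@example.com.au <bob@gmail.com>` returns `display-name-spoof`. The one-edit threshold suits a seven-letter label; a business with a very short name should tighten it, or this check will flag unrelated domains.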

If a business uses its own domain for email, setting up email authentication protocols on that domain helps prevent email spoofing attacks, according to the ACSC.

“Email spoofing occurs when someone forges the ‘From:’ field of an email to say that it was sent from an email address other than their own,” the ACSC said.

“If someone tries to spoof your email address, setting up email authentication protocols will identify that those emails are not legitimate.

“These protocols help prevent spoofed emails from making it to their destination – these will normally go either to the recipient’s spam folder or won’t be delivered at all.

“Have a discussion with your service provider about adding Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), and Domain-based Message Authentication, Reporting and Conformance (DMARC) records to your domain name. If your DNS hosting is with a separate provider, you will need to contact them also.”
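What those three records actually do for a receiving mail server is easier to see in code than in prose. The following is an added example, not ACSC guidance or any provider's software: it evaluates a constructed SPF record against the IP address a message arrived from, then applies the constructed DMARC policy, including the `sp=` tag that covers subdomains and the alignment rule that makes an SPF pass for an unrelated domain worthless. The zone records, the documentation IP ranges and the tiny public-suffix stand-in are assumptions, and DNS is replaced by an in-memory dictionary so it runs offline. DKIM signature verification is not implemented; its result is passed in, because DMARC only needs the verdict and the signing domain.

```python
import ipaddress

# Constructed sample zone: the TXT records a business might publish. Names and
# addresses are assumptions for this example (documentation ranges), not real records.
ZONE_TXT = {
    "example.com.au": "v=spf1 ip4:203.0.113.0/24 ip6:2001:db8:1::/48 include:_spf.mailhost.example -all",
    "_spf.mailhost.example": "v=spf1 ip4:198.51.100.10 -all",
    "_dmarc.example.com.au": "v=DMARC1; p=reject; sp=quarantine; rua=mailto:dmarc@example.com.au",
}
# Stand-in for the public suffix list so org_domain() treats example.com.au as one organisation.
PUBLIC_SUFFIXES = {"com.au", "net.au", "org.au", "co.uk"}
QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup_txt(name):
    """Offline replacement for a DNS TXT query against the constructed zone."""
    return ZONE_TXT.get(name.lower().rstrip("."))


def org_domain(name):
    labels = name.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in PUBLIC_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def spf_check(domain, sender_ip, depth=0):
    """Evaluate domain's SPF record for the connecting IP. Handles ip4, ip6, include
    and all (enough for most small-business records); a/mx/exists/redirect are skipped."""
    if depth > 10:  # RFC 7208 limits DNS-querying terms; treat runaway includes as an error
        return "permerror"
    record = lookup_txt(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        if mech in ("ip4", "ip6"):
            try:
                matched = ip in ipaddress.ip_network(arg, strict=False)  # False across IP versions
            except ValueError:
                return "permerror"
        elif mech == "include":
            matched = spf_check(arg, sender_ip, depth + 1) == "pass"
        elif mech == "all":
            matched = True
        else:
            continue
        if matched:
            return QUALIFIER_RESULT[qualifier]
    return "neutral"  # nothing matched and no 'all' term


def parse_dmarc(record):
    """Turn 'v=DMARC1; p=reject; ...' into a tag dictionary, or None if it is not a DMARC record."""
    if record is None or not record.startswith("v=DMARC1"):
        return None
    tags = {}
    for part in record.split(";"):
        key, _, value = part.strip().partition("=")
        if key:
            tags[key.strip()] = value.strip()
    return tags


def dmarc_policy_for(from_domain):
    """Policy discovery as in RFC 7489: the From: domain's own record first, otherwise the
    organisational domain's record, whose sp= (if set) governs subdomains."""
    tags = parse_dmarc(lookup_txt("_dmarc." + from_domain))
    if tags is not None:
        return tags.get("p", "none")
    org = org_domain(from_domain)
    if org == from_domain.lower().rstrip("."):
        return None
    tags = parse_dmarc(lookup_txt("_dmarc." + org))
    return None if tags is None else tags.get("sp", tags.get("p", "none"))


def dmarc_disposition(from_domain, spf_result, spf_domain, dkim_result, dkim_domain):
    """Apply DMARC: pass only if SPF or DKIM passed *and* that identifier aligns (relaxed
    mode: same organisational domain) with the From: header. Otherwise the policy applies."""
    policy = dmarc_policy_for(from_domain)
    if policy is None:
        return "none"  # no DMARC record: receivers have nothing to enforce

    def aligned(d):
        return d is not None and org_domain(d) == org_domain(from_domain)

    if (spf_result == "pass" and aligned(spf_domain)) or (dkim_result == "pass" and aligned(dkim_domain)):
        return "pass"
    return policy
```

A forged message with `From: example.com.au` delivered from `192.0.2.77` gets `spf_check` = `fail` and `dmarc_disposition` = `reject`; the same header sent from the listed mail host over IPv6 (`2001:db8:1:2::3`) passes. An SPF pass for `attacker.example` does not rescue a message claiming to be from `example.com.au`, and a message from the subdomain `mail.example.com.au`, which has no record of its own, inherits `sp=quarantine`. Start with `p=none` and read the `rua` reports before moving to `quarantine` or `reject`, otherwise legitimate mail from a forgotten third-party sender will be dropped.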

Beyond these technical controls, the ACSC said businesses can introduce policies and procedures that address BEC risks and help keep the business safe.

Businesses can consider introducing an approval process for any request to change payment details or make a large transfer, and verifying such requests by calling the sender on a phone number already on record, not one supplied in the email.

Businesses can also give staff clear guidance on verifying account details and on thinking critically before acting on unusual requests, and establish a process for reporting warning signs such as threatening demands for immediate action, pressure for secrecy, or requests to bypass normal business processes.

The ACSC said the best defence against email scams was training and awareness for employees, including how to identify scams or phishing attempts.

“Ensure your staff knows to always be cautious of emails with requests for money, especially if urgent or overdue, bank account changes and attachments, especially from unknown or suspicious email addresses,” the ACSC said.

“You can also incorporate, update and regularly repeat cyber security training and awareness among your employees to protect your business from cybercriminals and remain vigilant and informed.

“While it is one thing to have built up your defences to protect your information, it is best to remain on the lookout for evolving cyber threats and trends which could impact you at any time.”
