At tax time, scammers trick people into providing personal and financial information, using sophisticated methods to steal myGov login details and access tax refunds, all before victims even detect a problem. This year, the risk is heightened due to confusion over the global pandemic, and scammers are taking advantage of this by latching onto the government’s JobKeeper wage subsidy and early superannuation access scheme.
Scammers are constantly developing new ways to steal from the community and often capitalise on the most vulnerable. Australians must be hypervigilant to safeguard their online activity during this time, but luckily, there are several solutions and government resources available to help consumers combat these threats.
As the saying goes, “If it looks too good to be true, it probably is.” Phishing scams work by grabbing consumers’ attention with lucrative offers, eye-catching statements or urgent requests for action that lull users into a false sense of trust.
In fact, a recent study shows that “Password Check Required Immediately” and “Change of Password Required Immediately” are among the top three general email subject lines shown to be used in successful phishing attacks. These schemes grow even more diabolical at tax time.
Most phishing attacks, especially during tax time, are financially motivated. The primary goal is to receive funds from the victim directly, or to collect enough sensitive data such as login credentials or tax file numbers to commit identity theft and lodge a fraudulent claim.
Worst of all, victims of tax identity theft are often unaware of the fraud until they go to lodge the tax return themselves, and receive a response that someone already submitted a tax form using the same social security number and received their refund.
Taxpayers should familiarise themselves with suspicious email formats and delete messages that feature an unfamiliar email sender, irregular grammar or improper use of ATO terms. Users should be wary of clicking hyperlinks or opening attachments, especially in cases where an email looks questionable. Additionally, they should always keep their operating system and applications updated to the latest versions and update antivirus and security software.
Another easy way to keep track of these issues is by using a trusted email service that flags questionable emails; for example, Gmail displays an alert at the top of an email if the communication or sender appears untrusted. It is important to note that these services are not completely foolproof, although they offer more protection than nothing at all, as it is a constant cat-and-mouse game between the filters and the attackers.
The ATO asks all Australians to take preventative measures by using two-factor authentication (2FA), which makes myGov accounts more secure by having users opt to receive a security code via SMS. Additionally, businesses must now use the myGovID mobile authenticator to access the ATO Business Portal to submit their activity statements and JobKeeper information.
This two-factor authentication process adds another layer of protection to prevent unauthorised parties from accessing an account.
External hardware authentication devices, called security keys, are the most secure form of 2FA, acting as a physical key to protect online accounts. While a password is something a user knows, the security key is something the user has, and without it the account cannot be accessed, successfully combating hackers.
To keep up with the ever-evolving threats, the Australian Cyber Security Centre and the Australian Signals Directorate have recommended that Australian organisations implement eight essential attack mitigation strategies as a baseline. The eight mitigation strategies are designed to minimise the potential impact of cyber-security incidents.
The best way for people to protect their information is by filing their taxes early, reducing the window of opportunity for hackers to submit a false return in its place.
Anyone who receives an ATO notification of a duplicate tax return should respond immediately. Additionally, it is important to contact the ATO if there is any suspicion that someone else has lodged a false return in their name. If this turns out to be true, they should report it to the police and the ACCC’s Scamwatch immediately.
The ATO also provides advice and information on how to spot a phishing scam and how to check whether a communication from the ATO is genuine. The ATO emphasises that it will never provide a hyperlink in an SMS or an email for the user to click.
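The two indicators mentioned above (the urgent password subject lines, and the ATO's statement that it never sends a hyperlink by email) can be turned into a simple mail triage check. This is an added example, not code from the article or the ATO; the function names, the brand-term list and the sample messages (all on `example.invalid`) are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Subject lines the article cites as common in successful phishing attacks.
URGENT_SUBJECTS = ("password check required immediately",
                   "change of password required immediately")
LINK_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)
# Assumption: terms that signal a message presents itself as ATO/myGov mail.
BRAND_RE = re.compile(r"\b(ato|australian taxation office|mygov)\b", re.IGNORECASE)

# Constructed sample messages (not real mail).
SAMPLE_BRANDED = ('From: "ATO Refunds" <notice@example.invalid>\n'
                  "Subject: Your tax refund is ready\n\n"
                  "Claim it at http://refund.example.invalid/claim today.\n")
SAMPLE_URGENT = ("From: IT Support <it@example.invalid>\n"
                 "Subject: Password Check Required Immediately\n\n"
                 "Reply with your current password.\n")
SAMPLE_CLEAN = ('From: "ATO" <info@example.invalid>\n'
                "Subject: Your notice of assessment is available\n\n"
                "Sign in to myGov by typing the address yourself.\n")

def body_text(msg):
    """Concatenate every text/* part (plain and HTML) of the message."""
    chunks = []
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            payload = part.get_payload(decode=True) or b""
            charset = part.get_content_charset() or "utf-8"
            chunks.append(payload.decode(charset, "replace"))
    return "\n".join(chunks)

def triage(raw):
    """Return the list of reasons a raw RFC 5322 message looks like phishing."""
    msg = message_from_string(raw)
    subject = msg.get("Subject", "")
    display, _addr = parseaddr(msg.get("From", ""))
    links = LINK_RE.findall(body_text(msg))
    reasons = []
    if any(phrase in subject.lower() for phrase in URGENT_SUBJECTS):
        reasons.append("urgent-password-subject")
    # The ATO says it never sends a hyperlink, so ATO branding plus a link is a flag.
    if links and (BRAND_RE.search(display) or BRAND_RE.search(subject)):
        reasons.append("ato-branded-with-hyperlink")
    return reasons

if __name__ == "__main__":
    for sample in (SAMPLE_BRANDED, SAMPLE_URGENT, SAMPLE_CLEAN):
        print(triage(sample))
```

An empty result does not mean a message is genuine; it only means neither of these two indicators fired.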
Ultimately, individuals are empowered to play an active role in stopping phone and email phishing scams during tax time. Learning to recognise illegitimate emails and text messages, implementing personal solutions and taking advantage of government resources will help ensure a safe and successful end to what has been a challenging financial year.
Geoff Schomburgk, vice-president for Australia & New Zealand at Yubico