As we enter tax season, authorities are already warning Australians to be on high alert for tax scams. Cybercriminals are amping up their scam activity, with a predicted 400% increase of scams during EOFY.
Alarmingly, this year has seen a rise in impersonation scams targeting individuals during tax time, a period when people are more likely to engage with financial and government agencies and official communication from the Australian Tax Office (ATO). Scammers exploit this heightened activity by posing as ATO representatives, sending fraudulent emails and texts, or making phone calls to steal personal information and money from hard-working Australians.
Small and medium businesses are especially at risk because AI-powered scams are becoming more sophisticated and convincing, making it harder to identify a scam attempt. This highlights the importance of staying alert this tax season. This article outlines the top four scams to be aware of this financial year (FY23/24) and provides tips on how to avoid falling victim to them.
Impersonation Scams On The Rise
1. myGov Email Impersonation Scams
There has been a surge in phishing scams targeting myGov accounts, with scammers creating fake ATO emails containing links that direct people to fake myGov sign-in pages designed to steal their username and password. This tactic is proving highly effective, with ATO-branded emails being the most commonly reported scam in February 2024. Over the past six months, a staggering 75% of all email scams reported to the ATO involved a fake myGov login link. This highlights just how widespread and sophisticated these phishing attempts have become. The ultimate goal of these scams is to steal your myGov credentials. The following images are examples of the format this scam can take.
Scammers are also exploiting other digital channels such as SMS messaging to get individuals to click on fake myGov sign in pages designed to steal their username and password. Scammers use different phrases to trick people into opening these links. Some examples are:
- ‘You are due to receive an ATO Direct refund’
- ‘You have a new message in your myGov inbox – click here to view’
- ‘You need to update your details to allow your Tax return to be processed’
- ‘We need to verify your incoming tax deposit’
- ‘ATO Refund failed due to incorrect BSB/Account number’
- ‘Your income statement is ready, click on the link to view’
ATO Social Media Impersonation Accounts Scams
This scam is popular on social media (Facebook, Twitter, Instagram, TikTok etc.). These scams impersonate both the ATO itself and ATO employees. The intent is to get you to interact with the pages, send messages, and ask questions, with the end goal of tricking you into sharing personal information such as email addresses, phone numbers and bank account details.
The ATO does have an official presence on Facebook, Twitter and LinkedIn, all of which hold the blue tick of authentication. You can see in the two screenshots below that there is no blue tick for authentication, and the follower counts are very low.
How to spot a fake
- The ATO prioritises secure communication. They’ll never send email or social media links directing you to log in to myGov or other online services. Treat any such requests as scams.
- The ATO’s official accounts are on Facebook, Twitter and LinkedIn. However, they’ll never initiate contact through these channels. They also have no presence on Instagram, so any ATO message there is guaranteed to be a phish.
- Be wary of suspicious ATO accounts. Legitimate profiles typically boast tens of thousands of followers and have been active for years. Steer clear of any new or low-follower accounts claiming to be the ATO.
- The ATO won’t send you an SMS or email with a link to log on to online services. They should be accessed directly by typing ato.gov.au or my.gov.au into your browser.
- While the ATO may use SMS or email to ask you to contact them, they will never ask you to return personal information through these channels.
By keeping these tips in mind, you can easily identify and avoid fake ATO social media scams. Remember, if you’re unsure, it’s always safer to contact the ATO directly through verified channels.
2. Multifactor Authentication (MFA) Phishing Scams
This scam preys on the growing adoption of MFA. Scammers send emails claiming the ATO requires an “MFA update” for your account.
How to spot a fake
- The ATO will never ask you to update MFA via email, especially with a QR code, or a link to log in to online services. These codes typically lead to fake myGov login pages designed to steal your credentials.
- If you receive an email like this, do not scan the QR code, click on links, open attachments or download files. Forward the email to reportscams@ato.gov.au, and then delete it.
3. Tax Refund SMS Scams
This scam increased in popularity in 2023 and is a continued concern for 2024. This is a smishing scam (malicious/fake SMS) designed to get you to click on the link. You are then taken to a fake website (that looks real) with a form for you to complete so you can get your money. Once again, scammers are looking for your personal information.
How to spot a fake
- The real ATO will never send an SMS with a link in it.
4. Tax Lodgement Email Scam
You guessed it, this email scam shares fake information about your tax return lodgment date with a fake receipt number. The message is very manipulative, as it tells you not to call them. Instead, the email suggests that it is better for you to check the attachment and ensure that all your information is correct.
If you do happen to click on the attachment, you will be taken to another screen that looks like an official Microsoft Sign-in (IT IS FAKE). The intent of this scam is to collect your login details and password. Access to your Microsoft account has the potential to give cybercriminals access to your personal device, and with it everything you have. Plus, if you happen to reuse your passwords, there is a high chance that cybercriminals will use these details to attempt to access other applications.
How to spot a fake
- The real ATO will never send you an email with a link in it or an attachment to open.