It’s the end of the financial year in Australia, which means that millions of Australians are lodging returns. In fact, at the end of last month, the ATO announced that 15.2 million individual tax return lodgements had been received for 2023, a 4% increase on the previous year.
But ATO Assistant Commissioner Rob Thomson is encouraging people not to rush. In an interview with ABC News, he says “There is a much higher chance that your return will be missing important information if you lodge in early July.”
And there’s another reason not to rush: the plethora of opportunistic scams landing in inboxes, trying to trick you into divulging sensitive personal information and credentials. One such email has the subject line ‘Your Tax Return is Available’. The display name, ‘My Gov Notification/Messages’, has been carefully crafted to impersonate a legitimate notification from the Australian Government services portal, MyGov, but the email is actually being sent from a compromised account registered to an Ohio-based ISP.
The email includes a link to a ‘Notice of Assessment Letter’, and clicking the blue ‘View Letter’ button directs people to the first phishing page, which is a close forgery of an actual MyGov sign-in page. It starts by asking for your username or email, and password.
The scammers are attempting to access your MyGov services via the legitimate portal, so the next page requests the SMS verification code that was sent to your mobile number.
Once you’re signed in, the scammers ask you to enter your account information, including your full name, date of birth, address, tax file number, the date of issue from your notice of assessment, reference number and bank account details – BSB and Account Number.
After populating your account information, a second SMS message is sent to verify your identity.
Once entered, a success page pops up informing victims that their account has been successfully linked to the ATO.
The Australian Taxation Office (ATO) offers the following advice for people wanting to verify that a message is really from them:
‘Scams trick you into paying money or giving out your personal information.
Scammers often pretend to be from trusted organisations like the ATO.
We will sometimes contact you by phone, email, SMS and post. If you're not sure whether it's really us, do not reply. You should phone us on 1800 008 540 to check.’
And to report an email scam that’s impersonating the ATO, their advice is as follows:
‘If you've received a scam email or SMS, do not click on any links, open any attachments or download any files. We will never send an unsolicited SMS that contains a hyperlink.
If you did pay money or provide sensitive personal identifying information to the scammer, phone us on 1800 008 540 to report it.
You should also:
- make an official report to your local police
- contact your bank or financial institution if you provided your credit card or bank details to the scammer
- contact the bank you made the payment to and lodge a fraud report.
If you did not pay money or provide sensitive personal identifying information to the scammer, you should still report the scam to us. You can either:
- forward the entire email to ReportScams@ato.gov.au
- take a screenshot of the SMS and email it to ReportScams@ato.gov.au
Delete the email (from your inbox, sent, and deleted items) or SMS after reporting it to us.’
MailGuard advises all recipients of this email to delete it immediately without clicking on any links. Providing your personal details can result in your sensitive information being used for criminal activity and may have a severe negative impact on your business and its financial well-being.
MailGuard urges users not to click links or open attachments within emails that:
- Are not addressed to you by name.
- Appear to be from a legitimate company but use poor English or omit personal details that a legitimate sender would include.
- Are from businesses that you were not expecting to hear from, and/or
- Take you to a landing page or website that is not the legitimate URL of the company the email is purporting to be sent from.
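Two of the signals described in this post, a display name that claims MyGov while the sending address belongs to an unrelated domain, and a link that leads somewhere other than the organisation's real site, can be checked automatically. The following is an added example, not MailGuard's or the ATO's code; the brand pattern, the trusted-domain list and the sample message (which uses placeholder `.example` hosts) are assumptions made for illustration.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumptions for this sketch: brand words to watch for, and the domains
# a genuine myGov/ATO message would come from or link to.
BRAND = re.compile(r"my\s*gov|\bato\b|taxation office", re.I)
TRUSTED = ("my.gov.au", "ato.gov.au")
URL = re.compile(r"https?://[^\s\"'<>]+", re.I)

def host_is_trusted(host):
    """True only for a trusted domain or one of its subdomains."""
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in TRUSTED)

def assess(raw):
    """Return (check, offending_host) findings for one raw RFC 5322 message."""
    msg = message_from_string(raw, policy=policy.default)
    display, addr = parseaddr(str(msg.get("From", "")))
    findings = []
    # Check 1: display name claims the brand, address domain does not match.
    domain = addr.rpartition("@")[2]
    if BRAND.search(display) and not host_is_trusted(domain):
        findings.append(("display_name_mismatch", domain.lower()))
    # Check 2: any link in a text part that leads off the trusted domains.
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue
        for url in URL.findall(part.get_content()):
            host = urlparse(url).hostname or ""
            if not host_is_trusted(host):
                findings.append(("untrusted_link", host))
    return findings

# Constructed sample modelled on the email described above; the address and
# link host are placeholders on the reserved .example TLD.
SAMPLE = '''From: "My Gov Notification/Messages" <j.smith@isp.example>
Subject: Your Tax Return is Available
Content-Type: text/html

<p>Notice of Assessment Letter</p>
<a href="https://mygov-letter.example/signin">View Letter</a>
'''

if __name__ == "__main__":
    for finding in assess(SAMPLE):
        print(finding)
```

The suffix comparison in `host_is_trusted` matters: a lookalike host that merely contains a trusted name, such as one that begins with `my.gov.au.` and ends in another domain, is still reported.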
Many businesses turn to MailGuard after an incident or a near miss, often as a result of an email similar to the one shown above. If unwanted emails are a problem for your business, don’t wait until it’s too late.
Reach out to our team for a confidential discussion by emailing expert@mailguard.com.au or calling 1300 30 44 30.
One email is all that it takes
All that it takes to devastate your business is a cleverly worded email message that can steal sensitive user credentials or disrupt your business operations. If scammers can trick one person in your company into clicking on a malicious link or attachment, they can gain access to your data or inflict damage on your business.
For a few dollars per staff member per month, you can protect your business with MailGuard's predictive and advanced email security. Talk to a solution consultant at MailGuard today about securing your company's inboxes.