Craig McDonald 24 June 2019 10:34:31 AEST 10 MIN READ

Do you know who’s really set to get the best return this EOFY?

The End of the Financial Year (EOFY) is upon us; a time for ensuring your accounting systems aren’t a mess, and a time to spend up to make the most of tax breaks for your business.  

But do you know who might be able to reap the biggest benefits out of this season?

It’s scammers. 

Over the past month, my team at MailGuard has intercepted several email scams involving well-known financial institutions such as ANZWestpacBankWest and NAB. With the EOFY period upon us, I thought it would be timely to write a piece on the importance of being cyber- savvy during this period and answer a few frequently asked questions that are particularly relevant this season. Feel free to share these with your teams to boost your company’s cyber resilience levels.  

Why is this period so well-loved by cybercriminals? 

 It’s pretty simple psychology, actually. If you’re going to try and trick someone, it’s best to do it when they’re the most distracted and/or busiest.  

And in all likelihood, EOFY is a period where being cyber-savvy is probably pretty low on your staff’s list of priorities. The season can typically be characterised as a plethora of invoices, bills, payroll and finance related documents as suppliers, customers and accountants reconcile their numbers and file their tax returns. And as a consequence, most companies end up in a flutter of stress and panic to get relevant financials finalised and paperwork sorted according to the Australian Tax Office (ATO)’s requirements. Amid stringent deadlines and the responsibility to manage huge amounts of financial data, would you be really surprised if Hannah, for example, doesn’t blink an eye when she receives an order to immediately transfer huge amounts of cash via a fairly innocent email supposedly from her boss?  

 Accounting, finance, marketing and legal professionals are, in fact, particularly vulnerable at this time of the year because of the high volume of transactions and client business they undertake. Global cybercrime networks know that those individuals are the custodians of valuable financial credentials and sensitive employee data. Plus, they are regularly downloading attached invoices and clicking through to links, so they’re a vulnerable and attractive target. It’s pretty common to find supplier e-invoices, or tax refund notifications purporting to be from the ATO arriving in inboxes with attachments in the form of malicious links or malware-ridden payloads. 

 Essentially, cybercriminals use a special type of psychological warfare during this period to trick users - specifically targeting time-bound professionals who are expectedly dealing with a large volume of financial data.  

Is money the only motivator? 

Business Email Compromise continues to be the biggest money-maker for cybercriminals, with reported $1.3 billion in losses through money transfers (or gift card transfers) to thieves, according to the FBI’s 2018 Internet Crime Report

However, it’s important to keep in mind that cybercriminals’ motivations may not solely or simply be a money grab, either. If that’s all that you’re on the lookout for, or educating staff about, then you’re overlooking plenty of other potentially disastrous motivations. 

Cybercriminals may be after employee credentials, to access your systems, or to access external systems your company uses, which will result in a data breach. Their motivations may be to deliver a payload to your company systems that holds them to ransom, in the case of ransomware, or inject viruses or malware to run havoc on your systems and cause your company a headache. 

What types of finance-related scams should you be on the lookout for at tax time? 

Every year I see tax-time scams become more sophisticated. Here’s a look at some of the ones we’ve encountered so far: 

ATO scams 

With deadlines for filing tax returns nearing, it’s not surprising to receive notifications from the Australian Taxation Office (ATO). And this is what cybercriminals take advantage of. The government agency’s branding and logo are often mimicked via email notifications masquerading as tax errors, returns, documents etc. 

For email scams, the sender can look like it may be from a legitimate ATO email (e.g., however, this is not a real ATO email address. Following links can have disastrous consequences. 

Here are a few examples of ATO scams my team at MailGuard has intercepted in the past: 

Spear phishing from “your accountants” or offering accountancy services 

If an attacker knows who you use as an accountant, then they can write up an email that looks like it’s from the guy you usually use - and you can be tricked into handing over details to your attacker, clicking on a malicious link or file, or transferring money for their services which you would usually use at this time of year. 

There may even be cold call type emails from companies offering discounted accountancy services to help out at tax time. 

Always verify email addresses to see that they’re from who they say they are, visit real websites, call real numbers, and be wary of cold callers in any circumstances. 

Invoices for goods or services 

Since EOFY can be a time when businesses go on a bit of a spending spree, the accounts department can become overloaded with invoices to settle. 

This makes it prime time for cybercriminals to add in the old fake invoices for goods or services that nobody actually ordered. 

This might be for items like computer equipment or office supplies, software products, or training service providers. 

It’s important to check all invoices to see that they are legitimate. Companies do this by only shopping from a list of verified suppliers, ensuring all invoices are forwarded at the time of purchase, etc. 



Note: For an in-depth look on the types of scams that occur in the EOFY period, please download our newly-released exclusive report titled ‘5 types of email scams to be wary of this EOFY’   

How can businesses stop tax-time scams in their tracks? 

Education is key 

A well-educated team is one of the most powerful security assets a company can have.  

Starting with senior management, instigate a company-wide security education program making team members aware of cybercrime threats that proliferate during the EOFY period. Run a meeting about the dangers of cybercrime at EOFY and distribute content like this to raise awareness. It’s important that every single person who uses the company’s systems knows what threats to look out for. Educating a workforce about cybercrime and hacking is what engenders a cybersecurity culture in a company. 

Training staff on how to spot malicious emails is particularly important since everyone in the company has active email inboxes, everyone is in the firing line. We have to give people the understanding of the threat that could be hidden in what seem like innocent emails so they can play their part in keeping the business secure. 

Teams should also be encouraged to contact known companies, organisations, and associated contacts through their legitimate websites, known emails, or calling them themselves. While it can seem overly cautious to call back or type in a website rather than click on a link, it can save a lot of pain in the long run. 

And this includes contacting their own managers or bosses themselves. Business owners should let their staff know it’s okay to ask questions, no matter how awkward they may be. For instance, if someone is purporting to be a senior executive and they’re asking for a transfer or transaction, pick up the phone and ask those people directly if they requested it. However uncomfortable it may be to ask that question, it’s better to have an awkward conversation today rather than to not have a job tomorrow. Just ask Hannah.  

Ensure your email security is up to scratch  

I highly recommend companies take a strategic, multi-layered approach when it comes to cybersecurity. It’s sometimes referred to as a ‘defence in depth’ approach, designed to defend a system against attacks using several different methods and solutions, in the event that if one fails, the others will stop the threat. 

Putting this in the context of email security, you may already have native security from your email hosting provider, like Google or Microsoft, but it’s key to remember that no one vendor can stop all attacks. Since we know that 9 out of 10 attacks start with an email, it’s also prudent to employ an additional layer of cloud email security with email security specialists such as MailGuard.  

What are you doing within your teams to remain cyber secure this EOFY season? Write to me below. 

Get the facts

Companies are spending more on cybersecurity now than ever before, but those funds aren't always targeting the most significant dangers. There seems to be a bit of a disconnect amongst many CEOs about the sources of cyber-threat.

Studies consistently show that more than 90% of cyber-attacks are perpetrated via email, yet email security is rarely the biggest item in cybersecurity budgets.  If we’re going to win the battle against cybercrime we have to get real about the nature of the threat.

I’m on a mission to help business people understand cybercrime and protect their businesses from costly attacks. If you would like to learn more about the complex cybersecurity challenges facing business today, please download my e-book Surviving the Rise of Cybercrime. It’s a plain English, non-technical guide, explaining the most common threats and providing essential advice on managing risk.


You can download my e-book for free, here.

“Cybercrime is a serious and growing business risk. Building an effective cybersecurity culture within an organisation requires directors and executives to lead by example. Surviving the Rise of Cybercrime is a must-read for directors and executives across business and in government and provides strong foundations for leaders determined to address cyber risk.” - Rob Sloan, Cybersecurity Research Director, Wall Street Journal. 

... ... ...

Hi, I’m Craig McDonald; MailGuard CEO and cybersecurity author.
Follow me on social media to keep up with the latest developments in cybersecurity; I'm active on LinkedIn and Twitter. 
I’d really value your input and comments so please join the conversation.