Breaking: Don’t click high-risk ATO scam email

Posted by Jaclyn McRae on 20 February 2017 11:42:04 AEDT

A huge run of fake ATO emails is putting computers at risk.

Distributed in bulk just as most Australians arrived at work this morning, the malicious email has the potential to infect computer systems with anything from keylogging spyware to file-encrypting ransomware CryptoLocker.

Thousands of the email were distributed this morning – each with a unique link, making it hard for antivirus software to detect the bulk email as suspicious.

Purporting to come from the Australian Taxation Office, the message tells recipients their Business Activity Statement (BAS) is available to view.

The well-formatted email includes the Australian Government coat of arms image sourced from the ATO website. This is an effort by the scammers to add legitimacy to their scam email, in an attempt to bypass filtering software.

Don’t click high-risk ATO scam email.jpg

If clicked, the link triggers the automatic download of a malicious file housed on a compromised SharePoint site. The downloaded .zip file contains a malicious JavaScript file. This is used to download further malware such as CrytoLocker or CryptoWall ransomware, or spyware such as keyloggers.

While the sender address is ‘’, the message originates from a compromised SendGrid account – an increasingly frequent vehicle for malware attacks uncovered by MailGuard in recent months. Colorado-based SendGrid specialises in bulk email delivery.

None of 64 well-known antivirus providers were detecting the link as potentially dangerous this morning, according to analysis by virus scanning aggregation tool VirusTotal.

The danger of keyloggers

A keylogger is a type of spyware that can watch and record your keystrokes. It can see what you write in an email, what passwords you enter on a banking website, or any other information you provide online.

Trojans sit quietly in the background, taking actions not authorised by the user, such as modifying, stealing, copying or even deleting data.

What does ransomware do?

When ransomware files are executed by the email recipient or web user, the malware encrypts files on the local device and possibly the entire network. The user or business may then be held to ransom, with a Bitcoin fee usually demanded in return for a decryption key for the files.

The only other option is for the business to stay offline until previous backups have been recovered. Many users are left with no choice but to pay the ransom, which can be upwards of tens of thousands of dollars.

For a few dollars per staff member per month, add MailGuard's cloud-based email and web filtering solution to your business security. You’ll significantly reduce the risk of new variants of malicious email from entering your network.

Want to hear more from MailGuard? Keep up to date on the latest email scams by subscribing to MailGuard’s weekly update or follow us on social media.

Keep Informed with Weekly Updates


^ Back to Top

Topics: ATO Cybersecurity cybercrime ATO BAS Fake ATO email BAS notification

Back to Blog


Something Powerful

Tell The Reader More

The headline and subheader tells us what you're offering, and the form header closes the deal. Over here you can explain why your offer is so great it's worth filling out a form for.


  • Bullets are great
  • For spelling out benefits and
  • Turning visitors into leads.

Recent Posts

Posts by Topic

see all