Fake Good Samaritan email delivers well-disguised malware

Posted by Jaclyn McRae on 07 July 2017 12:46:37 AEST

A sneaky new technique is being used to infect Australian computers with malware.

The fraudster behind the scam poses as a Good Samaritan, and pretends to do the victim a favour by forwarding a document intended for them, supposedly from the Australian Taxation Office.

The sender claims to have wrongfully received the victim’s tax information, and asks what they should do to rectify the problem. Here's one example:

Good Samaritan email scam MailGuard example1.jpg

But the ‘erroneously received’ document instead carries a nasty surprise: malware.

The messages, delivered this morning, aim to dupe recipients into letting down their guard by creating a false problem.

While the email itself is plain-text, it employs various tactics to help fool recipients.

  • It appeals to victims’ curiosity in an attempt to get them to click the link and invite malware onto their system
  • It uses a different sender name in each iteration, most likely to evade old-school antivirus filters
  • It correctly identifies the domain belonging to each recipient
  • It uses an original tact – “I am contacting you to solve this problem because I have never worked in your company” in a rarely-seen attempt to deceive.

More examples of the scam email:

Good Samaritan email scam MailGuard example2.jpgGood Samaritan email scam MailGuard example3.jpg

The scammers have also made efforts to ensure only Microsoft Windows users can download the Word document. Those using Macs or running Linux cannot download the file.

The malware payload takes the form of a Macro embedded in a document. Here's what it looks like to those who click the link:

Download screen.jpg

The ATO name is regularly used in scams targeting Australians. In February a large-scale distribution of fake Business Activity Statements included a link that triggered a malicious JavaScript file.

Advice from the ATO on reporting a scam

ATO’s website gives this guidance: “If you receive a suspicious email claiming to be from the ATO, do not click on any links, open attachments or respond to the sender. Forward the entire email to ReportEmailFraud@ato.gov.au without changing or adding any additional information and delete from your inbox and sent folder.”

How to identify a scam email

  • Only click links from trusted senders. Take a closer look at any link by hovering your mouse over and checking the destination in your browser. If it doesn’t match, it is not legitimate.
  • Never open an attachment (especially a .zip file or .exe file) unless you are expecting it. Files from unknown senders often contain malware or virus.
  • Check who is sending you email communication. Be aware that malware, phishing scams or spam may come from unrecognisable or odd email addresses, however legitimate email addresses can be forged easily.

For a few dollars per staff member per month, add MailGuard's cloud-based email and web security to your business security. You’ll significantly reduce the risk of new variants of malicious email from entering your network.

Keep Informed with Weekly Updates


^ Back to Top

Topics: Malware email scam ATO scam Cybersecurity cybercrime Survivingcybercrime

Back to Blog


    Something Powerful

    Tell The Reader More

    The headline and subheader tells us what you're offering, and the form header closes the deal. Over here you can explain why your offer is so great it's worth filling out a form for.


    • Bullets are great
    • For spelling out benefits and
    • Turning visitors into leads.

    Recent Posts

    Posts by Topic

    see all