The Australian Taxation Office (ATO) is once again the subject of a phishing email scam.
MailGuard has intercepted a phishing email purporting to be from the government agency. This scam email forms part of yet another variation of the ATO scam distributed by cybercriminals over many years. Titled “Tax Refund Notification”, the email appears to be an automatically generated message and uses a display name of “Noreply”. However, the actual sender email address doesn’t use a domain belonging to ATO – a red flag pointing to the email’s illegitimacy. Instead, the email comes from a Gmail account.
The email body is presented largely in plaintext, and is addressed to the “Taxpayer”. It informs recipients that they are “eligible to receive a tax refund of 219.47 AUD”. A link is provided for recipients to access their refund, along with a warning that the process of tax refund claim could be delayed due to “submitting invalid records or applying after the deadline”.
Here’s what the email looks like:
Unsuspecting recipients who click on the link to access their tax refund are led to a login page. This page is designed to look like one belonging to myGov, the government services portal servicing millions of Australians accessing benefits such as Medicare, JobSeeker and JobKeeper. Users are directed to use their “email account to sign in to myGov”. The Australian Government’s logo is also present in the header of the page. However, the domain used in the page’s URL doesn’t belong to either myGov or ATO. The page is actually hosted on Backblaze, a cloud storage and data backup company. Here’s what the page looks like:
This is actually a phishing page. Once users “log into” their accounts, the attacker harvests their email address and passwords for later use, and the user is met with an error saying that the credentials were invalid.
Whilst MailGuard is stopping this email scam from reaching Australian businesses, we encourage all users to be extra vigilant against this kind of email and whatever happens, do not open or click them.
This is a particularly sinister scam as cybercriminals are attempting to exploit vulnerable Australians, many of whom are suffering economic hardship as a result of the economic uncertainty caused by COVID-19. Scammers are well-aware that many users and businesses are in desperate need of economic assistance. By falsely claiming that users are eligible for a tax refund, the cybercriminals behind the attack are cruelly capitalising on those unfortunate circumstances. In addition, with more than 18.7 million active accounts, there’s a high chance the recipients of the phishing email have a myGov account, increasing the likelihood of the scam being successful. Anyone falling victim to this scam will be vulnerable to having all of these government accounts compromised and their identity stolen which can lead to serious repercussions.
Here are some ways this email scam has attempted to exploit users:
- The use of an official government service to inspire false trust; and the repeated mention of the “Australian Taxation Office” in the email body boosts its credibility,
- Inclusion of branding elements like myGov’s logo and colour palette to make the phishing page appear authentic, and
- With false urgency; a subject line like “Tax Refund Notification” and an email body about an eligible refund creates a sense of curiosity and excitement. The email’s warning about potential delays in claiming the tax refund if users miss the deadline further motivates users to act immediately without checking on the email’s authenticity.
Despite these techniques, eagle-eyed recipients of this email would be able to spot several red flags that point to the email’s in-authenticity. These include the fact that the email doesn’t address the recipient directly, and that it contains several formatting errors.
ATO, myGov and other Australian government agencies are regularly the subject of email fraud and scams, due to their large user base and the trust invested in their identity. MailGuard frequently intercepts phishing emails impersonating local brands & government agencies, like this one spoofing myGov. Towards the end of last year, the ATO also issued an alert warning locals of a phishing email scam involving JobKeeper and backing business investment claims.
Advice from the ATO on reporting a scam
ATO’s website gives this guidance: “If you receive a suspicious email claiming to be from the ATO, do not click on any links, open attachments or respond to the sender. Forward the entire email to ReportEmailFraud@ato.gov.au without changing or adding any additional information and delete from your inbox and sent folder.”
As a precaution, MailGuard urges you not to click links within emails that:
- Are not addressed to you by name.
- Appear to be from a legitimate company but use poor English, or omit personal details that a legitimate sender would include.
- Are from businesses that you were not expecting to hear from.
- Take you to a landing page or website that is not the legitimate URL of the company the email is purporting to be sent from.
One email is all that it takes
All that it takes to break into your business is a cleverly-worded email message. If scammers can trick one person in your company into clicking on a malicious link they can gain access to your data.
For a few dollars per staff member per month, you can protect your business with MailGuard's predictive and advanced email security.
Talk to a solution consultant at MailGuard today about securing your company's network.
Why not stay up-to-date with MailGuard's latest blog posts by subscribing to free updates? Subscribe to weekly updates by clicking on the button below.