Gabi Power May 24, 2023 10:24:58 AM 20 MIN READ

Your Customers’ Survival Guide for Avoiding EOFY Scams

The End of the Financial Year (EOFY) is fast approaching, and while your customers may be focused on closing their books and tying up loose ends, they also need to be aware of, and prepared for, the surge in finance and tax-related scams that comes with it. This time of year, when employees are busy and distracted, is a perfect opportunity for scammers to target unsuspecting individuals. 

According to new research from Commonwealth Bank, 24% of Australians have previously experienced a scam related to EOFY or tax matters, and this year will be no different. Therefore, it's essential that your customers stay proactive in their efforts to protect themselves and prevent their sensitive data and credentials from falling into the wrong hands.  

To assist you in supporting your customers, we’ve created a ‘Survival Guide’ with tips and strategies on how they can avoid getting stung by scams this EOFY.  

 

Be wary of unsolicited emails, text messages and phone calls: 

According to Scamwatch, text messages, emails and phone calls have been the delivery method for more than 83% of the scams reported in Australia so far in 2023. Cybercriminals favour these channels because they are low risk, allow anonymity and remote operation, lend themselves to social engineering, and offer quick financial gain with access to a very large pool of potential targets.  

As EOFY approaches, and in the following months, expect an influx of phishing texts, emails and calls impersonating government agencies, financial institutions, or tax authorities. Scammers exploit people's trust in these organisations, applying pressure and threatening legal consequences to prompt individuals to act hastily out of fear. Their primary goal is to trick victims into providing personal information or, more commonly, making payments. Although these scams occur year-round, they tend to escalate during this period. 

In the past 12 months, our team at MailGuard has noticed a dramatic increase in email attacks in which the scammer poses as myGov and claims the recipient is owed a refund. The "refund" form is a phishing page, and anyone who fills it in has their personal information and credit card details stolen. The emails and the phishing pages they link to are often well-crafted and convincing, which sadly makes them all the more effective. 

Here's an example of one of these emails:  

[Image: a myGov-branded phishing email intercepted by MailGuard, claiming the recipient is owed a refund]

(Source: MailGuard)

 

Similar to the email above, scammers pose as myGov in SMS attacks and claim the recipient is owed, or owes, money, with the same outcome for anyone who follows the link.  

[Image: a myGov text scam that circulated telling users to claim their income return. Picture: Supplied]

(Source: Sky News)

 

Some key warning signs for scams are:  

  1. Requests for personal information – Organisations like banks or the ATO won't ask you to supply or confirm sensitive information, such as personal details, passwords or credit card numbers, in an unsolicited email, text or call. Treat any such request as suspect.  
  2. Poor grammar and spelling – Many scam emails and texts are littered with spelling mistakes, awkward phrasing and grammatical errors. Mistakes can happen, but they're rare for big organisations, so more than one or two should be an immediate red flag. The reverse isn't true, though: a polished, error-free message is no proof that it's genuine, as the well-crafted myGov emails above show. 
  3. Urgency and pressure tactics – Scammers make the situation seem urgent to push you into providing information or making a payment without thinking it through. Common examples are claims that your account will be locked within 24 hours, or that law enforcement will be called if you don't pay. 
  4. Unexpected refunds or payment demands – During EOFY, payment demands and refund offers both increase. Verify any such request independently with the organisation, using contact details you already have or find on its official website, not the ones in the message. And when it comes to refunds, if it seems too good to be true, it most likely is.  
  5. Suspicious links and attachments – Scammers use links and attachments to deliver phishing pages and malware, so if you're not sure the sender is genuine, don't click. In an email, you can hover over a link (without clicking) to see where it really points; the text you see and the actual destination can be completely different. Verify the sender's identity before opening any attachment.
  6. Unusual payment methods – If you've been asked to pay a bill with gift cards, Bitcoin or another cryptocurrency, it's a scam. Legitimate organisations offer established payment options such as BPAY or PayPal, and won't insist on a method that can't be traced or reversed.  
  7. Unprofessional communication – If the message appears unprofessional, overly casual, or suspiciously generic (e.g. "Dear customer" rather than your name), it may be a scam. 

 

Verify the source:  

It’s critical that you take the time to look at where a message or call is coming from and double-check to see if it’s coming from a legitimate source.  

When it comes to email, always check the sender's actual email address, not just the display name, which can be set to anything. Read the domain after the @ in full and look for small variations in spelling, as scammers register lookalike domains to feign authenticity and deceive unsuspecting recipients. For example, they may use "@cbaa.com.au" instead of "@cba.com.au". A familiar name appearing somewhere in the address isn't enough on its own; what matters is the registered domain at the end of it. 

For phone calls, don't take what the person on the other end of the line says at face value, and bear in mind that the number shown on your caller ID can be spoofed too. As soon as alarm bells start ringing, end the call. This may be easier said than done, as scammers use persuasive tactics to keep you on the line, but you must hang up. One way to check a number is to enter it into a free reverse phone number lookup service, like Reverse Australia, and see whether other people have reported it. However, the absence of negative reports doesn't imply trustworthiness. The best option is to visit the website of the organisation the caller claims to represent, find its legitimate contact number there, and call that number to confirm whether they really need to speak to you.  

SMS attacks can be hard to verify because scammers frequently use sender ID spoofing (often called SMS spoofing) to manipulate the sender information displayed on your phone. As a result, fraudulent messages can land in the same thread as legitimate ones from a trusted organisation, so a familiar sender name is no guarantee at all. Take extra care with any text message and look for the warning signs above. URLs in texts are often shortened because of character limits, and you can't hover over a link on a phone to check its destination as you can in an email. Instead, you can paste a shortened link into a free URL expander website, like URLEX, which reveals the true destination without opening it. Expanding a link tells you where it goes, not whether that destination is safe, so still don't visit it unless you have confirmed the message is genuine.  
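The sender-domain and link-destination checks described above can also be automated for triage. The following script is an added example written for this guide, not MailGuard's code: it parses a constructed sample email, compares the sender's domain against a small hypothetical allowlist of genuine domains (using edit distance to catch lookalikes such as "cbaa.com.au" for "cba.com.au"), flags links whose visible text shows one domain while the href points at another, and flags shortened links whose destination is hidden. The allowlist, the shortener list and the sample message are all assumptions; real code would use the Public Suffix List rather than the simplified domain parsing here, and expanding a shortened link requires a network request that this offline example deliberately does not make.

```python
"""Added example for this guide (not MailGuard's code): apply the sender-domain and
link-destination checks to an email and report the red flags found."""

from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse
import re

# Assumed allowlist of domains the genuine organisations send from (hypothetical).
TRUSTED_DOMAINS = {"cba.com.au", "my.gov.au", "ato.gov.au"}
# Common URL shorteners: a shortened link hides its real destination.
SHORTENER_DOMAINS = {"bit.ly", "tinyurl.com", "t.co", "ow.ly", "rb.gy"}
# Simplified stand-in for the Public Suffix List: suffixes under which the
# registrable domain is three labels long (foo.com.au) instead of two.
SECOND_LEVEL_SUFFIXES = {"com.au", "net.au", "org.au", "gov.au", "edu.au", "co.uk"}

# Constructed sample message modelled on the refund lure described above.
SAMPLE_EMAIL = """\
From: CommBank NetBank <alerts@cbaa.com.au>
To: customer@example.com
Subject: Your EOFY tax refund is ready
Content-Type: text/html

<p>Dear customer, a refund of $1,240.00 is waiting for you.</p>
<p>Log in to confirm your details:
<a href="https://netbank-cba-login.example.net/">https://www.cba.com.au/netbank</a></p>
<p>Or use our short link: <a href="https://bit.ly/3abcXYZ">Claim now</a></p>
"""


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (insert/delete/substitute, cost 1 each)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_domain(host: str) -> str:
    """Strip subdomains: www.cba.com.au -> cba.com.au, a.b.example.net -> example.net."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in SECOND_LEVEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def lookalike_of(domain: str):
    """Return the trusted domain this one imitates (edit distance <= 2), or None."""
    if domain in TRUSTED_DOMAINS:
        return None
    close = [t for t in sorted(TRUSTED_DOMAINS) if levenshtein(domain, t) <= 2]
    return min(close, key=lambda t: levenshtein(domain, t)) if close else None


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def triage_email(raw: str) -> list:
    """Return a list of human-readable red flags found in a single-part HTML email."""
    msg = message_from_string(raw)
    findings = []

    # 1. The sender address, not the display name: which domain is it really from?
    _, address = parseaddr(msg.get("From", ""))
    sender = registrable_domain(address.rpartition("@")[2])
    twin = lookalike_of(sender)
    if twin:
        findings.append(f"sender domain {sender} is a lookalike of {twin}")
    elif sender not in TRUSTED_DOMAINS:
        findings.append(f"sender domain {sender} is not a known domain for this organisation")

    # 2. Each link: does the text shown match where the href actually goes?
    extractor = LinkExtractor()
    extractor.feed(msg.get_payload())
    for href, text in extractor.links:
        dest = registrable_domain(urlparse(href).hostname or "")
        if dest in SHORTENER_DOMAINS:
            findings.append(f"link {href} is shortened; its real destination is hidden")
            continue
        shown = re.search(r"[\w-]+(?:\.[\w-]+)*\.[a-z]{2,}", text.lower())
        if shown and registrable_domain(shown.group(0)) != dest:
            findings.append(f"link text shows {shown.group(0)} but points at {dest}")
        elif lookalike_of(dest):
            findings.append(f"link destination {dest} is a lookalike of {lookalike_of(dest)}")
    return findings


if __name__ == "__main__":
    for flag in triage_email(SAMPLE_EMAIL):
        print("RED FLAG:", flag)
```

On the constructed sample the script reports three red flags: a lookalike sender domain, a link whose visible text and real destination disagree, and a shortened link. The edit-distance threshold of 2 is a deliberate trade-off; a tighter threshold misses swaps like "cbaa" for "cba", while a looser one starts matching unrelated short domains, so tune it against the domains you actually care about.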

 

Go directly to official websites/apps:  

Generally, government services and banks have a policy of not sending you links to log in via email. Instead, they will tell you to visit their official website or use their dedicated mobile app to log in securely. It's worth applying the same rule to every email you receive, regardless of who it appears to be from.  

Always exercise caution and avoid clicking on login links or providing personal information in response to an email. Instead, go to the organisation's official website or app independently, by typing the address into your browser yourself or using a bookmark you saved earlier, rather than following the link in the message. This ensures you are dealing with the legitimate platform and greatly reduces the risk of falling victim to phishing or other malicious attempts.  

 

Protect your personal information:  

You should always be cautious about sharing personal information, but at EOFY, when you're caught up in filling out forms and completing tax returns, it's vital that you don't let your defences slip. Be wary of anyone asking you to disclose sensitive information such as your name, address, mobile number or credit card details. But one piece of personal information that requires particular care is your Tax File Number (TFN).  

Your TFN is unique to you and is used by the government for tax-related purposes. It’s critical that you protect it from falling into the wrong hands. If someone gains unauthorised access to your TFN, they could use it to open bank accounts, apply for loans or credit cards, and even lodge fraudulent tax returns in your name without your knowledge or consent.  

Stories about the misuse of TFNs continue to appear, and the consequences seem only to worsen. In December, a Melbourne woman, Sue, came forward about her experience with a stolen TFN. Using her number, a cybercriminal created a new myGov account, linked it to Sue's ATO account and lodged five refund claims in her name totalling $25,000, to be paid into the fraudster's bank accounts. As the report put it: "Sue was told by an ATO officer this was not uncommon and was advised 'there are lots of fraudulent myGov accounts accessing tax files'."  

The repercussions of a stolen TFN can be long-lasting and detrimental. Another victim recently called in to 3AW's morning show on Melbourne radio to say she had been hit by a cyberattack three years earlier and was still "battling scammers and fraud" as a result. The victim had credit cards opened in her name and debt collectors chasing her, and last year the attackers opened business accounts in her name, lodged two BAS statements, and claimed $47,000 from the Australian Taxation Office through her myGov account. 

According to the Office of the Australian Information Commissioner (OAIC), only certain individuals or organisations can ask you for your TFN, including:  

  • The ATO (Australian Taxation Office) 
  • Your employer (when starting a new job) 
  • Banks and other financial institutions (when opening a new account) 
  • The Department of Health and Human Services (Centrelink/Child Support/Medicare programs) 
  • Superannuation funds and retirement savings account providers  

Additionally, when an authorised individual, organisation or agency asks you for your TFN, they must tell you: 

  • Why they are collecting it, including the name of the law or laws that allow them to collect your TFN and the reason they’re collecting it 
  • That it’s not an offence if you don’t give them your TFN, and 
  • What will happen if you don’t give them your TFN. 

If anyone asks you for your TFN this EOFY, make sure to keep this in mind. But most importantly, know that you’re never obligated to provide a TFN, and it’s not an offence if you choose not to. Don’t be pressured into handing it over.  

Stay updated on common scams: 

One of the best ways to protect yourself at EOFY is by staying informed about emerging scams and phishing techniques. Government agencies and financial institutions often publish alerts and warnings about ongoing scams. For example, the ATO regularly updates their Scam Alerts page.  

In addition to this, the MailGuard blog is typically updated each week with new scam attempts that our team intercepts. These “fast break” attacks are published the day they’re reported or intercepted, so it’s one of the most effective ways to stay informed and up to date on emerging scam trends. 

It’s also important that you discuss and share your knowledge with friends, family and colleagues to help them stay protected.  

 

Secure your devices and data: 

With the increase in financial activities at EOFY, businesses and individuals must take extra measures to protect sensitive information, such as tax documents, banking details, and client records, from potential breaches or unauthorised access.  

Keep your operating systems, applications and security software up to date so that known vulnerabilities are patched. Use strong, unique passwords for all online accounts, and enable two-factor authentication wherever it's offered, particularly on myGov, banking and email accounts. Finally, make sure you're using a dedicated third-party email security solution to stop the influx of EOFY-related phishing, malware and other email-borne threats before they reach your inbox.  

 

Protecting Businesses 

Prevention is always better than cure, and the best defence is to encourage businesses to proactively boost their cyber resilience so that threats never reach inboxes in the first place. With a staggering 94% of malware attacks delivered by email, email is an extremely important vector for businesses to fortify.   

No single vendor can stop every threat, so remind customers that if they use Microsoft 365 or Google Workspace, they should also have a third-party email security specialist in place to reduce their risk, for example a leading cloud email security solution like MailGuard.     

 

Talk to us

 

MailGuard's partner blog is a forum to share information; we want it to be a dialogue. Reach out to us and tell us what your customers need so we can serve you better. You can connect with us on social media or call us and speak to one of our consultants.  

 

Australian partners, please call us on 1300 30 65 10  

US partners call 1888 848 2822  

UK partners call 0 800 404 8993  

We’re on Facebook, Twitter and LinkedIn. 
