Fake It ‘Til You Make It: How to tell if a cyberthreat is real or fake

By Ashley Wearne, General Manager, Australia and New Zealand, Sophos

America’s founding father, Benjamin Franklin, once said, “In this world nothing can be said to be certain, except death and taxes.” This is still true, only in today’s context, there is one more thing that is certain – tax scams.

As Australia’s tax time commences, it will come as no surprise that criminals are on the hunt – looking to exploit individuals and put organisations at risk.

What do tax-time scams look like?

Phishing is a classic tax time scam as it continues to be hugely successful. According to a report released by the Australian Consumer and Competition Commission in May 2018, Australians made more than 200,000 scam reports in 2017. The top methods of contact used by scammers include the phone (noted in 40 per cent of the total of reports), followed by email, texting or social media (noted in 42 per cent of reports).

Despite increased efforts by companies and governments to build and raise awareness around tax time scams, 30 per cent of phishing emails are still opened and recipients are 6 times more likely to click on a phishing email than a genuine marketing email.

In Australia, 87 per cent of Australian businesses have confirmed that their users received phishing emails within the past 12 months, while 65 per cent of Australian business declared that they have been affected by ransomware attacks within the same period of time. All these figures show that scams during tax time is a lucrative business.

Here’s an example of a mass phishing attack involving a Netflix scam aiming at getting users to reveal their data, credentials, and money. 

Source: Sophos

However, as individuals become more vigilant in spotting phish scams, mass phishing attacks are also getting smarter. The following website is the perfect example of an Australian Securities and Investments Commission (ASIC) scam email that includes a renewal letter link and a hyperlink that spells out the URL. This is a convincing way to deceive users because revealing the URL may establish certain level of trust by recipients. 

Source: Sophos

Such scams have definitely captured the attention of ASIC and they have displayed a major warning about this scam on their own website.

Australia’s MyGov accounts have been targeted as well. The two images below look similar, with both using identical looking logos, sent to an undisclosed list of recipients, and included similar call-to-actions. However, upon closer inspection, the image on the right is hosted on a compromised WordPress domain. 


Source: Sophos
Source: Sophos

Another common phishing attack during tax time is spearphishing. This is done by using spoof emails to persuade people within an organisation to reveal sensitive information or credentials. It is known to be targeted at an individual or a specific group (i.e. a department) within an organisation by using spoofed (look-a-like) email addresses that impersonated trusted sources and senior executives within the company. 

Source: Sophos

Individuals need to stay vigilant in order to not fall victim to scams, especially at this time of year. What’s more, organisations need to empower their staff with the training and tools to keep themselves safe, when connecting at home or in the office. Whether you’re a big business, a small business or a consumer, These are just examples of how some of the smartest people in the world are trying to get your money, and your data.

With that, here are some tips on how to sidestep potential tax scams when you prepare your tax return:

  • Pick proper passwords. Even though strong passwords do not help if one is phished, it makes it harder for cyberthieves to guess their way into your accounts and retrieve your personal details.
  • Use two-factor authentication. This way, even if your password has been cracked once, scammers cannot use it to log into your email account.
  • Stop clicking. Avoid opening any suspicious or surprise emails, or clicking on web links claiming to be from the official Income Tax Department.

When in doubt, always contact the tax department by telephone from the number published on their official website.

More from Ashley:

An interesting Interview with Ashley Wearne on IoT Risk Management here.

Tags sophoscyber threatstax scams

Show Comments