The ultimate guide to protect your business from scammers this tax time

Tax season is here again, and with it the inevitable rise in scam attempts. For cyber criminals, this is the perfect time to exploit the confusion and urgency that often accompanies tax filings. Cyber security expert Jacqueline Jayne shares how to keep your business secure.

Every year, as we get closer to EOFY, scammers dust off their well-worn playbook, updating it with new tricks to outsmart even the most tech-savvy individuals. The Australian Taxation Office (ATO) and myGov become prime targets for impersonation, with scammers seeking financial gain or to steal your personally identifiable information (PII), including your tax file number.

As a business owner, it’s crucial to regularly update your cybersecurity protocols and ensure that all employees are aware of the latest threats.

The 2022/23 financial year saw a dramatic increase in activity.

  • The ATO reported 25,609 impersonation scams—a 25% rise from the previous year.
  • Scammers have shifted their tactics, with email scams up by 179% and SMS scams surging by 414%.

Understanding their latest tactics, staying vigilant, knowing what to do – and what not to do – is everyone’s best defence for protecting their identity and hard-earned cash.

Your information and personally identifiable information (PII)

There are two distinct groups of information you need to be aware of:

  • Basic Information: This includes your name, address, date of birth, email address, phone and mobile numbers, usernames, the front of your credit cards, work and work history, and everything you’ve posted on social media. Most of this information is available freely on the internet or has been provided to organisations in the past.
  • Unique Identifiers: This information is unique to you and, when combined with your basic information, can be used to steal your identity, commit fraud, access your life online, steal money, and more. Unique identifiers include your tax file number, Medicare number, driver’s licence, passport details, passwords, and credit card details (especially the CVV/CVC on the back of the card).

Small businesses should regularly review and update their data privacy policies to ensure they are compliant with current regulations and best practices. Ensure that your business systems only store necessary personal information to minimise risk.

If you’re interested in finding out what information about you is already out there due to past and current data breaches, visit Have I Been Pwned.

Terminology you need to know

Understanding the technical – and yes somewhat wacky – terms that accompany common breach activities is fundamental to understanding the consequences of what can happen. Educate teams and employees on these terms to ensure they know how to identify and report suspicious activities.

  • Phishing: This involves using email to engage with you, often by getting you to click on a link that takes you to a fake website, open an attachment that deploys malicious software, or respond with PII.
  • Smishing: The SMS version of phishing.
  • Vishing: The voice version of phishing. These are often recorded messages or real people posing as ATO employees on the phone, intending to extract money for a fake fine or to confirm and collect PII over the phone.
  • Qishing: The QR code version of phishing. Scanning a QR code can take you to a fake website or even instantly begin downloading malicious software (malware) onto your device.
  • CVV/CVC: The three-digit Card Verification Value or Card Verification Code found on the back of your credit cards. Be very careful where you use this and who has access to it.

The new face of scams in 2023/24

This year, scammers are leveraging generative AI to enhance both the quality and quantity of their phishing and smishing attempts. These tools allow them to create more convincing messages, making it harder to distinguish between genuine and fraudulent communications.

Phishing and Smishing Scams: These scams come in the form of emails or text messages, often bearing the ATO or myGov logos, and are designed to create a sense of urgency and trick you into clicking on malicious links. They might claim that your tax return has been “automatically processed” and urge you to update your card details to receive your refund.

Multi-Factor Authentication (MFA) and QR Code Scams: Another emerging threat is scammers sending emails that look official, asking you to scan a QR code to verify your identity or complete a security update. Once scanned, the code redirects you to a fake site to steal your information or even download malware onto your device.

By no means should any of these scams discourage you from implementing MFA for all business accounts to add an extra layer of security. Using legitimate MFA protocols, and encouraging employees to use strong, unique passphrases and to change them regularly, bolsters your cybersecurity.

Other top scams to watch out for

  • myGov Email and SMS Impersonation: Scammers set up fake myGov websites and send phishing emails or smishing texts to trick you into sharing your myGov login details and other PII. A common phrase can be “You need to update your details to allow your Tax return to be processed”.
  • Tax Refund SMS Scams: These messages urge you to click on a link to claim your refund, telling you it has been “automatically processed” and asking you to update your card details. The scammers then steal your information.
  • Social Media Impersonation: Scammers create fake ATO accounts on platforms like Facebook, Twitter, and Instagram, tricking you into engaging with them and sharing personal details.
  • Fake Tax Debt: Scammers call or text, claiming you owe tax debt and demanding immediate payment, often accompanied by threats of arrest. Payment is often requested via prepaid gift cards, credit cards, or even cryptocurrency like Bitcoin.
  • Fake TFN/ABN Applications: Advertised on social media, and promising you help to get a TFN or ABN, the scams lure you to fraudulent websites to steal your PII for malicious purposes. Getting an ABN or TFN is a simple process that you can do yourself, just ensure you use the official website:
  • Tax Lodgment Email Scam: The email urging you to lodge your tax return with a fake receipt number might come with an attachment, which, if opened, could compromise your personal data.
  • Tax Evasion and Cryptocurrency Scams: Scammers send SMS messages pretending to be from the ATO, claiming you are a suspect in cryptocurrency tax evasion and directing you to click a link to resolve the issue. Yes, the link often leads to a fake website designed to steal your information.
  • Tax File Number Suspension Scams: Scammers use automated voice messages to claim your TFN has been suspended and that there is a legal case against you. They ask for personal details and threaten you with arrest if you don’t comply.

The ATO has a comprehensive guide with images of all these scams on their Scam Alert page. They also have some great resources around protecting your identity online and otherwise.

Both are worth checking out regularly – even outside of tax time – to stay ahead of the game.

The human element

Not surprisingly, to make their schemes more effective, cyber criminals and scammers use psychology and exploit our human emotions, namely fear, urgency, and trust.

They know that during tax season, people are particularly vulnerable because they’re dealing with complex financial information, stressors and tight deadlines.

Scammers are betting that you’ll panic when you receive a message saying your tax return is delayed or that you owe money to the ATO, hoping you’ll respond without thinking.

But here’s the thing: the ATO will never ask for personal information via email or SMS, and they certainly won’t send links or attachments. They always direct you to log in through their official websites.

If you receive a suspicious message, take a step back and think it through. If you are really unsure, contact the ATO directly using the phone number on their official website to verify the message.

Training and education

Training and education are critical components of an effective cybersecurity strategy, especially during tax season. Here are some additional steps SMEs can take to bolster their defences:

  • Conduct Regular Security Awareness Training: Regularly train employees on the latest security threats and best practices.
  • Simulated Phishing Tests: Periodically conduct simulated phishing attacks to test employees’ awareness and response. This helps identify vulnerabilities and provides practical training on how to handle suspicious communications.
  • Update Cybersecurity Policies: Ensure your cybersecurity policies are up to date and reflect the latest threats. Review them regularly and make them accessible to everyone.
  • Encourage a Culture of Vigilance: Foster a workplace culture that prioritises cybersecurity. Recognise and reward proactive behaviour in identifying potential threats.
  • Utilise Strong Password Practices: Educate employees about the importance of strong, unique passwords and passphrases for all business accounts. Encourage the use of password managers to securely store and manage passwords.
  • Implement Multi-Factor Authentication (MFA): Require MFA for access to sensitive systems and data.
  • Secure All Devices: Ensure that all devices used for business purposes are secured with the latest security updates and patches.
  • Regularly Review Access Controls: Periodically review who has access to sensitive information and systems. Ensure that access is limited to only those who need it.
  • Develop a Response Plan: Have a clear incident response plan in place in case of a security breach. Make sure all employees know their roles and responsibilities in the event of a cyber incident.

Tailored tips for everyone

For Individuals: Always pause and verify any unsolicited communication from the ATO or myGov. The real ATO will never ask for your personal information via email or SMS. If in doubt, contact the ATO directly using official contact details.

If you’re engaging with a new tax agent, you can make sure they are legit by checking with the Tax Practitioners Board.

For Business Owners and Employers: Communicate clearly with your employees about what to expect from HR or payroll during tax time, and how that legitimate communication will look. Implement security awareness training, simulated phishing tests to keep your team sharp, and other aspects of the education and training mentioned above.

For Tax Professionals: Be extra vigilant with incoming communications. Cybercriminals target your client data, and a breach could have severe repercussions. Educate your clients about potential scams and encourage them to verify any suspicious messages.

What not to do

Use common sense, and remember that if something looks dodgy or suspicious – it probably is.

  • Do not click on links or attachments in unsolicited messages.
  • Do not provide personal details over email, SMS, or phone unless you are certain of the recipient’s identity.
  • Never make payments via gift cards, cryptocurrency, or other unusual methods at the request of an unsolicited message.

When you are confronted with any doubt: ignore, block and delete where possible.

Reporting scams

If you encounter a scam, report it immediately. Call the ATO at 1800 008 540 or forward scam emails to [email protected]. Take a screenshot of scam messages and email them to the same address. By reporting scams, you help protect others and contribute to broader efforts to combat these threats.

Information on all the latest scams with news and alerts can be found at Scamwatch.

Tax season scams are an annual nightmare, but with the right information and some street smarts, we can protect ourselves and our communities.

Share this guide with family, friends, and colleagues to spread awareness – and understand that we all have a role in keeping our data safe at home, at play and in the workplace. Visit the E-Safety Commissioner website for more excellent information for everyone to stay safe online.

Let’s keep those cybercriminals at bay and make this tax season as stress-free as possible. And remember: stay alert, stay informed, and stay safe.


Jacqueline Jayne, a.k.a. JJ, is a standout in the cybersecurity landscape with the innate talent for simplifying the complex. With over two decades in the fields of education, tech, communications and strategy, she's transformed cybersecurity awareness in her professional roles, making it engaging and understandable for all.
JJ's approach is all about sparking curiosity, asking unheard-of questions, and inspiring alternative thinking. She's not just about the tech; she's about connecting with people and sharing stories that resonate.
She’s currently sharing insightful gems via YouTube with "Talking Cyber with JJ," "Peeps and Geeks," and TikTok as @cybersecurityunicorn, where she continues to redefine cybersecurity communication.
