For scammers, the months leading up to tax season are when they prepare for a lucrative time of year — building their campaigns and honing their tactics to be able to steal sensitive personal data and dupe unsuspecting individuals into filing fraudulent tax returns.
The first half of the year provides the perfect backdrop for nefarious actors to deploy phishing attacks, which are a highly effective tactic for stealing credentials and data. They prey on the fact that, during tax time, people are operating on a tight deadline and are conscious of the legal ramifications of making a mistake.
In the first two months of last year, more than 600 Australians were reported to have fallen victim to tax-related scams, with the 18-to-24-year-old demographic the most affected. To put the damage into numbers, two people in this age group lost a combined $50,000.
This year, scammers have already made headway on their tax-related harvest. The Australian Taxation Office (ATO) has reported a rise in phishing attempts built around cryptocurrency tax evasion and around offers of tax file numbers (TFNs). These scammers are becoming increasingly crafty in their attempts to trick Australians into handing over their credentials.
Attacks that use social engineering, the manipulation of a person into taking an action they otherwise would not, most often by impersonating a trusted organisation or individual, have become so pervasive that the ATO maintains a whole page dedicated to the warning signs of tax-related scams.
Mobile devices are the most common place for scammers to target taxpayers, because the devices are entwined with both our work and personal lives. People have an inherent trust in these devices, so the messages received on them are scrutinised less.
The smaller screens and simplified interfaces also make it harder to spot the tell-tale signs of a phishing attack. For instance, a phishing URL is often built so that the visible start mimics a legitimate address while the part that identifies the real host, followed by a string of nonsensical characters, is pushed off the edge of the phone's address bar.
This is significant because mobile-related scams are escalating across Australia.
In 2021, Scamwatch reported an 89% increase in phone-based scams across Australia compared with 2020. These scams accounted for more than $63.6 million, or 31% of all reported financial losses, between January and September 2021.
This poses a threat not just to the employee but to the employer. The work-from-anywhere era has brought with it a proliferation of personal devices connecting remotely to the network, and with staff working at any time and from any place, IT teams increasingly struggle to maintain visibility over a perimeter that is now so vast.
Furthermore, it’s now no longer as easy to turn to colleagues to verify a suspicious message, making remote workers more vulnerable to responding to an ‘urgent’ request sent by scammers.
Since mobile devices are often used for both work and personal reasons, an attacker could target an individual with malware through personal apps, but end up gaining access to corporate data. While this might not have been their original intention, it shows how challenging it is to keep corporate data separate from personal threats on devices that are used for both purposes.
What a tax scam looks like, and what to do
The first line of defence against tax-related scams is education and awareness about the tactics criminals employ.
Most commonly, tax-related phishing attacks involve scammers either calling people with a pre-recorded message or sending a text pretending to be an employee of myGov, Centrelink or the ATO.
What follows is an attempt to extract personal information. The ‘caller’ might say you have an outstanding debt or might offer a tax time refund or bonus.
Quite often these messages will be laced with a threat, whether it’s asking you to press ‘1’ to avoid arrest or to click a link to reverse a ban on your TFN.
The tactics will always have a sense of urgency, with the intention to make you feel like you need to act immediately to avoid the consequences. Scammers will also implore you to stay on the line until the action they’re asking you to undertake is completed.
Any form of communication that creates a time-sensitive situation should be a red flag. People should approach these messages with extreme caution or go straight to their IT and security teams to validate them.
Requests for unusual payment methods, such as via Western Union, cryptocurrency, or via iTunes, Google Play, STEAM or other vouchers, are also indicators of a tax scam.
The ATO only ever calls from a private (withheld) number, never from a mobile number, and never uses robotic or pre-recorded messaging services to call taxpayers. It also never sends a text message containing a link.
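The red flags listed above (a message claiming to be from the ATO, myGov or Centrelink; a threat or deadline; an unusual payment method; a link in an agency-branded text; a URL whose visible start looks official while the real domain sits further along) can be turned into a simple triage script. The following is an added example and not code from the article or the ATO: the regular expressions, the list of legitimate domains, the cut-down public-suffix table and the four sample messages are all constructed assumptions for illustration.

```python
"""Heuristic triage of SMS or voice-transcript text for tax-scam red flags.

Added example. LEGIT_DOMAINS, BRAND_WORDS, MULTI_PART_SUFFIXES, the regexes
and SAMPLES are assumptions made for the example, not ATO-published data.
"""
import re
from urllib.parse import urlparse

# Assumed canonical domains of the agencies the scammers impersonate.
LEGIT_DOMAINS = {"ato.gov.au", "my.gov.au", "servicesaustralia.gov.au"}
BRAND_WORDS = ("ato", "mygov", "centrelink", "servicesaustralia")
# Cut-down public-suffix table so "x.gov.au" splits as a three-label domain.
# A real deployment would load the full Public Suffix List instead.
MULTI_PART_SUFFIXES = {"gov.au", "com.au", "net.au", "org.au", "edu.au"}

RE_AGENCY = re.compile(r"\b(ATO|Australian Taxation Office|myGov|Centrelink)\b", re.I)
RE_URGENCY = re.compile(
    r"\b(immediately|within \d+ hours|final notice|arrest|suspended|press 1|stay on the line)\b",
    re.I,
)
RE_PAYMENT = re.compile(
    r"\b(gift cards?|vouchers?|iTunes|Google Play|Steam|Western Union|crypto(currency)?|bitcoin)\b",
    re.I,
)
RE_URL = re.compile(r"https?://[^\s<>\"']+", re.I)

# Constructed sample messages (not real scam texts).
SAMPLES = [
    "ATO: Your tax refund of $1,240 is ready. Confirm your details within 24 hours "
    "at https://ato.gov.au.refund-portal.example/verify?id=7f3a9c",
    "Final notice from the Australian Taxation Office. Your TFN has been suspended. "
    "Pay the outstanding debt in Google Play gift cards to avoid arrest.",
    "Your ATO notice of assessment is available in myGov. Sign in at https://my.gov.au to view it.",
    "Reminder: your dentist appointment is tomorrow at 10am. Reply Y to confirm.",
]


def registrable_domain(host: str) -> str:
    """Return the part of the host the owner actually registered (eTLD+1)."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_PART_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def url_verdict(url: str) -> dict:
    """Flag hosts that carry an agency brand but are registered elsewhere."""
    host = (urlparse(url).hostname or "").lower()
    domain = registrable_domain(host)
    legit = domain in LEGIT_DOMAINS
    # "ato.gov.au." at the start of the host is what the phone screen shows;
    # the registrable domain at the end is what the browser connects to.
    lookalike = (not legit) and any(brand in host for brand in BRAND_WORDS)
    return {"url": url, "host": host, "domain": domain, "legit": legit, "lookalike": lookalike}


def triage(text: str) -> dict:
    """Collect red flags for one message and decide whether to escalate."""
    flags = []
    claims_agency = bool(RE_AGENCY.search(text))
    if claims_agency:
        flags.append("claims_to_be_agency")
    if RE_URGENCY.search(text):
        flags.append("urgency_or_threat")
    if RE_PAYMENT.search(text):
        flags.append("unusual_payment_method")
    urls = [url_verdict(u.rstrip(".,;:!?)")) for u in RE_URL.findall(text)]
    if urls and claims_agency:
        # The ATO does not text links, so an agency-branded text with any link is a flag.
        flags.append("agency_text_with_link")
    if any(u["lookalike"] for u in urls):
        flags.append("lookalike_domain")
    suspicious = "lookalike_domain" in flags or len(flags) >= 2
    return {"flags": flags, "urls": urls, "suspicious": suspicious}


if __name__ == "__main__":
    for sample in SAMPLES:
        result = triage(sample)
        print(f"{'SUSPICIOUS' if result['suspicious'] else 'ok        '} {result['flags']}")
        for u in result["urls"]:
            print(f"    host={u['host']} registrable={u['domain']} lookalike={u['lookalike']}")
```

The third sample links to the genuine myGov domain and is still escalated, because the article's rule that the ATO never texts a link makes any agency-branded text with a link worth a second look; that is deliberate, and the `lookalike` field separates the clearly malicious first sample from the merely policy-violating third. The registrable-domain split is the part worth keeping even if the keyword lists are replaced: it is what the phone's address bar hides from the user.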
Beyond education and awareness, organisations need to employ formal measures as a safety net for human error, particularly under hybrid work models, where geographically-dispersed workplaces result in a lack of visibility.
Although many organisations still send tax forms to employees through physical mail, distribution is increasingly digital. Regardless of how tax documents are sent, security teams should protect staff across all endpoints so they do not fall victim to a phishing attack or download a malicious attachment that could compromise the organisation's entire security posture.
Security practitioners should know whether they have proper security solutions in place. Even if they have phishing protection for email, they need to ensure their users are protected on their mobile devices regardless of where they work or what channel the phishing attacks come from.
Tax time is approaching, and cyber-criminals are no doubt encouraged by the fact that phone scams are proving more effective than ever, and that tax time has historically weakened victims' defences. Periods of heavy financial activity are high-activity periods for criminals, and vigilance needs to be amplified lest employer and employee alike suffer the consequences.