Avoid Ransomware at Tax Time
Recently Sam a tax agent in Fitzroy received an email from a courier service she frequently used for urgent tax documents. This email while it resembled the courier service branding, was an impersonating email. Before she could realise, Sam clicked on the email link which leaked a virus locking her laptop and 3 other staff desktops.
The incident has put her business and data at serious risk.
Sam’s, external IT provider was able to recover her systems but the risk is still there.
This scam is called ransomware, as it denies access to files and systems until a ransom is paid. In Sam’s case she was able to avoid paying any ransom.
Protect your business online
- Be careful when downloading attachments or clicking links in emails, text messages or social media posts, even if they appear to be from someone you know. If you are in doubt, call the business. Find their contact details on their official website.
- Ensure your staff are educated about how to recognise scam and spam emails and fake websites.
- Educate clients to contact you if they identify unusual activity on their tax account, receive unexpected refunds into their bank accounts or receive suspicious contact about their tax.
- Report any client data loss to the Australian Taxation Office (ATO), especially TFN theft, any unexpected clients leaving your client list or any unusual activity or transactions.
If you have fallen victim to the ransomware scam, call an IT specialist for advice and assistance. Paying the ransom doesn’t always get you your data back.
Avoid the ‘Fake Tax Debt’ scam
Usually received over the phone, the Fake Tax Debt scam impersonates a tax professional. They trick the victim into sending personal information, such as tax file numbers, passport, driver’s licences or pay phony tax debts.
It seems SMBs are particularly vulnerable to this scam as staff are often stretched managing the day to day running of the business.
Mario is a homewares entrepreneur in Sydney who received an automated phone message. Known as a robocall, the message said “there was a warrant out for his arrest for an overdue tax debt”
It asked him to ‘press 1′ to ‘speak to a tax agent’. As a result of pressing 1, he was connected to an ATO impersonator who threatened him. Pay a $5,000 tax debt or they’ll be a warrant out for your arrest.
The scammer aware that Mario was sceptical asked him for his tax accountants phone number to verify. In error, Mario gave the ATO impersonator the number. The fraudster then conference called in a second scammer who impersonated his tax agent. Firstly, saying the tax debt had arisen because of a mistake on his account, Secondly, that he must pay the debt immediately, And, finally, they will reimburse him later.
Mario was told the only way the debt could be paid was with Google Play cards. So, he purchased the gift cards from his local supermarket, scratched off the panel and sent the photos to the scammers via WhatsApp.
Mario lost $5,000.
Watch out for invoice scams at tax time
Business email compromise are scams that trick an employee, customer or vendor into transferring money or sensitive information to the scammer. The scammers send emails and use websites that look legitimate, but a completely fake. The email scams alone, account for 63 per cent of all business losses reported to Scamwatch. The average loss is nearly $30,000!
A registered tax agent from Alice Springs, Rajiv received an email from People Co, a labour hire company. During the busy period of tax time June – October, Rajiv often employed extra staff through People Co, so it was normal to get emails. However, this one was different, while it bore a strong resemblance, it was in fact a fake.
The email sender, firstly, included an invoice for urgent payment, with the logo and branding of People Co, to make it look authentic. Secondly, said further identification information was required having been lost due to an email malfunction. And finally, the email included a link to a web form that Rajiv needed to complete urgently to pay the invoice and ensure his contractors were paid.
On receipt of the email Rajiv decided to take the time to check with People Co, who said payments were all up to date. He then subsequently checked the email to discover the People Co bank details were different from the usual BSB and account number on the invoice.
Rajiv saved his business $20,000 by taking the time to check.
Taking the time to check.
- Be wary of emails that are not expected. For instance, an invoice received from a supplier you haven’t dealt with in a while, invoice amount differences or bank detail changes.
- Teach your staff to look out for other red flags of invoice scam emails like:
- The supplier has provided new bank account details.
- Urgent payment is requested or you’re threatened with serious consequences if payment isn’t made.
- The sender is someone in a position of authority, particularly someone who wouldn’t normally send payment requests.
- The email address doesn’t exactly match the supplier’s company name. Double-check by looking at previous correspondence.
- Never give out your personal identifying information unless you are certain who you are dealing with. Contact organisations on an independently sourced number, not one provided to you.
- Keep your business information safe. Beware of anyone asking you to ‘confirm’ your details and don’t share you details unless you’ve checked the person you are dealing with is who they say they are.
- Always exercise caution when downloading attachments or clicking links in emails, text messages or social media posts, even if they appear to be from someone you know.
- Stay alert at all times! Remain one step ahead of cybercriminals and keep your personal information safe online by following these easy steps.
Suggested tax time resources for your business
Resources for you. Please adapt and use any of these resources for your audience or channel. These social media tiles can be used on Facebook, Facebook banner, or as a Website banner, similiar to the picture below.
Think before you click
- The ATO will never send you an email or text message with a hyperlink directing you to a log-on page for their online services.
- You can always verify the identity of the person you’re dealing with by checking the phone book or doing an online search. Don’t ever use the contact details provided by the caller or in the message they sent to you.
Scammers can be really convincing. If you receive a message claiming to be from the @atogovau, think twice before downloading attachments or clicking links in emails or text messages, even if they appear to come from someone you know.
More tips to avoid suspicious messages https://www.staysmartonline.gov.au/taxtime19
Never pay tax by iTunes cards, gift cards or Bitcoin
- The ATO will never ask you to pay your tax debt via iTunes, Google Play or other pre-paid cards or with cryptocurrencies like Bitcoin or into non-ATO bank account,
- Visit www.ato.gov.au/howtopay for advice on correct payment options for paying tax debts.
Stay alert for scammers this #TaxTime! Scammers often impersonate the @atogovau and demand payment for fake tax debts.
Remember, the ATO will never ask you to pay your tax debt with pre-paid cards or with cryptocurrencies like Bitcoin. For electronic payment of tax debts, the ATO accepts payment into an account held by the Reserve Bank of Australia only.
For more information about ATO payment options, visit http://www.ato.gov.au/General/Paying-the-ATO/How-to-pay/
More tips to protect yourself online a tax time: https://www.staysmartonline.gov.au/taxtime19
Be smart with social media
- Be careful about what personal information you share online and across social media. This information can be used by scammers when they contact you to make their approach seem more believable. They can also piece together personal details you reveal online to try and crack your passwords on important accounts, like your myGov account.
- Change the privacy settings on your social media accounts so only friends can see your details.
- Don’t share your Tax File Number (TFN) on social media.
Stay safe when using Wi-Fi to avoid a tax time scam
- Be careful about what you do online when you’re connected to a hotspot or free public Wi-Fi. While it’s OK to check the news or the weather when you’re connected to public Wi-Fi, don’t make financial transactions or do your tax return These networks are not secure. Can cybercriminals can intercept your information.
- When doing tax time transactions from home or your business, ensure that your private Wi-Fi network is secure with a strong password.
Keep your devices up-to-date
- When you’re alerted to a security update for your operating system or one of your apps— install it as soon as possible. These update are often about fixing weaknesses that cybercriminals use to gain access to your device.
- Run regular anti-virus scans to help you detect and remove malware (viruses) from your device.
- Remove any apps you don’t use any more to ensure your personal info isn’t being accessed by companies you don’t deal with anymore.
Keep your business info safe at tax time
- Cybercriminals can use information such as your AUSkey to commit tax fraud in your name. Beware of anyone asking you to ‘confirm’ your details. Don’t share your details before verifying the person.
- Business owners and tax professionals who have experienced a data breach or a breach of client records (e.g. loss of or unauthorised access of sensitive personal details) should report it to the ATO so protective measures can be placed on client accounts.
Cybercriminals may use business information such as your AUSkey to commit tax fraud in your name.
Beware of anyone asking you to ‘confirm’ your business details. And don’t share your details unless you’ve checked the person you’re dealing with is who they say they are.
Learn how to keep your business safe from scammers this #TaxTime https://www.staysmartonline.gov.au/taxtime19
Help others be cyber safe!
- Share ATO and Stay Smart Online scam warnings with family, friends, customers and colleagues to help keep them safe online.
- Report suspicious emails claiming to be from the ATO by forwarding the entire email to [email protected] and then delete the email. Do not click on any links, open attachments or download files.
- You can also report cyber security incidents to ReportCyber
Turn on the security code in your myGov account
- Impersonating the ATO or myGov is a common trick used by scammers – threatening people to pay fake tax debts or hand over personal details to receive a ‘refund’.
- Always manually type https://my.gov.au/ into your internet browser to log into your official myGov account to check your tax, lodge your return, and verify if you owe a debt or are due a refund. Do not click any links in emails or text messages, as these could be malicious links.
- Check your tax affairs at any time by calling the ATO on 13 28 61 or contacting your tax agent.
Always check your tax through ATO online services via myGov – and manually type the URL into your browser https://my.gov.au
Scammers often impersonate the @atogovau in emails, text messages, phone calls and over messaging services or social media. The best way to avoid falling victim is to ignore these approaches and only log into your myGov account to check if you owe a debt or are due a refund.
For more advice head to https://www.staysmartonline.gov.au/taxtime19