Garreth Hanley:
This is With Interest, a business, finance, and accounting news podcast brought to you by CPA Australia.
Jenny Wong:
Welcome to With Interest. I'm Jenny Wong, and in today's show, we're diving into an important topic as we near tax time. It's all about scams. Every year, the tax season brings its fair share of risks. And this year, with changes with the transition from myGovID to myID, we want to help you stay informed.
Joining us today is Joda Walter, Assistant Commissioner, Cyber Governance at the ATO. Joda brings valuable insights into the current landscape of tax-related scams and practical advice on how to protect yourself. Welcome to With Interest, Joda.
Joda Walter:
Hi and thank you for having me.
Jenny Wong:
Tax time often brings a surge in scam activity. What is the main thing scammers are after these days? And how are scammers typically contacting their targets?
Joda Walter:
It absolutely does. And it's an important topic right now. In the past, scammers were primarily seeking payments and financial transactions. However, we've seen a significant shift towards targeting personal information. This includes things like name, address, tax file number and even myGov sign in details. During tax time, we generally see an increase in reports of scams.
Scammers know Australians are focused on lodging their tax return and may be expecting refunds. This means they could be updating their personal information. Scammers take advantage of this and aim to trick the community.
Our data shows the majority of scams are being delivered via email. Scammers are developing extremely convincing emails that look almost identical to the real thing to get people to click on embedded links or attachments and hand over their personal information.
Once divulged, this information can be used to commit a range of identity theft activities, such as refund fraud or stealing a person's superannuation. It's crucial if you receive a message claiming to be from the ATO, that you stop what you're doing and take a few seconds to check it's really from us.
Jenny Wong:
Joda, what makes ATO impersonation scams so convincing? And what are some tactics and tricks scammers use to pressure victims into giving up their personal information?
Joda Walter:
A lot of it comes down to how real these scams look and sound. Scammers are getting really good at copying the tone, branding and little details you'd expect from a real ATO message.
They'll often spoof phone numbers or email addresses too, so at a glance it looks legitimate. Pressure tactics are a big part of how scammers attempt to trick their victims. They'll say things like, “Your tax file number has been suspended,” or “You’re owed a tax refund. Claim it now or it will expire.” It's all about creating a sense of urgency so that you don't stop and think.
Scammers also plan on you being distracted with the business of everyday life. They know if they can get you while you're juggling multiple things or feeling panicked, you're more likely to hand over your personal information without thinking too much about the interaction.
Jenny Wong:
Joda, have there been any scams that have really stood out recently?
Joda Walter:
Yes, unfortunately. I recently came across a particularly concerning scam involving myID, the Australian Government's digital identity app. It's an email scam where the subject line claims there's been a new sign in to your myID account. The email states that there's been a sign in attempt from a new device on a random but recent date and time. It then urges you to secure your account immediately by clicking on the link if you didn't recognise the sign in, which of course you wouldn't because it was completely made up.
This is a great example of the time pressure tactic I previously mentioned. If the individual had clicked on the link, they would have been directed to a fake myGov sign in page designed to steal their credentials.
What's especially alarming with this scam is that the email included real myID contact phone numbers, hot keys and contact names. This made it appear very legitimate. There are some clear signs that this example and others like it are actually a scam email.
Firstly, while the email might seem to come from myID, a closer look at the sender's actual email address reveals it's quite different from the official myID address, which is [email protected]
Secondly, myID, like the ATO, will never ask you to click on a hyperlink or scan a QR code to log into your myID or myGov account. This is a reminder of how sophisticated cybercriminals are and why it's crucial to stay vigilant, especially at tax time.
Jenny Wong:
Joda, can you tell us a bit more about myID and how that can help protect people?
Joda Walter:
myID is the Australian Government's digital identity app. It's a secure and convenient way for users to prove who they are when accessing participating government online services, both for personal use and business use. For example, you can use myID to access services including ATO online through myGov, online services for business and online services for agents.
A myID is unique to the user, and a personal email address should be used when setting it up. Depending on the identity strength required by the service, users can set up their myID to a basic, standard or strong identity strength. Under Australia's digital ID system, using a digital ID like myID to access government online services is optional and alternate methods are available for users who either cannot or choose not to use it.
Unlike most multi-factor authenticators, to set up a myID, you need to verify your identity. To establish the highest identity strength, you also need to complete a face verification check. This is like a selfie that is compared to your photo ID. It makes it hard for scammers to duplicate your myID or impersonate you. You can also enable push notifications, alerting you whenever your myID is used to log in to an online service. This will allow you to quickly spot and respond to unauthorised access attempts. For example, just like the myID scam I mentioned earlier.
Jenny Wong:
Joda, while lots of people self-lodge their tax return, many still prefer to rely on the services of a tax agent. What is the best way for agents to help their clients protect themselves?
Joda Walter:
The best thing agents can do is to be proactive in educating their clients and talking to them about what genuine ATO communication looks like versus what might be a scam. You should encourage your clients to never click on links or respond to messages that they weren't expecting. If your clients get something that feels a bit off, remind them it's always safer to call your office directly or contact the ATO through official ATO channels.
Remind clients if they receive any interaction claiming to be from the ATO that they need to take a second to double check it’s legitimate. This simple action will stop a lot of scams in their tracks. Our top tips for the community, and the advice tax agents could share with their clients to stop, check and protect, include: Stop. Pause and don't share personal information such as your myGov, tax file number or bank account details with anyone unless you trust the person and they have a genuine need for your details.
Check. Take a sec to check. Ask yourself, “Could the message or call be fake? Is it really the ATO contacting you?” Protect. Act quickly if something feels wrong or you've noticed suspicious activity on your ATO account. Phone the ATO on 1800 008 540 if you have disclosed any personal information.
It’s just as important for tax agents to protect their systems and information as they hold valuable client data, making them prime targets for cyber criminals.
Cyber criminals can exploit outdated software or send malicious emails to steal business and client information. Strong security practices are essential to safeguarding your business, staff and client information. Some good practices include protecting information — limit access to sensitive data, and regularly back up your data to an external location.
Protecting systems — use multi-factor authentication, automatic software updates, antivirus software and strong pass phrases that combine four simple but random words with spaces in between like crystal, onion, clay, pretzel, for example. This is stronger than your average shorter password.
And protecting myID — never share sign in credentials. Instead, enrol in the strongest level of identity strength you can. The ATO and the Australian Cyber Security Centre offer practical security advice on their websites. I recommend searching for the Australian Cyber Security Centre's "Essential 8" strategies on cyber.gov.au. These strategies are particularly useful for protecting against cyber threats.
Jenny Wong:
Joda, what’s the safest way to check if a message from the ATO is legit?
Joda Walter:
The golden rule is if you're unsure, don't check the legitimacy of an interaction by using the links or contact details in the message itself. Instead, go straight to the ATO's official website or use the contact information you already know is real.
Some other key things to know are, scammers use links to steal information or to install malware. The ATO never sends unsolicited emails or SMS with QR codes or links requesting that taxpayers log in to online services.
Be cautious of unexpected requests for personal or financial information, especially if they seem urgent. The ATO won’t ask for that. Always log in to your myGov account directly through your browser to check for tax-related messages. If there's no message, it's likely a scam.
The ATO maintains a consistent tone and style. Emails with grammatical errors, unusual language, or requests for sensitive information are scams. Check the sender’s email address. Scammers often use display names like Australian Taxation Office, but with random or similar looking email addresses. I know I keep mentioning it, but taking a few seconds to check the subtle differences can be the difference between spotting and avoiding or falling victim to a scam.
If you're still unsure, I recommend picking up the phone and calling the ATO to check. It's better to take the time to check than to have years of financial and emotional strain trying to recover your identity from cyber criminals.
Jenny Wong:
What should someone do if they think they've been scammed? And what's one message you would want people to remember from this podcast?
Joda Walter:
The first thing is don't panic, but act quickly. Unfortunately, these things do happen. Call the ATO on 1800 008 540 if you have disclosed any personal information. Contact your bank straight away if you've given out any financial information.
The main thing I want people to remember is it's never embarrassing to be cautious. Scammers are professionals at what they do. Trust your gut, double check everything and if something doesn't feel right, ask for help.
Jenny Wong:
It's clear that understanding these scams is crucial for everyone during tax time, and we need to remain extra vigilant, Joda. Thank you so much for sharing these insights with us. There's so much more to cover on cyber security, but we really appreciate your expertise and time here today.
Joda Walter:
Thank you. You're welcome.
Jenny Wong:
And thank you for listening to With Interest. Don't forget to check the show notes for links and resources from CPA Australia and the ATO’s recommendations on protecting yourself against scams. If you enjoyed this show, please share it with your friends and colleagues and hit the subscribe button so you don't miss future episodes. Until next time, thanks for listening.
Garreth Hanley:
You've been listening to With Interest, a CPA Australia podcast. If you've enjoyed this episode, help others discover With Interest by leaving us a review and sharing this episode with colleagues, clients, or anyone else interested in the latest finance, business and accounting news.
To find out more about our other podcasts and CPA Australia, check the show notes for this episode. And we hope you can join us again for another episode of With Interest.