Garreth Hanley:
This is With Interest, a business, finance, and accounting news podcast brought to you by CPA Australia.
Hello and welcome back to With Interest's Tax Time Series. I'm Garreth Hanley. In today's episode, we're talking with Joda Walter about tax time scams and cyber security. Joda is the Assistant Commissioner of Cyber Governance at the ATO, and he'll be running us through the ATO's cyber safety tips for the millions of Australians and their tax agents who are about to get their 2024 tax returns ready. Welcome to With Interest, Joda.
Joda Walter:
Hi, Garreth, and thanks for having me today.
Garreth Hanley:
That's good to have you with us, Joda.
Joda, it seems like every year at tax time, cyber criminals and scammers use a mix of tried-and-tested and new tricks to target Australian taxpayers. So, is this year any different?
Joda Walter:
I wish I could say yes, but the answer is no. ATO impersonation scams remain a risk to Australians, and as you've mentioned, tax time provides scammers with a prime opportunity to target the community. Scammers love tax time, as for many people, it's the one time a year where they may expect to hear from the ATO.
What we often see around this time of year is scammers trying to catch people off guard as many Australians go about doing their tax returns and they're expecting refunds or have activity occurring on their tax accounts. In the lead-up to tax time, we'll continue to proactively monitor all scammer techniques to inform our scam disruption activities. This also drives our community awareness and education approach on how to identify, report, and respond to ATO impersonation scams.
Garreth Hanley:
So, Joda, you are constantly monitoring these scams, and I'm wondering what scams are you seeing this year and what steps can taxpayers and their agents take to protect themselves at tax time.
Joda Walter:
It's a really great question. ATO-branded email scams containing links to fake myGov web pages are some of the most commonly reported scams we're receiving from the community at the moment. These phishing emails attempt to manipulate recipients into clicking links by using phrases people would expect to see in ATO correspondence at tax time. Phrases such as, "Please update your details to release your refund" or, "You have a message in your myGov inbox" are common.
These links direct people to fake myGov sign-in portals that are designed to steal client credentials and gain access to their account. Once the scammer has access, they can commit tax fraud by lodging false tax returns and changing bank details so that any payments are redirected to the scammer's account. It's worthwhile noting that these myGov web pages look like the real deal. They use the right colours, have the same webpage layout, and some even direct users to the real myGov homepage once they submit their details. Anyone can get caught out.
Our tips for the community and the advice for tax agents that they should share with their clients is STOP - don’t share personal information such as your myGov tax file number or bank account details with anyone unless you trust the person and they genuinely require your details. THINK - ask yourself, "Could the message or call be fake?". PROTECT - act quickly if something feels wrong.
Call the ATO on 1-800-008-540 if you have disclosed any personal information.
The ATO is running an awareness campaign this month, which is focused on protecting your personal information. The campaign demonstrates how scammers work to complete your identity puzzle with pieces of your personal information. Once they complete the puzzle, they can commit identity theft and tax fraud. The campaign and other really great resources on keeping your information safe can be found at ato.gov.au/protectyourself.
Garreth Hanley:
Joda, you just touched on some of these dodgy text messages and emails that people get that might demand payments, and we've heard about these messages that ask people to get in touch with the ATO, and it does seem like the messages are getting more convincing too.
I've really got a couple of questions about these messages. Firstly, is there an easy way to spot the difference between a legitimate email or text message and one that's fake? And secondly, what should people do if they get one of these messages that claims to be from the ATO?
Joda Walter:
Distinguishing between legitimate and scam interactions is becoming increasingly difficult for the community to spot. The ATO always maintains a consistent tone and style in their communications. If an email or message contains grammatical errors, unusual language, or requests for sensitive information, it may be a sign of a scam. The ATO has recently moved away from using links in SMS messages to make it easier for the community to spot real messages from the fake ones.
We also don't use QR codes in our text messages. As for emails, the easiest way to differentiate between a scam email and a legitimate one from the ATO is to look at the sender's email address. Oftentimes, scammers send emails where the display name appears as Australian Taxation Office, but email addresses might be Gmail or Yahoo. Scammers often send emails from unusual email addresses or create email addresses to look similar to our official email address, but with subtle differences like using a number, adding extra letters, or even removing a letter.
As a rule, people should always be wary of unexpected requests for personal or financial information, especially if they claim to be urgent or time-sensitive. The ATO will never ask for passwords, account numbers, or other sensitive data by email, SMS, or unsolicited phone calls. If you've done these checks but you're still unsure, you should always verify if the contact is legitimate by calling 1-800-008-540 and speaking with one of our trained staff or visiting the verify or report scam page on the official ATO website, which will be linked in the show notes. If there's ever any doubt, it's always best to play it safe and avoid responding until you confirm the authenticity of the correspondence.
Garreth Hanley:
Not clicking on links is a great place to start. There's always that sense of urgency in these scams, and it's a busy time of year, and sometimes when people are tired or they've got a lot on, they might just click without thinking, so I think that 1-800 number is probably a good place to start if anybody gets anything that they're unsure of.
Jacqueline Blondell:
If you're enjoying this podcast, you should check out our in-depth business and finance show, INTHEBLACK. Search for INTHEBLACK on your favourite podcast app today. Now, back to With Interest.
Garreth Hanley:
Joda, I'd like to have a quick chat about social media. It sounds like impersonator accounts and scammers were quite common on social media at tax time last year. Are fake social media accounts still an issue? And if they are, what do people need to be aware of?
Joda Walter:
The answer is yes. There's still an issue. We're seeing a number of social media accounts impersonating both the ATO and myGov brands. These appear to be mainly on Facebook and X, but we're monitoring activity across other social media platforms too.
The reality is, scammers target individuals and businesses of all sizes, and they do often impersonate ATO employees and officials.
If you've had an interaction on social media with an account claiming to be the ATO and you're not sure it's really us, you should look for the official ATO logo, name, and profile verification, such as the blue tick on Facebook or grey tick on X, and check the number of followers they have. If it's quite small, it's usually a sign of a scam account.
Some other key things to remember when interacting with us on social media is that the ATO will never discuss your personal ATO account on any social media platform, engage with the community via private messaging or outside of official social media pages, or ask for personal information such as a TFN or bank details over social media.
If anyone thinks an interaction on social media or any platform from the ATO is not genuine, they should not engage with it. Instead, we recommend taking a screenshot of the account and emailing it to [email protected], and then blocking the account through the platform's reporting function.
Garreth Hanley:
Thanks, Joda. Let's have a bit of a chat about tax agents. Now, we know tax agents have specific responsibilities when it comes to client information, and that includes personal and financial information as well as tax file numbers. From the ATO's perspective, how can tax agents best manage their cybersecurity and privacy risks?
Joda Walter:
It's no secret that tax professionals hold a significant amount of personal information on their clients, and this could be seen as a treasure trove for cybercriminals. Cybercriminals can steal your business and your client's details in a variety of ways, from exploiting a vulnerability in outdated software to gain access to your business accounts to sending emails with malicious attachments that can encrypt client files or client records.
This is known as a ransomware attack. Strong security practices can help protect business, staff, and client information from cyberattacks. This includes protecting your information by limiting who can access sensitive information to only those who have a need for it in their role and by regularly backing up your data to an external location or a separate location, protecting your systems by using multi-factor authentication and creating strong passphrases and changing them frequently, turning on automatic software updates and using antivirus software, and protecting your myGov ID by never sharing, signing credentials, and enrolling in a strong identity strength.
We have lots of practical security advice for tax professionals and businesses on the ATO website. I would also highly recommend visiting the Australian Cyber Security Centre website. They have a great online resource, and it guides and helps businesses of all sizes protect against common cyber threats. A fantastic resource of theirs is called the Essential Eight. These are the eight most effective cyber strategies that, when implemented together, make it much harder for cybercriminals to compromise your systems.
Garreth Hanley:
Thanks, Joda. There's some really great information there, and just to remind listeners, we will leave links to everything we've mentioned in this show in the show notes. Thanks for joining us today, Joda.
Joda Walter:
Thank you. Thanks for having me. It's a pleasure to be here.
Garreth Hanley:
This brings our tax time podcast series to a close. If you are interested in knowing more about what we've covered today or in the past three episodes, our show notes contain links to further information, including the ATO website, and if you're looking for advice, always speak to a registered tax agent. If you like what you've heard today, you can subscribe to With Interest on your favourite podcast app.
I'm Garreth Hanley, and from all of us here at CPA Australia, thanks for listening.
You've been listening to With Interest, a CPA Australia podcast. If you've enjoyed this episode, help others discover With Interest by leaving us a review and sharing this episode with colleagues, clients, or anyone else interested in the latest finance, business, and accounting news. To find out more about our other podcasts and CPA Australia, check the show notes for this episode, and we hope you can join us again for another episode of With Interest.