Recently, our Security Operations Centre identified a phishing scam where consumers were being sent emails purporting to be the Australian Taxation Office (ATO) and offering the recipient a tax refund.

Below is information about the scam itself and some tips on how to avoid being a victim of similar scams.

How the taxation phishing scam works

The email pretends to be from the ATO and offers a tax refund. The recipient is asked to click a link which supposedly takes them to the ATO website, where they are shown a list of bank logos for the banks said to be participating in the E-tax refund. The consumer is asked to click the logo for their bank and is then presented with a form to fill out. The website itself is a fake ATO site, and the form steals credit card details.

This type of phishing scam is not technically new, and neither is the concept of imitating a taxation office. The United States IRS is targeted by online phishing on a regular basis, as are other taxation offices in other jurisdictions. The emails go to great lengths to convince recipients that they are genuine: they even contain a replica of the ATO’s logo and a link to what appears to be the ATO website (see our blog article “Using referral logs to detect attacks”). Consumers are asked to provide details such as their name, email address, date of birth, home address and banking details in order to search for any tax refunds. The email may also direct consumers to a phony Taxation Office website which asks for personal information and credit card details.

Figure 1: ATO Phishing Website

Figure 2: Bankwest Login Phishing Page

Figure 3: The success message displayed once the end user has been phished. The user does not receive any refund, and their credentials are sent to the hacker responsible for the phishing site.

Why is tax phishing successful?

This type of phishing scam is very effective for the cyber criminals, as it preys on people’s misunderstanding of how tax refunds work. Most people will jump at the chance to be given money, even if it sounds too good to be true, and this is exactly what the criminals want.

This phishing scam also targets multiple banks in one attack. It is set up this way to reach as many users as possible while only setting up one phishing site, which gives the hackers a bigger return on investment.

When do these types of attacks usually happen?

From detailed analysis, it appears that these types of attacks are seasonal and only occur around “Tax Time”. People are more susceptible at this time, as they might be expecting a refund from the Taxation Office and will click links without investigating them first.

How can you identify the scam?

The signs of any phishing scam are much the same. You should:

  • Look out for poor spelling and grammar in the original email: this is usually a hint that it has been created by an overseas hacker
  • Be suspicious if the email is not addressed to you personally (for example, if it just says “Dear Sir/Madame”, it is unlikely to be from a Government agency)
  • Were you expecting a Tax Refund? If not, isn’t it odd that you are being told you are getting one?
  • Look in the address bar at the top of your web browser. Some browsers, like Firefox, have a feature where the actual domain is listed in bold in the address bar, which can then alert you to the fact that you are not on the website you thought you were
  • Phishing sites often use lots of sub-folders or sub-domains to throw users off
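The last two points above (read the real domain the way the browser highlights it, and be wary of long chains of sub-domains and sub-folders) can be turned into a small check. The script below is an added example written for this article, not FraudWatch International tooling; it assumes the genuine site is ato.gov.au, uses a tiny stand-in for the public suffix list, and runs on constructed sample URLs rather than addresses from the real campaign.

```python
import ipaddress
from urllib.parse import urlsplit

# Assumption: the genuine site lives on ato.gov.au (not stated in the article).
EXPECTED_DOMAIN = "ato.gov.au"
# Tiny stand-in for the Public Suffix List, enough for the samples below.
MULTI_LABEL_SUFFIXES = {"gov.au", "com.au", "net.au", "co.uk"}

def registrable_domain(host):
    """The part of the host a browser shows in bold: the registered domain,
    ignoring however many sub-domain labels are stacked in front of it."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])

def assess(url):
    """Compare the real domain of a link with the expected one and list the
    tricks the article describes: brand name in a sub-domain or folder,
    deep sub-domain chains, deep folder chains, bare IP hosts, user@ prefixes."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = parts.hostname or ""
    findings = []
    try:
        ipaddress.ip_address(host)
        findings.append("host is a bare IP address")
        domain = host
    except ValueError:
        domain = registrable_domain(host)
    if parts.username:
        findings.append("text before '@' is not the host the browser connects to")
    segments = [s.lower() for s in parts.path.split("/") if s]
    if domain != EXPECTED_DOMAIN:
        brand = EXPECTED_DOMAIN.split(".")[0]
        if brand in host.split("."):
            findings.append(f"'{brand}' is only a sub-domain of {domain}")
        if any(brand in s for s in segments):
            findings.append(f"'{brand}' appears only in the folder path of {domain}")
    sub_levels = len(host.split(".")) - len(domain.split("."))
    if sub_levels >= 3:
        findings.append(f"{sub_levels} sub-domain levels")
    if len(segments) >= 4:
        findings.append(f"{len(segments)} folder levels in path")
    verdict = "expected domain" if domain == EXPECTED_DOMAIN else "NOT the expected domain"
    return {"host": host, "domain": domain, "verdict": verdict, "findings": findings}

# Constructed sample links for demonstration; none are real phishing addresses.
SAMPLES = ["https://www.ato.gov.au/individuals/",
           "http://ato.gov.au.refund.example.net/etax/refund/banks/login/form.php",
           "http://203.0.113.5/ato.gov.au/refund/"]
if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample, "->", assess(sample))
```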

How to avoid being scammed

The best way to avoid being the victim of a scam is to use only official channels to contact an organisation. NEVER click links in emails or call phone numbers provided if you are in any way suspicious of the email content. Always manually go to the official website or obtain the phone number through other means (like phone directories or Google searches).

FraudWatch International reports all of these sites to popular browsers such as Internet Explorer, Mozilla Firefox, Safari and Google Chrome. This means that when other end users are directed to these sites they will receive a warning saying that the page is likely a phishing attack and that they should proceed with heavy caution. If you do see one of these messages when visiting a page, it is very likely a scam, and you should never provide any personal details.