Fraudsters can exploit our reliance on a single device for so much data.
Tax-time scammers ‘getting more sophisticated’
Tax-time scammers are getting very sophisticated and our increasing reliance on a single device leaves us vulnerable, said one cyber security expert.
Stephen Kho of security software operation Avast said one example flagged by the ATO last week was typical of tax time fraud. It involved fake emails that purported to offer tax return lodgement receipts and asked recipients to sign attached documents.
“The attachment takes you to a fake Microsoft login page designed to steal your password,” the Tax Office said in its alert.
Mr Kho said other scams involving tax file numbers and ABN applications were also common.
“The sophistication is these days across all channels – your WhatsApp, your Instagram, your Twitter, your Facebook Messenger, and also voice recordings where they give you info and make it sound really frightening and urgent,” Mr Kho said.
Although people were becoming wise to scammer techniques and the themes were familiar, digital convergence made us vulnerable.
“What they’re taking advantage of is that we’re increasingly – especially since the pandemic – operating on one device,” Mr Kho said.
“For example, on my phone I’ve got my personal email, personal WhatsApp, work email, work Slack and work Messenger and everything’s converged to one device.
“So when messages come across sometimes you lose track of where it’s come from, especially if you’re really busy multi-tasking and you’re switching between different apps.
“They’re still getting people, especially in a generation that’s less savvy.
“My mum’s 82, she’s got a smartphone and it’s just frightening because she’ll get things that she totally believes on Facebook – that the tax department is saying this – she says Facebook is pretty much gospel.”
He said it was cheap for scammers to send out thousands of messages through SMS, WhatsApp and so on, and they only needed a small success rate.
They also played to online themes, such as the Ukrainian war, flood relief donations, tax time and Christmas, and they were constantly coming up with new methods.
“It’s never going [to] disappear – whether it’s crypto scam, the next disaster, the next pandemic, the next charity event. There are always people that are willing to help or and are not switched on, so they get sucked in,” Mr Kho said.
Business employers sometimes succumbed to fake urgency or emotional pressure.
“We’re seeing a lot of those business-type scams where there’ll be emails coming into the finance office to say, ‘Hey, pay this invoice now’ seemingly from your CEO,” Mr Kho said.
He said businesses needed to rigorously follow their authorisation processes.
“So if you need two levels of approval, even if the CEO is shouting into your ear at 8 o'clock on a Friday night, you need to follow those procedures to make sure,” Mr Kho said.
“We see a lot of businesses falling into this by social engineering pressures to pay fake invoices.”
Even two-factor authentication could be defeated if malware got onto your phone, where it could intercept messages. But dedicated two-factor authentication apps, such as Google Authenticator, made it much harder to fake.
“But in general, enabling a second factor authentication, whether that’s tied to a separate email or to an authenticator software on your phone – raises the bar and makes it much harder to access your account and scam you,” Mr Kho said.
Scammers were also getting more sophisticated, with different fraudsters working in pairs.
“One party will call pretending to be the payment accountant for example, and they’ll say, ‘Call this number to verify it’s me’,” Mr Kho said.
“They’re actually hosting that number and pretending to be some authority to validate it.
“Or with crypto, they actually host a fake website and then call you to have customer support – really making the whole scam more sophisticated. Instead of just sending you a link they’ll have quite an elaborate scheme.
“Some people could have many thousands in their crypto wallet then they can spend five minutes in a scam …”