Skip to the article content

This is is a test for red alert, with close icon. Should show only on one page.


The con is on(line): Stay safe from tax time scammers

As the saying goes, only two things in life are certain – death and taxes. And I’m sure that Benjamin Franklin would agree that tax time is, well… taxing. 

The end of financial year brings a dramatic increase in scams and identity theft as fraudsters claim to reunite customers with their hard earned funds.

In fact, despite not yet lodging my FY16 return, I’m already the recipient of an email boasting an unexpected refund – on the proviso I pay a small fee to cover processing costs, and provide my account details for the windfall.

What could possibly go wrong?

Be vigilant 

Alas, if it looks too good to be true, it probably is – when considering an estimated 1 million Australians have their identity stolen each year, at a cost of around $1 billion in total.

As more of our data migrates into the digital realm, so do the criminals – seeking new ways to commit old crimes.

Our failure to create strong passwords, nonchalance when publishing personal information on social media, and inattention while making financial transactions over insecure connections can land us in strife.

In 2015, more than 26,000 tax returns were delayed under suspicion that they were the work of identity fraudsters.

As the ATO remained staunchly adamant that their systems were not breached, it became clear that most cases involved data stolen externally.

As the story goes, crooks hack the payroll systems of unsuspecting companies, and harvest extensive personal details of employees – the same information required to lodge a bogus tax return with any refunds siphoned right into the pockets of the bad guys.

Something I bet you wouldn’t… depreciate. (Sorry.)

Alongside hacking, scammers often use a combination of methods to get their unauthorised hands on your personal info at tax time.

Tax refund scams typically involve the fraudster claiming you’ve overpaid your tax and are entitled to a refund, after you pay the ‘associated administrative costs’.

Similarly, tax owed scams demand you immediately repay an outstanding tax debt, via the purchase of a pre-paid debit card.

Phishing emails ‘fish’ for your information via an email or website that pretends to originate from the ATO.

Emails include a hyperlink (to steal your personal details) or attachment (to infect your computer with nasty software).

Often a leak of your information involves the compromise of an online site – the recent hack of LinkedIn was the latest in a long list of companies impacted by a data breach.

We’ve all been guilty of re-using usernames and passwords, so after a breach is publicised it’s easy for a hacker to try the stolen credentials across multiple sites, hoping for a match.

But it’s not just e-crime to blame. Australia’s 100 point identity check that uses different documents (each with a corresponding ‘points’ value) to verify your identity, can be compromised as new printing technology produces high quality counterfeit cards (an authentic looking Medicare card can reportedly set you back $350 and provide 30 points of ID).

Using falsified documents, it’s possible to assume the identity of someone else, or create an entirely new identity.

Tax refunds aside, the crooks can facilitate a wide range of offences: purchase of a property to house a drug lab, an untraceable mobile phone, or an aliased ticket for overseas travel, to name a few.

With the recent spike in identity theft, it appears that everyone is battening down their digital hatches.

Thanks to speaker recognition technology, the ATO will use your voiceprint as verification when you call or use the mobile app.

Voice biometrics are a more effective security solution than ye olde authentication methods (think PINs, passwords, and questions) so you can sleep easy (or should that be ‘speak’ easy) knowing the extra layer of security will help to defend your hard earned refund from the bad guys.

Account me out: Tips to keep it together at tax time 

  • Your tax file number (TFN) is used to identify you as an Australian taxpayer. To prevent others getting their hands on it, make sure it’s absent from any documents that you throw away. Immediately notify the ATO’s Client Identity Support Centre if you suspect your TFN has been compromised.
  • Remember the ATO will never request your personal or financial information over the phone, via SMS or by email. If you receive a call that you suspect is not legitimate, offer to call them back using the official number, and not one provided by the caller. If you think an email is suspicious, give the company a call to verify if it’s the real deal.
  • Don’t click on hyperlinks embedded in emails; type the address directly into your browser instead.
  • Be wary of attachments – would the ATO really be sending you a file regarding a surprise refund?
  • Be vigilant with the information you provide to companies when you sign up. Don’t hesitate to ask why the information is required, what the information will be used for, and what happens if you refuse. It certainly can’t hurt to be sure.
  • Shred absolutely everything that displays more than your name and home address before it hits the bin. Hard delete (Shift + Delete) old digital files and password-protect those remaining.
  • Be mindful about what you post on social media. Run a privacy health check on your Facebook account, and type your name into Google to see what information is in the public domain.
  • Run reputable anti-virus software on all internet enabled devices, including mobile phones and tablets.
  • Change your passwords regularly and use different passwords for different sites. Visit haveibeenpwned.com to check if your email address is on any of the breach lists (think LinkedIn, Target, and Adobe).
  • Keep an eye on your credit report as well as your monthly bank and credit card statements. If you see something suspect, immediately notify your provider.
  • Enable two factor authentication on your accounts where possible. You’ll receive a text message when someone tries to log on as you from an unexpected location, or when money is transferred to a new recipient.

Now if you’ll excuse me, I’m off to collect my refund ;)




You might also like