Cybersharks circle as Aussie tax year ends - so here's some advice for us all

Filed Under: Data loss, Malware, Privacy

The Australian tax year is rushing to a close: it ends on 30 June 2011.

It's an important (and nerve-wrenching) time of the year for many of us, so it's no surprise to see that spammers and scammers are once again using it as bait to lure innocent taxpayers to official-looking but fraudulent websites.

But don't assume that fake websites will be obvious because of poor spelling, unprofessional layout or brand inaccuracies.

There's very little that the Australian Taxation Office (ATO), or any other website, can do to prevent criminals from creating near-perfect-looking clones of its main pages.

Your browser needs to be able to download all the components of a web page to render it - CSS for layout, HTML for the material and JavaScript for the Web 2.0 "magic smoke". The crooks can pirate this content and use it to create a close replica of the real thing.

The site name will be wrong, and so will the SSL certificates used for secure pages, assuming the crooks bother with SSL at all. Visually, however, cloned sites can easily be made very convincing.

(When Barack Obama was still not quite President of the USA, fraudsters cloned his blog almost exactly. They even updated the fake site every time an official post was added to the real one. So it was Obama's blog, content-wise, except that the criminals kept a fake article, always with the most recent timestamp, right at the top. That post triggered a fake security alert.)

So here's some advice for our Aussie readers at tax time. But please read on even if you're not in Australia, or you're not worried about your tax affairs. The advice is valid worldwide, year-long.

* Ignore all clickable links to important official sites such as the ATO. There's no choice of taxation offices, so there's only one URL to remember, and it's easy: ATO dot GOV dot AU. Type it into your browser's address bar every time, by hand. You'll never click a dodgy link by mistake, and you will always make yourself stop and think about where you're about to go, and why.

* Make sure you have removed any malware, that your security software is active and up-to-date, and that you've applied all the latest patches for your operating system and software. If your computer is infected, even typing in ATO dot GOV dot AU directly or ensuring you have the ATO's official eTax software is not enough. The bad guys may be able to watch everything you do, including logging everything you type into your electronic tax return.

* Take a traditional, trust-based approach to selecting a taxation advisor. Watch out for fantastic-sounding online ads and emails offering taxation advice over the internet. Consider taking recommendations from your real-world friends - don't rely just on social networking 'friends'. This also means you're more likely to keep your taxation business close to home. That's good for your local economy, too.

Thanks for listening. Until next time, stay secure!

Footnote. The shark-fin imagery above comes from the ATO's website. It's in the latest official ATO newsletter, which has advice to help you avoid tax scams and fraud. I urge you to read it - but I deliberately didn't make the image into a link. That will give you a chance to practise the first item of advice above.


One Response to Cybersharks circle as Aussie tax year ends - so here's some advice for us all

  1. That's leaving people at risk of falling victim to typo-squatters. Type it in once, double-check it, then bookmark it and always use your own bookmark. Sometimes an exploit might change a bookmark but it's a lot less likely than a typo.

About the author

Paul Ducklin is a passionate security proselytiser. (That's like an evangelist, but more so!) He lives and breathes computer security, and would be happy for you to do so, too. Paul won the inaugural AusCERT Director's Award for Individual Excellence in Computer Security in 2009. Follow him on Twitter: @duckblog