Australian Taxation Office scam preys on those still awaiting refunds

Filed Under: Data loss

An alert Naked Security reader reported yet another taxation scam this morning, this time against the Australian Taxation Office (ATO).

The personal income tax year in Australia ends on 30 June, and tax returns are generally due by the end of October. Refunds - at least for those with regular tax affairs and who have money owing - will typically have been processed and paid out by now.

That doesn't stop the scammers, of course. They operate either in blissful ignorance of their victims' tax years, or add a few weasel-words about "delays", as a sort of general-purpose excuse for what might otherwise seem like an untimely message.

To access your tax refund, please follow the steps below:

- download the Tax Refund Form attached to this email
- open it in a browser
- follow the instructions on your screen

A refund can be delayed for a variety of reasons. For example submitting invalid records or applying after the deadline.

This scam, like many others of this sort, tries to avoid inviting you to click on a link and enter your details. This is something Australian financial institutions regularly and repeatedly advise that they will not ask you to do.

Instead, you're invited to save an HTML attachment on your hard disk (i.e. to make a local copy of a web page) and to open it in your browser.

This produces a form which is submitted, if you complete it and click Continue, to a hacked server in the USA.

You might think that a web page which presents a form from one location (in this case, your hard disk) but submits the results to a completely different site would raise a warning, at least at an Internet Explorer security setting of "High". But it does not, presumably because this behaviour is considered unexceptional on legitimate sites.

In other words, you need to be on guard yourself. In this example:

  • Downloading and opening any sort of attachment from an unsolicited email is a Very Bad Idea.
  • Requesting a tax refund on the say-so of an unsolicited email is a Very Bad Idea.
  • Submitting your credit card details via an insecure (non-HTTPS) URL is a Very Bad Idea.
  • The ATO has an official domain name of, not

In other words, even if you're expecting a tax refund any day now, you should know better than to react to emails of this sort.

Remember: don't buy, don't try, don't reply. If you simply don't play the game, the scammers lose.


, , , , ,

You might like

2 Responses to Australian Taxation Office scam preys on those still awaiting refunds

  1. john · 1341 days ago

    i am from the uk and had just returned back from a year in Oz. When I saw the email I thought it was legit but laughed at how weird Australia is when the taxman actually gives you money back! lol what an idiot I am! luckily there was not much in my old australian account

  2. sharon · 1290 days ago

    i have recieved now 2 emails informing me i have a tax refund of approx $ 1000 am needed to pass on my credit card number to recieve the refund i got a gut feeling straight away i dont own a credit card and didnt believe the ATO operated in this manner with asking people for bank etc details but sadly i can see people giving out these details

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

About the author

Paul Ducklin is a passionate security proselytiser. (That's like an evangelist, but more so!) He lives and breathes computer security, and would be happy for you to do so, too. Paul won the inaugural AusCERT Director's Award for Individual Excellence in Computer Security in 2009. Follow him on Twitter: @duckblog