It has recently been reported, and we have observed among our clients, that incidents of internet and phone-based scam attempts are on the increase. For instance, the ATO advise that in September 2018 alone there were 8,859 ATO-related scam incidents reported, up from 4,366 the month before. Worryingly, they also say that in 46% of these cases the victim handed over personal information, with a reported $371,766 being paid to scammers impersonating the ATO for the month.
Such scams are becoming harder to spot, as the perpetrators are becoming increasingly sophisticated in their use of technology and guile. In many cases they will quite convincingly impersonate a friend or colleague, supplier or customer, trusted brand or government authority to con their targets.
For instance, the scammers may employ techniques such as –
- ‘Spoofing’ an email address to make it appear to be coming from a trusted contact or source
- Intercept and reply to emails without the intended recipient’s knowledge
- Misappropriate business letterhead to make their correspondence more convincing
- Use personal details they have obtained about the target to give the appearance of legitimacy
- Back up fraudulent emails with phone calls (for instance via a number listed in their emails)
Just a few types of scams to look out for are –
- Fake invoices
Emails containing links or attachments asking for payment of fake invoices or debts are quite prevalent, and increasingly, will appear to come from a supplier that the target actually uses on a regular basis. Unfortunately, it is very easy for hackers to make an email appear to come from a particular sender and the hackers have a variety of methods for obtaining email addresses.
- Payment redirection scams
These scams typically involve the fraudsters impersonating a supplier and directing accounts staff within a business to change the bank details used for invoice or other payments.
- ‘Whaling’ or CEO Fraud
These scams involve a hacker impersonating a staff member within an organisation, more often a senior manager or director, and directing an employee with banking authority (e.g. finance staff) to transfer funds to the scammer. As with the payment redirection scams, these are highly targeted and the scammers will often be well researched (by hacking emails and computer systems) to ensure they have enough information to maximise their chances of success .
- ATO & ASIC scams – see further information on these below.
The risks in terms of financial impact, business interruption and business reputation are significant – therefore it is important to be vigilant and know how to protect against these scams. Business owners should also be aware that often the scammers are actually looking to obtain sensitive data from customer or other databases in order to use these for fraudulent purposes, and there are new obligations for business under the Notifiable Data Breach laws which applied from February 2018 where this information is breached.
The ACCC maintain a small business specific section on their Scamwatch site which has some useful information for further reading: https://www.scamwatch.gov.au/get-help/protect-your-small-business
Some of the common ATO scams we see or hear about from clients are –
- Refund scam emails or SMS – claiming a refund is owed with a link to ‘claim’ the refund, often requesting credit card details (which the ATO would never use for refund processing).
- Fake ‘debt collection’ calls – alleging the individual has a debt to the ATO, sometimes involving the threat of arrest/imprisonment if payment is not made to scare the target into paying.
So what should you do if you receive an email or phone call claiming to be from the ATO and you are in doubt?
Firstly, don’t click any email links, open any attachments or respond in any way. If it’s a phone call, hang up and don’t provide any details to the caller. Then:
- Preferably, contact your trusted tax agent (BLG Business Advisers) so they can check on your tax position and follow up for you; or
- Phone the ATO via one of their publicly listed numbers (never one handed out by the potential scammer) and enquire.
Note also that the ATO also maintains a page with details of current known scams on their website – https://www.ato.gov.au/General/Online-services/Identity-security/Scam-alerts/
We often see fake ASIC emails circulating which request payment of renewal fees for companies or business names and contain attachments or links to fake invoices or malicious software.
If BLG are acting as the registered office and ASIC agent for your company, please contact us to check if you are unsure if you have amounts outstanding.
Again, ASIC also maintains a page with information on known scams on their website –
How to Protect Yourself & Your Business
- Educate yourself and your employees about scams and how to avoid them
- Ensure appropriate checks and controls are in place for banking, accounts payable and accounts receivable processing in the business
- Use common sense and always exercise caution in handing out personal, business or financial information
- Carefully inspect sender email addresses and hyperlinks within emails
- If in doubt, independently call to verify the authenticity of any email or request for payment
- Keep your accounting records up-to-date so you can understand your position (what you owe and what you are owed)
- Implement appropriate software protection (e.g. antivirus and email filtering) and IT policies for your business with the help of a suitably qualified Cyber-security expert.