The Australian Tax Office issues warning over recent email scam

Jun 19, 2009 10:09 GMT

Australia's taxation agency, the Australian Tax Office (ATO), warns of a phishing campaign that has been in circulation since the beginning of June. The tax refund-themed email scam directs taxpayers to a phishing page that is a convincing-looking replica of the office's website.

The fraudulent messages inform unsuspecting people that they are eligible for a tax return. "After the last annual calculation of your fiscal activity, we have determined that you are eligible to receive a tax refund of AUD 452," one such e-mail reads. The messages go on to instruct recipients to "submit the tax refund and allow us 2-5 business days in order to process it."

Clicking on the included link opens a clone of ATO's website with a rogue form. Rik Ferguson, solutions architect at antivirus vendor Trend Micro, explains that this form is "designed to harvest personal and credit card details enough to commit card-not-present fraud or to create an inventory of 'fullz' (personal details such as name, address, postcode, etc.) and credit card details for sale on the underground economy."

"The Tax Office never sends emails asking people to provide personal information including credit card details," Australia's Tax Commissioner Michael D’Ascenzo advises. "People should always be wary of unsolicited emails claiming to be from the Tax Office. As an extra precaution we recommend you type Internet addresses directly into your Internet browser rather than clicking on links embedded in emails," he adds.

Additionally, security researchers recommend always verifying such claims over the phone with the involved institutions, banks, service providers, or government agencies. Rik Ferguson has released some rather worrying stats. According to him, the site had "200,000 hits in the four months to June, with the majority of those occurring over these first 18 days of June."

Tax return-based phishing campaigns have become fairly common over the past few years, and taxation agencies in multiple countries have been victims of such scams. Back in January, we reported on a similar scheme targeting the Canada Revenue Agency. The US Internal Revenue Service (IRS) has also been the subject of phishing attacks in the past.