Scammer time! Protecting accounting and tax data

Chris Sheedy By Chris Sheedy, CA Today

23 May 2019

Major financial institutions and regulatory bodies, including the Australian Taxation Office (ATO) and Australian Securities and Investments Commission (ASIC), are prioritising communications around scams affecting individuals and businesses as the level of threat in Australia increases.

It’s not just a threat. According to cyber security firm Sophos, in 2017 a whopping 45% of businesses in Australia fell victim to ransomware, which locks down a business’s computer systems until a ransom is paid. That same year, Australians lost $340 million to scammers, said the Australian Competition and Consumer Commission (ACCC).

The ATO reported 81,000 scams in 2017-18, which is not surprising given the ‘treasure trove of data’ that accountants and tax practitioners can hold.

The Tax Practitioners Board has recently taken extra security steps by requiring practitioners to complete a proof of identity process and guard against sophisticated scams.

How are the scams being carried out?

Interestingly, scams are now beginning to affect accountants and their clients as criminals put greater effort and manpower into their dishonest dealings.

One reported by the ATO involves two scammers working in unison; one impersonating the victim’s tax agent and the other impersonating an ATO officer, another government official, or somebody else from the tax agent’s practice.

They demand immediate payments and say a warrant is out for the individual’s arrest. Scamwatch said around 33,000 threat-based impersonation scams were reported in 2017.

A new, more targeted form of phishing, imaginatively titled ‘spear phishing’, involves highly customised and convincing emails.

Others mix platforms of contact: using phone, email and/or SMS, to create a sense of urgency. They send an email to the victim and ring them soon after, pretending to be from a regulator, or from the victim’s bank, asking them to click the link in the email.

That click launches convincing-looking phishing sites (built to steal information such as passwords and account numbers) or ransomware.

A new, more targeted form of phishing, imaginatively titled ‘spear phishing’, involves highly customised and convincing emails that look completely authentic (that’s right, the scammers have even mastered the fine art of spelling!).

Some, for example, are designed to look as if they come from your company’s IT department, or from somebody in the finance team.

Some use technology that makes it look as if the calls come from an ATO phone number.

The ‘bait’ for the spear phishing is so realistic that it often fools trained professionals. Scammers often employ artificial intelligence and social engineering to continue to improve their hit rate.

The ATO has reported increasing numbers of calls to members of the public from scammers pretending to be from the ATO and chasing tax debts. Some use technology that makes it look as if the calls come from an ATO phone number.

Other scammers contact their victims via SMS, saying a tax refund is waiting for them – the individual simply needs to click on a link and fill in their phone number and a PIN. Then the site asks for the victim’s tax file number and credit card number (for the refund), plus the card’s security code…

So how does an individual or business protect itself? Here are the top tips from the ATO, ASIC and the Australian Government’s Australian Cyber Security Centre, to share with clients.

Trust nobody

Don’t click links or open attachments in emails unless you are 100% sure of their authenticity. Any unexpected contact, or even expected contact, should be treated with suspicion. Always consider that the email you just received, the social media contact that just came through, or the person who just rang you, could be a scam. Verify identities through independent means, but never use the email, link or phone number they gave you.

If you have been scammed…

Get in touch with your bank immediately, said the Australian Cyber Security Centre’s Stay Smart Online team. They might be able to stop the transaction or close the account. Also contact, a not-for-profit national identity and cyber support service that helps reduce the harm done by the many forms of identity theft.

Socialise safely

Familiarise yourself with the security and privacy settings of social media platforms and set them to be as strong as possible, including high privacy settings and strong passwords. Don’t share dates of birth, addresses, holiday plans, information about daily routines or any other information you wouldn’t want criminals to know or could use against you.

Protect against ransomware

Regularly back up important files and keep offline copies. Use anti-virus software and keep it updated. Once again, never click on links or open attachments from anybody you don’t know. If you have paid a ransom, contact your bank to find out what should happen next.

Keep your clients informed

Tell clients that they must be just as vigilant, and that government and regulatory bodies, as well as banks and other organisations, would never threaten an individual over the phone, or demand immediate payment. Most importantly, tell them to contact you if they are concerned about suspicious activity. It is important that accountants are considered a part of the solution; an ally in the ever-increasing war against scammers.

About the author

Chris Sheedy is one of Australia’s busiest and most successful freelance writers. He has been published regularly in the Sydney Morning HeraldVirgin Australia VoyeurThe Australian MagazineGQIn The BlackCadillac, Management Today, Men’s Fitness and countless other big-brand publications. He is frequently commissioned to carry out copywriting and corporate writing projects for organisations, including banks, universities, television networks, restaurant chains and major charities, through his business The Hard Word.


  • Tax
  • Business
  • Australia

Previous Page