See if your information has been exposed in a data breach with our latest free tool Check Now
Cyber crime

7 steps to ensure EOFY scams don’t become EOFY losses

photo of niek dekker
Niek Dekker
7 Min

It’s that time of year again. Businesses across Australia are getting up to date with all their financial housekeeping before the end of the financial year (EOFY). The annual countdown to June 30 sees Accounts Payable (AP) teams under pressure to complete admin requirements before the end of the month. Suppliers want payments before the financial year ticks over and are sending last-minute invoices that need processing. Finance teams must complete annual financial statements and make sure all their numbers are accurate. EOFY sees your internal resources stretched to the limit.

Amid the rush, the chance of human error rises.

Simple mistakes, like clicking on a malicious link or opening a dangerous attachment, can easily occur. That’s why the ATO is warning that at this time of year fraudsters are out in force looking to take you to the cleaners using sophisticated EOFY scams!

Making sure your AP team are aware of the risks is half the job done! By acting with caution and always double checking invoices, there’s a strong chance you can avoid being scammed.

Here are 7 key measures your AP team can take to keep your organisation secure this EOFY:

1. Always use official ATO and myGov websites

Sophisticated scammers invest considerable time and effort creating fake ATO and myGov websites in an attempt to deceive unsuspecting victims. To the untrained eye, these fake websites look exactly like the real deal.

The key to ensuring that you are on a legitimate ATO or myGov website, is by checking the URL or web address. As both the ATO and myGov are official Australian Government websites, the URL will always end in ‘’

You should always manually type the web address into your browser, rather than clicking on links to these sites from emails or text messages. Such links may maliciously direct you to fake websites.

If you do end up on a fake website, scammers will attempt to get you to enter your login and password credentials. Once armed with this information, they can engage in corporate identity theft. Scammers may even try to intimidate you into paying fake tax debts by threatening your business with legal action.

By making sure you are on the legitimate ATO or myGov websites, you can avoid many of the most sophisticated tax scams.

2. Slow down when using email

Email remains one of the most common attack vectors for scammers. Especially at a time when AP teams are busy, it’s all too easy to click on a malicious link or open a dangerous attachment in an email.

Scammers are known to send emails that impersonate official ATO correspondence. Typically, such emails contain links to fake websites where you will be prompted to enter login and password credentials to either update your details, receive a tax refund or pay a tax debt. Alternatively, they may include attachments, which also require you to enter login and password credentials.

Once again, such tactics are most commonly used in corporate identity theft scams, or as a way to defraud your organisation.

That’s why it is essential to slow down and carefully check the sender’s email address and any links. Email spoofing can deceive you into thinking that the email address looks legitimate. However, to be certain, use your cursor to hover over the email address and any links within the email. Be careful not to click on any links! If the email address or links don’t show a ‘’ domain, assume it is malicious. Inform your IT team so they can isolate the email and block the domain at the server level.

In a recent email scam, people were sent fake correspondence from myGov. The email advised recipients that they needed to verify their identity and provided them a link to do so. However, neither the email address, nor the link in the body of the email, showed ‘’

Source: Deep States

3. Independently verify telephone numbers

Scammers are known to phone their victims due to its effectiveness as a fear tactic. Sometimes these are live telephone calls, but more often than not they are automated robocall messages. Pretending to be from the ATO, victims are usually threatened with severe legal repercussions if they do not visit a bogus website to update their corporate details or pay a fake tax debt.

In one recent case, victims were called and told they needed to urgently update their Tax File Number as it had been used in illegal activities. However, the ATO advises that they never project a number on caller ID and never send unsolicited pre-recorded messages to your phone.

If ever you receive such phone calls, never accept the information you’re being told at face value. Visit the official ATO website to obtain their phone number and call them back. That way you can know for sure if an attempt is being made to scam you.

In fact, your Accounts Payable team should always be independently verifying information provided to you from inbound calls. Best practice approaches include conducting call-backs using independently checked telephone numbers from multiple publicly available sources, including websites. Never solely rely on telephone numbers in emails or on invoices, as these are known to be vulnerable to manipulation by fraudsters.

4. Avoid SMS and Instant Messaging applications

In a world of rapid SMS and Instant Messaging applications, such as WhatsApp, scammers are realising that this provides a new opportunity to defraud victims. Scammers know that many victims tend to be less vigilant about clicking links on mobile devices. However, you can be defrauded just as easily through a mobile device as you can on a computer.

Typically, scammers send victims a message threatening legal repercussions if they do not immediately pay a fake outstanding tax debt. The message invariably contains a link to a malicious web page where the funds can be transferred. With such messages, spoofing the domain name to look like it is directing you to the legitimate ATO website is relatively easy – meaning you need to be extra vigilant!


In recent times, scammers have been known to urge payment through cryptocurrencies or pre-paid debit cards, such as gift cards. The ATO advises that it never requests payments through such means.

You should be just as careful with links on mobile devices as you are with links on computers. When in doubt, do not click. Instead, you should visit the official ATO website and contact them on the official phone number for assistance.

5. Secure your corporate information

One of the most effective ways you can help ensure your organisation is not scammed this End of financial year is by having appropriate security controls around your confidential information. In particular, you need to make sure your Tax File Number (TFN) and myGovID are secure.

If scammers gain access to these details, they can engage in corporate identity theft and defraud you. Such crimes are not only financially crippling to your business, they can result in long-term damage to your corporate reputation.

One of the most important initiatives you can take to secure your corporate TFN and myGovID is through implementing Multi-Factor Authentication. The ATO has implemented a feature in myGov that allows you to configure a security code that is sent to your mobile device when logging in. This provides a crucial extra layer of security, making it harder for hackers to access your accounts, even if they know your password.

To set up your security code, sign in to your myGov account and turn it on in ‘Account settings’.

Importantly, never divulge confidential corporate information, including your TFN and myGovID, unless you are certain it is an authorised representative of the ATO. When in doubt, visit the official ATO website and call them using the contact details listed there.

6. Use official payment portals

Scammers may try to persuade you to pay tax debts via cryptocurrencies or pre-paid debit cards. You should never do this!

When it comes to settling your organisation’s tax obligations, make sure you always pay via the official ATO web portal, or via electronic funds transfer (EFT) using the legitimate ATO bank details.

Make sure you always manually type the ATO website into a browser, and never trust links embedded in invoices, emails, SMS or Instant Messaging communications. This way you can be sure you are accessing the legitimate payment portal or obtaining the legitimate EFT payment details.

7. Use digital tools to combat digital fraud

The latest generation of scammers are using a range of digital tools to carry out digital fraud. We can see the way they are manipulating emails, SMS and Instant Messaging applications, as well as conducting automated robocall attacks.

Manual controls are no match against sophisticated digital fraud. To win this war, you need to arm your team with the right digital tools.

When your organisation joins eftsure, you will be able to process payments to the ATO with certainty. Our fraudtech platform will automatically verify that the bank details you are using match those used by other organisations when transferring funds to the ATO. This all takes place within real-time, so you can have peace of mind that you’re not being scammed.


To learn more about the benefits of eftsure and securing your EFT payments, click on the banner above or contact us today.

Related articles

Cyber crime

Where does cybercrime come from?

Where does cybercrime originate? A private investigator, along with a world-first study into cybercrime origins, reveals who is behind common types of cyber attacks.

Read more

The new security standard for business payments

End-to-end B2B payment protection software to mitigate the risk of payment error, fraud and cyber-crime.