$2M lost in tax scams: what finance leaders can do

Catherine Chipeta

As tax season unfolds in Australia, scammers are ramping up their efforts. Australians have already lost over $2 million to tax-related scams since June 2024. These sophisticated schemes increasingly target businesses, with finance teams on the front lines.

For CFOs and finance leaders, understanding these threats and taking proactive measures is crucial to protect their organisations from financial and reputational harm.

Scammers getting craftier, ATO warns

This tax season, scammers are using more sophisticated tactics to deceive finance teams and accounts payable (AP) departments. They’re sending fake emails and SMS messages and making phone calls that seem to come from legitimate sources like the Australian Taxation Office (ATO) or myGov. Scammers have reportedly been sending emails mimicking myGov communications, urging recipients to click links to “update your details.” These emails often use official logos and formatting to appear genuine, tricking people into revealing sensitive information such as tax file numbers or passwords.

Examples of ATO scams via SMS and email. Source: ATO

In light of these growing threats, Victorians have been warned to be extra cautious. The state has seen $2 million in reported losses from ATO-related scams, with 300 reports made to Victoria Police since June 30.

Detective Senior Sergeant John Cheyne from the Cybercrime Squad urges Australians to stay “hypervigilant” against scams appearing to be from the ATO or myGov. He advises, “Never click on a link sent to you that is purporting to be from the Australian Taxation Office or myGov; they will never ask you to access any online services via a link.”

Cheyne also suggests doing a bi-yearly health check of accounts. This includes checking your credit score and logging into your myGov account to ensure no unauthorised changes have been made throughout the year.

What finance leaders need to know

  1. Scams are becoming more sophisticated: Scammers are constantly refining their methods to bypass traditional security measures. They now use convincing language, official logos, and email addresses that closely resemble legitimate domains. As these scams evolve, finance leaders must realise that basic security awareness training may no longer be enough.
  2. Finance departments are prime targets: Accounts payable (AP) teams and other finance departments are often targeted due to their access to funds and sensitive financial data. These teams may receive phishing emails or calls designed to trick them into transferring money to fraudulent accounts. As noted in our previous analysis of end-of-financial-year scams, scammers are increasingly targeting finance teams to exploit their access to payment processes and financial data.
  3. Exposure to significant risks: Beyond financial losses, falling victim to these scams can severely damage an organisation’s reputation and potentially lead to legal issues. CFOs must recognise their responsibility to protect stakeholders’ information and assets and ensure their teams are well-prepared.

What finance teams can do right now

To effectively combat these scams, finance leaders should consider these measures:

  1. Enhance awareness training: Regularly update finance and AP teams on the latest scams using real-world examples. Show how these attacks occur, including tactics like spoofed emails or phone calls, and run phishing simulations to test their response. Our guide on the 7 steps to avoid EOFY scams offers practical advice on protecting your organisation during high-risk periods.
  2. Implement multi-factor authentication (MFA): Ensure all financial systems require MFA, adding an extra layer of security. This step is crucial in preventing scammers from gaining unauthorised access to financial systems, even if they obtain user credentials.
  3. Strengthen vendor verification processes: Establish strict procedures for verifying changes in vendor payment details. This could involve using a trusted third-party service or a manual process that includes direct communication with vendors to confirm any changes. Regularly review these processes to ensure they remain effective against new threats.
  4. Monitor financial transactions closely: Set up real-time alerts for unusual or large transactions and implement daily reconciliations to quickly catch any discrepancies. Foster a culture where team members feel empowered to question
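
The vendor verification and transaction monitoring measures above can be expressed as a daily check over a payment run. This is an added example, not code from the article or its publisher; the record fields, the 14-day cooling-off period, the 3x-median threshold and all sample data are constructed assumptions.

```python
from datetime import date, timedelta
from statistics import median

# Constructed vendor master: current bank details, date they last changed,
# and whether the change was confirmed with the vendor directly.
VENDOR_MASTER = {
    "V001": {"bsb_acct": "063-000 12345678", "changed": date(2023, 2, 1), "verified": True},
    "V002": {"bsb_acct": "082-001 55550000", "changed": date(2024, 8, 12), "verified": False},
}
# Constructed payment history per vendor (AUD).
HISTORY = {"V001": [1200.0, 1350.0, 1100.0, 1280.0], "V002": [400.0, 420.0, 390.0]}

COOLING_OFF = timedelta(days=14)  # assumed hold period after a bank-detail change
LARGE_MULTIPLE = 3.0              # assumed: flag amounts above 3x the vendor's median

def review_payment(p, today):
    """Return the reasons (possibly none) to hold payment p for manual review."""
    vendor = VENDOR_MASTER.get(p["vendor"])
    if vendor is None:
        return ["unknown vendor"]
    reasons = []
    if p["bsb_acct"] != vendor["bsb_acct"]:
        reasons.append("bank details differ from vendor master")
    if not vendor["verified"]:
        reasons.append("bank detail change not verified with vendor")
    if today - vendor["changed"] < COOLING_OFF:
        reasons.append("bank details changed within cooling-off period")
    past = HISTORY.get(p["vendor"], [])
    if past and p["amount"] > LARGE_MULTIPLE * median(past):
        reasons.append("amount unusually large for this vendor")
    return reasons

def reconcile(payments, today):
    """Daily reconciliation: map payment id -> hold reasons, held payments only."""
    held = {}
    for p in payments:
        reasons = review_payment(p, today)
        if reasons:
            held[p["id"]] = reasons
    return held

# Constructed payment run.
RUN = [
    {"id": "P1", "vendor": "V001", "bsb_acct": "063-000 12345678", "amount": 1300.0},
    {"id": "P2", "vendor": "V001", "bsb_acct": "013-999 99990000", "amount": 1250.0},
    {"id": "P3", "vendor": "V002", "bsb_acct": "082-001 55550000", "amount": 4800.0},
    {"id": "P4", "vendor": "V999", "bsb_acct": "000-000 00000000", "amount": 50.0},
]

if __name__ == "__main__":
    for pid, reasons in reconcile(RUN, date(2024, 8, 20)).items():
        print(pid, "HOLD:", "; ".join(reasons))
```
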