See if your information has been exposed in a data breach with our latest free tool Check Now
Cyber crime

End of financial year scams 2023: how to spot them

Niek Dekker
7 Min

The end of the financial year (EOFY) is an infamously busy time, to put it mildly. By May, most accounts payable (AP) teams are already bracing themselves for the whirlwind of tax returns, bookkeeping and completing pay runs.

Guess who else knows it’s a busy time? Scammers. That’s why they deliberately target AP teams during EOFY.

Scammers are aware of this flurry of admin duties, and they capitalise on feelings of urgency and chaos to trick beleaguered staff into making the wrong payments or giving the wrong information to the wrong people. Plus, stressed staff are more likely to skip important controls or overlook the red flags that can identify a scam. In 2023 alone, unsuspecting victims have been duped by scams to the tune of AUD$ 6.6 million, according to Scamwatch.

So, financial aficionados, it’s time to get ahead of the game. In this article, we’ll dissect common EOFY scams to help you keep your organisation safe.

What are the most common end-of-financial-year scams?

Cyber-criminals are always on the search for new technologies and tactics for outwitting your employees. But many are happy to follow a playbook if it’s proven to be successful in the past, which is why there are a few tried-and-true scam techniques that have been showing up during tax time of the last few years.

Here are some of the most common ones.

  1. Phishing scams. This type of social engineering scam involves an email or phone call in which scammers impersonate legitimate sources, like the Australian Taxation Office (ATO) or a financial institution, requesting personal or financial information. It’s important to remember that the ATO will never request sensitive information via email or phone, so be wary of any unsolicited requests. Explore other types of phishing attacks and real-world examples.
  2. Fake tax refund scams. Similar to phishing scams, AP teams may come across a smishing scam orchestrated by cyber-criminals disguised as government agencies like the Australian National Audit Office or MyGov. Scammers may contact your AP team claiming to be from the ATO, supplying receipts for refunds. Make sure to always verify the authenticity of any refund claims with the ATO directly.
  3. Business email compromise (BEC) attacks. BEC scams involve cyber-criminals accessing a company’s email system and impersonating staff such as the CEO or CFO, to request fraudulent financial transactions. Scammers are known to use effective psychological tricks to fulfil a BEC attack. For example, scammers will seek to deceive their victims into acting quickly creating urgency. AP staff need training to help them identify which emails are legitimate and which are suspicious. Find out how to spot a BEC attack.
  4. False invoice scams. Fraudulent invoices – also known as false billing scams – may be sent to businesses in an attempt to deceive staff into paying for goods or services they never received. In case your vendor’s email has been compromised, make sure to verify the request through a strong call-back procedure.

To protect yourself and your suppliers against these EOFY scams, it’s important to stay vigilant and adopt measures that minimise your risk. This includes basic security hygiene, such as multi-factor authentication and choosing strong passwords.

However, this isn’t just the jurisdiction of security or IT teams – after all, no matter how strong your cybersecurity might be, your financial controls will be the last line of defence if one of your suppliers suffers a security breach. Fortunately, there are a variety of ways that finance leaders can shore up their defences ahead of the financial year-end.

How to identify and prevent EOFY scams

Scammers are keen to exploit this reporting period by targeting individuals and businesses rushing to meet their tax obligations and close off time-sensitive tasks. But some common red flags can alert you to these scams – even during busy, hectic phases.

  1. Unusual requests for sensitive information
  2. Unsolicited emails, phone calls or text messages
  3. Enticing offers that sound too good to be true
  4. Incorrect email addresses
  5. Grammer and spelling mistakes
  6. Unknown senders or unverified vendors
  7. Blurry company or entity logos
  8. Suspicious links or attachments
  9. Urgent or threatening language
  10. Spoofed invoices or incorrect information about vendors

Let’s take a closer look at some of the most common red flags and how to prevent scams.

Unusual, out-of-nowhere requests or messages

Ever received a surprising request or message, one that’s out-of-step with normal processes? One that wasn’t preceded by, say, an in-person conversation with an executive explaining the situation? DANGER ZONE. These messages might turn out to be legitimate, but they should be presumed malicious until proven otherwise.

That’s because an unsolicited email or phone call is one of the most common signs of a tax scam. In the example below, we see a scammer attempting a CEO scam through a phishing email.


The email above looks legitimate, and the use of a senior executive’s name adds a dash of authority. The cyber-criminals are hoping the recipient will action the request quickly, without verifying the request.

It’s best practice to confirm the company email address, along with verifying the recipient through a call-back. If you suspect that you’ve received a suspicious email, then report the scam to the Australian Cyber Security Centre (ACSC) or Scamwatch. It’s best practice to never click on any suspicious email link or attachment.

Offers that are too good to be true

Another warning sign is an offer that seems too good to be true. Scammers may offer to help you claim a large tax deduction, offer a refund that is much larger than expected or promise to reduce your tax bill to an unrealistic amount. These offers may be presented in a way that seems official, but they are usually fraudulent.


The screenshot above is another example of a MyGov scam attempt, urging the recipient to click on the malicious link highlighted above. These malicious links try to achieve two outcomes. One is to have malware downloaded on your device undetected, compromising your security settings. The second is asking the user to enter their login details to reveal personal details such as their full name, bank account details, CVV number, address or phone number.

If you receive an email, phone call or offer that seems suspicious during the EOFY period, be sure to investigate further before providing any personal information or funds. Check the sender or caller’s credentials, look for spelling errors or unusual language, and verify the offer with the ATO or the appropriate stakeholder before taking any further action.

Mistakes in language or contact details

Whether it’s a typo, a wonky email address or supplier details that don’t look quite right, little flaws can indicate a big risk. You should always double-check senders’ email addresses (scammers are hoping you won’t notice that your CEO is messaging you from “” instead of their usual email) – but, since email inboxes can be hacked and addresses can be spoofed, remember that a legitimate-looking email address isn’t sufficient proof of authenticity.

Scammers aren’t famous for their elegant, error-free prose, so keep an eye out for grammatical mistakes or turns-of-phrase that don’t sound natural. However, remember that generative AI tools like ChatGPT are helping even the laziest of fraudsters churn out legitimate-sounding text. Again, this is just one red flag to watch – flawless writing in an email or SMS won’t guarantee its legitimacy.

Urgent or threatening messages

This one is tough because EOFY tasks really do tend to be time-sensitive. Because of scammers looking to capitalise on this reality, receiving urgent requests should be a reason to slow down, not to rush through usual control processes.

Fraudsters are getting better at imitating the polite language of most corporate environments, but sometimes threatening language still shows up in EOFY scams. Colleagues are more likely to ask things like “What’s a realistic timeframe for this?” or “Do you think finishing this by Friday COB is feasible?” Your mileage may vary, but be on high alert if a message threatens severe consequences for not actioning a request right away.

How to mitigate the risk of EOFY scams

As that time of year approaches, one of the most effective ways to protect your organisation is fostering a strong security culture. This includes raising awareness about EOFY-specific risks, identifying EOFY scams and educating employees on how to differentiate between genuine and suspicious messages. Ideally, training is interactive and doesn’t just happen once a year – training modules need to happen routinely to reinforce messages and update staff on new scam tactics.

The State of the Phish report highlights that 45% of Australian organisations offer in-person training, the highest percentage among surveyed countries in the Asia-Pacific region. To maintain strong security amid evolving cyber-crime tactics, CFOs should look to continuously update and improve security training.

Further, CFOs play a crucial role in creating an environment of openness and transparency regarding potential data breaches. By encouraging staff to report any potential risks, organisations can cultivate a culture that motivates employees to be more proactive in identifying and reporting suspicious emails. Staff should never feel shy to raise their hand and ask if a message is legitimate, or to promptly inform someone if they think they’ve clicked on something dodgy.

Learn more in our comprehensive guide on defending against EOFY scams.

See how to protect your team this EOFY
Ready to learn more?

Our discussion with Peter Price, CEO of Crime Stoppers in NSW, will dive into cyber-crime, how organised crime groups target CFOs, and what to do to protect your organisation during busy periods.

Related articles

Cyber crime

Where does cybercrime come from?

Where does cybercrime originate? A private investigator, along with a world-first study into cybercrime origins, reveals who is behind common types of cyber attacks.

Read more

The new security standard for business payments

Eftsure provides continuous control monitoring to protect your eft payments. Our multi-factor verification approach protects your organisation from financial loss due to cybercrime, fraud and error.