Sydney hospital loses $2 million in alleged BEC fraud
A Sydney hospital lost $2M in a BEC scam. Learn how to protect your business with MFA, email authentication, and robust financial controls.
It’s that time of year again. Businesses across Australia are getting up to date with all their financial housekeeping before the end of the financial year (EOFY).
The annual countdown to June 30 sees Accounts Payable (AP) teams under pressure to complete admin requirements before the end of the month.
Suppliers want payments before the financial year ticks over and are sending last-minute invoices that need processing. Finance teams must complete annual financial statements and ensure all their numbers are accurate. EOFY sees your internal resources stretched to the limit.
Amid the rush, the chance of human error rises.
Simple mistakes, like clicking on a malicious link or opening a dangerous attachment, are easy to make under that pressure, and each one is an opening for a tax scam. That’s why the ATO warns that at this time of year fraudsters are out in force, looking to take you to the cleaners with sophisticated EOFY tax scams.
Making sure your AP team are aware of the signs of tax scams is half the job done! By acting with caution and always double-checking invoices, there’s a strong chance you can avoid ATO fraud.
Here are 7 key measures your AP team can take to keep your organisation safe from tax scams this EOFY:
Sophisticated scammers invest considerable time and effort creating fake ATO and myGov websites in an attempt to deceive unsuspecting victims. To the untrained eye, these tax scam websites look exactly like the real deal.
The key to knowing you are on a legitimate ATO or myGov website is the address in your browser’s address bar, specifically the hostname: the part between ‘https://’ and the first ‘/’. Both the ATO and myGov are official Australian Government websites, so that hostname will always end in ‘.gov.au’ (for example ato.gov.au and my.gov.au). A ‘.gov.au’ that appears later in the address, after the first ‘/’, or a lookalike such as ‘ato-gov-au’ followed by some other ending, is not the same thing.
You should always type the web address into your browser yourself, rather than clicking on links to these sites from emails or text messages. Such links can quietly send you to a fake website.
If you do end up on a fake website, scammers will attempt to get you to enter your login and password credentials. Once armed with this information, they can engage in corporate identity theft. Scammers may even try to intimidate you into paying fake tax debts by threatening your business with legal action.
By making sure you are on the legitimate ATO or myGov websites, you can avoid many of the most sophisticated tax scams.
Email remains one of the most common attack vectors for scammers. Especially at a time when AP teams are busy, it’s all too easy to click on a malicious link or open a dangerous attachment in an email.
Scammers are known to send emails that impersonate official ATO correspondence.
Typically, such emails contain links to fake websites where you will be prompted to enter login and password credentials to either update your details, receive a tax refund, or pay a tax debt. Alternatively, they may include attachments, which also require you to enter login and password credentials.
Once again, such tactics are most commonly used in corporate identity theft tax scams or as a way to defraud your organisation.
That’s why it is essential to slow down and check the sender’s email address and every link carefully. A display name such as ‘Australian Taxation Office’ can be attached to any address, and the sender address itself can be forged, so hover your cursor over the sender and over each link to reveal the real address and the real destination. Be careful not to click on any links! If the domain (the part after the ‘@’ in an address, or the hostname of a link) is not under ‘.gov.au’, assume the email is malicious. A sender address that does look right proves little on its own; a Reply-To address or a link that goes somewhere else is the tell. Inform your IT team so they can isolate the email and block the domain at the mail gateway.
In a recent tax scam email, people were sent fake correspondence from myGov. The email advised recipients that they needed to verify their identity and provided them with a link to do so. However, neither the email address nor the link in the body of the email showed ‘.gov.au.’
Source: NASC Scamwatch
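The checks described above (hover over the sender and each link, and look at the domain rather than the displayed text) can be scripted for an email that has been saved from the mail client, and the same hostname test applies to links received by SMS or instant messaging. The following is an added example, not code from the original article or from Eftsure. The sample message is constructed for the demonstration, every domain ending in .example is made up, and the only real domains referenced are ato.gov.au and my.gov.au:

```python
"""Added example: triage a suspicious 'ATO/myGov' email offline.

Checks (1) the From and Reply-To addresses and (2) every link in the
HTML body, by parsing each URL and testing the *hostname* (never the
whole URL) against the .gov.au suffix. The sample message and all
domains ending in .example are constructed for this demonstration.
"""
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

GOV_SUFFIX = ".gov.au"  # ato.gov.au and my.gov.au both sit under this


def domain_of(addr: str) -> str:
    """Lower-cased domain part of an email address ('' if none)."""
    return addr.rpartition("@")[2].lower()


def host_is_gov(url: str) -> bool:
    """True only if the URL is http(s) and its hostname ends in .gov.au.

    urlsplit().hostname drops the scheme, any user@ prefix, the port, the
    path and the query, so these common tricks all fail the check:
      https://my.gov.au@evil.example/     (user-info prefix)
      https://evil.example/my.gov.au      (suffix hidden in the path)
      https://my.gov.au.evil.example/     (suffix used as a subdomain)
    while https://www.ato.gov.au/ passes.
    """
    try:
        parts = urlsplit(url.strip())
    except ValueError:  # malformed URL, e.g. a bad IPv6 literal
        return False
    if parts.scheme.lower() not in ("http", "https"):
        return False
    host = (parts.hostname or "").rstrip(".")  # already lower-cased
    # Non-ASCII (internationalised / homoglyph) hosts are not trusted here;
    # they should go to a human for review.
    return host.isascii() and host.endswith(GOV_SUFFIX)


class LinkCollector(HTMLParser):
    """Collect (href, visible anchor text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def triage_email(raw: bytes) -> dict:
    """Return sender details, the extracted links and a list of red flags."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    _, from_addr = parseaddr(str(msg.get("From", "")))
    _, reply_addr = parseaddr(str(msg.get("Reply-To", "")))
    body = msg.get_body(preferencelist=("html", "plain"))
    html = body.get_content() if body is not None else ""
    collector = LinkCollector()
    collector.feed(html)

    findings = []
    if not domain_of(from_addr).endswith(GOV_SUFFIX):
        findings.append(f"From address {from_addr} is not under .gov.au")
    # A genuine-looking From header proves little on its own: it is easily
    # forged unless the receiving gateway enforces DMARC. Reply-To and the
    # links are where a scam has to point at something the scammer controls.
    if reply_addr and domain_of(reply_addr) != domain_of(from_addr):
        findings.append(f"Reply-To {reply_addr} uses a different domain to From")
    for href, text in collector.links:
        if not host_is_gov(href):
            findings.append(f"link shown as {text!r} actually targets {href}")
    return {"from": from_addr, "reply_to": reply_addr,
            "links": collector.links, "findings": findings}


# Constructed sample: the From header is forged to look official; the
# Reply-To and two of the three links give the game away.
SAMPLE_EMAIL = b"""\
From: Australian Taxation Office <noreply@ato.gov.au>
Reply-To: ato.refunds@webmail-relay.example
To: accounts.payable@example.com.au
Subject: Action required: verify your identity before 30 June
Content-Type: text/html; charset=utf-8

<html><body>
<p>Verify your details at
<a href="https://my.gov.au.identity-check.example/verify">my.gov.au/verify</a>.</p>
<p>Need help? <a href="https://my.gov.au@evil.example/help">https://my.gov.au/help</a></p>
<p>Official site: <a href="https://www.ato.gov.au/">www.ato.gov.au</a></p>
</body></html>
"""

if __name__ == "__main__":
    for flag in triage_email(SAMPLE_EMAIL)["findings"]:
        print("FLAG:", flag)
```

Passing this check is necessary, not sufficient: it only proves that the links and reply address stay under .gov.au, so a message with a clean result still warrants the call-back and manual-typing habits described in this article. The hostname test is deliberately strict, because a check on the whole address is fooled by anything that merely contains ‘.gov.au’.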
Scammers also phone their victims, because a live voice is an effective fear tactic. Sometimes these are real callers, but more often than not they are automated robocall messages. Pretending to be from the ATO, the caller threatens severe legal repercussions unless the victim visits a bogus website to update corporate details or pay a fake tax debt.
In one recent tax scam, victims were called and told they needed to urgently update their Tax File Number because it had been used in illegal activities. However, the ATO advises that it never projects a number onto caller ID and never sends unsolicited pre-recorded messages to your phone.
If you ever receive such phone calls, never accept the information you’re being told at face value. Visit the official ATO website to obtain their phone number and call them back. That way, you can know for sure if an attempt is being made to scam you.
In fact, your Accounts Payable team should always independently verify information provided in inbound calls. Best practice is to hang up and call back on a number you have checked against multiple publicly available sources, including the organisation’s official website. Never rely solely on telephone numbers printed in emails or on invoices, as fraudsters are known to alter these.
In a world of rapid SMS and instant messaging applications such as WhatsApp, scammers are realising that these channels offer a new opportunity to defraud victims. Scammers know that many people are less vigilant about clicking links on a mobile device. However, you can fall for a tax scam just as easily on a mobile device as on a computer.
Typically, scammers send a message threatening legal repercussions if the victim does not immediately pay a fake outstanding tax debt. The message invariably contains a link to a malicious web page where the funds are to be transferred. On a small screen it is easy to disguise such a link, through a shortened URL or a lookalike domain, as one pointing to the legitimate ATO website, so you need to be extra vigilant!
Source: Courier Mail
In recent times, scammers have been known to urge payment through cryptocurrencies or pre-paid debit cards, such as gift cards. The ATO advises that it never requests payments through such means.
You should be just as careful with links on mobile devices as you are with links on computers. When in doubt, do not click. Instead, you should visit the official ATO website and contact them on the official phone number for assistance with potential tax scams.
One of the most effective ways you can help ensure your organisation doesn’t fall victim to a tax scam this end of financial year is by having appropriate security controls around your confidential information. In particular, you need to make sure your Tax File Number (TFN) and myGovID are secure.
If scammers gain access to these details, they can engage in corporate identity theft and defraud you. Such crimes are not only financially crippling to your business, they can also result in long-term damage to your corporate reputation.
One of the most important steps you can take to secure your corporate TFN and myGovID is to turn on multi-factor authentication. myGov lets you require a sign-in security code in addition to your password, delivered by SMS to your mobile device or generated by the myGov Code Generator app. This provides a crucial extra layer of security, making it much harder for attackers to access your account even if they know your password. Where the choice is available, prefer the app-generated code, since SMS codes can be intercepted if a scammer takes over your mobile number.
To set up your security code, sign in to your myGov account and turn it on in ‘Account settings’.
Importantly, never divulge confidential corporate information, including your TFN and myGovID, unless you are certain it is an authorised representative of the ATO. When in doubt, visit the official ATO website and call them using the contact details listed there.
Scammers may try to persuade you to pay tax debts via cryptocurrencies or pre-paid debit cards. You should never do this!
When it comes to settling your organisation’s tax obligations, make sure you always pay via the official ATO web portal or electronic funds transfer (EFT) using legitimate ATO bank details.
Make sure you always manually type the ATO website into a browser, and never trust links embedded in invoices, emails, SMS or Instant Messaging communications. This way, you can be sure you are accessing the legitimate payment portal or obtaining the legitimate EFT payment details.
The latest generation of scammers is using a range of digital tools to carry out tax scams. We can see the way they are manipulating emails, SMS and Instant Messaging applications, as well as conducting automated robocall attacks.
Manual controls alone are no match for sophisticated digital fraud. To win this war, you need to arm your team with the right digital tools as well.
When your organisation joins Eftsure, you will be able to process payments to the ATO with certainty. Our fraudtech platform will automatically verify that the bank details you are using match those used by other organisations when transferring funds to the ATO. This all takes place in real-time, so you can have peace of mind that you’re not being scammed.