SecurityBrief Australia - Technology news for CISOs & cybersecurity decision-makers
Cyber threats surge during Australia's EOFY tax season

Tue, 25th Jun 2024

As the end of the financial year (EOFY) approaches in Australia, organisations and individuals find themselves preoccupied with tax returns, financial statements, and compliance reports. This busy period also brings with it a heightened risk of cyber threats, creating a favourable environment for scammers and cybercriminals.

Analysts have noted an uptick in seasonal cyber activities during the EOFY period, exploiting the chaos and urgency associated with tax-related activities. The most common threats include phishing scams, ransomware, business email compromise (BEC), and identity theft.

Phishing scams often see cybercriminals impersonating the Australian Taxation Office (ATO) or tax agents. These fraudulent emails or messages are designed to trick recipients into divulging personal and financial information. With official logos and convincing language, these phishing emails can appear legitimate and often include spoofed websites.

Ransomware attacks pose a significant threat to organisations, with cybercriminals encrypting data and demanding a ransom for its release. During the EOFY period, organisations and tax agents, preoccupied with tax preparations, may be more likely to pay the ransom to regain access to critical financial documents promptly.

Business Email Compromise (BEC) involves attackers gaining access to a company’s email system and posing as a high-level executive. They may then instruct employees to transfer funds or provide sensitive information, often under the guise of urgent EOFY transactions. Standard checks of the sender’s email address may not be sufficient, highlighting the importance of reading each email carefully and verifying requests via phone or face-to-face communication.

Identity theft is another significant concern, with cybercriminals targeting personal information collected for tax purposes. Obtaining details like tax file numbers, emails, addresses, or access to MyGov can enable fraudsters to file false tax returns and claim refunds fraudulently.

Karina Mansfield from Phriendly Phishing says, "To protect against these threats, organisations and communities are advised to critically assess their information-sharing procedures, storage practices, and access controls. Practical steps for protection include enhancing email security, using strong passphrases and multi-factor authentication (MFA), and keeping software up to date."

Enhancing email security can include implementing advanced email filtering and triage systems to detect and block phishing attempts and malicious attachments. Employees should be educated on recognising suspicious emails and scanning for key indicators like the sender, content, action, and management practices.
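As an added example (not code from the article or from Phriendly Phishing), the following Python script triages a plain-text email on the indicators the paragraph lists: who the sender claims to be, where replies and links actually go, and whether the content pressures the reader into an action. The trusted-domain allowlist and the `.example` addresses in the sample message are assumptions for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumed allowlist for illustration; a gateway would also check SPF/DKIM/DMARC, since From alone can be spoofed.
TRUSTED_DOMAINS = ("ato.gov.au", "my.gov.au")
CLAIMS_AGENCY = re.compile(r"\bato\b|taxation office|mygov", re.I)
PRESSURE = re.compile(r"\b(urgent|immediately|within 24 hours|suspended|cancelled|penalty)\b", re.I)
LINK_HOST = re.compile(r"https?://([^/\s>\"]+)", re.I)

def is_trusted(host: str) -> bool:
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)

def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def triage(raw_message: str) -> list[str]:
    """Return the phishing indicators found in one plain-text message."""
    msg = message_from_string(raw_message)
    findings = []
    display, sender = parseaddr(msg.get("From", ""))
    sender_domain = domain_of(sender)
    # Sender: display name claims the tax office, but the address does not match
    if CLAIMS_AGENCY.search(display) and not is_trusted(sender_domain):
        findings.append("display name claims agency, sender domain untrusted")
    # Sender: replies steered to a domain other than the From address
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and domain_of(reply_to) != sender_domain:
        findings.append("reply-to domain differs from sender domain")
    body = "" if msg.is_multipart() else msg.get_payload()
    # Action: deadline or threat wording pushing the reader to act now
    if PRESSURE.search(body):
        findings.append("pressure language")
    # Content: links that lead somewhere other than the claimed agency
    for host in LINK_HOST.findall(body):
        if not is_trusted(host):
            findings.append(f"link to untrusted host {host}")
    return findings

# Constructed sample (not real mail); the .example domains are placeholders.
PHISHING_SAMPLE = """\
From: "Australian Taxation Office" <refunds@ato-gov-refunds.example>
Reply-To: claims@mail-refund.example
Subject: Your EOFY refund is on hold

Confirm your tax file number within 24 hours at
https://ato-gov-refunds.example/verify or the refund will be cancelled.
"""
```

Running `triage(PHISHING_SAMPLE)` returns four findings, one per indicator; a message from a trusted domain with no pressure wording and links only to that domain returns an empty list.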

It is crucial to use strong, unique passwords or passphrases for all accounts, especially those with access to sensitive financial information. Implementing MFA adds an extra security layer, making it harder for cybercriminals to gain access.

Regular software updates are essential, as cybercriminals often exploit vulnerabilities in outdated software. Keeping all operating systems and applications up to date with the latest security patches can prevent such exploitation.

It is recommended that critical data be regularly backed up to a secure location using the 3-2-1 rule. In the event of a ransomware attack, having recent backups can enable organisations to restore their systems with minimal downtime.

Security and phishing awareness training should be conducted regularly to educate employees about the latest threats and best practices. It is also beneficial to encourage a culture of security, where employees feel comfortable reporting suspicious activities or using a verify-first approach.

Access controls should be reviewed to limit access to sensitive information based on employees’ roles and responsibilities. Employing the principle of least privilege ensures only those who need access to specific data have it.

Personal information used for tax purposes should be protected by secure storage and sharing only with trusted entities. Physical documents containing sensitive information should be shredded before disposal.

Promoting community awareness about common EOFY scams can be achieved through newsletters, social media, and local campaigns. By understanding common threats and implementing some basic safeguards, organisations and communities can protect themselves from falling victim to these scams.

The EOFY period in Australia is a prime time for cybercriminals looking to exploit the urgency surrounding tax-related activities. Staying vigilant, educating teams, and prioritising cyber security can ensure a smooth and secure end to the financial year.
