Watch out – fake myGov tax refund email

What’s happened?

It’s tax time, and the common scam email telling you that you’re eligible for a tax refund is doing the rounds again!

Scammers have long used the promise of a tax refund to trick people into sharing their personal information or downloading malware.

The email, which has the subject line ‘Important information regarding your account’, includes the myGov logo and claims to be from the myGov team. Instead, the email is a phishing scam designed to steal your personal and financial information.

The email asks you to click on a link to claim your refund. If you click the link a fake tax refund claim form will open in your browser.

Screenshot of myGov phishing scam designed to steal your personal and financial information

The form asks for your name and contact details, your myGov password and your credit card number. After you supply this information and click the ‘Continue’ button, you’ll be automatically redirected to the myGov website. By then it’s too late and the scammer has your details.

Screenshot of the fake tax refund claim form

The scammers use this information to commit credit card fraud and identity theft.

If you receive an email like this one, do not click any links or open any attachments.

Remember: the ATO and myGov will NEVER send an email or SMS asking you to click on a link and provide login, personal or financial information, download a file or open an attachment.

How do I stay safe?

Know the status of your tax affairs. If you are aware of the details of any debts owed, refunds due and lodgments outstanding, you are less likely to fall victim to a scam.

Here are some simple steps you can take to avoid an email scam:

  • Be suspicious of messages offering you a tax refund in return for a fee, or ‘confirmation’ of your details.
  • Login to your official myGov account to check your status or contact your registered tax professional.
  • Do not click on links in emails or text messages claiming to be from myGov. myGov will never send you a text, email or attachment with hyperlinks or web addresses.
  • Don’t open messages if you don’t know the sender, or if you’re not expecting them.
  • Be suspicious of messages that aren’t addressed directly to you, or don’t use your correct name.
  • Login to your official myGov account by typing the web address into your browser, to check your inbox for any legitimate emails.
  • The messages you get in your official myGov Inbox are secure and it is safe to open links included in myGov Inbox messages.
  • If you’re ever unsure about the validity of a tax related message or phone call, contact the ATO Scam Hotline on 1800 008 540, or visit ato.gov.au/scams

If you are concerned that your personal information has been compromised and misused, you can contact Australia’s National Identity and Cyber Support Service, IDCare or use their free Cyber First Aid Kit.

If you have been a victim of a cybercrime such as fraud, report it to the Australian Cybercrime Online Reporting Network (ACORN).

For more information, please visit: www.staysmartonline.gov.au

Tips to stay safe online this tax time

Tax time is a prime time for cybercriminals to get their hands on your money and personal details! In 2017 the Australian Taxation Office received over 81,000 reports of scams, with $2.3 million reported lost and almost 10,000 people accidentally sharing their personal information.

Here are some tips to help you stay one step ahead and keep safe online this tax time!

Keep your personal information private

Your personal information is valuable so stop and think before sharing it with anyone. Cybercriminals use all kinds of tricks to disguise their true identity and get you to hand over your personal information or money.

What to do:

  • Don’t give out your Tax File Number (TFN), date of birth or bank details unless you’ve checked the person you’re dealing with is who they say they are and they genuinely require these details.
  • You should always verify the identity of the person you’re dealing with through an independent source, such as a phone book or online search. Don’t ever use the contact details provided by the caller or in the message they sent to you.

Beware of ATO impersonation scams

Impersonating trusted agencies like the ATO is a common trick used by scammers. Be wary of emails, phone calls and text messages demanding payment for fake tax debts.

A scammer’s approach may sound legitimate, but remember, the ATO will never ask you to pay your tax debt into a non-ATO bank account, via pre-paid cards or with cryptocurrencies like Bitcoin.

If something doesn’t sound right, you can always check your myGov account, ask your registered tax professional, or call the ATO directly on 1800 008 540.

Read more about the latest ATO impersonation scams.

Create unique passwords

We have so many online accounts now and it’s hard to keep track of all our passwords! Many of us still use the same password for multiple accounts. The problem is that if a cybercriminal gets into one of your accounts, it can give them access to your other accounts.

What to do:

  • Secure your myGov account with a strong password that’s easy for you to remember but hard for others to guess.
  • Use two-factor authentication, like a code sent to your mobile phone. To set up your myGov security code, sign in to your account and turn it on in ‘Account settings’.
  • Use a unique password for every account you create online. You can use a password manager to help you securely store your passwords.
  • Don’t share your passwords with anyone, not even your partner, your parents, or your children.

Watch out for tax refund scams

Know the status of your tax affairs. If you are aware of the details of any debts owed, refunds due and lodgements outstanding, you are less likely to fall victim to a scam.

What to do:

  • Look out for messages offering you a tax refund in return for a fee.
  • Login to your official myGov account to check your status or contact your registered tax professional.
  • If you’re ever unsure about whether any message is really from the ATO, call the ATO Scam Hotline on 1800 008 540, or visit ato.gov.au/scams.

Get savvy about Wi-Fi hotspots

Be careful about what you do online when you’re connected to a hotspot or free Wi-Fi. So while it’s ok to check the news or the weather, avoid doing tax time transactions when you’re connected to public Wi-Fi. These networks are unsecured and it’s possible that others can see what you’re doing when you use them.

Read more about how to stay safe when using public WiFi.

Be smart with social media

We’re so used to sharing our personal information online that we don’t really think about where it’s going. This window into your life not only lets your friends and family know what you’re up to, it also gives cybercriminals information to steal your identity or hack into your online accounts.

What to do:

  • Change your privacy settings so only friends can see your details.
  • Don’t share your Tax File Number (TFN) on social media.
  • Think before you post! Once information is online it’s almost impossible to remove.

Read more on socialising online including steps you can take if you think you’ve been scammed and how to protect yourself from these threats online.

Think before you click

Scammers are becoming more sophisticated so it might be hard to tell if a message is really from the ATO or a scam! These deceptive messages can be sent via email, SMS, instant messaging or social media platforms. They often contain a link to a fake website and you’re encouraged to enter your personal details.

What to do:

  • Avoid downloading attachments or clicking links in emails or text messages even if they appear to come from someone you know.
  • If you’re not sure, contact the ATO on 1800 008 540 to check if they have sent the message.

Keep your devices up to date

When you’re alerted to a security update for your operating system or one of your apps, don’t ignore it — install it as soon as possible. These updates aren’t just about adding new features. They’re also about fixing weaknesses that cybercriminals use to gain access to your device.

What to do:

  • Install updates on your device and apps when new versions become available.
  • Run regular anti-virus scans to help you detect and remove malware (viruses) from your device.
  • Remove any apps you don’t use anymore.


Beware of fake Medicare email

What’s happened?

Scammers have set up a clone of the myGov website to trick you into sharing your login and bank account details.

The scam starts with a phishing email that looks like it is from Medicare, asking you to update your Electronic Funds Transfer (EFT) details, so you can start receiving payments for Medicare benefits and claims.

Screenshot of the phishing email that looks like it is from Medicare

If you click on the link in the email you are taken to a replica of the real myGov website. You’ll note the URL includes ‘.net’ instead of ‘.gov.au’, which is an indication the website is not a legitimate Australian Government domain!
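The ‘.net’ versus ‘.gov.au’ check described above can be automated, for example when triaging links copied out of reported emails. This is an added example, not part of the original alert; the function names are illustrative and the sample URLs are constructed. It checks the hostname a browser would actually connect to, so a genuine name placed in the path, the username part or a subdomain of another domain does not pass.

```python
from urllib.parse import urlsplit

# Per the alert: genuine Australian Government websites end in '.gov.au'.
TRUSTED_SUFFIX = ".gov.au"


def hostname_of(url):
    """Return the lowercase hostname a browser would connect to, or None."""
    url = url.strip()
    # Browsers treat '\' like '/' and drop tabs/newlines, while Python's parser
    # does not. Reject such URLs rather than risk reading a different host.
    if any(c == "\\" or c.isspace() or ord(c) < 0x20 for c in url):
        return None
    try:
        parts = urlsplit(url)
    except ValueError:
        return None
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    # .hostname already excludes any 'user:password@' prefix and the port.
    return parts.hostname.rstrip(".").lower()


def is_gov_au(url):
    """True only if the URL's real hostname is a name under .gov.au."""
    host = hostname_of(url)
    if host is None:
        return False
    try:
        # Convert lookalike Unicode letters to their 'xn--' form so that a
        # Cyrillic 'o' in 'gov' can never compare equal to the ASCII suffix.
        host = host.encode("idna").decode("ascii")
    except UnicodeError:
        return False
    return host.endswith(TRUSTED_SUFFIX)


def suspicious_links(urls):
    """Return the URLs that do NOT resolve to a .gov.au hostname."""
    return [u for u in urls if not is_gov_au(u)]


# Constructed sample links (example.net stands in for a scammer's domain).
SAMPLE_LINKS = [
    "https://my.gov.au/",                    # genuine form
    "https://www.ato.gov.au/scams",          # genuine form
    "https://my.gov.au.example.net/login",   # real name used as a subdomain
    "https://my.gov.au@example.net/",        # real name in the username part
    "https://example.net/my.gov.au/",        # real name in the path
    "https://example.net\\@my.gov.au/",      # backslash parser trick
    "https://my.g\u043ev.au/",               # Cyrillic 'o' lookalike
]

if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        verdict = "ok (.gov.au)" if is_gov_au(link) else "SUSPICIOUS"
        print(f"{verdict:14} {link!r}")
```

A passing result only shows the link points at a .gov.au hostname; the alert’s advice to type the address into the browser yourself still applies.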

Screenshot of the replica of the real myGov website

If you input your login details you are directed to also enter your secret security question and answer, before you’re taken to the fake Medicare website to input your bank account details.

Screenshot of the fake Medicare website

These emails and web pages feature myGov and Medicare design and branding, making them appear legitimate.

Remember, clicking on the link and sharing your details gives these scammers access to your personal information, which they then use to steal your money and identity!

How do I stay safe?

Email continues to be a popular method for criminals hoping to trick you into handing over your money or personal information.

There are some simple steps you can take to avoid an email scam:

  • Do not click on links in emails or text messages claiming to be from myGov or Medicare. myGov will never send you a text, email or attachment with hyperlinks or web addresses.
  • Don’t open messages if you don’t know the sender, or if you’re not expecting them.
  • Be suspicious of messages that aren’t addressed directly to you, or don’t use your correct name.
  • Login to your official myGov account by typing the web address into your browser, to check your inbox for any legitimate emails from Medicare.
  • You can also contact the organisation separately to check if they have sent the message.

If you are concerned that your personal information has been compromised and misused, you can contact Australia’s National Identity and Cyber Support Service, IDCare or use their free Cyber First Aid Kit.

If you have been a victim of a cybercrime such as fraud, report it to the Australian Cybercrime Online Reporting Network (ACORN).


Ticketmaster Data Breach

What’s happened?

On Saturday, June 23, 2018, Ticketmaster UK identified malicious software on their network.

Early reports indicate a compromise of sensitive personal information within Ticketmaster’s database.

Does it affect me?

Ticketmaster has notified, by email, Australian customers who may have been affected.

All notified customers are being asked to reset their password before they next log into their account.

How do I stay safe?

There are a few simple steps you can take to help keep your information safe:

  • Change your password on any accounts where you may have used the same email and password combination.
  • Monitor your accounts for unusual activity.
  • Use a strong password and don’t reuse the same password on other websites.
  • Use two-factor authentication so your account is protected by a second layer of security.
  • Use a password manager to keep stock of all your passwords and login details.

If you are concerned that your personal information has been compromised and misused, you can contact Australia’s National Identity and Cyber Support Service, IDCare or use their free Cyber First Aid Kit.

If you have been a victim of a cybercrime such as fraud, report it to the Australian Cybercrime Online Reporting Network (ACORN).


Online recruitment security incident impacts multiple organisations

What’s happened?

PageUp, an HR company that provides an online platform for staff recruitment for many Australian organisations including businesses and government agencies, has reported a security incident on its computer network.

At this stage, investigations are continuing into what data, if any, may have been compromised.

PageUp is working with the Australian Cyber Security Centre to investigate the incident.

Does it affect me?

PageUp is a service provider for many Australian organisations including Coles, Telstra, NAB, the ABC and Medibank.

If you have created an account to apply for a job via their online recruitment platform, PageUp recommends you change your password on those accounts as a precautionary measure.

If you have used the same username and password combination on other accounts, we recommend you change the password on those as well.

How do I stay safe?

There are a few simple steps you can take to help keep your account safe:

  • Change your password on any online recruitment systems and on other accounts where you may have used the same email and password combination.
  • Monitor your accounts for any unusual activity.
  • Use a strong password and don’t reuse the same password on other websites.
  • Use two-factor authentication so your account is protected by a second layer of security.
  • Use a password manager to keep stock of all your passwords and login details.

If you are concerned about how your personal information could be used or identity theft, you can contact Australia’s National Identity and Cyber Support Service, IDCare or use their free Cyber First Aid Kit.

If you have been a victim of a cybercrime such as fraud, report it to the Australian Cybercrime Online Reporting Network (ACORN).


ACCC releases 2017 Targeting Scams report

The Australian Competition and Consumer Commission (ACCC) has released its annual Targeting Scams report, as part of Scams Awareness Week.

The report reveals that in 2017 Australians lost $340 million to scammers, a $40 million increase compared to 2016 and the largest reported loss since the ACCC began reporting on scam activity.

Investment scams topped the losses at $64 million, an increase of more than 8 per cent. Dating and romance scams caused the second greatest losses at $42 million.

ACCC Deputy Chair Delia Rickard said, “It’s very worrying that Australians are losing such extraordinary amounts to scammers.”

“Some scams are becoming very sophisticated and hard to spot. Scammers use modern technology like social media to contact and deceive their victims. In the past few years, reports indicate scammers are using aggressive techniques both over the phone and online.”

For example, scammers pretend to be from government agencies or well-known service providers and threaten people with fines, prison time or loss of benefits if they don’t do what the scammer is asking.

Scamwatch received almost 33,000 reports of these threat-based impersonation scams in 2017. Over $4.7 million was reported lost and more than 2,800 people gave their personal information to these scammers.

This Scams Awareness Week, we’re urging people to stop and check ‘Is this for real?’ when they’re contacted by scammers who pretend to be from well-known government organisations or businesses.

How do I protect myself?

  • When dealing with unexpected contact from government agencies or trusted businesses—whether by phone, email or through social media—always consider the possibility that it may be a scam.
  • Don’t be pressured by a threatening caller. Hang up, then check whether their story is real. You can verify the identity of the contact through an independent source, such as a phone book or online search. Don’t use the contact details provided by the caller or in the message they sent to you.

What if I’ve been scammed?

If you’ve lost money or given personal information to a scammer, there are steps you can take straight away to limit the damage and protect yourself from further loss:

  • If you’ve sent money or shared your banking or credit card details, contact your bank immediately. They may be able to stop or reverse a transaction, or close your account.
  • If you realise you’ve accidentally given your personal information to a scammer, visit IDCARE, Australia’s not-for-profit national identity and cyber support service. IDCARE can support you through the process and develop a specific response plan to your situation.
  • As scammers are often based overseas, it is extremely difficult to track them down or take action against them. So take the time to warn your friends and family about these scams.


9 tips to safeguard your family’s smartphones

Smartphones have revolutionised parenting. Now we can text our kids to check if they’re home from school, finished the movie, or ask them to hang out the washing!

Cybercriminals love them just as much as you do!

If a hacker gains access to your phone, they can see your private information, location, email, photos, social media, and bank accounts.

Maybe you have good security set up on your own phone, but what about the other three or four smartphones under your roof? How secure are your kids’ phones and what can you do to plug any security gaps?

Tips to safeguard your family’s smartphones

  1. Question your security and ask how safe is my smartphone? What are the cyber security gaps? Look at everyone’s password strength, social profiles and privacy settings, web browsing security, and app settings.
  2. Use two-factor authentication for your email, social media and bank accounts.
  3. Make your passwords hard to guess. The longer your password, the stronger it is! Use a password that is made up of at least four words, including at least 12 letters. For example ‘horsecupstarshoe’. Make it easy for you to remember.
  4. Don’t trust online apps. Where you download apps from and how you use them plays a critical role in keeping your mobile phone secure. Malicious apps will try to steal personal information from your phone and could expose your device and data to malware. Only install apps from official stores such as Apple’s App Store or Google Play for Android phones or tablets. To change the access an app has to your information, go to your settings. On Android: Go to Apps and Notifications, choose App Permissions and make changes. On iOS: Go to your settings, select Privacy, and make changes to app permissions accordingly.
  5. Track your phone. Make sure your device is password and fingerprint protected in case you lose it. Take a few minutes to enable phone tracking. For Android, download the app Find My Device and for Apple use Find My iPhone.
  6. Bank and shop via your smartphone with care! Log out and lock accounts when you’re not using them and avoid using auto-login features. Think about using a password manager app that forces you to re-enter a master password each time you want to access an account. Disable keychain and auto-fill in your browser; go to Settings and turn each option to OFF. Also, avoid using public Wi-Fi to access sensitive accounts.
  7. Turn off Bluetooth. Make sure to switch Bluetooth off if you’re not using it. When it’s on, it’s constantly looking for open connections. Hackers work quickly through open Bluetooth connections, and often victims don’t even know there’s been a breach.
  8. Keep your anti-virus and operating software up-to-date, and make sure you have all your information safely backed up.
  9. Always question any calls, texts or emails you get asking for your details. These messages may look like they come from a real organisation, but they might contain links to a fake website that asks you to enter your credit card details.


Change your Twitter password

What’s happened?

As a precaution, Twitter is urging more than 330 million users to change their password after a glitch left log-in details exposed in the company’s internal computer system.

When you set a password for your account, Twitter uses technology that masks it, so no one can see your password.

The company recently identified a bug that stored unmasked passwords in an internal log. Twitter found this error itself, removed the passwords and is now looking at how it can prevent this from happening again.

Twitter has advised it has fixed the bug, and has no reason to believe the passwords left Twitter’s systems or were misused by anyone.

Does it affect me?

If you have a Twitter account we recommend you change your password on that account, and on all accounts where you’ve used the same password. You can change your Twitter password anytime by going to the password settings page.

How do I stay safe?

There are a few simple steps you can take to help keep your account safe:

  • Change your password on Twitter and on any other accounts where you may have used the same password.
  • Use a strong password and don’t reuse the same password on other websites.
  • Use two-factor authentication so your account is protected by a second layer of security.
  • Use a password manager to keep stock of all your passwords and login details.


Common Cyber Myths

Just like urban myths, cyber myths exist that sound so real they could also be true.

Believing these myths may expose you to cybercriminals.

Myth #1: Anti-virus software and firewalls are 100% effective.

Truth: Anti-virus software and firewalls* are important for protecting your information. However, neither is guaranteed to protect you from an attack. Combining these technologies with good security habits is the best way to reduce your risk.

*Most operating systems include a built-in firewall feature that you should turn on.

Myth #2: I never have to update the software installed on my computer.

Truth: Software companies release updated versions of their software to address problems or fix weaknesses. Hackers and malicious programs or viruses can find weaknesses and will exploit that software to access your computer, smartphone or tablet. To keep your device secure, you should install any software update as soon as possible. Some software even offers the option for automatic updates.

Myth #3: I have nothing important on my computer, so I won’t be hacked.

Truth: Your opinion about what is important might be different to a criminal’s idea. If you have personal or financial data on your computer, hackers can collect it and use it for their own financial gain. Even if you don’t store that kind of information on your computer, a hacker may be able to gain control of your computer and use your data in attacks against other people.

Myth #4: Cybercriminals only target people with money.

Truth: Anyone can become a victim of identity theft. Attackers look for the biggest reward for the least amount of effort and if your information happens to be in a compromised database, it could be collected and used for malicious purposes. It is important to only share your personal details with people and organisations you trust.

Myth #5: A strong password will solve all my security issues.

Truth: Strong passwords are the first line of defence to protect your information from cybercriminals, but they can still be compromised. You should support your strong password with other measures such as two-factor authentication. If strong passwords are too complicated to remember, you can install a password manager on your computer, smartphone or tablet. It will generate and remember secure passwords for you and some password managers will sync across your devices.

Remember: Be diligent about protecting yourself online, so you don’t become the victim of a cyberattack.


Making cyber security a priority for your small business

Numerous small businesses feel helpless in the face of cyber security threats or don’t consider that they are at risk at all.

Making cyber security a priority for your business is important to protect your livelihood. Many small businesses find it hard to recover after a cyber security incident and are often left devastated. A few simple steps can make a huge difference and protect your business into the future.

Be intentional

Good cyber security doesn’t happen by accident. It’s important to be intentional and consistent in your approach. Here are some simple things you can do:

  • Ensure you have antivirus software.
  • Always install security updates.
  • Develop a policy about the use of personal devices on your network, and make sure you and your staff understand the associated risks.
  • Set a back-up schedule to regularly back up all your data.
  • Use strong passwords on all your accounts and encourage your staff to do the same.

Be proactive

Don’t assume your staff are cyber safe. Work with them to help them practise safe online behaviour while at work. Here’s what you can do:

  • Educate your staff on click safety, how to identify scams and appropriate care and storage of customer information.
  • Discuss current risks, such as scams and ransomware and how you can stay safe.
  • Have an incident response plan – what will you do if you experience an incident?

Be aware

Staying aware of cyber security issues and risks is a great way to protect your business.

  • Practice safe browsing habits and be on the lookout for malicious links and scams.

Making cyber security a priority for your small business is easy, and taking a few simple steps will make you feel more comfortable, knowing your business is safer!
