“The end of financial year is the number one time of year for cyber criminals to strike. Scammers know that in the lead-up to the end of financial year, businesses are moving money around, paying bills and getting their affairs in order, and they do whatever they can to take advantage of that,” Cosi De Angelis, ANZ general manager of transaction banking for business and private bank, said.

And while scammers can be quite sophisticated in their approaches, often some of the most important ways to stay safe are also the simplest.

“Updating and maintaining a secure password is a business owner’s first line of defence, and a simple, easy action business owners can take to remain a step ahead,” De Angelis said.

According to ANZ, the three most common passwords used by Australians are a long way from secure, but are nonetheless used by tens of thousands: “admin”, “password”, and “123456”.

“While it isn’t always convenient to come up with a new password, it is crucial to helping keep your business safe. The best passwords are long, unique and unpredictable,” De Angelis said.

Changing your password, however, is just the tip of the security iceberg, and there is much more that can be done to stay safe over the EOFY period. Adrian Covich, vice president of systems engineering for cyber security firm Proofpoint in the APJ region, recently told Cyber Daily he was observing a sharp increase in “sophisticated email scams targeting Australians” at tax time.

“Cyber criminals are taking advantage of this busy time by impersonating trusted entities like the Australian Taxation Office (ATO), myGov, and even internal HR departments to create a sense of urgency and legitimacy and pressure individuals into making mistakes they otherwise wouldn’t,” Covich said.

“Our research has identified over 100 distinct scam campaigns globally using these tax-themed lures. These attacks include delivering a range of malicious payloads via remote access software as their tool of choice. Once a victim is tricked into installing it, the attacker can gain quiet, persistent control over their system to steal credentials, financial data, and sensitive personal information.”

A perfect example, according to Covich, is a campaign Proofpoint observed in April, where the scammer circulated a phishing email that appeared to originate from myGov.

“A link in the email led to a fake login page designed to harvest the user’s credentials and even their two-factor authentication codes,” Covich said.

“A successful attack can provide the criminal with a treasure trove of personal and financial information, highlighting just how critical it is for both individuals and organisations to remain vigilant.”

Here are Covich’s top five tips to avoid being scammed this tax season:

• Be wary of unsolicited messages: The ATO will never ask for personal or financial information via email, SMS, or social media, or direct you to click links.
• Verify unexpected calls: Genuine ATO calls appear as “No Caller ID”, and if in doubt, hang up and call the agency directly using its official number.
• Watch for pressure tactics: Scammers often create a false sense of urgency to trick people into acting without thinking.
• Ignore social media requests: The ATO will never use social media to request personal information, documents, or payments.
• Keep staff alert: Organisations should remind employees about EOFY scam risks and reinforce security awareness training.