With the end of the financial year having just passed, many of us are preparing documents for submission in our tax returns. If you happen to be an accountant, it’s probably bonanza time, but for the rest of us, it’s quite stressful, because we’re wary of making mistakes.
Sadly, getting stressed is an excellent way to make mistakes all the more likely, because you lose sight of the bigger picture and instead focus on one small area. That’s undoubtedly the psychology behind a recent fake email that purported to be from the ATO, offering refund information in the form of an attachment that had to be opened.
The email (http://www.mailguard.com.au/blog/ato-refund-notification-steals-passwords/) suggests that you’re eligible for a refund of $1141.20, a not inconsiderable sum, but that you have to open a zipped document in Microsoft Word to access it. It gives specific instructions on how to do so, and sits back and waits for you to act.
If you’ve been around computers for long enough, you probably know what happens next.
If you haven’t, the attachment is a fake, loaded down with malware that compromises your computer. The details regarding this particular bit of digital nastiness suggest it’s after passwords and other digital information, but similar scams have often had other aims, including installing full-scale remote control facilities so that your PC can then be used to initiate other attacks, such as sending out more of the spammy emails. Cleaning up an infected PC can be a time-consuming and tricky business, and equally bad can be cleaning up the information trail if you become the victim of identity theft and suddenly discover that you’ve taken out a new mortgage somewhere in Nigeria on a gold mine.
This kind of thing is nothing new; while malware attacks on PCs have become more sophisticated in the ways that they try to bypass security software over the years, there’s absolutely no doubt that the first line of attack — and often the most profitable from the malware author’s point of view — is the end user, especially if they’re panicked into acting without thinking.
It’s still wise to run anti-virus/anti-malware software across your computer at all times, but it’s the functional equivalent of a door lock. It’ll stop someone breaking in, but if you actively turn the key and open the door, you hand your personal information and the power of your computer to illicit types from all over the world.
The basic sensible approach is to realise that large institutions, including the ATO and banks, won’t send out this kind of email at all. When in doubt, contact the relevant institution by phone or email — but never by return email or a phone number listed in the doubtful message — and check through. If it’s legit, they’ll let you know quickly, but the chances are high that they’ll tell you it’s a common scam.