Home Malware ATO “Right to Obtain a Refund” Malware Emails

ATO “Right to Obtain a Refund” Malware Emails

by Brett M. Christensen

Outline:
Emails purporting to be from the Australian Taxation Office (ATO) claim that you have the right to obtain a refund or reimbursement and should therefore click a link to download more information.




Brief Analysis:
The emails are not from the ATO and the promised refund does not exist. It is a criminal ruse designed to trick you into visiting a fraudulent website and downloading malware.

Example:
IMPORTANT NOTICE Australian Taxation Office – 20/10/2016

After the last estimation of your fiscal actions has been found that you have the right to obtain a refund of 2335.85 AUD.Please follow the link below to download the deal information: [link removed]

Liam Wesley,
Tax Refund Department
Australian Taxation Office

Example:
SIGNIFICANT NOTIFICATION Australian Taxation Office – 20/10/2016

After the last estimation of your financial activity has been found that you have the right to obtain a reimbursement of 7272.48 AUD.Please follow the link below to download the operation information: [link removed]

James Wesley,
Tax Refund Department
Australian Taxation Office





Detailed Analysis:
According to a series of emails that claim to be from the Australian Taxation Office (ATO), you have the right to obtain a refund or reimbursement for several thousand dollars. The emails include a link  that supposedly downloads a document with more information about your unexpected refund.

Clicking the link opens a fake ATO “download center” webpage (see screenshot below) that prompts you to download what it claims is a PDF containing a declaration form.

However, the supposed PDF is in fact a .zip file that harbours a malicious .scr file. If you click the .scr file, it can install malware on your computer.

Details, such as the amount of the supposed refund and the name of the supposed ATO staff member listed in the signature may vary in different versions of the emails. Some versions claim to be from the “Australian Taxation Bureau” rather than the ATO.

The “tax refund” ruse has been used repeatedly in both phishing and malware attacks. The ATO will never send you an unsolicited email that claims that you must click a link or opened an attached file to process a refund.

If you receive one of these emails, do not click any links or open any attachments that it contains.

A screenshot of the bogus website:

Fake ATO website harbours malware




Last updated: October 21, 2016
First published: October 21, 2016
By Brett M. Christensen
About Hoax-Slayer

References
ATO ‘Tax Refund Notification’ Phishing Scam Email
ATO ‘ Tax Agent Report’ Malware Email
ATO Tax Refund Malware Emails




Importance Notice

After considerable thought and with an ache in my heart, I have decided that the time has come to close down the Hoax-Slayer website.

These days, the site does not generate enough revenue to cover expenses, and I do not have the financial resources to sustain it going forward.

Moreover, I now work long hours in a full-time and physically taxing job, so maintaining and managing the website and publishing new material has become difficult for me.

And finally, after 18 years of writing about scams and hoaxes, I feel that it is time for me to take my fingers off the keyboard and focus on other projects and pastimes.

When I first started Hoax-Slayer, I never dreamed that I would still be working on the project all these years later or that it would become such an important part of my life. It's been a fantastic and engaging experience and one that I will always treasure.

I hope that my work over the years has helped to make the Internet a little safer and thwarted the activities of at least a few scammers and malicious pranksters.

A Big Thank You

I would also like to thank all of those wonderful people who have supported the project by sharing information from the site, contributing examples of scams and hoaxes, offering suggestions, donating funds, or helping behind the scenes.

I would especially like to thank David White for his tireless contribution to the Hoax-Slayer Facebook Page over many years. David's support has been invaluable, and I can not thank him enough.

Closing Date

Hoax-Slayer will still be around for a few weeks while I wind things down. The site will go offline on May 31, 2021. While I will not be publishing any new posts, you can still access existing material on the site until the date of closure.

Thank you, one and all!

Brett Christensen,
Hoax-Slayer