ATO CIO: Tax phishing sites are 'a fact of life'

As a fresh round of phishing spam targets Australian tax payers, the ATO's CIO has warned fake Web sites designed to steal Australian credit card and personal details are "a fact of life".

The latest phishing scam, detected by security company Trend Micro, aims to trick recipients into giving away their details by claiming a tax refund is awaiting them and directing them to a fake version of the ATO Web site.

While the spam message is poorly worded -- signed at the bottom "Regards, Australian Government" -- the fake site used to capture would-be victims' credit card details is almost identical to the authentic one.

The input fields ask for the intended victim's credit card number, expiration date and the CVV code -- the three-digit security code used to authenticate transactions where the cardholder is not present -- as well as secondary identifiers such as birth date, home address and mother's maiden name.

The ATO's CIO Bill Gibson told ZDNet.com.au that the ATO does not send e-mails to its clients regarding tax returns, but added that the problem of fake Web sites has become so common it is "a fact of life" for the tax office.

"We know of sites that masquerade as the ATO's Web site. We know of URLs that look or sound awfully like the ATO or the government and every time we are aware of one, we try to deal with it," said Gibson.

"We don't have control over domain naming standards but where someone is clearly putting up something that is fraudulent we pursue the matter with ISPs as aggressively as we can. For us, it's almost a fact of life that this is out there. It's something you need to be watching for and making sure your users are not affected by," he added.