ATO CIO: Tax phishing sites are 'a fact of life'

As a fresh round of phishing spam targets Australian taxpayers, the ATO's CIO has warned fake Web sites designed to steal Australian credit card and personal details are "a fact of life".

The latest phishing scam, detected by security company Trend Micro, aims to trick recipients into giving away their details by claiming a tax refund is awaiting them and directing them to a fake version of the ATO Web site.

While the spam message is poorly worded -- signed at the bottom "Regards, Australian Government" -- the fake site used to capture would-be victims' credit card details is almost identical to the authentic one.

The input fields ask for the intended victim's credit card number, expiration date and the CVV code -- the three-digit security code used to authenticate transactions where the cardholder is not present -- as well as secondary identifiers such as birth date, home address and mother's maiden name.

The ATO's CIO Bill Gibson told ZDNet.com.au that the ATO does not send e-mails to its clients regarding tax returns, but added that the problem of fake Web sites has become so common it is "a fact of life" for the tax office.

Fact of life: Fake ATO Web site.

Credit: Verna Sagum, TrendMicro Content Security Team

"We know of sites that masquerade as the ATO's Web site. We know of URLs that look or sound awfully like the ATO or the government and every time we are aware of one, we try to deal with it," said Gibson.

"We don't have control over domain naming standards but where someone is clearly putting up something that is fraudulent we pursue the matter with ISPs as aggressively as we can. For us, it's almost a fact of life that this is out there. It's something you need to be watching for and making sure your users are not affected by," he added.

Talkback 1 comments

    Education not technology can reduce the impact Matt -- 14/02/08

    No matter what technology solution is created to deal with scams, the scammers will always outthink them.

    The only thing they can not out think is a person.

    Education of people - even a basic rule - if you think it is suspicious - then it probably is - DELETE IT.

    Scammers work on the lack of education of users to get them to part with information.

    It's simple - if someone is asking you for information you would not want plastered over the front page of every newspaper in the world, every TV in the world and every computer in the world - then don't give it to them.

    There will always be another way a genuine request will be able to be handled in person - through a trusted agent etc.

    It's time we stopped barking at CIOs and Technology people and instead focussed on the educators in our society.
