As the end of the financial year (EOFY) approaches, it's crucial for businesses in Australia to evaluate and update their cyber security measures. This period often brings an increase in cyber-attacks, as criminals take advantage of the frenzy of activity to target vulnerable people and businesses. To help protect your business, we've compiled an EOFY and tax time cyber security checklist that mid to large company IT, admin, and cyber security staff can follow to close out the financial year securely. Read on for our exclusive tax time and EOFY scam resources that you can download and share with staff, friends and family.

What you can do proactively

Review your security policies and procedures

Begin by thoroughly examining your company's security policies and procedures. This includes reviewing password policies, access control measures, and remote work protocols. Ensure your policies are up to date and comply with the latest government regulations, such as the Online Safety Act and Privacy Act. Additionally, consider conducting regular security awareness training for all employees to reinforce best practices and help them recognise potential threats.

Around this time of year, you may be the target of email, smishing and vishing scams purportedly from the ATO. These could claim that you have outstanding tax returns, a large refund waiting, or a filing error. The ATO doesn't communicate in this way, so it is safe to ignore these messages, as well as phone calls from someone trying to social engineer you into paying a debt or releasing information about your business.

Conduct a comprehensive risk assessment

Carrying out a risk assessment is essential to identifying potential vulnerabilities within your company's IT infrastructure. This process should involve evaluating your network security, application security, and endpoint security to identify any weak points. Once identified, prioritise addressing these issues based on their potential impact. Furthermore, consider engaging a third-party consultant or conducting a penetration test to obtain an unbiased assessment of your security posture.

Update and patch software and hardware

One of the most effective ways to prevent cyber-attacks is to keep your software and hardware updated. Regularly check for updates and patches for all devices connected to your network, including servers, workstations, and mobile devices. This also includes ensuring your antivirus and anti-malware software is up to date, as well as installing the latest security updates for your operating system and applications.

Implement multi-factor authentication (MFA) and encryption

MFA adds an additional layer of security to help prevent unauthorised access to your company's sensitive data. Implement MFA for all user accounts, particularly those with administrative privileges. In addition, encrypt your data both at rest and in transit to protect it from being intercepted or accessed by unauthorised parties. This includes employing encryption solutions for email communications, file storage, and remote access.

Current threats and scams

AI voice scams are getting realistic

With the rise of generative AI, scammers are now using realistic voice cloning to impersonate ATO or IRD officials in phone calls. Voice scams have been around for a while, but criminals are moving away from obviously pre-recorded warnings toward something that sounds live and realistic. These calls may sound convincing, but they're designed to pressure you into urgent payments or handing over sensitive information. It's a chilling example of how social engineering and emerging tech are being combined to create scams that feel real.

Superannuation account breaches

In 2025, breaches of Australian superannuation accounts highlighted just how critical it is to protect our financial assets. If you haven’t already, ensure multi-factor authentication (MFA) is enabled on any financial or super-related accounts. Strong, unique passwords and regularly checking account activity are also essential to staying ahead of fraud.

Business Email Compromise (BEC) tactics

EOFY is a prime time for Business Email Compromise (BEC) attacks, where cyber criminals gain access to email accounts or spoof trusted contacts to trick staff into transferring funds or sharing login credentials. These scams often start with a single harvested password, reminding us how vital it is to stay alert and apply strong email security hygiene across the board.

IBM's X-Force Threat report in 2024 highlighted that valid credentials from accounts compromised through BEC were easily available on the dark web, and that their use was on par with traditional phishing as an initial access vector.

Implementing these EOFY cyber security measures will help safeguard your business from potential threats and ensure compliance with government regulations. It's important to remember that cyber security is an ongoing process, and keeping your organisation secure requires consistent vigilance and adaptation to the ever-evolving cyber landscape. By taking a proactive approach to security, you can mitigate risks and protect your company's assets.

Contact us today for a free demo of our learning platform and see how our human risk management program and phishing simulations can help your staff recognise the signs of phishing and become cyber security champions.