Debunking email hoaxes and exposing Internet scams since 2003!

Hoax-Slayer Logo Hoax-Slayer Logo

Home    About    New Articles    RSS Feed    Subscriptions    Contact
Bookmark and Share

ATO Tax Refund Malware Emails

Email purporting to be from the Australian Taxation Office (ATO) claims that the recipient is eligible for a tax refund and should open an attached .zip file containing a Microsoft Word document for further details.

Keyboard with Tax Refund Button

© Illia Uriadnikov

Brief Analysis
The message is not from the ATO and the tax refund claims are untrue. The attached .zip file contains a trojan that can steal personal and financial information from the infected computer. Be wary of any unsolicited email from your tax office that claims you can receive a refund by opening an attachment or clicking a link. This is a very common scammer ploy.

Bookmark and Share

Australian Taxation Office


After the last calculation of your fiscal activity we have determined that you are eligible to receive a refund of 0676.14 AUD.

For more details please follow the steps bellow :

- Right-click the link on the attachment name, and select Save Link As, Save Target As or a similar option provided.
- Select the location into which you want to download the file and choose Save.
- Open the file Microsoft Word file to view the details.

Myra English,
Tax Refund Department
Australian Taxation Office

Attachment Names:
ato_tax_(email address).zip contains ATO_TAX_(number).exe

Detailed Analysis

This message, which claims to be from the Australian Taxation Office (ATO), informs recipients that they are eligible for a tax refund. To learn more about the unexpected windfall, recipients are instructed to open an attached file to review a Microsoft Word document.

However, the email is not from the ATO and the attachment contains a file significantly more sinister than a Microsoft Word document. Of course, there is no tax refund. The promise of a refund is just the bait used to entice people into opening the attachment without due care.

Those who fall for the ruse and proceed to unzip the attachment will be presented with a .exe file. If they then click the .exe file, they will install a trojan on their computer. Once installed, this trojan can download other malware programs, collect personal and financial information from the infected computer and send the stolen information to the criminals operating the malware attack.

Criminals regularly use fake tax refund emails as a means of stealing personal and financial information. Many versions are direct phishing scams that try to trick users into filling in bogus forms, ostensibly to allow processing of the tax refund. Typically, these scam emails ask for banking and credit card details along with other personal information.

The version discussed here takes a different tack by tricking people into installing malware. However, like the direct phishing versions, the attack is designed to allow criminals to steal personal and financial information that they may subsequently use to commit bank and credit card fraud and steal the identities of victims.

Be wary of any unsolicited email purporting to be from the tax office in your country that claims that you can get an unexpected refund by opening an attached file or clicking a link. Your tax office will not ask you to provide sensitive personal information in this manner.

Bookmark and Share

Last updated: August 8, 2013
First published: August 8, 2013
By Brett M. Christensen
About Hoax-Slayer

IRS Tax Refund Phishing Scam
Australian Tax Refund Scam Email

Go to Mobile Version