Alarmingly, this year has seen a rise in impersonation scams targeting individuals during tax time, a period when people are more likely to engage with financial and government agencies and official communication from the ATO. Scammers exploit this heightened activity by posing as ATO representatives, sending fraudulent emails and texts, or making phone calls to steal personal information and money from hardworking Australians.
Small and medium businesses are especially at risk because AI-powered scams are becoming more sophisticated and convincing, making it harder to identify a scam attempt. This highlights the importance of staying alert this tax season. This article outlines the top four scams to be aware of this financial year (FY23–24) and provides tips on how to avoid falling victim to them.
myGov email impersonation scams
There has been a surge in phishing scams targeting myGov accounts, with scammers creating fake ATO emails containing links that direct people to fake myGov sign-in pages designed to steal their username and password. This tactic is proving highly effective, with ATO-branded emails being the most commonly reported scam in February 2024. Over the past six months, a staggering 75 per cent of all email scams reported to the ATO involved a fake myGov login link. This highlights just how widespread and sophisticated these phishing attempts have become. The ultimate goal of these scams is to steal your myGov credentials.
Scammers are also exploiting other digital channels such as SMS messaging to get individuals to click on fake myGov sign-in pages designed to steal their usernames and passwords. Scammers use different phrases to trick people into opening these links. Some examples are:
- You are due to receive an ATO Direct refund
- You have a new message in your myGov inbox – click here to view
- You need to update your details to allow your Tax return to be processed
- We need to verify your incoming tax deposit
- ATO refund failed due to incorrect BSB/account number
- Your income statement is ready, click on the link to view
ATO social media impersonation account scams
This scam is popular on social media. These scams impersonate both the ATO itself and ATO employees. The intent is to get you to interact with the pages, send messages and ask questions, with the end goal of tricking you into sharing personal information such as email addresses, phone numbers and bank account details.
The ATO does have an official presence on Facebook, Twitter and LinkedIn, all of which hold the blue tick of authentication. You can see in the two screenshots below that there is no blue tick for authentication, and the follower counts are very low.
How to spot a fake
- The ATO prioritises secure communication. It will never send email or social media links directing you to log in to myGov or other online services. Treat any such requests as scams.
- The ATO’s official accounts are on Facebook, Twitter and LinkedIn. However, it will never initiate contact through these channels. It also has no presence on Instagram, so any ATO message there is guaranteed to be a phish.
- Be wary of suspicious ATO accounts. Legitimate profiles typically boast tens of thousands of followers and have been active for years. Steer clear of any new or low-follower accounts claiming to be the ATO.
- The ATO won't send you an SMS or email with a link to log on to online services. These should be accessed directly by typing ato.gov.au or my.gov.au into your browser.
- While the ATO may use SMS or email to ask you to contact it, it will never ask you to return personal information through these channels.
By keeping these tips in mind, you can easily identify and avoid fake ATO social media scams. Remember, if you're unsure, it's always safer to contact the ATO directly through verified channels.
Multifactor authentication (MFA) phishing scams
This scam preys on the growing adoption of MFA. Scammers send emails claiming the ATO requires an "MFA update" for your account.
The image below is an example of what the scam may look like.
How to spot a fake
- The ATO will never ask you to update MFA via email, especially with a QR code, or a link to log in to online services. These codes typically lead to fake myGov login pages designed to steal your credentials.
- If you receive an email like this, do not scan the QR code, click on links, open attachments or download files. Forward the email to the ATO's scam-reporting address [address obscured by spam protection on the original page], and then delete it.
Tax refund SMS scams
This scam increased in popularity in 2023 and is a continued concern for 2024. This is a smishing scam (malicious/fake SMS) designed to get you to click on the link. You are then taken to a fake website (that looks real) with a form for you to complete so you can get your money. Once again, scammers are looking for your personal information.
How to spot a fake
- The real ATO will never send an SMS with a link on it.
Tax lodgment email scam
You guessed it: this email scam shares fake information about your tax return lodgment date together with a fake receipt number. The message is manipulative in that it tells you not to call; instead, it suggests you check the attachment and ensure that all your information is correct.
If you do click on the attachment, you are taken to another screen that looks like an official Microsoft sign-in (IT IS FAKE). This scam intends to collect your login details and password. With access to your Microsoft account, cyber criminals can potentially reach your personal device and everything on it. Plus, if you reuse your passwords, there is a high chance that cyber criminals will use these details to attempt to access other applications.
How to spot a fake
- The real ATO will never send you an email with a link on it or an attachment to open.
Stay vigilant and aware
Remember that scammers, also known as cyber criminals, refer to their playbook throughout the year and re-use or update scams, especially if they were successful (most of them are). The challenge for you is to be aware of them all and remain vigilant.
For all incoming communication from the ATO
- If you receive an email, SMS, or phone call that says it is from the ATO, STOP and take a breath.
- If it includes a link – IT IS A SCAM. Do not engage and report it.
- If it includes an attachment (usually in an email) – IT IS A SCAM. Do not engage and report it.
Remember
- The real ATO will never send you any links to click on.
- If the real ATO does contact you, they will only ever ask you to contact them directly via their official sites, such as https://www.ato.gov.au or https://my.gov.au/, to log into your account.
- Call the ATO on 1800 008 540 if you are unsure or want to clarify something.
Advice for business owners
- Communicate to your people, outlining precisely what to expect from your HR or Payroll Department at tax time.
- Provide precise details as to what they will receive and warn them that there is a very high chance cyber criminals will be targeting them at tax time.
- Step your people through relevant, engaging, and ongoing security awareness training and allow them to test their knowledge with simulated phishing and other social engineering tests.
- Share the tips below with your employees, customers, vendors and suppliers, as cyber security is everyone’s responsibility.
Advice for employees (and everyone else)
- Ask your HR Department or Payroll when and how you will receive your Group Certificate.
- Only deal with the ATO or myGov via official channels: https://my.gov.au/ or https://www.ato.gov.au.
- The real ATO will never send links in emails or SMS.
- The real ATO will never request personal details like bank account details via email, SMS or voice mail.
- The real ATO will never ask you to pay for anything with gift cards, credit cards or cryptocurrency (like Bitcoin).
Advice for tax professionals
Cyber criminals are actively looking to gain unlawful access to your client data as it is of great value to them. Take a moment to consider all the personal and sometimes business information you hold for each of your clients and the potential repercussions if you suffered a data breach.
They will even pose as a client sending you an email with a malicious attachment in the hope that you open it and grant them access to your system. Once inside, they can access your entire inbox and your clients' data. You need to be on the lookout for all suspicious emails and be vigilant at tax time.
Is that all? Sadly, no, there are more tax time and ATO-related scams to be found here: https://www.ato.gov.au/General/Online-services/Identity-security-and-scams/
If (or more likely when) you receive an ATO or myGov-related scam, take a screenshot and send it to the ATO's scam-reporting address [address obscured by spam protection on the original page]. Feel free to share these hints and tips far and wide with everyone in your world who will be required to lodge a tax return, to help safeguard against scams this tax season.
By Dr Martin Kraemer, Security Awareness Advocate at KnowBe4