Tax Scams in Australia 2026 — How the ATO Is Being Impersonated to Steal From Australians

The Australian Taxation Office is one of the most impersonated organisations in Australia by scammers, because virtually every Australian adult interacts with the ATO and many are expecting either a tax refund or the possibility of a tax debt. The combination of financial anxiety and government authority makes ATO impersonation extremely effective.

The Tax Refund Phishing Email

You receive an email claiming to be from the ATO advising that you are owed a tax refund and providing a link to claim it. The email looks exactly like genuine ATO communications — correct logos, formatting, and authentic-seeming footer text. The link takes you to a fake myGov page that harvests your credentials or collects your bank details "to process the refund." The ATO does not email you to advise of a refund — you can check your refund status by logging directly into myGov yourself.

The Tax Debt Phone Scam

A caller claims to be from the ATO and says you have an outstanding tax debt that will result in legal action, arrest, or suspension of your TFN unless you pay immediately. Payment is demanded by gift card, Bitcoin, or urgent bank transfer. The caller may know your name, your ABN, or other details obtained from public registries or previous data breaches. The ATO will send correspondence by mail or through your myGov inbox about genuine tax debts — they do not threaten immediate arrest over the phone, and they will never demand payment by gift card or cryptocurrency.

The ATO Credential Theft Attack

A more sophisticated attack specifically targets tax agents and business owners by stealing myGov or ATO Business Portal credentials. Once logged in, attackers change bank account details to redirect tax refunds, submit fraudulent returns on behalf of clients, or access sensitive financial information. This is why ATO portal access must have MFA enabled — credential theft alone is not sufficient to access the portal if MFA is properly configured.

How to Verify a Genuine ATO Contact

The ATO communicates primarily through myGov messages (log in yourself at my.gov.au to check), by postal letter, and occasionally by phone for specific purposes — but never to demand immediate payment. If you receive a call claiming to be from the ATO and are unsure, hang up and call the ATO directly on 13 28 61. Do not use any number provided by the caller. A genuine ATO officer will not be offended by this — they will be pleased you are taking the correct precaution.

Protecting Your Business

Enable MFA on your ATO Business Portal and myGov accounts. Use a unique, strong password for these accounts. Never click links in emails claiming to be from the ATO. And train all finance and administrative staff on ATO impersonation scams — because they are the most likely recipients of fake ATO communications targeting your business. IntrusionX can help secure your business's government portal access — contact us for a free assessment.

BAS and Tax Time — The Highest Risk Period

Phishing attacks exploiting the ATO increase significantly around BAS due dates (January, April, July, and October) and personal tax return season (July to October). Criminals know that Australians are interacting with the ATO at these times and are more likely to respond to ATO-themed communications. Be extra vigilant about ATO-themed emails and SMS messages during these periods. If you receive an unexpected ATO communication during these times, go directly to myGov to check your account rather than clicking any link.

Protecting Your Accountant and Tax Agent

If you use an accountant or registered tax agent, be aware that attackers sometimes impersonate your accountant to gain access to your financial information. Any unexpected contact from your accountant requesting your ATO credentials, myGov login, or bank details — particularly by email — should be verified by calling your accountant directly on their known number. Genuine accountants will understand and appreciate your caution. Also ensure that your accountant has proper security controls in place — MFA on their ATO portal access, secure document exchange rather than unencrypted email — as their security directly affects your exposure. IntrusionX works with Melbourne accountants and their clients to implement appropriate security controls — contact us for a free consultation.