The annual ritual of tax-time involves sorting through mountains of receipts, complex spreadsheet calculations and filing endless forms. It’s a pain nobody enjoys, especially if the Australian Taxation Office (ATO) or Inland Revenue Department - Te Tari Taake New Zealand (IRD) determines it’s you who owes them money. And if that isn’t enough, we now have reports of tax phishing scams, so scammers can claim their pound of flesh too!

With emails flying back and forth between you and your tax advisor, scammers know your guard is down. While you hurriedly check attachments, click on links and submit confidential information, it’s the ideal time to target you with a tax season phishing scam.

In this blog we’ll explore some of the most common tax time scams you’re likely to face and how to avoid phishing scams this tax season.

What are tax phishing scams?

As with all phishing scams, tax phishing scams involve cyber criminals trying to deceive you into revealing private information about yourself. Alternatively, they may attempt to persuade you to transfer funds to them.

In many cases, cyber criminals will seek to trick you into providing login and password credentials to online banking portals, email accounts, or other applications containing confidential information. Once they’ve gained access to such systems, the path is then wide open for them to engage in a range of malicious activities, from financial crimes to identity theft.

Another common type of attack we see at tax time is the use of phishing tactics to trick you into installing malware. This can lead to devastating data breaches or ransomware attacks.

What makes tax phishing scams so effective is their timing. For many, this is the busiest time of year. Scammers know there’s a high probability that busy people will fail to identify a tax phishing scam at this time of year. You need effective strategies in place to avoid tax phishing scams.

Some common tax phishing scams you need to be on the lookout for include:

Email tax scams

Criminals are known to favour ATO/IRD phishing scams by sending out fraudulent emails purporting to be from the tax office. Usually, these emails direct the recipient to a bogus website. To the untrained eye these websites look totally authentic, even going as far as spoofing the legitimate website’s domain or URL. Once on the fake website, victims are urged to submit login and password credentials, paving the way for identity theft or fraud.

In one recent Australian example, people were sent links via email to a fake myGov login page. Once they submitted their myGov credentials, the criminals could access the victim’s genuine myGov portal. This allowed them to compromise victims’ personal information, including passport and driver’s license details, in order to engage in identity theft and even change bank details to their own so that the victim’s tax refund was deposited to the scammer’s account.

Common email scams include threatening legal action for fake tax debts. The victim is urged to pay via a fake webpage using cryptocurrencies or pre-paid debit cards. Alternatively, victims are tempted with an email advising them they have a refund. They are advised to enter their confidential information to receive the payment, but in fact are defrauded.

An email simulation template for your learners.

Phone tax scams

Phone scams at tax time can be particularly effective as they instil fear into potential victims. Scammers are known to phone people, either with live calls or robocalls, pretending to be from the ATO/IRD. They then attempt to deceive them into divulging confidential information or paying fictitious fines and debts. Victims are warned that they will face severe legal repercussions if they refuse to follow instructions.

In a recent case, victims were phoned and told their Tax File Number (TFN) was being suspended due to illegal activity. In these Tax File Number scams, victims were instructed that in order to restore their TFN and avoid legal action, they would need to immediately pay a fine, or transfer all their funds to a holding account.

SMS / text tax scams

Reports of SMS scams are also on the rise. Victims are sent messages purporting to be regarding their tax return. Typically, such scams seek to deceive people into clicking a link in the text message that takes them to a bogus webpage on their mobile devices.

Like phone scams, these text messages seek to instil fear in people. Victims are warned that they have an outstanding tax debt which must be paid urgently to avoid legal repercussions. In recent cases, scammers have urged payment via cryptocurrency or pre-paid debit cards. Unlike credit cards, the victims have no recourse to recover the funds when using such payment methods.

Tips for avoiding tax phishing scams

1. Be hypervigilant of texts, phone calls, and emails

When it comes to texts, phone calls and emails, the best advice is to act with caution!

Make sure you carefully check the email address of the sender. Place your cursor over the email address, without clicking it, to see if it was sent from the genuine domain name. Do the same with any links contained within the email. If in doubt – do not click anything!

When it comes to dubious phone calls or text messages, never divulge confidential information or login and password credentials. If in doubt, type the ATO/IRD website into a browser (do not click links to the website) and call the official phone number listed there.

2. Use trusted email services

Email phishing scams remain the most common method scammers use to launch attacks. It’s essential that your email systems have security measures built-in, such as spam filters. These will help identify malicious emails and move them to a spam or junk folder.

3. Take advantage of Multi-Factor Authentication (MFA)

Few security measures offer as much protection as Multi-Factor Authentication. Through using both a password and another factor, such as a one-time-passcode that is sent to your mobile device, you can stop most unauthorised access attempts. The myGov/myIR app and websites have enabled MFA, giving you greater confidence that you can stay secure.

4. Don’t believe the scare tactics

While owing tax or getting a bill might be scary, the staff do not engage in the sorts of scare tactics that are reportedly being used by scammers. You would be involved in ongoing discussions with officials before commencing any legal actions, and they never tell people to transfer all their funds to holding accounts.

5. Follow official payment recommendations

Any government revenue service has secure means for paying any tax debts. Such payments should always be made through official portals, such as myGov/myIR, or via the payment instructions on official ATO/IRD communications. Payments should never be made via cryptocurrencies or pre-paid debit cards.

6. Review resources

The official ATO website and IRD website contain all the essential information you need to know. If you have any tax questions, reach out to them directly using the contact details listed on the official website.


Even though this is a busy time of year, it’s always worth acting with caution, especially when receiving communications that are related to your tax circumstances. Never click links or open attachments that purport to be from the ATO or IRD. Any official portals and contact details can be accessed directly from the respective websites.

With so many attempted phishing scams at this time of year, now is the time to carefully consider engaging expert assistance to ensure you and your team have the awareness needed to prevent phishing scams.

Phriendly Phishing is trusted by companies across Australia and New Zealand to enable their staff to understand phishing tactics and how to avoid them.

Contact Phriendly Phishing today for a demonstration of our unique training platform.