Tax Season Phishing Scams: How to Protect Your Team in FY2025-26
June 1, 2021
Tax season is peak season for scammers. Every year, the volume of ATO impersonation attacks climbs as criminals target people who are already expecting emails, processing receipts, and lodging returns.
This year, the numbers are striking. In the first four months of 2025, phishing scams cost Australians $13.7 million in reported losses, up from $4.6 million in the same period of 2024. That is nearly triple in twelve months. Over the same period, the ATO recorded a 300% increase in impersonation email scams compared to the previous year.
These scams are well-timed and convincingly built. A message that arrives during a busy lodgement period, with the right subject line and logo, does not need to be perfect. It just needs to be good enough.
Here is what is targeting Australian teams right now, and what you can do about it.
What tax phishing scams look like in FY2025-26
Tactics have evolved well beyond the basic email scams of a few years ago. The most active threats this tax season include:
ATO impersonation emails
Scammers send emails that closely mimic official ATO communications. Subject lines include phrases like “Urgent new notification in your account inbox”, “New Tax Lodgement”, and “notice of assessment”. These emails send recipients to a fake myGov login page designed to harvest credentials.
One variant currently active impersonates DocuSign. The email tells the recipient they have an outstanding tax-related document to sign, then redirects them to a fake myGov page. The scam works because many recipients use DocuSign legitimately and lower their guard when they see a familiar format.
2FA bypass attacks
More sophisticated campaigns now target two-factor authentication. After capturing a myGov login on a fake site, scammers immediately prompt the victim for their SMS verification code. This gives them real-time access to the genuine account, including tax records, personal details, and the ability to redirect a refund to a scammer-controlled bank account.

An email simulation template for your learners.
Phone and SMS scams
Voice calls and text messages impersonating the ATO continue to run throughout tax season. Common pressure tactics include claims that a Tax File Number has been suspended, threats of legal action, and demands for immediate payment via cryptocurrency or pre-paid debit cards.
One important change: the ATO no longer includes hyperlinks in outbound unsolicited SMS messages. Any text claiming to be from the ATO that contains a clickable link should be treated as a scam.
AI-generated and social media impersonation
Scammers are using AI to produce more polished, grammatically convincing messages. Fake ATO social media profiles are also on the rise. The real ATO will never discuss your personal account through social media or private messages, regardless of the platform.
How to spot a tax phishing scam
Train your team to watch for these patterns:
- Urgency and threats. The ATO does not demand immediate payment, threaten arrest, or instruct anyone to transfer funds to a holding account.
- Links in unsolicited messages. The ATO does not include links in unsolicited SMS. A text from the ATO with a link is a scam.
- Requests for personal information. The ATO will never ask for passwords, TFN, credit card details, or banking information via email or SMS.
- Unusual payment methods. The ATO does not accept payment via cryptocurrency, gift cards, or pre-paid debit cards.
- Suspicious sender addresses. Check carefully. Scammers often use addresses that closely mimic official domains with subtle changes: a missing letter, a number swapped in, or a different suffix.
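The sender-address check in the last point can be automated at a mail gateway or in a reporting tool. The sketch below is an added example, not Phriendly Phishing or ATO code: it classifies a From address against the two official domains named in this article and reports which of the three changes it found. The digit-to-letter mapping and the sample addresses are constructed assumptions.

```python
import re

# Official domains named in the article.
OFFICIAL = ("ato.gov.au", "my.gov.au")
# Digit-for-letter swaps to undo before comparing (assumed mapping for this example).
DIGIT_SWAPS = str.maketrans("013457", "oleast")

def edit_distance(a, b):
    """Levenshtein distance: single-character inserts, deletes and substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def sender_domain(address):
    """Pull the domain out of 'Name <user@domain>' or 'user@domain'."""
    m = re.search(r"@([a-z0-9.-]+)>?\s*$", address.strip(), re.I)
    return m.group(1).lower().rstrip(".") if m else None

def classify_sender(address):
    domain = sender_domain(address)
    if domain is None:
        return "unparseable"
    # An exact or subdomain match only means the string is right; the header can
    # still be spoofed, so this does not replace SPF/DKIM/DMARC results.
    if any(domain == o or domain.endswith("." + o) for o in OFFICIAL):
        return "official"
    for o in OFFICIAL:
        stem = o.rsplit(".", 1)[0] + "."          # "ato.gov." / "my.gov."
        if domain.translate(DIGIT_SWAPS) == o:
            return "lookalike: number swapped in"
        if domain.startswith(stem):
            return "lookalike: different suffix"
        if edit_distance(domain, o) == 1:
            return "lookalike: missing or altered letter"
    return "unrelated"

# Constructed sample senders, one per pattern from the list above.
SAMPLES = ["ATO <noreply@ato.gov.au>", "noreply@at0.gov.au", "refunds@ato.gv.au",
           "notice@ato.gov.co", "login@my.gov.au.example.net", "hello@example.org"]

if __name__ == "__main__":
    for sender in SAMPLES:
        print(f"{sender:32} {classify_sender(sender)}")
```

Treat a "lookalike" result as a reason to quarantine or escalate the message. The check does not cover Unicode homoglyph domains or display-name spoofing.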
What to do if you receive a suspicious message
- Do not click any links or open attachments.
- Go directly to ato.gov.au or my.gov.au by typing the URL into your browser.
- Call the ATO directly on 1800 008 540 using the number listed on the official site if you are unsure whether a message is genuine.
- If you have already entered credentials or personal details, contact the ATO immediately and consider placing a fraud alert on your accounts.
Protecting your business this tax season
Individual vigilance helps. The most reliable protection comes from making sure your whole team knows what to look for before a scam arrives, not after.
At a minimum, make sure your team:
- Knows the ATO will never send unsolicited emails or SMS messages containing links
- Has multi-factor authentication (MFA) enabled across all work accounts, especially email and accounting platforms
- Knows how to report a suspicious message without feeling embarrassed
- Can recognise the red flags in current scam formats, not just the obvious ones from a few years ago
The difficulty is that these messages look genuine. They are designed to. Telling staff to “be careful” is no longer enough. Your team needs regular, realistic practice identifying threats in context.
That is what phishing simulation training is built for. The Phriendly Phishing platform runs automated, localised simulations that reflect the actual threats circulating in Australia right now, including tax season scenarios. When someone clicks on a simulated phishing email, they receive immediate, constructive feedback. The focus is on building confidence, not catching people out.
Simulations work best when paired with ongoing security awareness training that reinforces the right behaviours over time. Together, they form the foundation of a cyber resilient culture where people know what to do when something looks off.
Get your Tax Time Awareness Toolkit
Phriendly Phishing’s Tax Time Awareness Toolkit gives your team practical resources for this tax season. Inside, you will find an article, an eBook, a summary of what the ATO will never do, and an interactive Spot the Scam game designed to build real recognition skills.
Download the toolkit at insight.phriendlyphishing.com/tax-time-scams-awareness-toolkit-26.
To see how phishing simulation training and security awareness training can support your organisation year-round, get in touch with our team.
Sources
The following sources are cited inline within the article:
- ACCC, National Anti-Scam Centre media release, June 2025 (phishing loss figures, early 2025 vs 2024)
- ATO Scam Alerts page (300% increase in impersonation emails; DocuSign scam, Oct 2025)
- ATO Scam Data page (monthly impersonation report counts)
- ATO Latest Scam Updates (ATO removal of hyperlinks from outbound SMS)