ATO impersonation attacks are up 300%. New scams bypass two-factor authentication. And healthcare businesses face double the risk. Here’s your complete guide to staying safe this tax season.
Tax time has always attracted scammers. The combination of money, urgency, and people expecting contact from government agencies creates perfect conditions for fraud.
But what we’re seeing in 2026 is different. The attacks are smarter. The fake websites look identical to the real thing. And for the first time, we’re encountering scams that can bypass two-factor authentication — the very security measure we’ve been recommending for years.
Whether you’re a GP managing patient records, an accountant handling client finances, or a small business owner preparing your BAS, this guide will show you exactly what to watch for — and how to protect yourself.
The Alarming Statistics Behind Tax Season Scams
The numbers paint a sobering picture:
- 300% increase in ATO impersonation emails compared to the same period last year
- $13.7 million lost to phishing scams in just the first four months of 2025 — nearly triple the $4.6 million lost in early 2024
- $280 million in total scam losses reported by Australians in 2025
- 26% increase in losses despite fewer reports — meaning scams are becoming more effective
- Healthcare remains the #1 targeted sector — 20% of all data breaches, with ransomware incidents doubling year-on-year
- 95% success rate for attackers targeting healthcare organisations — compared to 52% across all sectors
The pattern is clear: fewer scams are reaching people, but the ones that do are far more sophisticated and far more damaging.
Five Reasons Scammers Love Tax Season
1. Everyone Expects Contact from the ATO
During tax time, it’s completely normal to receive emails about tax matters. This expectation becomes a vulnerability. When we’re expecting something, our guard drops. That ‘urgent notification’ doesn’t seem suspicious when you’re already thinking about lodgements and refunds.
2. Urgency Creates Mistakes
Scammers know that urgency bypasses rational thinking. Messages about ‘immediate action required’ or ‘avoid penalties’ trigger our fight-or-flight response. We click first and think later. CPA Australia has specifically warned about scam emails sent overnight, designed to catch you off-guard first thing in the morning — before you’ve had your coffee and your defences are up.
3. Financial Stress Lowers Defences
The promise of a refund or the threat of a tax debt creates emotional responses. When money is involved, people make decisions they wouldn’t otherwise make. Scammers exploit this relentlessly.
4. Document Sharing Creates Opportunities
Tax time involves sharing sensitive documents — payslips, financial statements, TFNs, Medicare numbers. Every document shared is an opportunity for interception. Unsecured email attachments, fake accountant emails requesting document resends, compromised file-sharing links — all are common attack vectors.
5. Small Businesses Are Stretched Thin
Tax compliance takes time and attention. When business owners are focused on gathering receipts and reconciling accounts, they’re less likely to carefully verify every email. Scammers count on this divided attention.
The New Scam Tactics You Need to Know
The 2FA Bypass Attack
This is the most concerning development of 2026. Intercepted by Australian cybersecurity company MailGuard, this attack works in multiple stages:
- You receive an email that looks exactly like it’s from the ATO, with subject lines like “Urgent new notification in your account inbox”
- The link takes you to a fake myGov login page — virtually indistinguishable from the real one
- You enter your username and password
- The fake site asks for your SMS verification code — and you enter it, thinking you’re being security-conscious
- The scammers now have everything: your credentials AND your 2FA code
- They then request your driver’s licence, date of birth, and credit card details
The critical insight: Two-factor authentication only protects you when you’re on the real website. If you’ve been tricked onto a fake site, entering your code hands it directly to criminals.
The DocuSign Impersonation
Identified in late 2025, this scam sends emails that look like legitimate DocuSign requests. The document is named ‘Declaration and Final Release’ with tax-related subject lines like ‘notice of assessment.’ Recipients who use DocuSign regularly are particularly vulnerable because the format looks familiar. Clicking ‘Review Document’ leads to a fake myGov login.
The Cryptocurrency Refund Scam
Flagged by the ATO in February 2026, this scam claims your taxable income has been ‘recalculated’ and you’re entitled to compensation. Victims are asked to reply with payslips, TFN, driver’s licence, and Medicare details. The cryptocurrency angle adds false legitimacy to what is pure identity theft.
Fake Social Media Support
Scammers create fake ATO accounts on Facebook, Twitter, TikTok, and Instagram. They monitor official ATO posts and reply to people’s questions, offering to ‘help’ via direct message. The ATO will never discuss your personal account on social media, including private messages.
What the ATO Will NEVER Do
Commit this list to memory:
- Threaten immediate arrest or legal action
- Demand payment via gift cards, cryptocurrency, or wire transfer
- Send unsolicited SMS messages containing hyperlinks
- Ask for personal information via email, SMS, or social media
- Request your myGov password or login credentials
- Discuss your personal tax affairs via social media DMs
- Send emails with attachments requiring immediate action
Special Considerations for Healthcare Providers
If you run a medical practice, allied health clinic, or any healthcare business, you face a unique combination of threats during tax season.
Healthcare records are particularly valuable because they contain Medicare numbers, TFNs, complete personal identification, sensitive health information, and payment details — all in one place. As one security analyst noted: “Unlike financial data, which has a limited shelf life because it’s relatively easy to change, leaked medical records are permanent and hold long-term value.”
Extra precautions for healthcare:
- Brief reception staff specifically on ATO scam tactics
- Use encrypted channels for all tax document sharing
- Verify any payment detail changes by phone
- Ensure patient TFNs are stored securely and separately
- Test your backups — ransomware is rampant in healthcare
Your Tax Season Security Action Plan
Establish Verification Procedures
Why: Trust but verify — especially when money or sensitive data is involved.
How:
- Never click links in tax-related emails — always type ato.gov.au or my.gov.au directly
- Verify unexpected contact by calling 1800 008 540
- Check sender email addresses carefully — look for subtle misspellings
- If your accountant emails about changed bank details, call them on a known number to confirm
- Wait for the coffee — don’t act on urgent tax messages first thing in the morning
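The advice above to check addresses for subtle misspellings can be made mechanical: compare the host a link actually leads to against the genuine domains rather than reading it by eye. This is an added example, not code from the article, the ATO or myGov; the trusted-domain list and the sample links are constructed for illustration, and a "trusted" result only means the host is the real domain, not that the message itself is genuine.

```python
from urllib.parse import urlsplit

# Domains the article says to type in directly instead of following an emailed link.
TRUSTED_DOMAINS = ("ato.gov.au", "my.gov.au")


def link_host(url: str) -> str:
    """Host a link really leads to: lowercase, no userinfo/port; non-ASCII labels become 'xn--' via IDNA."""
    parts = urlsplit(url if "://" in url else "https://" + url)
    host = (parts.hostname or "").rstrip(".")
    try:
        host = host.encode("idna").decode("ascii")
    except UnicodeError:
        pass  # keep the raw host; it still fails the trusted-domain test below
    return host.lower()


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one- or two-character misspellings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_link(url: str) -> str:
    """'trusted' only for a trusted domain or its subdomains; otherwise name the look-alike pattern."""
    host = link_host(url)
    for trusted in TRUSTED_DOMAINS:
        if host == trusted or host.endswith("." + trusted):
            return "trusted"
    labels = host.split(".")
    if any(label.startswith("xn--") for label in labels):
        return "suspicious: internationalised look-alike characters in the domain"
    tail = ".".join(labels[-3:])  # the part a reader's eye compares with 'ato.gov.au'
    for trusted in TRUSTED_DOMAINS:
        if trusted in host:
            return "suspicious: trusted name buried inside another domain"
        if edit_distance(tail, trusted) <= 2:
            return "suspicious: near-miss spelling of a trusted domain"
    return "untrusted: not a known ATO or myGov domain"


if __name__ == "__main__":
    # Constructed sample links for the demonstration, not real scam URLs.
    for link in ("https://my.gov.au/", "https://www.ato.gov.au/individuals",
                 "https://my.gov.au.account-review.example/login", "https://ato-gov.au/notice",
                 "https://my.gov.au@account-review.example/login",
                 "https://\u0430to.gov.au/login"):  # Cyrillic 'а' in place of Latin 'a'
        print(f"{classify_link(link):70} {link}")
```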
Secure Your Document Sharing
Why: Every document shared is an opportunity for interception.
How:
- Never email tax documents as plain attachments
- Use your accountant’s secure portal or encrypted file sharing
- Verify requests for documents come from legitimate sources
- Be suspicious of requests for documents you’ve already provided
- Establish a secure method with your accountant before tax time gets busy
Brief Your Team
Why: Everyone who handles email or finances is a potential target.
Cover these points:
- Current scam tactics — show them examples
- Red flags to watch for (urgency, threats, requests for credentials)
- Procedure for reporting suspicious messages
- The rule: urgency is a reason to slow down, not speed up
- Who to contact if they’re unsure about any communication
If You’ve Been Targeted or Compromised
If you’ve clicked a suspicious link, entered credentials on a fake site, or shared sensitive information, act immediately:
- Call the ATO: 1800 008 540
- Contact your bank if you shared financial details
- Change your myGov password immediately from a trusted device
- Contact IDCARE: 1800 595 160 — Australia’s national identity and cyber support service
- Forward scam emails to: ReportScams@ato.gov.au
- Report to Scamwatch: scamwatch.gov.au
- If you’re a healthcare provider: assess whether patient data may have been compromised and your notification obligations under the Privacy Act
Speed matters. The faster you act, the more likely authorities can prevent further damage.
Five Things You Can Do in the Next 30 Minutes
- Enable MFA on myGov — if you haven’t already, do it now
- Verify your accountant’s contact details — call them on a known number, not one from an email
- Send a team reminder — a quick email about tax scams costs nothing
- Save the emergency numbers — ATO (1800 008 540), IDCARE (1800 595 160)
- Check your backup status — verify your last successful backup
Ready to Secure Your Tax Season?
Tax time is stressful enough without worrying about cybercriminals. At Kalluri IT, we’ve been protecting Australian businesses since 2012, with particular expertise in healthcare, legal, and professional services — sectors where data protection isn’t optional.
Our Tax Season Security Check includes:
- Assessment of your current security posture
- Secure document sharing setup
- Staff awareness briefing on current scam tactics
- Backup verification and testing
- MFA implementation across critical systems
- Incident response preparation
One Response
Good read for business owners. I like how it explains modern scam tactics clearly without making the topic overly technical or fear based.