Tax time is stressful enough without having to worry about scammers lurking in your inbox—but unfortunately, that’s exactly what’s happening this year.

A new, highly sophisticated phishing scam is making the rounds, and it’s targeting Australians right when we’re most likely to be expecting official messages from the ATO or myGov.

Even if you consider yourself pretty tech-savvy, this scam is clever enough to fool just about anyone—and it’s even designed to get around two-factor authentication (2FA), which many of us rely on for extra security.

This isn’t your run-of-the-mill, typo-riddled scam email. According to cybersecurity experts at MailGuard, the scam starts with a very convincing email that appears to come from the ATO.

The subject lines are designed to grab your attention—think 'New mail In' or 'Urgent new notification in your account inbox.' The message is polite, urgent, and looks exactly like something you’d expect to see during tax season.

The email urges you to click a link to 'review' a message or claim a refund. If you do, you’re taken to a fake myGov login page that’s almost indistinguishable from the real thing.

Here’s where it gets really sneaky: after you enter your myGov username and password, the site asks for your SMS verification code—just like the real myGov site would. This is a deliberate move to bypass 2FA, a security measure that’s supposed to keep your account safe even if your password is stolen.

A new, highly sophisticated ATO phishing scam is targeting Australians during tax season, using fake myGov emails to steal personal and financial information. Image source: Ed Hardie / Unsplash.

But it doesn’t stop there. The fake site then asks for even more personal information, including your full name, date of birth, address, driver’s licence number, and credit card details. In other words, everything a scammer needs to steal your identity or drain your bank account.

'It’s a textbook example of psychological manipulation. The message is urgent, polite, and familiar — exactly what someone would expect during tax season. But one click opens the door to identity theft and financial fraud,' said MailGuard CEO Craig McDonald.

The timing of this scam is no accident. As McDonald explains, 'Cybercriminals are opportunists. They exploit timing, behaviour, and platform trust. During tax time, Australians expect emails from the ATO or myGov and that expectation becomes a vulnerability if not protected.'

With millions of Australians preparing and lodging their tax returns, scammers know we’re on the lookout for official messages. That’s why their emails are so convincing—and why so many people are falling for them.

Also read: Tax office exposes scams that mislead super members

This isn’t an isolated incident. The ATO has reported a staggering 300% increase in scam emails compared to the same period last year.

In just the first four months of 2025, phishing scams have cost Australians nearly $13.7 million—almost triple the losses reported in early 2024. While the total number of scam reports has dropped, the amount of money lost is skyrocketing, showing just how effective these new scams have become.

It’s not just individuals who are at risk, either. Businesses are also being targeted, with scammers using similar tactics to try to access sensitive financial information.

So, how can you tell if that email from the ATO or myGov is the real deal or a scam? Here are some key things to look out for:

• Unsolicited emails or SMS messages with links: The ATO and Services Australia have made it clear—they will never send you an email or text with a link asking you to log in, provide personal information, or share your password.
• Requests for personal or financial information: If you’re being asked for your driver’s licence, credit card details, or other sensitive info, it’s almost certainly a scam.
• Urgent or threatening language: Scammers often try to create a sense of urgency to get you to act without thinking.
• Suspicious sender addresses: Even if the email looks official, check the sender’s address carefully. Scammers often use addresses that are close to, but not exactly, the real thing.

If you ever receive a message that seems suspicious, don’t click any links or provide any information. Instead, log in to your myGov or ATO account by typing the address directly into your browser, or use the official app. Any legitimate communication about your tax affairs will be waiting for you there.

If you think you’ve received a scam message, or if you’ve accidentally given out your details, contact the ATO directly and report the incident to Scamwatch. The sooner you act, the better your chances of minimising any damage.

You can view the photos of the phishing scam emails here.

Read next: Is the ATO messaging you more than usual? Here are some things to watch out for during tax season

Key Takeaways

• A new, highly sophisticated ATO phishing scam is targeting Australians during tax season, using fake myGov emails to steal personal and financial information.
• The scam stands out for its ability to bypass two-factor authentication (2FA), tricking victims into providing SMS verification codes and sensitive details like driver’s licence numbers and credit card information.
• Phishing scams like this are on the rise, with the ATO reporting a 300% increase in scam emails and nearly $13.7 million in losses in the first four months of 2025 alone.
• The ATO and Services Australia remind Aussies they’ll never send unsolicited emails or SMS messages with links or requests for login details, and urge anyone suspicious to contact the ATO directly or report scams to Scamwatch.

We know many of our members have been on the receiving end of scam attempts—some more convincing than others! Have you received a dodgy email or text claiming to be from the ATO or myGov? Did you spot the scam, or did you nearly get caught out? Share your experiences in the comments below!

 

[Rickcb63]

It is amazing how stupid people can be. Government agencys clearly inform in their emails that never to click on a link and that they will never ask for personal information in an email. The agency will send email saying to log into the relevant Government agency or phone them on a government phone number.
There needs to be an advertising campaign by Government about this - pit on TV, Bill boards and every Government website in big bold letters.

Wouldn’t be worrying about that side of it, people are stupid !
Take away the fact that scammers are able to hack the government and want us all to go digital !
that’s the worry !

 

[Leeann]

I’ve received one text message and one email. Fortunately just remembered in time not to click on the text. It would be easy to do if you’re side tracked minding grandchildren etc.

 

[7777]

Once again..
If anyone falls for this then they are plain and simply stupid and deserve to lose everything they have.
Simple: DO NOT CLICK ON ANY LINK!
If you get this email or text simply delete it and go straight to your MyGov account and check it out..

Dear member BruceC, thankyou for your post. Just because the elderly are trusting of people, please don't lable them as simply stupid and deserve to loose everything they have, as you have stated in your post. These words are very degrading and disrespectful, no one deserves to loose everything they have, because they placed their trust into a strange email. The elderly are not as tech savvy as you might be. Please, show respect to the elderly who have experienced so much throughout their lives both good and bad. Don't mock their inability to recognise a scam. Who knows, technology could soon become even more advanced, placing you in a vulnerable situation. I don't think you would appreciate being called, simply stupid and deserve to loose everything you ever had. We can learn so much from the elderly, please, show respect and dont mock those who fall victim to scammers, because it is happening to people all over the world, both to the young and the elderly. Wishing you a pleasant day. God bless,

 

[Isis]

There is only one thing we all need not to do. Age grouping regardless, don’t tap on any link. You can contact the provider to check, but my gov does not ask to tap on links and nor should a lot iof providers.

 

[Isis]

Dear member BruceC, thankyou for your post. Just because the elderly are trusting of people, please don't lable them as simply stupid and deserve to loose everything they have, as you have stated in your post. These words are very degrading and disrespectful, no one deserves to loose e erything they have because they placed their trust into a strange email. The elderly are not as tech savvy as you might be. Please show respect to the elderly who have experienced so much throughout their lives both good and bad. Don't mock their inability to recognise a scam. Who knows, technology could soon become even more advanced placing you in a vulnerable situation. I don't think you would appreciate being called simply stupid and ordeserve to loose everything you ever had. We can learn so much from the elderly, please, show respect and dont mock those who fall victim to scammers, because it is happening to people all over the world, both the young and tbe elderly. Wishing you a pleasant day. God bless,

Thought the same thing thank you for your comments that would have echoes mine.

 

[ozieagle]

It is crucial that YOU NEVER NEVER EVER CLICK ON A LINK IN A TEXT OR EMAIL!!!!! If it sounds genuine go directly to the site and log in yourself. It will show whether there is a message for you or not.

OK I wasn't aware that others had posted. They say the same thing.

 

[Isis]

It is amazing how stupid people can be. Government agencys clearly inform in their emails that never to click on a link and that they will never ask for personal information in an email. The agency will send email saying to log into the relevant Government agency or phone them on a government phone number.
There needs to be an advertising campaign by Government about this - pit on TV, Bill boards and every Government website in big bold letters.

Trusting does not mean stupid. , a lot of people particularly the elderly take it as gospel. I am elderly but have learned what not to do. But it is a new world for us and we don’t deserve vilification.

 

[PepeLePew]

Nope, I'm not gonna get scammed. Any and all emails that come from so called MyGov don't get clicked into until I go to my MyGov account and check to see if I have a message from them. If the email is genuine then I will have a message on my account, if not I just delete said email. It's not rocket science.

 

[Radiant]

Yes I got asked to pay a $300 speeding fine before midnight or I would incur more costs. As suspicious as I usually am I believed it. BUT I got onto the License registration place to check (it took me ages waiting time) and got confirmation it was a hoax. I believed it because I thought Australia Podt may have lost or mid delivered a letter advising me of a fine

 

[Radiant]

Once again..
If anyone falls for this then they are plain and simply stupid and deserve to lose everything they have.
Simple: DO NOT CLICK ON ANY LINK!
If you get this email or text simply delete it and go straight to your MyGov account and check it out..

Oh no people are not stupid. The scams can be very convincing. I’m not stupid and I don’t deserve to lose money, but I nearly fell for one

 

[Veggiepatch]

Yes I got asked to pay a $300 speeding fine before midnight or I would incur more costs. As suspicious as I usually am I believed it. BUT I got onto the License registration place to check (it took me ages waiting time) and got confirmation it was a hoax. I believed it because I thought Australia Podt may have lost or mid delivered a letter advising me of a fine

Never pay an infringement notice via online methods, whether it be BPay. credit or debit card. It will give the "issuing authority" access to more than your name and address.

Be like me. Just disregard them and never pay them. Saved me over $10000 over the last 15 years.

 

[7777]

It is amazing how stupid people can be. Government agencys clearly inform in their emails that never to click on a link and that they will never ask for personal information in an email. The agency will send email saying to log into the relevant Government agency or phone them on a government phone number.
There needs to be an advertising campaign by Government about this - pit on TV, Bill boards and every Government website in big bold letters.

Dear member Pec Xland, thankyou for your post. Kindly stop calling the elderly stupid because they opened an email to a scam. This is a Senior's Discount Club. So when you call one elderly stupid, you are in sense, mocking and insulting other respected elderly who are members on SDC. Views and opinions can be expressed without insults and name calling the elderly. Calling the elderly stupid, does not raise your level of intelligence, or make you a stronger person, because you dare to be so insulting. It kind of makes people feel sorry for you, for choosing to lower your level of respect for others, and yourself. Wishing you a pleasant afternoon. God bless,

 

[7777]

Never pay an infringement notice via online methods, whether it be BPay. credit or debit card. It will give the "issuing authority" access to more than your name and address.

Be like me. Just disregard them and never pay them. Saved me over $10000 over the last 15 years.

Dear member Veggipatch, thankyou for your post. You make it sound so easy. I always get worried that I will get a court summons if I don't pay an infringement. Wishing you an enjoyable afternoon. God bless,