ATO Tax Refund Scam in Australia (2026): how the phishing attack works and how to spot it

Why Australian tax season is peak scam season

The Australian financial year runs 1 July to 30 June. Most individuals lodge a return between 1 July and 31 October, and most refunds land in bank accounts between mid-July and the end of September. That ten-week window concentrates roughly 14 million Australian taxpayers into a single mental state: actively waiting for an ATO payment to arrive. Scammers know when the window opens and time their campaigns to match it.

Volume reflects the opportunity. The ATO reported in 2024 that it received more than 30,000 impersonation-scam reports across the calendar year, with refund-themed SMS and email the single largest category. The Australian Competition and Consumer Commission, which runs Scamwatch, separately tracked tens of millions of dollars lost to government-impersonation scams in the same period, with the ATO being the most-impersonated agency by a wide margin. The Australian Cyber Security Centre at cyber.gov.au sees the same pattern in its national incident reporting feed.

Scammers cluster their sends into three windows: early July (1 to 14 July, just after the financial year closes), late August to mid-September (peak refund processing), and late October (the run-up to the 31 October self-lodgement deadline, when overdue-payment threats become plausible).

How an ATO refund scam works end to end

Four stages, each engineered to look like the ordinary public-service experience an Australian taxpayer already expects.

Stage 1: Delivery. High-volume SMS or email blast impersonating the ATO. SMS often arrives from a spoofed alphanumeric sender ID displaying as "ATO" or "myGov", grouping into the same thread as legitimate messages from prior years. Email comes from addresses like noreply@ato-services.com or refund@ato-payments.net.

Stage 2: The hook. A refund ready, a TFN flagged, a BAS overdue, or a JobSeeker payment cancelled. Scarcity language ("within 24 hours or refund will be returned to Treasury") shuts down deliberation.

Stage 3: The landing page. The link opens a near-perfect clone of the myGov sign-in page using the ATO crest, "Australian Government" wordmark, and myGov logo. On mobile the difference is essentially invisible because the URL bar truncates. The user enters myGov username, password, SMS code, TFN, and bank details. Every keystroke is exfiltrated in real time.

Stage 4: The downstream attack. Two monetisation paths. Path A: real-time session takeover, the scammer logs into the genuine my.gov.au within minutes, changes the linked bank account, intercepts the next refund. Path B: the TFN plus identity data is used to lodge a fraudulent return next financial year, redirecting a fabricated refund to a mule account. Recovery through the Client Identity Support Centre takes weeks to months.

The 4 templates in active rotation

The exact wording shifts, but the underlying templates are stable. If the SMS or email you received matches one of these, treat it as a scam by default and do not engage.

Template 1: "Your tax refund is ready"

The most common variant. Sample SMS: "ATO: Your tax refund of $1,247.50 has been approved. Confirm your bank details within 24 hours to receive payment: ato-refund.com.au/claim". The dollar amount looks like a plausible refund (the average Australian individual refund in 2024 was around $2,800, so figures between $700 and $3,500 land in the believable range). "Confirm your bank details" frames the click as routine admin. The fake landing page collects myGov credentials and bank details under the cover of "direct deposit setup".

Template 2: "Tax File Number suspended"

Sample email subject: "URGENT: Your TFN has been temporarily suspended due to suspicious activity". The body claims a third party tried to lodge a return using the recipient's TFN, that the TFN is now frozen, and that identity must be verified within 48 hours or face permanent revocation. The most psychologically effective template because it inverts the victim's relationship to the threat: the user is told they are already a victim of identity theft, so clicking is framed as the protective action. In reality the click is the identity theft. The ATO does not suspend TFNs by email and will never ask you to verify identity via a link.

Template 3: "BAS overdue"

Targets small business owners and sole traders registered for GST. Sample SMS: "ATO: Your BAS lodgement is overdue. Outstanding balance $4,182.66. Pay within 24 hours to avoid penalty: ato-claim.online/bas". The Business Activity Statement angle is plausible because most small businesses lodge quarterly BAS and many have received a real late-lodgement reminder from the ATO at some point. The fake variant demands immediate card payment to an "ATO clearing house" that is in fact a scammer-controlled merchant account.

Template 4: "JobSeeker payment cancelled"

Sample SMS: "Services Australia: Your JobSeeker payment scheduled for tomorrow has been cancelled. Verify your details to resume payment: mygov-services.net/restore". Strictly a Services Australia / Centrelink impersonation rather than an ATO one, but it almost always routes through a fake myGov sign-in page and collects the same credentials that unlock the ATO portal. Real payment changes from Services Australia appear inside the myGov inbox, never via an external link.

Lookalike ATO domains in 2026

Scammers cannot register an ato.gov.au domain, because .gov.au is a restricted second-level domain reserved for verified Australian Government entities through the Australian Government Domain Name System. So they default to consumer-grade TLDs that look government-shaped at a glance. Recognising the patterns is half the battle.

Pattern 1: ATO keyword on a non-government TLD

Examples observed in 2026 campaigns: ato-refund[.]com.au, ato-claim[.]online, australian-tax[.]net, ato-payments[.]com, ato-services[.]online, mytax-au[.]com.

The .com.au example deserves a note. Many Australians assume any .com.au domain is government-verified. It is not. .com.au is a commercial TLD any business with an active ABN can register. The only reliably government-restricted Australian TLD is .gov.au.

Pattern 2: myGov lookalikes

The legitimate myGov sign-in page lives at my.gov.au. 2026 lookalike variants include mygov-services[.]net, mygov-login[.]com, my-gov[.]online, mygov-au[.]com, and mygov-secure[.]net. None are operated by the Australian Government. The genuine myGov domain is always my.gov.au with the dot between my and gov and the .au on the right.

Pattern 3: ATO subdomains on free hosting providers

Examples: ato-refund[.]vercel[.]app, ato-claim[.]netlify[.]app, mygov-verify[.]pages[.]dev, ato[.]github[.]io. Free hosting platforms take minutes to set up and provide automatic HTTPS. Attackers spin up a fresh subdomain, push the cloned myGov page, and start sending texts within an hour. The padlock icon confirms only that traffic is encrypted, not that the page is operated by the ATO.

Pattern 4: URL shorteners hiding the destination

Examples: bit.ly/ato-refund-2026, tinyurl.com/myGov-verify, t.ly/ATOclaim. The destination is hidden until you tap, and the tap is the entire attack.

How real ATO contact actually works

The simplest defence is knowing what real ATO contact looks like. Memorise these facts, published by the ATO itself at ato.gov.au/online-services/scams:

• The ATO never sends an SMS or email with a hyperlink asking you to log in, verify identity, claim a refund, or update bank details. No exceptions for "secure messages" or "urgent verification".
• Real refund notifications appear inside your myGov Inbox. You reach it by typing my.gov.au into a fresh browser tab. You will not be sent an external link to "view" or "claim" the refund.
• The ATO never demands payment by gift card, cryptocurrency, prepaid debit card, or wire transfer. Real payments go via BPAY, credit card on a verified ato.gov.au URL, or direct deposit to an ATO account number that has not changed in years.
• The ATO never threatens arrest, deportation, or immediate court action by phone or SMS. Real debt-collection processes involve multiple mailed notices and months of due process.
• The ATO will never ask for your TFN, myGov password, or bank password via email or SMS. The agency that issued your TFN does not need you to send it back.
• The official ATO phone enquiry line for individuals is 13 28 61. Verify this number on ato.gov.au itself before calling. Do not Google the ATO phone number, as tech-support scammers run fake "ATO support" listings in search results.

The verification routine that catches every variant

Use this short routine in order:

1. Do not tap the link. The link is the entire attack.
2. Open a fresh browser tab and type my.gov.au directly. Do not search for "myGov" or "ATO" in Google: sponsored scam ads occasionally appear at the top of results. Bookmark my.gov.au for future use.
3. Log into myGov and open the Inbox. Any real refund notification, TFN flag, BAS reminder, or Services Australia payment change will appear there. If your inbox is empty, the message was fake.
4. If the message references a specific notice, call the ATO on 13 28 61. The Individual Enquiries line operates Mon-Fri business hours. Verify the number on ato.gov.au itself.
5. Report the phishing attempt. Forward suspicious ATO-themed emails to ReportAScam@ato.gov.au as an attachment if possible. For SMS, send a screenshot to the same address. Report to Scamwatch at scamwatch.gov.au (ACCC). If credentials or money were lost, also report to the Australian Cyber Security Centre via cyber.gov.au or ReportCyber on 1300 292 371.

For a second opinion on a specific link before you tap it, paste it into the SafeBrowz URL checker. The checker unwraps shorteners, checks domain age (most ATO phishing destinations are registered less than 30 days before the campaign launches), runs the URL through community blacklists, and returns a verdict in seconds. No login required.

How SafeBrowz blocks this threat

SafeBrowz runs a 3-layer detection architecture: Local + APIs + AI.

• Layer 1 (Local detection): 60+ URL patterns plus 550+ brand-specific signatures running in the browser extension before the page renders. Layer 1 catches the ato-*, mygov-*, and australian-tax-* pattern families on any non-gov.au TLD instantly. ATO and myGov are in the brand database with official domains hard-pinned, so any page rendering ATO or myGov branding on a different host is flagged. Completes in milliseconds with no network call.
• Layer 2 (API checks): aggregates Google Safe Browsing, PhishTank, URLhaus, ScamAdviser, and 30+ scam TLDs. URL shorteners are unwrapped server-side so the verdict runs against the real destination. Domain age under 30 days, suspicious WHOIS, or a Safe Browsing hit pushes the verdict to danger.
• Layer 3 (AI deep scan, Premium): page content is analysed by a content-aware model that detects government-brand impersonation in 100+ languages including Australian English. ATO crest, myGov logo, or text like "Tax refund verification", "TFN suspended", or "BAS overdue" on a domain that is not ato.gov.au or my.gov.au is flagged as government impersonation. The same layer catches Services Australia, Medicare, Centrelink, and AFP impersonation.

Detection signatures come from threat-intelligence research and brand database analysis, not from user browsing data. Per-user URL history is never stored.

What to do if you already tapped the link or entered information

If you tapped the link but did not enter anything, close the tab and clear browser cookies for that domain. If you were prompted to download a file, do not run it. If you already ran it, treat the device as compromised and run a full antivirus scan.

If you entered your myGov credentials, TFN, or bank details, work through this list in order:

• Change your myGov password immediately at my.gov.au (open a fresh tab, type the address yourself).
• Enable myGov MFA (Code Generator app or SMS code) if it is not already on. Without MFA, a scammer with your password owns the account.
• Call the ATO Client Identity Support Centre on 1800 467 033 during business hours. This is the dedicated line for taxpayers whose identity may have been compromised. Staff can place a flag on your TFN that requires additional verification before any future return is processed, blocking fraudulent lodgements.
• Check the linked bank account in myGov. If a scammer has already changed it, change it back and report the unauthorised change.
• File an identity-theft report with IDCARE on 1800 595 160 (free national identity and cyber-support service for Australia and New Zealand). Case managers help coordinate notifications across affected agencies and credit bureaus.
• If you entered bank or card details, call the bank fraud line on the number printed on the back of your card. The bank will freeze the account, reissue card or BSB/account numbers, and dispute unauthorised debits. Monitor the account daily for at least 90 days.

Place a credit freeze (called a "ban" in Australia) with all three major credit bureaus, illion (illion.com.au), Equifax Australia (equifax.com.au), and Experian Australia (experian.com.au). Each ban blocks new credit accounts from being opened in your name and is free to request. Finally, file reports at scamwatch.gov.au and at cyber.gov.au (ReportCyber, 1300 292 371). These reports feed law-enforcement signals that help shut down active campaigns and support any subsequent insurance claim or bank dispute.

Protection guide: how to make ATO phishing fail in advance

Six steps in priority order to make the phishing harvest useless before it happens:

1. Turn on myGov MFA. Inside my.gov.au, Account Settings, enable the myGov Code Generator app or SMS code. The single highest-impact ten-minute investment any Australian taxpayer can make.
2. Subscribe to the ATO scam alerts page at ato.gov.au/online-services/scams. Familiarity with current variants drops your click rate close to zero.
3. Bookmark my.gov.au in your browser. Always reach myGov from the bookmark, never from a search result, an SMS, an email link, or a sponsored ad.
4. Install a phishing-detection browser extension. SafeBrowz is free for Chrome, Firefox, and Edge. Premium adds unlimited daily AI scans and detection of drainer JavaScript embedded in fake government pages for $14.99 per year.
5. Verify any unexpected ATO contact via 13 28 61. Hang up or close the message and call the Individual Enquiries line from the number on ato.gov.au. Real ATO staff can confirm in under a minute whether anything was actually issued in your name.
6. Lodge your return as early as you reasonably can. The longer your refund sits unclaimed, the larger the window in which a fraudster can lodge in your name first.

Block ATO phishing destinations automatically

SafeBrowz is a free browser extension for Chrome, Firefox, and Edge that detects ATO, myGov, Services Australia, Centrelink, and other Australian Government impersonation phishing the moment the page loads. The core protection is free forever. Premium adds unlimited daily AI scans and drainer JavaScript detection for $14.99 per year, or hold 10 million $SAFEBROWZ tokens on Base for unlimited Premium access. No install required to check a single link, the free public URL checker handles one-off cases.

Frequently asked questions