
Tax season might not be your favorite time of year, but scammers are absolutely buzzing with excitement. As Australian businesses rush to wrap up the end of financial year (EOFY) tasks, cybercriminals see an opportunity.
The Australian Taxation Office (ATO) warns that ATO impersonation email scam reports have spiked by over 300% compared to this time last year.
Scammers know this is when you’re expecting to hear from the tax office, so they ramp up their attacks during the chaos of EOFY.
And it’s not just individuals in the crosshairs.
Small and medium business owners are being targeted too, often because fraudsters know SMEs are busy and pressed for time. (After all, if you’re scrambling to get your paperwork in order, you might be more likely to click without double-checking, which is exactly what scammers are counting on.)
Why scammers love tax time (and why SMBs should care)
EOFY is prime time for scam campaigns. As June rolls into July, there’s typically a spike in tax-related scams. Fraudsters commonly pose as the ATO, sending emails or texts that use official logos and urgent language to blend in with legitimate tax communications. They’ll promise a refund or warn of a tax debt to create panic or excitement, then push you to act immediately.
The goal is to trick you or your staff into clicking a malicious link or divulging sensitive info before you realise it’s a con.
SME owners should be particularly vigilant. This kind of fraud doesn’t just target individuals: if you run a business, scammers will target your company inboxes too, impersonating the ATO, your accountant, or even your clients.
They know business owners are often juggling multiple tasks at EOFY, so a cleverly timed fake ATO email can slip past a distracted eye. In fact, small businesses lost a staggering amount to scams in 2024 (over $13 million), proof that cybercriminals are successfully preying on busy SMEs. The end of financial year, with all its deadlines and paperwork, just makes their job easier.
New tactics: AI-powered fake ATO messages
Unfortunately, spotting a scam isn’t as easy as noticing a typo anymore.
“Identifying these scams is becoming increasingly tough. Scammers are now leveraging AI to duplicate official ATO emails with alarming accuracy.”
– Aaron Bugal, Field Chief Technology Officer for APJ at Sophos, in a CyberDaily article
In other words, criminals can use artificial intelligence to craft perfect-looking emails that mimic ATO templates, wording, and even sender addresses. Your finance team could receive an email that looks exactly like a real ATO message, complete with logos and a convincing tone, making it harder than ever to tell real from fake.
Pro Tip: If even the office IT guru has to take a second look, you know the fakes are good. Scammers may use proper business English, mirror government webpages, and even spoof caller IDs. High-tech trickery is their game, so don’t feel embarrassed if a scam email looks legit at first glance – they’re designed that way.
Adding to the confusion, many Australians (and their employees) remain unaware of how the ATO actually contacts people. The ATO’s main form of communication is through your secure myGov inbox, not direct emails or random phone calls.
With the added pressure of tax season and this lack of awareness, it’s easy for people to be caught off guard by an email that seems to come out of the blue.
Scammers exploit this by sending out bogus “ATO” emails and calls, knowing some recipients won’t realise that an unsolicited email with a direct link is a red flag (the ATO never sends you a link to log in or asks for personal info via email).
The bottom line: if you or your staff get a surprise message claiming to be from the ATO, be skeptical. It’s likely a wolf in ATO clothing.
How to protect your team from tax scams
The surge in EOFY scams might sound scary, but there’s good news: a few proactive steps can dramatically reduce the risk to your business. Now is the time for approachable yet urgent action.
Below are ways SME owners can shield their staff and company from ATO impersonation fraud.
1. Educate your employees
Start with a quick huddle or training session on tax-time scams. Share examples of phishing emails or SMS (blur any personal info) so they can see what a fake ATO message might look like.
Emphasise common red flags: generic greetings, odd sender addresses, spelling mistakes like “Australian Taxiation Office,” urgent scare tactics, or links/QR codes asking them to log in.
When your team knows what to watch for, scams lose much of their power. A little empathetic coaching (“We know everyone’s busy, but taking a moment to double-check can save a lot of trouble”) goes a long way.
2. Verify, verify, verify
Make it a firm office rule that no one should click on links or give out info from an unsolicited ATO message. The ATO communicates via your official myGov account and will never ask you to log in through an email link.
Train staff to independently verify any tax-related communication: for example, if an email says “urgent action needed on your BAS,” they should go to the myGov website directly (by typing the URL or using a bookmark) or call the official ATO contact number to check.
In other words, trust but verify through a separate channel. It only takes a minute and can save your business from a costly mistake.
3. Strengthen your digital defenses
Now is a great time to review your company’s basic cyber hygiene.
Ensure all staff are using strong, unique passwords for their myGov and work accounts, enable multi-factor authentication wherever possible (for instance, turn on the SMS code feature for myGov logins), update your security software, and make sure your email spam filters are tuned correctly.
Many scam emails can be caught by good filters before anyone on your team even sees them. There are also free tools and browser extensions that can scan links or preview emails to flag scams (for example, services that check if a URL is safe before you click).
Using these tools adds an extra layer of protection in case someone accidentally lets their guard down.
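The red flags from step 1 and the filtering described above can be combined into a simple triage check for emails that staff forward as suspicious. This is an added example, not code from the original article; the trusted domains (ato.gov.au, my.gov.au), the keyword lists, the function names and the sample messages are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumption (not stated on the page): domains treated as genuine here.
TRUSTED = ("ato.gov.au", "my.gov.au")
CLAIMS_ATO = re.compile(r"\b(ATO|Australian Tax\w* Office|myGov)\b", re.I)
MISSPELLED = re.compile(r"Australian (?!Taxation\b)Tax\w+ Office", re.I)
GREETING = re.compile(r"^\s*dear (customer|taxpayer|client|user)\b", re.I | re.M)
URGENCY = re.compile(r"\b(urgent|immediately|act now|final notice)\b", re.I)
URL_HOST = re.compile(r"https?://([^/\s\"'<>]+)", re.I)

def is_trusted(domain):
    """True only for a trusted domain or a subdomain of one (not a lookalike)."""
    domain = domain.lower().rstrip(".")
    return any(domain == d or domain.endswith("." + d) for d in TRUSTED)

def red_flags(raw):
    """Return the page's red flags found in a plain-text, single-part email."""
    msg = message_from_string(raw)
    body = msg.get_payload()
    display, addr = parseaddr(msg.get("From", ""))
    text = f"{display} {msg.get('Subject', '')} {body}"
    if not CLAIMS_ATO.search(text):
        return []  # not tax-themed, nothing to score
    flags = []
    if not is_trusted(addr.rpartition("@")[2]):
        flags.append("odd sender address")
    if GREETING.search(body):
        flags.append("generic greeting")
    if MISSPELLED.search(text):
        flags.append("misspelled agency name")
    if URGENCY.search(text):
        flags.append("urgent language")
    if URL_HOST.search(body):
        flags.append("link in message")
    return flags

# Constructed sample messages (not real scam emails).
PHISH = """\
From: "Australian Taxiation Office" <refunds@ato-gov.example>
Subject: URGENT: your tax refund is waiting

Dear customer,
Act now to claim your refund: https://ato.gov.au.refund-check.example/login
"""
BENIGN = """\
From: Acme Supplies <accounts@acme.example>
Subject: June invoice

Hi Sam, the invoice is attached as discussed.
"""
```

An empty result is not proof that a message is genuine: the From header can be forged, so checking through myGov directly still applies.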
4. Establish clear verification procedures
Scammers often try to create panic to short-circuit normal processes. Combat that by setting up pragmatic internal processes.
Example: If an email asks to change bank details for supplier payments or requests an urgent transfer of funds, require a second staff member to sign off after verifying by phone with the supposed requester.
This can thwart business email compromise scams as well. Likewise, instruct your team that any request for sensitive data or payments purportedly from the ATO (or any authority) must be run by a manager before action.
A healthy degree of skepticism as company policy can stop scammers in their tracks.
Remember the ATO’s own mantra: “Stop. Check. Protect.” Take a moment to stop and think, double-check the source, and protect your business by not rushing into a scam.
5. Foster an open reporting culture
Make sure your staff know that they won’t be in trouble for mistaking a scam attempt for a real email. Encourage them to speak up and ask if they’re unsure.
Create an environment of confident transparency, where employees can forward a suspicious email to IT or management without hesitation. It’s much better to double-check a legitimate email than to silently click a malicious one.
Also, if anyone believes they did fall for a scam (clicked a link or gave info), emphasise that time is of the essence and they should inform IT/security immediately.
Quick action (like changing passwords, contacting the bank, or alerting the ATO) can contain the damage.
No judgment; cyber threats are complex, and even the best of us can slip. What’s important is responding fast and learning from the incident.
By taking all the above steps, you empower your team to be the first line of defense against scams. It’s all about making caution second nature, especially during the hectic EOFY period.
Other tax-season scams to watch out for
ATO impersonation emails are a big headache this year, but they’re not the only scam in town. SME owners should keep an eye out for a few other common tax-time frauds that tend to surface around EOFY:
“Tax Refund” scams
These arrive as an email or SMS claiming you’re owed a refund due to an overpayment.
The catch? You need to click a link and fill in personal/banking details, or pay a small “admin fee” to release the funds. It’s a con – the only thing you’ll end up paying is the scammer.
Remember, if you are actually owed a tax refund, it will be processed through official ATO channels (and never require an upfront fee). Any message pressuring you to “act now to get your refund” is a red flag.
“Tax Debt” or payment scams
The flip side of the refund scam is the threatening fake tax debt. Scammers will call or message saying you owe the ATO money, sometimes claiming there’s a warrant for your arrest or a fine if you don’t pay immediately. They’ll often demand unconventional payments like gift cards, cryptocurrency, or direct bank transfers to non-ATO accounts. These tactics are designed to scare businesses into paying without thinking.
In reality, the ATO never demands instant payment on the spot or threatens arrest via phone/email. Genuine tax debts are formally documented and payable through official methods over time. If you get an “ATO” call or email that sounds angry and urgent, it’s almost certainly a scam. Hang up, or delete the email, and verify through the real ATO channels.
Business identity scams
Some fraudsters target businesses with fake forms or renewal notices during EOFY, knowing companies are updating their records. You might see a bogus email about renewing your ABN (Australian Business Number), confirming your business details for a “registry,” or paying a fee to avoid business. These often impersonate government agencies like ASIC or business registries.
Always double-check such requests: often the fine print reveals it’s not an official email. When in doubt, log in to the official government portal (e.g. the Australian Business Register or ASIC Connect) to see if any real notice exists. Never pay fees or share details via an emailed form that you didn’t expect.
Year-round scams peaking at EOFY
Finally, be mindful of scams that affect businesses year-round but can spike when you’re busiest.
Business Email Compromise (BEC) is one: hackers spoof your vendor’s or client’s email and send you a fake invoice or bank detail change right when lots of invoices are flying around.
Similarly, false billing scams that utilise social engineering tactics (like phony bills for “domain renewal” or office supplies you never ordered) often surge at the end of quarter/year.
Combat these by keeping good records and always verifying unusual requests (e.g., call the supplier directly if an email asks for a sudden bank account change). A calm, methodical approach trumps the scammers’ urgency tactics every time.
By being aware of these schemes, you can avoid turning EOFY into “End of Fraud Year.” (Yes, scammers are creative, but with knowledge on your side, you can outsmart them.)
Stay sharp this tax season
At IT First Responder, we believe in acting early and staying transparent. A moment’s caution can save you serious trouble.
So as you wrap up the year, remind your team: no legitimate authority minds being double-checked. The ATO encourages it, scammers hate it. From interns to finance leads, make sure everyone knows to stop and verify.
Think of it like this: if someone showed up at your office claiming to be from the ATO, you’d ask for ID. Treat emails and texts the same way. That’s not paranoia—it’s good business.
Human vigilance, a bit of training, and the right tools can outsmart even AI-powered scams. Stop, check, protect, and you’ll sail through tax season unscathed.
Stay safe, stay savvy, and here’s to an EOFY where the only surprises are happy ones (hello, tax refunds!) – not costly scams.