How to Spot Fake ATO Email Scams This Tax Time
July is peak season for ATO and myGov impersonation scams targeting Australian small businesses. Here's how the tax-time phish actually works — and the simple habits that stop it.

It's the first week of July. Your BAS is due, your accountant is emailing you about receipts, and somewhere in your inbox there's a genuine message about the new financial year. Which makes this the one time of year when an email that says "Australian Taxation Office" in the sender line doesn't look suspicious at all.
Scammers know this. It's why ATO and myGov impersonation scams spike every July, right on schedule, like magpies in spring. The scam doesn't get smarter at tax time — you get busier, and that's all it needs.
The tax-time phish doesn't hack your computer. It hacks your calendar.
Why July is the perfect hunting season
Here's the mechanism, because it's worth understanding properly. For eleven months of the year, an unexpected email from the ATO is unusual — your brain flags it. In July, it's expected. You're lodging, reconciling, chasing your accountant. A message about your activity statement fits the pattern of your week perfectly, so it sails straight past the mental checkpoint that would normally stop it.
Now add the economics. Sending 50,000 phishing emails costs a scammer almost nothing — the templates are traded ready-made, and a lookalike domain costs a few dollars. Suppose only one recipient in five hundred clicks through and signs in to the fake page. That's still a hundred sets of working myGov credentials from a single morning's send. The scammer doesn't need you to be careless. They need one in five hundred people to be having a busy Tuesday — and in July, everyone is.
What actually happens when someone clicks
The email says something plausible: your activity statement has a discrepancy, or better, you're owed a refund — a specific, believable figure like $1,240.55, because precise numbers feel official. The link leads to a pixel-perfect copy of the myGov sign-in page. You type your username and password; the fake page quietly passes them to the real one, and you may even land on the genuine site afterwards, none the wiser.
From there the attacker is you, as far as the tax system is concerned. They can redirect refunds to their own account, lodge fraudulent amendments, and harvest enough personal detail — TFN, address, date of birth — to open credit in your name months later. The ATO's scam alerts page and Scamwatch track wave after wave of exactly this play. And the stakes aren't trivial: the Australian Signals Directorate's annual threat report has put the average self-reported cost of a cybercrime for a small business at close to $50,000 — with a report coming in roughly every six minutes nationwide.
The good news is that this entire scam depends on one move, and the defence is one rule: the ATO does not send unsolicited emails or texts with links asking you to sign in. Ever. If a message wants you to log in to myGov, don't touch the link — open a browser, type my.gov.au yourself, and check your inbox there. If the ATO genuinely needs something, it'll be waiting. That single habit defeats the whole July campaign.
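The same rule can back up the human habit at the mail filter. This is an added example, not part of the original article: it flags messages that use the ATO or myGov name and carry links, and it separates real hosts from lookalikes by exact domain matching. The function names, the verdict labels, the two-domain allowlist (taken from the sites this article names) and the sample messages are assumptions made for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlsplit

# Assumption: only the two sites named in the article count as official.
OFFICIAL = ("my.gov.au", "ato.gov.au")
BRAND = re.compile(r"\b(ato|mygov|australian taxation office)\b", re.I)
URL = re.compile(r"https?://[^\s\"'<>]+", re.I)

def is_official(host):
    """True only for an official domain itself or a real subdomain of it."""
    host = (host or "").rstrip(".").lower()
    return any(host == d or host.endswith("." + d) for d in OFFICIAL)

def triage(raw_message):
    """Return (verdict, [(host, label), ...]) for a single-part text email."""
    msg = message_from_string(raw_message)
    display, _addr = parseaddr(msg.get("From", ""))
    claims_brand = bool(BRAND.search(display + " " + msg.get("Subject", "")))
    findings = []
    for url in URL.findall(msg.get_payload()):
        # .hostname drops any "user@" prefix: my.gov.au@login.example -> login.example
        host = urlsplit(url.rstrip(".,)")).hostname
        findings.append((host, "official" if is_official(host) else "lookalike"))
    if claims_brand and any(label == "lookalike" for _, label in findings):
        return "quarantine", findings
    if claims_brand and findings:
        # Even a genuine-looking link breaks the "never sign in from a link" rule.
        return "warn", findings
    return "pass", findings

# Constructed sample messages (reserved example domains, not real traffic).
PHISH = (
    'From: "Australian Taxation Office" <noreply@ato-refunds.example>\n'
    "Subject: Your refund of $1,240.55 is ready\n\n"
    "Sign in: https://my.gov.au.refund-portal.example/login\n"
    "Mirror: https://my.gov.au@login.example/claim\n"
)
OFFICIAL_LINK = (
    'From: "myGov" <sender@example.org>\n'
    "Subject: New message in your inbox\n\n"
    "Sign in at https://my.gov.au/ to read it.\n"
)

if __name__ == "__main__":
    for name, raw in (("PHISH", PHISH), ("OFFICIAL_LINK", OFFICIAL_LINK)):
        print(name, triage(raw))
```

Both lookalike links in the first sample begin with the text my.gov.au, which is why the check compares the parsed hostname rather than searching the URL string.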
The twist: when the "ATO" fails, the "supplier" calls
So you've briefed the team, nobody clicks tax links, problem solved? Not quite — the new financial year opens a second front. July is when businesses genuinely update pricing, terms and account details, which makes it the perfect month for an email that says: "Please note our banking details have changed for FY27 — updated invoice attached." It looks routine because in July, it is routine. Pay that invoice and the money lands in a scammer's account, and bank recovery windows are brutally short.
The fix costs one phone call: any request to change payment details gets verified by ringing the supplier on the number you already have on file — never the one printed in the email, which just connects you to the scammer's helpful "accounts department".
A quick word about the spelling mistakes
For years, the standard advice was to look for clumsy English — the typos and odd phrasing were the tell. That advice is now obsolete, and it's worth pausing on why. We built AI tools that write flawless, friendly, perfectly formatted English at zero cost, and, uh… some of the most enthusiastic early adopters turned out to be the people writing the scams. The tell is gone. Which means the defence can't be "spot the bad grammar" any more — it has to be process: verify the channel, not the prose.
The July checklist
- Never sign in from a link. Type my.gov.au or ato.gov.au yourself. This one rule beats the entire tax-time phishing season.
- Turn on multi-factor authentication everywhere — myGov, email, banking, Microsoft 365. Stolen passwords are worth far less when they're not enough on their own.
- Verify every bank-detail change by phone, using the number already in your records — not the one in the email.
- Brief your whole team this week. The person who pays the invoices matters more than the firewall here. Structured security awareness training turns your staff from the easiest target into the first alarm.
- Check where you actually stand. A free Microsoft 365 Security Assessment shows whether a phished password would stop at the login screen or walk straight through — and managed detection & response catches the attacker who gets past everything else.
None of this requires new hardware or a big project. It requires ten minutes at Monday's meeting, before the second wave of July emails lands. The scammers are running a numbers game — your job is simply to stop being one of the numbers.
Local IT and cyber security support across NSW
Chewing IT delivers IT support, cyber security and scam-resilience training for businesses across the Central Coast, Newcastle, Lake Macquarie, Hornsby and the wider Sydney North Shore. Most work is delivered remotely with same-day turnaround, and on-site support is dispatched from our Wyong office on the Central Coast and our Hornsby office in Sydney.
Not sure whether your business would catch the fake ATO email? Get in touch for a straight conversation about tax-time security — before the scammers' busy season becomes yours.