From: The Australian Taxation Office.

1. Online services
2. Scams, cyber safety and identity protection
3. Verify or report a scam

Verify or report a scam

What to do if you get a phone call, text message or email that you’re not sure is genuine.

Last updated 25 January 2024

On this page

• Verify a scam
• Report a scam
• Warning signs of tax scams

Verify a scam

Scams trick you into paying money or giving out your personal information.

Scammers often pretend to be from trusted organisations like the ATO.

We will sometimes contact you by phone, email, SMS and post. If you’re not sure whether it’s really us, do not reply. You should phone us on 1800 008 540 to check.

We’re recommencing the use of an external debt collection agency, recoveriescorp. If you’ve been referred to them, recoveriescorp may contact you by phone, email, SMS or post. If you’re not sure whether it’s really them, do not reply. Phone recoveriescorp directly on 1300 323 495 to check**.**

Report a scam

If you’ve been affected by an ATO impersonation scam, you can report it to us.

This information contains instructions on how to report:

• Email and SMS scams
• Phone scams
• Social media scams

Information about scams and how to report a scam is also available in Easy Read format and other languages.

Email and SMS scams

If you’ve received a scam email or SMS, do not click on any links, open any attachments or download any files. We will never send an unsolicited SMS that contains a hyperlink.

If you did pay money or provide sensitive personal identifying information to the scammer, phone us on 1800 008 540 to report it.

You should also:

• make an official report to your local police
• contact your bank or financial institution if you provided your credit card or bank details to the scammer
• contact the bank you made the payment to and lodge a fraud report.

If you did not pay money or provide sensitive personal identifying information to the scammer, you should still report the scam to us. You can either:

• forward the entire email to [email protected]
• take a screenshot of the SMS and email it to [email protected]

Delete the email (from your inbox, sent, and deleted items) or SMS after reporting it to us.

You can report other types of scams to ScamwatchExternal Link, or contact the Australian Cyber Security CentreExternal Link to report cybercrime.

Phone scams

If you received a scam phone call and you did pay money or provide sensitive personal identifying information to the scammer, phone us on 1800 008 540 to report it.

You should also:

• make an official report to your local police
• contact your bank or financial institution if you provided your credit card or bank details to the scammer
• contact the bank you made the payment to and lodge a fraud report.

If you received a scam phone call and did not pay money or provide sensitive personal identifying information to the scammer, you should still report the scam to us. You can use our online Report a scam form.

Social media scams

We’ve recently observed several social media accounts impersonating us.

If you’re approached by a social media account that is impersonating us, do not engage with it. Take a screenshot of the account or post and email it to [email protected].

You can read more on how to identify our legitimate social media accounts.

Warning signs of tax scams

Scammers are constantly looking for new ways to trick people.

There are some common warning signs to help you check if you have been contacted by a scammer or by us:

• Emails and SMS scams
• Phone scams
• Social media scams

You can also find out about current scams we’re aware of.

Emails and SMS scams

Some of the common features of email and SMS scams are described in the table below. Use this information to help you identify and respond to scams.

How to identify and respond to email or SMS scams|What scammers may do|Our approach|
| — | — |
|Scammers may send text messages or emails advising of suspicious activity on your account. They may ask you to provide personal information through a return SMS or email.|Where the ATO has identified suspicious activity on your account, we may place protective measures on the account to protect you.

We may SMS or email you to advise that suspicious activity has been identified on your account. However, we will never send an unsolicited message asking you to return personal identifying information through these channels.

If you’re not sure whether it’s really us, do not reply. Phone us on 1800 008 540 to check.

Protect your personal information. Do not give out your tax file number (TFN), date of birth, bank details, or other personal identifying information unless you trust the person you are dealing with, and they genuinely require these details.

Never share your myGov sign in details with anyone, including your registered tax agent.|
|Scammers send text messages or emails that contain a link for you to click on or a QR code to scan to log on to online services.

Scammers create fake log on or sign in pages that look real. They use these sites to steal your credentials (usernames and passwords).|We will never send you an email or unsolicited SMS with a link or a QR code to log in to online services.|
|Scammers send text messages or emails that contain a link to download files or attachments.

Scammers may do this to install malicious software on your computer to gain access to your data. Or they may keep your personal identifying or financial information for future misuse.|Do not download attachments, or click links, even if the message appears to come from us.

We will never send you an unsolicited SMS message that contains a hyperlink.|

Phone scams

Some of the common features of phone scams are described in the following table. Use this information to help you identify if a phone call claiming to be from us is a scam.

How to identify phone scams|What scammers may do|Our approach|

|Scammers may threaten you with immediate arrest. They do this to make you afraid or panic and stop you thinking clearly.|We will never threaten you with immediate arrest.|
|Scammers may:

• demand you pay right now and keep you on the phone line until you pay
• say that if you hang up there will be a warrant for your arrest.

They use these threats to make you pay by the end of the call.|We will never demand you stay on the line until a payment is made.|
|Scammers may:

• send unsolicited pre-recorded messages (robocalls) to your phone
• leave messages on your voicemail asking you to call back.|We will never send unsolicited pre-recorded messages to your phone.

Only phone us on a number you have looked up yourself. Do not call the number given to you in the call or voicemail.|
|Scammers may use technology to show real ATO or Australian phone numbers in the caller ID or call log.|Calls from the ATO do not show a number. They will show as No Caller ID.

Only phone us on a number you have looked up yourself. Do not call the number shown in caller ID or in your call log.|
|Scammers may request that you pay a fee to receive a tax refund.

They will usually ask you to pay the fee using your credit card and then steal your credit card details.|We will never ask you to pay a fee to receive a refund.

Do not provide your credit card details to anyone unless you trust the person you’re dealing with, and they genuinely require these details.|
|Scammers may request that you pay money into a personal bank account.

This could be an Australian-based account established by scammers. The money moves accounts until it is sent offshore.|We will only ever ask you to pay a tax debt into a bank account held by the Reserve Bank of Australia. Check online to see that the Bank-State-Branch (BSB) number is one for the Reserve Bank of Australia.

You can find out about legitimate ways to make payments to the ATO.|
|Scammers may tell you that your TFN has been cancelled or suspended due to money laundering or other criminal activity.

They will say you either need to:

• pay money to avoid being arrested or sent to court
• transfer your money to a safe bank account to protect your TFN from future misuse.|We do not cancel TFNs.

Always check that you’re dealing with a legitimate agency before providing any information. If you’re not sure, hang up.

You can phone us to check. Only call us on a number you have looked up yourself. Do not call the number given to you in the call or voicemail.|
|Scammers may refuse to allow you to speak with a trusted adviser or your regular tax agent.

They do this to prevent anyone from telling you that it’s a scam and stopping you from paying.|We will never prevent you from discussing your tax affairs with your trusted adviser or agent.|
|Scammers may request payment by retail gift cards or vouchers such as iTunes or Google Play.

These vouchers can be easily purchased and sold globally. They are an untraceable form of currency (money).|We will never request payment of a debt through iTunes, Google Play, or other vouchers.

You can find out about legitimate ways to make payments to the ATO.|
|Scammers may request you pay money through offshore wire transfer (where the scammers are located).|We will not request payment of a debt through offshore wire transfer.

You can find out about legitimate ways to make payments to the ATO.|
|Scammers may offer payment arrangements if you can’t pay the full amount.

This is one to increase instances of payments and the total amount paid.|Before you enter a payment arrangement, contact us or your tax agent using a number you have looked up yourself.|
|Scammers may attempt to make a conference call with a fake tax professional, law enforcement officer or another official.

They do this to make the call seem real and increase your fear, but the second person will be another scammer.|We will never make a conference call with a third party, such as your tax agent or law enforcement.

Know your tax affairs – you can log into ATO online services through myGov to check your tax affairs at any time. You can also contact your tax agent or the ATO.|
|Scammers may request payment by Bitcoin or other cryptocurrencies, either directly or deposited into an ATM.

This currency is difficult to trace and offers more anonymity.|We do not accept payment in cryptocurrency.

You can find out about legitimate ways to make payments to the ATO.|
|Scammers may request that you pay money through a cash delivery either through a courier service or made in person at a pre-determined public location.|We will never ask you to pay through a cash delivery.

You can find out about legitimate ways to make payments to the ATO.|
|Scammers may request that you pay through cardless cash ATM withdrawals.|We will never ask you to pay a tax debt through a cardless cash ATM withdrawal.

You can find out about legitimate ways to make payments to the ATO.|

Social media scams

Some of the common features of social media tax scams are described in the table below. Use this information to help you identify and respond to scams.

How to identify and respond to social media scams|What scammers may do|Our approach|
| — | — |
|Scammers may create fake social media accounts and send requests to you asking for personal identifying information or payments.

We’re actively working to combat these scams as they arise.|We are on FacebookExternal Link, TwitterExternal Linkand LinkedInExternal Link, but we will neveruse these social media platforms to ask you to provide personal information or documentation, or ask you to make payments.

You can tell it’s genuinely our Facebook account as our page has a blue verification tick to the right of our name (Australian Taxation Office). Our X (formerly Twitter) account has a grey tick next to our username (@ato_gov_au).

You can verify us on LinkedIn by ensuring that the account you’re engaging with:

• has the official ATO logo and organisational name next to the message. Beware of slight variations of our name, like ‘Australia’ rather than ‘Australian’ Taxation Office
• has been posting on LinkedIn actively, and has been doing so for a long time
• only provides you with email addresses that end with ‘.gov.au’
• doesn’t have typos or grammatical errors in its messages
• has a large number of account followers.

We will never interact with you through Whatsapp.

Never share information such as your TFN, myGov or bank account details on social media, even through private message.|
|If you comment on our social media posts, scammers may respond and offer to provide support, asking you to direct message them away from our official page.|We can’t access or discuss your personal ATO account on social media. We’ll never:

• send you a private or direct message
• engage with you outside our official social media pages
• ask you for personal identifying information such as your TFN.|

Authorised by the Australian Government, Canberra.

Thank you for the information provided here.

The section regarding email and SMS scams is of particular interest to me.

I’ve recently been sent multiple emails and SMS messages by my Superannuation company (Aware Super), with links to click to login to their website. One such message was a link to click to register my details for a new account.

I contacted Aware’s Member Relations Team, concerned that this practice is unsafe. There have been multiple recent reports of scams involving unsuspecting targets receiving emails/SMS messages in the same thread as previous genuine messages, with links to login in to what transpired to be a cloned website. Login information was captured and money stolen.

Aware Super was not very receptive to my request to reconsider their policy regarding sending links. I provided examples of messages from other financial institutions stating they will never send a link in an email or SMS.

I sent my response to their Chief Operating Officer, Jo Brennan, since she was quoted in a previous CHOICE article ( https://www.choice.com.au/money/financial-planning-and-investing/superannuation/articles/stopping-super-scams ), “Brennan says that scammers trying to fraudulently create super accounts to steal people’s super “is one of the most rapidly emerging threats to members”.”

I also copied my response to their Chief Risk Officer.

The final response I received from Aware states: “We have assessed your complaint and acknowledge the concerns you have raised. We can assure you that links that are sent to members via email and SMS channels, adhere to our rigorous security and risk protocols, and all links are assessed and approved by our Risk & Compliance teams, in line with our risk frameworks.

Furthermore, we conduct a robust due diligence process to ensure that all links issued never directly send members to log-in portal pages, but rather direct members to our public website, where they can subsequently choose to log-in by navigating to the member log-in portal.”

This completely misses the point of the risk of sending links at all, since the source of the sent message may be a scammer impersonating the sender, directing them to a cloned website for nefarious purposes.

There’s nothing further I can do, other than point out my experience here, so others can hopefully be forewarned and be very wary of clicking on a link to a financial institution’s website sent in an email or SMS.

It is infuriating. Some organizations just do not get the message and continue to send out emails and SMS to their customers with links to click on or press that lead to active logins or acceptance of something.
They just normalise the very thing that scammers exploit.

Good on you for raising a complaint. And so should others.

IMG_09881073×313 53.5 KB

Received this text message this morning. There’s an alert about this on the Auspost scam alerts. Will forward it to them.

Protect ourselves. Post Office scams

• Personal About us About our site Online security, scams & fraud Scam alerts

Scam alerts

Learn how online attackers are targeting Australia Post customers and attempting to gain your personal or financial information.

View current scams Protect yourself from scams with the AusPost

Australia Post will never:

• call, text or email you asking for personal or financial information including password, credit card details or account information
• call, text or email you to request payment
• ask you to click on a social media message to organise a courier for your online marketplace listings

If you think you’ve fallen victim to a scam, contact iDCare on 1800 595 160. You can also refer to their factsheet for more information.

Report a scam

If you’ve received a suspicious email, invoice or text message claiming to be from Australia Post, send it to [email protected] so that we can investigate. This mailbox is for reporting suspicious scams only. If you have a question that needs urgent attention, please contact us.

Do NOT click on any unexpected/unusual links or open attachments. Delete the message once you have sent it through to us.

SMS scams

Email

Other scams

Protect yourself

Download our app to ensure you’re receiving legitimate delivery notifications from Australia Post.

Read our tips to help you stay safe online and safeguard against scams.

Learn more about online security, scams and fraud.

Get trusted, accurate and legitimate delivery notifications from Australia Post

To receive delivery updates directly from Australia Post – and not scammers – download the AusPost app and enable notifications.

Current scams

• SMS scams

Be wary of SMS messages that lure you into clicking on links to resolve delivery issues or pay delivery fees. These links lead to fake Australia Post websites designed to steal your personal and financial details.

For added protection, we recommend downloading our AusPost app and enable in-app notifications for legitimate delivery and tracking updates.

How to spot an SMS phishing scam.

Published date: 17 April 2024

Key message: The recipient is requested to ‘update address details’ to complete the process of their delivery.

Objective: Stealing credit card details

Once clicked it will lead to a fake Australia Post website which is designed to steal your personal and financial information.

I get these really dumb scam messages at least once a day. I just use my iPhone’s report and delete feature to correct the problem.

There was an arrest in December 2023 linked to this Auspost and Linkt scam messages, the authorities said it would clean up the situation, looks like it didn’t. Just shows how easy it is to produce this garbage and send it on to us all. It doesn’t look like the arrests went deep enough into the structures of the network that creates this rubbish.

Easiest thing to recognise about this scam is the false Auspost addresses they use to hook the unwary. If the Auspost message contains a link to a web address, it gets binned with no further reading on my part required.

I approach texts and messages from unknown sources the same way; I ignore all of them, even though they may be legitimate. There is no law that mandates you must answer the phone when it rings. If the ATO, or any other government authority wants to raise an use with me, they must do so in writing. Firstly, it provides an accurate record of any communication, and provides better confidence that the sender is legitimate. Ask yourself how many scammers have carried out their chicanery by writing letters to intended targets. Now, some might argue that this is inefficient, and they may be correct. But the responsibility for the community rejecting contact electronically rests with a Government that has completely failed to address the problem of the internet being a platform of crime and deception. Don’t answer. Don’t respond. Wait until you receive a reliable communication that gives you confidence that it is valid. And keep this in mind; if you contact a government or semi government authority by phone you are interrogated for personal details before they will provide assistance…yet we have NO way of verifying who THEY are.

I got one of these “Australia Post” texts today. It was automatically filtered into “Spam and blocked” in Google Messages. I think both Google and Telstra are handling the filtering, and they seem to be doing a good job for me at present. This type of message almost never makes it past their filters now.

I always block suspicious / unwanted messages and “Report as spam” within Google Messages whenever one does make it through to my real message list. That information goes to my telco and possibly also to Google. There should be a similar option in other phone messaging apps. The more information the telcos get about spam messages, the better they can make their filters.

In principle.

Thank you @Guitarfish @stephen_scott51 @isopeda for your valuable tips and comments. Most of us are aware, alert and careful of the many scams that abound nowadays.
There is a strong need to starve of oxygen parasites who prey on those who might not be so alert, maybe the older generations used to a different type of open/honest way of life, or the very young and inexperienced ones, or those coming from countries which have put a fear of authorities in them and can very well believe that if they ‘don’t comply they will be arrested’.
Every little bit helps, we start with ourselves and we might see great things being achieved in the war against scammers

I’d like to see action from the financial regulators, so that sending emails or SMS with links is banned. This would not negatively impact the financial institutions, since they could send the same messages asking us to log on their website without including a link.
This simple action would help reduce the number of people caught out by clicking on links to cloned websites. @CHOICE could this possibly be included in your advocacy for safer online interactions?

Spammers and scammers would of course all obey all such regulations.

Totally agree. This is how my bank contacts me if there’s a statement to be viewed or any other communication. I feel safe logging in myself, would never click on a link.

IMG_09901335×329 88 KB

IMG_09891188×350 58 KB

Assuming you’re not being facetious, scammers and spammers obeying potential new regulations stopping them sending links would be a good thing! One less way for people to be caught out…
If they didn’t obey such regulations, it would be an easy ‘tell’, and with sufficient education, the public would know that any message containing a link is most likely a scam, and delete rather than click on it.
It’s a win either way, if the regulators have the will and the authority to put in place such regulations and/or at least a code of practice.

The public has been ‘educated’ constantly for years. Every week there is a new article in the media giving examples of the latest methods of giving away your money to strangers. Every financial education publishes material listing the things that they never do that would be methods for scammers to deceive.

This has been going on for years and yet the numbers of those who take no notice of any warning keeps rising. You cannot educate those who don’t see the need to be educated.

For the record, I do not think that scammers and spammers would take the slightest notice of such a ban. Should the ban be implemented we would have a new class of sad stories in the press where victims would tell us how they didn’t know their bank didn’t send links anymore.

This is a very good point. At the moment the problem is that the warning about ‘clicking on a link’ cannot be applied across the board as there are still companies that follow such practices. You have provided an example in your superannuation company.
It gets confusing for customers to decipher which is safe and which is not and to remember which has said ‘we will never ask you to click on a link’ and which ones didn’t. Easier if it is banned across the board, might take a little while but it will become public knowledge.

Sadly not everyone is as clever as you , although no-one is invincible, and I’m sure you do not consider yourself above education…why would you be part of this community otherwise?
For many, particularly the elderly or those for whom English is not their first language, transacting online is still not something they are comfortable with. When placed under pressure to take action (as indeed I was in a genuine email and SMS from my super company) they may act in haste out of fear, rather than with the necessary caution.
Just because you and I are cautious doesn’t make it OK for any financial institution (including large superannuation companies) to continue to employ risky practices which make life easier for scammers. Such behaviour amounts to corporate irresponsibility. If financial institutions refuse to undertake best industry practice, then it is unjust and unproductive for us to only blame the victims and declare them unwilling to be educated.
I’m a believer in doing something to try to improve things rather than sitting on my hands doing nothing because ‘I’m alright Jack’. If more people voiced their concerns, then we might just get somewhere and improve things for others.

I am not suggesting those who are less capable ought to be left to their own devices at all but that this idea will not assist.

For those people preventing genuine institutions from sending links will do no good.

I used to work for a large organisation that had to communicate with people from all walks of life. Their letters all had notices in many languages advising those who needed an interpreter where to get one for no charge. The material was written as simply as it could be. But those were not the main reasons letters were ignored. The main problem with the message not getting through was those who were otherwise capable who took one look at the letter and threw it in the bin.

It is the ones who do think they are alright, that it won’t happen to them, who do not read about the problem and take no notice who are the problem. They will not bother with any information given to them that links are no longer used but just do as they have always done.

I am not advocating doing nothing. I am saying this particular idea will achieve very little.

Respectfully, I disagree. To state that ‘the ones who do think they are alright, that it won’t happen to them, who do not read about the problem and take no notice who are the problem’ is oversimplifying, when organisations choose to employ outdated and dangerous practices and refuse to improve. You seem so certain of your view that I wonder if you work for one such institution…
Do you have any constructive ideas on how to help those who are less capable?

I think that is a good idea, but should be broader to include any online accounts (email, social media, phone/internet etc etc).

We are finding that some of the businesses we deal with now send written instructions on how to action the request being send through. An example something like…

To update your payment details

1. Log into your account
2. Go to My Account
3. Select Payment Options
4. Update details shown
5. When updates have been made, select Save Changes

No links are provided. They also provide information on how to log in should password be forgotten.

I must admit some of the instructions assumed some prior knowledge of navigation around the website… as has taken some additional time to find the exact location.

Even a bank we deal with uses such approach with the following (no links) information:

Screenshot_2024-05-30-10-23-43-251871×1357 188 KB

This approach is good as one is forced to use their usual account login to action. It prevents consumers clicking on spurious links provided through communications.

It would also involve educating consumers that links in communications = scams. While it might not protect everyone, it is better than doing nothing.

No I don’t but you are not the first to suggest that because I disagree with them I do not hold honest opinions but must have some vested interest that I am serving.

Agreeing to disagree is the end of this.

Exactly! Where there’s a will, there’s a way, as you have shown here, and is also my experience with other financial institutions. Where there’s no will, an opportunity is open for the regulators to step in.

Thank you for sharing - the more information we share, the more we can try to raise awareness both in this community and elsewhere, in an effort to bring about change. We need to call out those companies who refuse to review their risky policies and improve customer online safety, and highlight companies who do follow current best practice. This way, more people will become aware of the difference.

How many more people will be scammed before companies swallow their ‘we know best’ attitude and/or the regulators step in?