Avoid Scams: Spot Fake ATO SMS

Security alert • ATO

Scam alert: fake ATO SMS

During Tax Return season, SMS scams (smishing) increase. Here’s how to spot them, what to do if you receive one, and how to protect your account.

Scam alert: fake ATO SMS

What is smishing?

Smishing is a scam where fraudsters send text messages pretending to be a legitimate organisation (such as the Australian Taxation Office). These messages often include links to fake websites designed to steal details like your TFN, login credentials, or banking information.

Important

Even if the ATO may contact you by SMS in some cases, it will never ask you to enter personal details or make payments through a link.

Quick rule

If the message pressures you, threatens fines, or asks you to “verify” via a link: don’t trust it.

How to identify a fake ATO SMS

These are the most common red flags:

  • Suspicious sender: unknown numbers, international numbers, or unclear identification.
  • Spelling mistakes or odd phrasing (poor wording, unnatural sentences, etc.).
  • Strange links: shortened URLs, unusual domains, or look-alike addresses.
  • Urgency or threats: “your account will be suspended”, “avoid penalties today”, etc.
  • Asking for details or payments: the ATO doesn’t handle this via SMS links.

Typical examples

  • “Your refund is ready. Claim it now by clicking here.”
  • “The ATO has detected an outstanding debt. Avoid penalties by paying here.”
  • “Your myGov account has been locked. Restore it using this link.”

What to do if you receive a suspicious SMS

  1. Don’t click the link and don’t reply to the message.
  2. Verify via official channels: type the official website address manually or contact the ATO by phone.
  3. Report the message: mark it as spam and report it if available.
  4. Block the number and delete the SMS.
  5. If you shared any details, act quickly: change your passwords and contact your bank if you entered financial information.

If the ATO detects suspicious activity

If the ATO identifies unusual activity, it may lock access for security. To restore it, you’ll usually need to call, verify your identity and, in some cases, you may be given temporary access.

That’s why the most important thing is prevention: always double-check before sharing details or opening links.

Tip: protect yourself from smishing

  • Enable two-factor authentication (2FA) on myGov and your financial platforms.
  • Don’t share your TFN with unverified third parties.
  • Check links before clicking (best practice: type the URL yourself).
  • Always use official sources for any tax-related steps.

Received a suspicious SMS?

If you’re unsure, we’ll guide you so you don’t fall for a scam and can continue safely.

Contact us
Follow Us
Follow Us