
Author: Dan Briggs  |  Published: 25 June 2026  |  Reading time: 15 minutes

Executive summary

The fortnight either side of 30 June is the busiest stretch of the year for scammers targeting Australian businesses. Tax is on everyone’s mind, finance teams are processing a flood of invoices and refunds, and a well-timed email asking you to “confirm your bank details before EOFY” looks completely ordinary. Criminals know this, and the reporting data shows they ramp up to match.

The Australian Taxation Office logged 7,420 reports of impersonation scams in July 2025 alone, a 75% jump on the month before, and reports were already climbing again through May 2026. Across the whole economy, Australians reported $2.18 billion in scam losses in 2025, with payment redirection scams against businesses accounting for $166.8 million of that figure. For a single mid-sized business, one successful business email compromise now costs an average of more than $97,000.

The good news for owners and managers is that almost none of these scams rely on clever hacking. They rely on a rushed person doing a normal thing slightly too quickly. That means the defences are mostly process and habit, not expensive technology, and they can be put in place before 30 June. This paper walks through the specific scams hitting Australian businesses this tax time, what they cost, why professional services firms, hospitality venues and not-for-profits are particularly exposed, and a practical checklist you can action this week.

Why the weeks around 30 June are scam season

Tax time creates the exact conditions scammers want. Volume is high, deadlines are tight, and a lot of communication that would normally raise an eyebrow suddenly looks legitimate. An email about your business activity statement, a text about a refund, a call about an “overdue debt”, a supplier asking you to update their account before the books close: in late June, any of these can land in an inbox without seeming out of place.

The ATO’s own reporting shows how sharp the seasonal spike is. In July 2025, the first month of the new financial year, the ATO received 7,420 reports of impersonation scams, a 75% increase on June. By May 2026 the ATO was again recording rising activity, with 1,386 impersonation reports for the month, up 11% on April, as criminals positioned themselves ahead of the 2026 tax season. The pattern repeats every year, and it tracks the calendar rather than any particular breach.

Timing matters for businesses specifically because the money is moving. myTax opens for individuals on 1 July, refunds start flowing within roughly two weeks of lodgement, and businesses are reconciling supplier accounts, paying staff and finalising superannuation. We see the same thing across our client base every year: the requests that get people into trouble are the ones that arrive when a bookkeeper is clearing a backlog at 4:45pm on a Friday in late June. The scam doesn’t have to be sophisticated. It just has to arrive at the right moment.

The tax-time scams hitting Australian businesses right now

Most of what we are seeing falls into six patterns. They overlap, and a single attack often combines two or three, but it helps to name them so your team can recognise them.

ATO and myGov impersonation

The classic. An email, SMS or phone call claims to be from the ATO or myGov and tells you that your taxable income has been recalculated, that you are owed compensation or a refund, or that there is a problem with your return. To “claim” or “fix” it, you are asked to click a link, log in to a fake myGov page, or reply with personal details such as a tax file number, payslips, driver’s licence or Medicare card.

The tell is simple and worth drilling into every staff member: the ATO will never send you an unsolicited message with a link asking you to log in, and it will never ask for your myGov sign-in details, bank details or personal identifying information by email or text. If a message does any of those things, it is a scam. The ATO has also warned ahead of the 2026 tax season to be wary of misleading “tax hacks” circulating on social media and from AI tools and so-called finfluencers, which is a reminder that not every tax-time threat is a phishing link; some are bad advice designed to get you to hand over information or money.

Business email compromise and payment redirection

This is the one that empties bank accounts. In a business email compromise, a criminal either spoofs or actually breaks into an email account (yours, a supplier’s, or a senior manager’s) and uses it to redirect a legitimate payment. The invoice is real. The work was done. Only the bank account has been quietly changed. Because the email comes from a genuine or convincingly faked address and refers to a real transaction, it sails through the usual checks.

The Australian Signals Directorate now ranks email compromise as the most reported cybercrime affecting Australian businesses, making up around 15% of all business-related cybercrime in its 2024–25 reporting year. Payment redirection is also the single most expensive business scam tracked by the National Anti-Scam Centre, with $166.8 million in reported losses across 2025. EOFY is prime time for it, because end-of-year invoicing and account reconciliation give criminals more genuine payments to hijack.

Fake invoices and “our bank details have changed”

A close relative of payment redirection, this version targets your accounts payable process directly. You receive an invoice that looks like one from a regular supplier, or a polite note that the supplier has switched banks and their remittance details have been updated. If your team pays it without checking, the money goes straight to the criminal. We have seen near-identical email domains (a single swapped letter), genuine logos lifted from a real website, and even correct purchase order numbers harvested from an earlier compromise.

The defence here is not technical but procedural: any change to a supplier’s bank details gets verified by phone, using a number you already hold, before a cent moves. More on that in the checklist below.

Payroll and superannuation diversion

Two flavours, both busy at EOFY. In the first, a scammer emails payroll posing as an employee and asks to update the bank account their wages are paid into, timed for just before a pay run so the change goes unnoticed until someone complains they haven’t been paid. In the second, criminals exploit the attention on superannuation at year end, impersonating funds or the ATO to harvest super account details or push people toward fraudulent “early access” or “consolidation” offers. For any business, a payroll diversion email should trigger the same callback verification as a supplier bank change.

Accounting-software phishing

Because so many Australian businesses run on Xero, MYOB or QuickBooks, fake login pages for these platforms are a tax-time staple. The lure is usually an “invoice waiting”, a “subscription expiring”, or a “security alert” that links to a near-perfect copy of the real sign-in screen. Hand over your credentials and the criminal has access to your billing, your client list and, often, the ability to send genuine-looking invoices from your own account to your own customers. Multi-factor authentication on every accounting and finance login is the control that defeats this, and it is free.

Refund, TFN and “overdue debt” cons

Rounding out the set are the high-pressure classics: a text promising a tax refund if you “confirm your details”, a call claiming your tax file number has been suspended or used in a crime, or an aggressive demand to pay an “overdue ATO debt” immediately, often via unusual methods. These prey on fear and urgency. The ATO does contact people about genuine debts, but it does not threaten immediate arrest, demand payment in gift cards or cryptocurrency, or refuse to let you hang up and call back through official channels.

How one of these scams actually unfolds

It helps to see how the pieces fit together, because the danger lies in how ordinary each step looks. A common version runs like this. A criminal phishes the email login of a small supplier your business pays regularly, say a cleaning contractor or a marketing agency. They sit quietly in that mailbox for a week or two, reading past invoices and learning the language the supplier uses. In late June, knowing the books are being finalised, they send your accounts team a genuine-looking invoice from the supplier’s real email address, with a brief note that the business has changed banks. The amount matches previous invoices, the branding is correct, and the reply-to address is the one your team always uses.

Your bookkeeper, working through a backlog before the end of the financial year, updates the payee and pays it. Nothing looks wrong until the real supplier calls a fortnight later asking where their money is. By then the funds have been moved through several accounts and are close to impossible to recover. No malware touched your systems, none of your passwords were stolen, and your bank statement shows a payment you authorised. The only control that reliably stops this is a thirty-second phone call to the supplier, on a number you already had, to confirm the new account before paying.

What it’s costing Australian businesses

The numbers make the case better than any warning can. The National Anti-Scam Centre’s Targeting Scams report for 2025, published in March 2026, recorded $2.18 billion in reported losses for the year, up 7.8% on 2024. That came from 481,523 reports, with more than 274,000 of them involving a financial loss. The figures are almost certainly an undercount, because many businesses never report, particularly when the amount is embarrassing or the loss is written off quietly.

Two categories sit squarely on businesses:

  • Payment redirection: $166.8 million reported lost in 2025. This is the false-billing and business email compromise family, and it is the most expensive business scam type the National Anti-Scam Centre tracks.
  • Phishing: $97.6 million reported lost in 2025. The credential-harvesting attacks behind most accounting-software and myGov impersonation scams.

The per-incident cost is what makes this an owner-level issue rather than an IT footnote. The Australian Signals Directorate’s Annual Cyber Threat Report 2024–25 puts the average self-reported loss from a business email compromise at more than $97,000. The average cost of cybercrime across all types reached $80,850 per report, and even small businesses averaged $56,600 each. For most Australian small and medium businesses, a single bad payment at EOFY is not a rounding error. It is a serious dent in the year’s profit, and sometimes a threat to the business itself.

It is worth saying plainly: these are not losses that insurance always covers, and recovering a payment once it has left your account is difficult and often impossible. Prevention is the whole game.

Why professional services, hospitality and not-for-profits are in the firing line

Every business is a target at tax time, but three groups we work with carry extra risk, for different reasons.

Professional services

Accountants, law firms, financial advisers, architects and consultants are attractive for two reasons: they move significant money on behalf of clients, and they hold concentrated personal and financial data. A compromised email account at a small accounting practice in late June gives a criminal a front-row seat to dozens of client transactions, each one a payment-redirection opportunity. Trust accounts and client disbursements raise the stakes further. If your firm sends or receives client funds, payment verification controls are not optional, and your professional indemnity and regulatory obligations may depend on them.

Hospitality

Pubs, restaurants, cafes and venues run on thin margins, high staff turnover and a lot of casual payroll, which are exactly the conditions payroll-diversion and invoice scams exploit. A venue might onboard and offboard dozens of casuals across the year, so a “please update my bank account” email doesn’t stand out. Supplier invoices arrive constantly, often from small operators whose own email security is weak, which makes supplier impersonation easy. And because hospitality teams are usually serving customers rather than sitting at a desk, finance tasks get squeezed into rushed windows where verification slips. Hospitality websites have also been hit this year by fake “verify you’re human” pop-ups that spread malware, so the risk is not limited to invoices and payroll.

Not-for-profits

Charities and community organisations are targeted because they combine real money movement with stretched resources and goodwill. Volunteer or part-time finance staff, board members approving payments by email, grant and donation inflows around the end of the financial year, and a culture of saying yes all make NFPs vulnerable to both invoice fraud and donation-diversion scams. The reputational damage of a breach, telling donors their generosity funded a criminal, can be worse than the dollar loss. NFPs also tend to assume they are too small or too worthy to be targeted, which is precisely the assumption criminals count on.

Your EOFY scam-proofing checklist (before 30 June)

Here is the practical part. None of these require a big budget, and most can be done this week. We have ordered them by impact. If you only do three things, do the first three.

  • Verify every bank-detail change by phone, using a number you already have on file, never the number in the email requesting the change. Apply this to suppliers, employees and anyone asking you to move money.
    Why it matters: Defeats payment redirection and payroll diversion, the most expensive scams of the season.
    Who owns it: Finance / accounts payable
  • Require dual approval for payments over a set threshold and for any new or changed payee. Two people, two sets of eyes, before money leaves.
    Why it matters: One rushed person is the single point of failure in almost every business email compromise.
    Who owns it: Owner / finance manager
  • Turn on multi-factor authentication everywhere across email, myGov and myGovID, banking, and Xero, MYOB or QuickBooks. Use an authenticator app or passkeys, not SMS where you can avoid it.
    Why it matters: Stops phishing of credentials from turning into account takeover. Free and fast.
    Who owns it: IT / MSP
  • Brief your team on the EOFY scams above in a 15-minute stand-up. Name the patterns. Make it clear that slowing down to verify is always welcome and never a problem.
    Why it matters: Most scams succeed on human urgency, not technical weakness.
    Who owns it: Owner / manager
  • Confirm email authentication (SPF, DKIM and DMARC) is correctly configured for your domain.
    Why it matters: Makes it harder for criminals to spoof your business’s address to your own customers and staff.
    Who owns it: IT / MSP
  • Use the ATO app’s “verify call” feature and circulate the official ATO verification line, 1800 008 540, so staff can check any suspicious ATO contact in seconds.
    Why it matters: Gives everyone a fast, authoritative way to confirm whether ATO contact is genuine.
    Who owns it: All staff
  • Lock down and patch the basics by keeping devices and browsers updated, restricting macros in Office files, and removing finance access from staff who no longer need it.
    Why it matters: Closes the technical doors that turn a single click into a full compromise.
    Who owns it: IT / MSP
  • Write down what “normal” looks like. A one-page note on how genuine suppliers invoice you and how the ATO actually contacts you gives staff a reference when something feels off.
    Why it matters: People spot anomalies far better when they know the baseline.
    Who owns it: Finance

If your business uses a managed IT provider, items marked IT/MSP should be a quick conversation rather than a project. Several of them, such as MFA, email authentication and patching, are part of the security baseline we recommend for Australian SMBs, and a good provider should already have them in place. EOFY is a sensible moment to confirm rather than assume.
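“Correctly configured” for SPF and DMARC has a concrete meaning, and the weak settings are easy to spot once you know the tags. The following is an added example (not All IT Services’ own tooling) that reads an SPF and a DMARC TXT record as strings and flags the settings that leave a domain spoofable; the sample records and the domain example.com.au are constructed for illustration, and in practice you would first fetch the real records from DNS (for example with `dig +short TXT _dmarc.yourdomain.com.au`).

```python
# Added example: sanity checks for SPF and DMARC TXT records. Records are
# passed in as strings so this runs offline; fetch them from DNS first.
import re

# Mechanisms and modifiers that each cost a DNS lookup under RFC 7208.
LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists", "redirect"}

def parse_tags(record: str) -> dict[str, str]:
    """Split a 'k=v; k=v' record (DMARC style) into a dict keyed by lowercase tag."""
    tags = {}
    for part in record.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    return tags

def check_spf(record: str) -> list[str]:
    """Return findings for an SPF record; an empty list means nothing to fix."""
    findings = []
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["SPF record missing or does not start with v=spf1"]
    final = terms[-1].lower()  # the 'all' term decides what happens to unlisted senders
    if final in ("+all", "all"):
        findings.append("'+all': any server on the internet may send as this domain")
    elif final == "?all":
        findings.append("'?all' is neutral, so receivers get no spoofing signal")
    elif final not in ("-all", "~all"):
        findings.append("no terminating 'all' term; unlisted senders are treated as neutral")
    lookups = sum(1 for t in terms[1:]
                  if re.split(r"[:=/]", t.lstrip("+-~?").lower())[0] in LOOKUP_MECHANISMS)
    if lookups > 10:
        findings.append(f"{lookups} DNS lookups exceeds the RFC 7208 limit of 10 (permerror)")
    return findings

def check_dmarc(record: str) -> list[str]:
    """Return findings for a DMARC record; an empty list means nothing to fix."""
    tags = parse_tags(record)
    if tags.get("v", "").upper() != "DMARC1":
        return ["DMARC record missing or does not start with v=DMARC1"]
    findings = []
    policy = tags.get("p", "").lower()
    if not policy:
        findings.append("no p= tag; receivers ignore the record entirely")
    elif policy == "none":
        findings.append("p=none only monitors: spoofed mail that fails checks is still delivered")
    if tags.get("sp", policy).lower() == "none" and policy not in ("", "none"):
        findings.append("sp=none leaves subdomains unprotected while the main domain is enforced")
    pct = tags.get("pct", "100")
    if pct.isdigit() and int(pct) < 100:
        findings.append(f"pct={pct}: the policy is applied to only {pct}% of failing mail")
    if "rua" not in tags:
        findings.append("no rua= address, so you never see who is spoofing the domain")
    return findings

if __name__ == "__main__":
    # Constructed sample records for a placeholder domain, not real DNS data.
    print("weak SPF:", check_spf("v=spf1 include:_spf.example.net +all") or "OK")
    print("weak DMARC:", check_dmarc("v=DMARC1; p=none; pct=50") or "OK")
    print("hardened DMARC:", check_dmarc("v=DMARC1; p=reject; rua=mailto:dmarc@example.com.au") or "OK")
```

A clean result still assumes DKIM signing is set up for every service that sends as your domain; the script only reads the two policy records.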

What to do in the first hour if you’ve been caught

Speed matters more than blame. If a payment has gone out or credentials have been handed over, working quickly through these steps gives you the best chance of limiting the damage.

  1. Call your bank immediately. If a payment has left your account, the bank may be able to halt or recall it, but only if you move fast, often within hours. This is the first call, before anything else.
  2. Reset the affected passwords and revoke sessions. If an email or accounting login was exposed, change the password, sign out all sessions and confirm multi-factor authentication is on. Check for mailbox rules the attacker may have set to hide their activity.
  3. Report it. Report tax-related scams to the ATO (call 1800 008 540 or use the verify or report an ATO scam page). Report the scam to Scamwatch, and report cybercrime to ReportCyber. If identity details were exposed, contact IDCARE, Australia’s free identity and cyber support service.
  4. Tell the people affected. If a supplier’s or employee’s details were involved, let them know so they can protect themselves. If customer data was exposed, you may have obligations under the Notifiable Data Breaches scheme, so get advice quickly.
  5. Write down what happened. A short timeline of what arrived, what was clicked or paid and when will help your bank, your insurer and your IT provider act, and help you tighten the gap afterwards.
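Step 2 above asks you to check for mailbox rules an attacker may have set, and the ones that matter follow a few recognisable shapes: rules that forward or redirect mail outside the business, rules that delete or bury finance-related mail and mark it read, and rules with blank or one-character names. The following is an added example (not the page’s or any vendor’s tooling) that triages a list of inbox rules against those patterns; the rule dictionaries are constructed and only loosely modelled on Exchange Online inbox-rule properties, and the internal domain list and the attacker-mail.invalid address are assumptions for illustration.

```python
# Added example: triage of mailbox inbox rules after a suspected email compromise.
# The rule dicts are constructed sample data, loosely modelled on Exchange Online
# inbox-rule properties; the domain list below is an assumption for the example.
INTERNAL_DOMAINS = {"example.com.au"}  # assumption: the business's own email domains
FINANCE_WORDS = {"invoice", "bank", "payment", "remittance", "account", "ato", "refund", "eofy"}
# Folders commonly used to bury mail that would otherwise alert the mailbox owner.
HIDING_FOLDERS = {"rss feeds", "rss subscriptions", "conversation history",
                  "archive", "junk email", "deleted items"}

def is_external(address: str) -> bool:
    """True when the address is outside the organisation's own domains."""
    return address.rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS

def triage_rule(rule: dict) -> list[str]:
    """Return the reasons a single inbox rule looks suspicious (empty list = benign)."""
    reasons = []
    targets = rule.get("ForwardTo", []) + rule.get("RedirectTo", [])
    external = [t for t in targets if is_external(t)]
    if external:
        reasons.append("forwards or redirects mail outside the business: " + ", ".join(external))
    words = {w.lower() for w in rule.get("SubjectContainsWords", []) + rule.get("BodyContainsWords", [])}
    hides = rule.get("DeleteMessage", False) or rule.get("MoveToFolder", "").lower() in HIDING_FOLDERS
    if hides and words & FINANCE_WORDS:
        reasons.append("buries or deletes finance-related mail: " + ", ".join(sorted(words & FINANCE_WORDS)))
    elif hides and rule.get("MarkAsRead", False):
        reasons.append("buries or deletes mail and marks it read so the owner never notices")
    name = rule.get("Name", "").strip()
    if len(name) <= 1:
        reasons.append("blank or single-character rule name, a common way to stay inconspicuous")
    return reasons

def triage_rules(rules: list[dict]) -> list[tuple[str, list[str]]]:
    """Run triage over every rule and keep only those with findings, in export order."""
    flagged = []
    for rule in rules:
        reasons = triage_rule(rule)
        if reasons:
            flagged.append((rule.get("Name", ""), reasons))
    return flagged

# Constructed sample export: two ordinary rules and two that match the patterns above.
SAMPLE_RULES = [
    {"Name": "Newsletters", "Enabled": True, "SubjectContainsWords": ["newsletter"],
     "MoveToFolder": "Newsletters"},
    {"Name": ".", "Enabled": True, "SubjectContainsWords": ["invoice", "bank details"],
     "MoveToFolder": "RSS Feeds", "MarkAsRead": True},
    {"Name": "Sync", "Enabled": True, "ForwardTo": ["mailbox-sync@attacker-mail.invalid"]},
    {"Name": "Receipts", "Enabled": True, "SubjectContainsWords": ["receipt"],
     "MoveToFolder": "Receipts"},
]

if __name__ == "__main__":
    for name, reasons in triage_rules(SAMPLE_RULES):
        print(f"rule {name!r}: " + "; ".join(reasons))
```

Disable or delete anything flagged, then check the same mailbox for forwarding set at the account level, which is separate from inbox rules.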

One regulatory note for larger businesses: if a scam escalates into ransomware or cyber extortion and you make a payment, organisations with annual turnover of $3 million or more must report that payment to the Australian Signals Directorate within 72 hours under the Cyber Security Act. Since 1 January 2026 the government has moved from an education-first approach to active enforcement of this obligation, with penalties for failing to report. It is a reminder that an incident response plan needs to cover reporting duties, not just technical recovery.

A note on AI-generated scams

The reason these scams keep working better each year is that the lures keep getting more convincing. Criminals now use AI to write clean, error-free emails in correct business English, to clone the look of ATO and myGov pages, and even to generate voice messages that mimic a manager or supplier. The old advice to “look for spelling mistakes” is no longer reliable. What still works is verifying through a separate, known channel: a phone call to a number you already hold, a login you navigate to yourself rather than via a link, a face-to-face check. Process beats appearance, because no amount of AI polish can fake a callback to the right person.

Frequently asked questions

How can I tell if an ATO message is genuine?

The ATO will never send an unsolicited message with a link asking you to log in, and will never ask for your myGov credentials, bank details or personal identifying information by email or SMS. If you are unsure, do not use any contact details in the message. Open the official ATO app and use the “verify call” feature, or phone the ATO directly on 1800 008 540.

We’re a small business. Are we really a target?

Yes, and often more so than large organisations. Small and medium businesses move real money but rarely have dedicated security staff, which is exactly the gap criminals look for. The Australian Signals Directorate’s most recent figures put the average business email compromise loss at more than $97,000 and the average cybercrime cost to a small business at $56,600. Size is not protection.

What’s the single most effective control?

Phone-based verification of any request to send or redirect money, using a number you already hold rather than one supplied in the message. It is free, it takes a minute, and it defeats payment redirection, fake invoices and payroll diversion in one move. Pair it with multi-factor authentication on email and accounting logins and you have closed off the large majority of tax-time attacks.

Does cyber insurance cover scam losses?

Sometimes, but not always, and policies vary widely on whether they cover funds lost to payment redirection or social engineering. Recovering money once it has left your account is difficult, so prevention is far more reliable than relying on a claim. Read your policy’s social-engineering and funds-transfer-fraud terms before you need them, and speak to your broker if you are unsure.

Talk to All IT Services before EOFY

Most of the controls in this paper are quick to put in place, but they work best as a connected set rather than a scramble of one-off fixes. If you want a second set of eyes on your business before 30 June, we can run a short review of your email security, multi-factor authentication, payment-verification process and staff readiness, and tell you plainly where the gaps are.

All IT Services is an Australian managed IT provider supporting businesses across Sydney, Brisbane, Central West NSW and Melbourne, with a particular focus on professional services, hospitality and not-for-profits. Call us on 1300 425 548 or get in touch via allitservices.com.au/contact-us to book a pre-EOFY check. A short conversation now is a great deal cheaper than a redirected payment in July.

Sources and further reading

This whitepaper is general information only and does not constitute legal, financial or tax advice. Speak to a suitably qualified professional about your specific circumstances.