Tax Time Phishing Alert: ATO and myGov Scammers Are Now Targeting Australians via iMessage and RCS
With Australia's financial year closing on 30 June, security researchers at Proofpoint have warned of a sharp rise in credential-phishing campaigns impersonating the ATO and myGov — and a new wrinkle: attackers have shifted delivery to iMessage and RCS messaging channels, bypassing the email filters that organisations have spent years refining.
Disclosure: This post contains affiliate links. We only recommend tools we've researched and trust. If you purchase through our links, we may earn a commission at no extra cost to you.
The EOFY Phishing Spike Researchers Are Warning About
Australia's financial year ends on 30 June — and every year without fail, this window creates a perfect storm for cybercriminals. With just weeks remaining in FY2025–26, security researchers at Proofpoint have documented over 100 distinct campaigns in 2026 that use tax themes to deliver malware, remote management payloads, and credential-harvesting phishing pages, according to reporting by SecurityBrief Australia.
Australian taxpayers are specifically in scope. Proofpoint's research confirms campaigns are deploying counterfeit ATO and myGov login pages engineered to steal not just passwords but two-factor authentication codes and session cookies simultaneously — allowing attackers to bypass MFA and maintain persistent access to government accounts even after a victim changes their password. The ATO's own published scam data confirms the scale: in March 2026 alone, the ATO received 1,461 reports of impersonation scams — a 2% increase from February. Over the most recent full year of published data, that figure reached 25,609 reports, a rise of over 25%.
Perhaps most revealing is how criminals are now reaching their targets. The ATO's published scam data shows SMS-based scam contact increased by 414% compared to the prior period, far outpacing a 179% rise in email-based attempts. This dramatic shift reflects a deliberate adaptation: as Australian email gateways, spam filters, and link-checking services became more effective at intercepting phishing messages, attackers migrated to messaging channels that fall outside those defences.
The timing is strategic, not accidental. The EOFY period is when Australians genuinely expect communications from the ATO, their accountants, super funds, and myGov — making recipients more likely to act on messages that arrive in this window without pausing to verify their authenticity. The Australian Signals Directorate's Annual Cyber Threat Report 2024–25 recorded phishing as present in 60% of all incidents reported to the ACSC — the most frequently observed initial access technique by a wide margin.
Why the ATO and myGov Make Such Effective Impersonation Targets
myGov is not simply a government portal — it is a single-sign-on gateway connecting Medicare, the ATO, Centrelink, My Health Record, and more than a dozen other federal government services under one set of credentials. A stolen myGov username and password is therefore extraordinarily valuable: a single breach potentially exposes tax records, welfare entitlements, health data, superannuation account details, and the ability to update bank account information for government payments. This aggregation of high-value services under one credential is precisely what makes myGov a persistent, high-priority target for phishing operators.
The ATO has publicly confirmed several active scam templates through its official scam alerts page. One campaign impersonates DocuSign, delivering a fake document titled "Declaration and Final Release" — professional-looking paperwork that, when "reviewed," redirects victims to a counterfeit myGov login page harvesting credentials, name, date of birth, and driver's licence details. A separate campaign falsely claims a recipient's taxable income has been recalculated and requests payslips, tax file numbers, driver's licence details, and Medicare card numbers in a single reply — essentially a complete identity package handed over voluntarily.
Proofpoint's research identifies a specific threat actor, tracked as TA2730, that concentrates on credential phishing in countries including Australia. The group frequently uses lures tied to financial and tax documentation, and campaigns extend beyond ATO and myGov impersonation to target HR departments and investment platforms — reflecting the broader EOFY context in which Australians also expect communications from superannuation providers and financial advisers.
What makes these campaigns persistently effective despite years of public awareness efforts is the combination of familiarity, legitimacy, and urgency. The ATO and myGov are known, trusted senders in Australians' minds; EOFY creates genuine deadlines; and the stakes — a tax refund, a compliance notice, an account flag — feel high enough that a proportion of recipients will act before verifying. The ATO has stated this unambiguously in its own guidance: "The ATO and myGov will never send you an SMS or email with a link to access online services."
The New Delivery Vector: How Phishers Are Bypassing Your Email Defences
The Lucid PhaaS Platform and the RCS/iMessage Shift
The infrastructure enabling SMS and messaging-based phishing at industrial scale was comprehensively documented by Swiss cyber-intelligence firm Prodaft in April 2025. Their research exposed Lucid, a phishing-as-a-service (PhaaS) platform operated by a Chinese threat group identified as XinXin, active since at least mid-2023. According to coverage of the Prodaft research by The Hacker News, the Lucid platform has targeted 169 organisations across 88 countries — with Australia Post explicitly among the postal and brand names it impersonates. The same infrastructure is available to threat actors running ATO and myGov lures.
The central innovation of platforms like Lucid is the shift from email to RCS (Rich Communication Services — the successor to SMS on Android devices) and Apple iMessage. Both protocols use end-to-end encryption by default. This means the phishing message content cannot be inspected by the network-level filters, carrier spam detection systems, or enterprise email gateways that security teams rely on. A phishing link sent via iMessage or RCS arrives at a target device in the same way a legitimate message from a bank or government agency would — with no warning flags, no suspicious headers, and no spam indicators visible to the recipient.
The operational scale is considerable. Prodaft's research indicates the Lucid group claims to send approximately 100,000 smishing messages per day across RCS and iMessage channels, with access to over 1,000 phishing domains. The platform operates on a subscription model, meaning actors with limited technical skill can rent the infrastructure, select their target brand, and deploy campaigns without building anything themselves. This commoditisation of phishing capability is precisely why the ACSC reports phishing as appearing in 60% of incidents — the barrier to entry has collapsed.
Real-Time Account Takeover — Bypassing 2FA
What separates current PhaaS platforms from earlier phishing kits is their real-time interception capability. When a victim enters credentials into a Lucid-operated fake login page, the data immediately populates the attacker's live administration panel. If the victim is then prompted for a one-time passcode (OTP), the attacker simultaneously triggers the same authentication challenge on their own session — harvesting the code before it expires and gaining full authenticated access. This is why standard time-based MFA offers little protection against real-time relay: the code is consumed within its validity window in the attacker's live session rather than captured for later use. Beyond account takeover, Prodaft's research found these platforms are increasingly focused on digital wallet provisioning — tokenising a victim's payment card to enable contactless tap-to-pay fraud.
Protecting Your ATO and myGov Credentials Right Now
The ATO's own data contains some reassurance: the number of Australians actually paying money to scammers has fallen sharply — down 66% to just 28 individuals in the most recent full year. The number of people divulging personal information dropped 71% to 346 people. Heightened public awareness is contributing to better outcomes. The challenge is that awareness alone is insufficient against real-time MFA-bypassing platforms — credential hygiene and technical controls matter as much as vigilance.
Use a unique, strong password for every government account. Credential reuse is the single biggest amplifier of phishing damage. If a campaign captures your ATO login and you have used the same password for myGov, Medicare, and your banking, a single successful phish becomes a cascade of account compromises. A password manager such as NordPass generates and stores cryptographically strong, unique passwords for every account — including ato.gov.au, my.gov.au, and your super fund portal — so you are not relying on memory or minor password variations that attackers can easily guess.
Enable multi-factor authentication on myGov. myGov supports MFA via authenticator app or SMS code. Authenticator app-based MFA is meaningfully harder to intercept than SMS codes, which are vulnerable to SIM-swap attacks and, to a lesser extent, real-time relay. While PhaaS platforms can defeat OTP-based MFA under specific conditions (as described above), MFA still substantially raises the cost and complexity of a successful attack and deters lower-sophistication operators who lack real-time relay infrastructure.
Never follow links in unsolicited messages claiming to be from the ATO, myGov, or Services Australia. The ATO's guidance is explicit: the agency will never send an SMS or email containing a link to access online services. If you receive such a message, navigate directly to ato.gov.au or my.gov.au by typing the address yourself. Verify any concerning message by calling the ATO's dedicated scam line on 1800 008 540 or forwarding suspicious emails to ReportScams@ato.gov.au. Any message that asks you to click a link, provide your TFN, or submit personal documents without a prior conversation initiated by you should be treated as suspicious.
A Layered Defence Against Tax-Time Credential Theft
The ASD's Annual Cyber Threat Report 2024–25 frames phishing as the most common initial access technique not because Australians haven't heard the warnings, but because the campaigns continue to improve faster than public awareness keeps pace. The ASD received over 84,700 cybercrime reports in FY2024–25 — one report every 6 minutes — with the average self-reported cost of a cybercrime incident rising 8% to $33,000. For a compromised myGov account that enables welfare payment redirection or tax refund theft, the actual financial damage can considerably exceed that figure.
A layered approach provides substantially better protection than any single control:
- Unique passwords for every account, managed via a password manager. NordPass includes a dark web monitoring feature that alerts you if email addresses associated with your accounts appear in breach databases — providing advance warning before an attacker can act on stolen credentials.
- App-based MFA over SMS codes where the service allows it. Authenticator apps generate time-based codes that are harder for remote attackers to intercept than SMS, which remains vulnerable to SIM-swapping by mobile carrier social engineering.
- Passkeys where available. myGov and some Australian banks are progressively rolling out passkey support. Passkeys bind authentication to a specific device and to the registered website's domain, which makes them phishing-resistant by design: the private key never leaves the device, and a fake login page on a different domain cannot obtain a signature that the legitimate site will accept.
- Navigate directly, never via a link. Treat every unsolicited message claiming to be from a government agency as suspect. Bookmark ato.gov.au and my.gov.au and use those bookmarks rather than clicking links in email or SMS.
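To show concretely why the passkey control above resists a lookalike login page, here is an added Python example (not code from the original post or from myGov) of the origin and RP ID binding checks a WebAuthn relying party performs on a sign-in assertion. The RP ID `my.gov.au`, the origin and all sample data are assumed for illustration, and signature verification is omitted to keep the focus on the binding checks.

```python
import base64
import hashlib
import json

# Assumed for illustration only; the real myGov RP ID and origin may differ.
RP_ID = "my.gov.au"
EXPECTED_ORIGIN = "https://" + RP_ID


def b64url(data: bytes) -> str:
    """WebAuthn encodes the challenge as unpadded base64url."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_assertion(origin: str, challenge: str):
    """Constructed stand-in for what the browser and authenticator produce
    during a sign-in ceremony at `origin`. The browser records the origin it
    is actually on; the authenticator hashes the RP ID derived from that
    origin into the first 32 bytes of authenticatorData, then a flags byte
    (bit 0 = user present) and a 4-byte signature counter."""
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": challenge, "origin": origin}
    ).encode()
    rp_id = origin.split("://", 1)[1]
    auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x01" + bytes(4)
    return client_data, auth_data


def verify_binding(client_data: bytes, auth_data: bytes, expected_challenge: str):
    """Relying-party checks that tie an assertion to the legitimate site.
    Signature verification over authData || SHA-256(clientDataJSON) is left
    out; these checks alone reject anything produced on a lookalike domain."""
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get":
        return False, "unexpected ceremony type"
    if cd.get("challenge") != expected_challenge:
        return False, "challenge mismatch (possible replay)"
    if cd.get("origin") != EXPECTED_ORIGIN:
        return False, f"origin mismatch: {cd.get('origin')}"
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash does not match RP ID"
    if not auth_data[32] & 0x01:
        return False, "user presence flag not set"
    return True, "assertion bound to legitimate origin"


if __name__ == "__main__":
    challenge = b64url(b"constructed-server-challenge-bytes")
    print(verify_binding(*make_assertion(EXPECTED_ORIGIN, challenge), challenge))
    # A page on a lookalike domain (constructed placeholder) fails the origin
    # and rpIdHash checks, so a relayed passkey sign-in cannot succeed.
    print(verify_binding(*make_assertion("https://mygov-login.example", challenge), challenge))
```

The contrast with a relayed OTP is the point: the browser, not the user, fills in the origin, so the phishing page cannot present itself as my.gov.au no matter how convincing it looks.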
Under Australia's Notifiable Data Breaches (NDB) scheme, organisations holding your personal data are required to notify you and the Office of the Australian Information Commissioner (OAIC) if a breach is likely to cause you serious harm. However, if you believe your own credentials may have been compromised — through phishing rather than an organisational breach — do not wait for a notification. Change your myGov password immediately, revoke active sessions through myGov's security settings, check that your bank account details linked to Medicare and the ATO have not been altered, and report the incident to both the ATO and the ACSC's ReportCyber service at cyber.gov.au.
The phishing-as-a-service model has lowered the barrier to entry for sophisticated, MFA-aware attacks. What once required specialised technical skill is now available on subscription. The countermeasures — unique passwords, app-based MFA, direct navigation, credential monitoring — are low-cost and effective. Applying them consistently across this EOFY period is the practical response to a threat that is actively adapting to Australian defences.
The views expressed in this article are editorial opinion and general information only. They do not constitute professional security, legal, or financial advice. Always verify details with primary sources and consult a qualified professional before making security decisions based on this content.