How the ATO protects your financial data

Jade Hawkins:
Be vigilant with your attention to fraud protection, both within your own firm, but also encouraging clients to set up their own protections through the ATO app and strong online access strength. Fraud doesn't rest. It is continuously evolving, so we have to be equally as agile and vigilant in identifying, containing and protecting our systems against it.

Jenny Wong:
Welcome to the CPA Australia's With Interest Podcast. I'm Jenny Wong, tax lead at CPA Australia. As we head into tax time 2026, there's a growing focus on fraud and keeping taxpayers' information and refunds safe as scams, identity theft, and cyber threats become more sophisticated.

In this episode of our Tax Time series, we're joined by Jade Hawkins, assistant commissioner in the ATO's fraud and criminal behaviours business line. Jade unpacks the ATO's counter-fraud programme, a major investment designed to detect and stop fraud earlier using real-time data analytics and stronger system protections.

We'll also explore what this means in practice from new features in the ATO app that give taxpayers more control over their accounts to the steps agents can take to protect their clients and their own practices from emerging threats. Welcome to With Interest, Jade.

Jade Hawkins:
Thanks for having me, Jenny.

Jenny Wong:
Can we start with the counter-fraud programme? So what is the counter-fraud programme and what is the ATO doing to prevent fraud?

Jade Hawkins:
Well, the counter-fraud programme is the ATO's $187 million investment to build and future-proof our systems to detect fraud earlier in order to contain it and also to prevent it from happening again. Fraud is constantly evolving and the programme enables us to pivot to new and emerging risks in order to disrupt fraud and financial crime at the earliest opportunity while simultaneously strengthening the tax and super systems by building enhanced protections and tools against future threats.

It also provides us with the opportunity to bring consequence to fraudsters through audits and even criminal prosecutions by testing new criminal offences aimed at evolving fraud types such as identity crime and also the promotion of tax and super fraud over social media. But at its core, the counter-fraud programme is a really holistic modernization of the ATO's approach to fraud, detection and treatment.

Historically, we were a very reactive organisation identifying fraud post-lodgement and taking compliance action after the fact. But in 2026, we're proactively identifying fraud through key threat indicators on taxpayer records combined with other data points in order to detect fraud at the earliest opportunity. This enables us to then utilise our data analytics and digital forensic skills to track the fraud online to decide just how much we want to learn before we contain it and when to apply real-time consequences such as blocking access and locking accounts in real time.

So this has really changed the game for the way the ATO deals with fraudsters and enables us to protect taxpayers from them before the loss of funds or information even happens. It's also enhanced the evidence we use when conducting criminal investigations as we can track online evolving frauds as they happen. But the ultimate advantage is that every evolving fraud teaches us about another way to harden the system and to prevent future attacks.

Jenny Wong:
Jade, I understand the counter-fraud programme also involves the ATO app. What updates have been made to the ATO app to keep people safe and how can agents help support their clients in using these features?

Jade Hawkins:
That's right, Jenny. Part of the counter-fraud programme has also focused on putting safety and security of a person's tax affairs back into their own hands through enhancements to the ATO app. When a taxpayer has strong online access strength through myID and have downloaded the ATO app, they can receive real-time messages alerting them to action on their account, giving them the ability to lock and unlock their account, preventing unintended actions if they did not authorise them themselves.

So for example, if a fraudster gains access to my personal identity information and seeks to change my bank account details in order to receive a dodgy refund, I'll be notified of the bank account change so that I can lock my account in a simple way through the app.

And I've got a real example to share, which illustrates how it works. So on Friday the 27th of June last year, we had a taxpayer register their mobile device using the ATO app. This means that at that time, they could then receive real-time messages through the ATO app on key changes to their ATO account. On Monday, the 1st of July at 12:36 AM, the taxpayer received three security messages on the app from the ATO, alerting them to the fact that their bank account had been deleted, a new bank account had been updated, and a '24-'25 tax return had been lodged online.

At 12:40 AM, the taxpayer responded and locked their account using the ATO app. The taxpayer was able to do this outside of business hours and was able to secure their ATO account immediately before any fraud occurred. The next morning around 9:05, the taxpayer called the ATO Client Identity Support Centre and confirmed the '24-'25 lodgement was fraudulent.

In the discussion, they were made aware of other amendments that had been made to their '22-'23 and '23-'24 tax returns, which had been lodged or changed prior to them even registering for the app. So in that call, they were also then able to identify and stop additional frauds on their account. This just shows the power that a taxpayer now has in ensuring security over their own tax affairs.

Another really great feature of the ATO app is a new feature that we call Verify Call. So how many times have you received a call from a number, you're unsure whether it's authentic, who it's from. In the ATO app, you can quickly verify if the call claiming to be from the ATO is genuine. And if you can't, you can immediately hang up and not continue the conversation. So we're constantly trying to make new advances in ways the app can safeguard a taxpayer's account.

And I'd also encourage listeners to look out for further announcements in May where there'll be some additional protections via the app related to superannuation. But really important I think for this group is that the ATO app is designed to benefit all taxpayers, including those that have an agent.

The security features are designed to, first and foremost, keep your clients safe, but there's a range of additional tools that can also support the services you provide to your clients, such as the ability for users to quickly check the status of their pre-fill information, to know when they're ready to engage with you to lodge their returns online. Their ability to track the progress of their return once it's already been lodged, and also to make managing work-related deductions easier using the myDeductions tool rather than bringing in their box of receipts.

We've also developed a range of fact sheets specifically tailored to support tax professionals and to help guide conversations that you have with your clients about the ATO app and you can search QC105069 on ato.gov.au in order to find out more.

Jenny Wong:
Jade, what can agents do to help protect their clients and their practices from fraud?

Jade Hawkins:
As agents and those in the tax profession know, fraud is a shared risk that requires us to work together in order to prevent these sorts of threats to the entire community. With the incredible benefits of digitalization, there's also come increasingly sophisticated online threats and the ATO values its role along with those in the tax profession as stewards of the tax system to keep taxpayers' information and funds safe. This includes being open with the community about the risks to their personal information and the steps they need to take to better protect themselves.

As a tax professional, you can encourage your clients to use myID, download the app and set it to the highest identity strength they can achieve to access ATO online services through myGov. You can also encourage your clients to download the ATO app to give them the power to stop fraud on their own account and to keep them digitally safe. By encouraging your client to set up a strong myID and download the ATO app, you're putting their account safety into their hands, which lets you as the tax professional get on with your important work in dealing with their tax affairs.

As I noted earlier, doing these two things enables clients to protect themselves by locking and unlocking their account, as well as signing in securely to access online services without needing to wait on a call.

And finally, I'd encourage all tax professionals to be alert to fraudsters among your clients, peers, and the community. Both the ATO and Tax Practitioners Board benefit from reports of suspected fraud, which in the ATO's case is via the Tax Integrity Centre, and we encourage your listeners and the rest of the community to help keep an even playing field by reporting suspected fraud.

Jenny Wong:
And what about more cyber-related attacks?

Jade Hawkins:
To help prevent cyber attacks on your practice, you can actually implement some pretty simple but effective habits. Firstly, it may seem like an absolute no-brainer, but it is so important to keep your devices updated. Install software updates regularly to stay protected against the latest threats.

Also, to use strong, unique passphrases, my name, date of birth, dog or a child may seem easy to remember, but it's opening the front door to a fraudster. So we suggest combining four or more random words such as otter, lamp, tiger, cloud, and add special characters or numbers for extra strength.

Also, avoid quotes, personal details or predictable phrases which AI can second guess in an instant. And finally, to turn on multifactor authentication. It adds that extra layer of protection by requiring two or more proofs of identity to grant access, for example, passphrase and biometrics.

Jenny Wong:
What resources are available to agents and where can they find more information?

Jade Hawkins:
You can read more about the ATO Counter-Fraud Programme at ato.gov.au/taxfraud, but we've also released a new cybersecurity module with the essentials to strengthen your small business online learning site. So this module is designed to help you and your clients implement practical cybersecurity measures. It's free to use and designed to be shared with your clients and can also be accessed from the ATO website.

Jenny Wong:
What fraud or scam trends is the ATO seeing most frequently right now?

Jade Hawkins:
Well, with an ever-changing external fraud environment, we are seeing an increase in scams focused on acquiring personally identifiable information or what we call PII. Data breaches involving PII increased in 2025 and were increasingly sophisticated and agile. The current digital environment is causing a pressure on system integrity, but human involvement also remains a driver and, unfortunately, vulnerable populations are more likely to fall victim to fraud.

Jenny Wong:
Jade, have you noticed any emerging patterns in how fraudsters are targeting tax agents versus individual taxpayers?

Jade Hawkins:
We have definitely seen this. As the ATO strengthens the system for individuals, we're mindful of the likely displacement of criminal attacks to vulnerabilities in the broader system, such as to tax practitioners, including digital wholesale services. We're also seeing an increase in data breaches and incidents against agents using different typologies. Whilst the fraud typologies that the ATO is seeing continue to evolve with respect to third-party unauthorised access, we have seen the following techniques used by fraud actors.

Firstly, malware used to harvest client information through the agent portal for the purpose of committing identity fraud. Secondly, phishing enabled fraud via agents by compromising sensitive information such as passwords or logging codes. And thirdly, credential stuffing, which is a type of cyber attack where hackers use stolen username and password combinations usually obtained from previous data breaches to try to gain access to other accounts and systems.

With respect to second-party fraud aligned to agents' accesses, we've seen the following techniques also used by fraud actors. Employee-driven misconduct, this is through unauthorised access to taxpayer information, manipulation of client records, refund redirection, misuse of agent credentials, and deliberate harvesting of client data.

We've also seen fraudsters continue to pose as clients, compromising identity credentials and using increasingly sophisticated social engineering techniques to obtain access to agent systems or influence staff behaviour. In relation to superannuation, we've also seen registered agents involved in practices that help individuals inappropriately access their superannuation early on compassionate grounds and also illegal early access schemes using SMSFs as a vehicle.

Jenny Wong:
If someone has been a victim of a scam or fraud, what does the ATO do to help them and what can clients do to help restore their access?

Jade Hawkins:
Great question. If the ATO is required to put safeguards in place, then we consider that a taxpayer has been... the terminology for us is compromised. The two main impacts of these safeguards for taxpayers are that, firstly, any subsequent lodgements received, including ABN, GST registrations, super rollovers, income tax, et cetera, will have additional verification checks completed by the ATO to help prevent fraud risks. And secondly, they may need to meet additional identification requirements when interacting with the ATO online or over the phone.

Last year, we reviewed agent restrictions to pre-fill data for compromised clients so agents can now access all prefilled data available without contacting us. This means agents have the same pre-fill experience for compromised taxpayers as they do with non-compromised taxpayers in both online services for agents and wholesale software environments. However, your client's access to ATO online services is restricted when compromised. This means you or your client need to call us for them to get 48-hour temporary access.

And whilst these protections remain important where your client has strong online access strength and the ATO app, they can now unlock their access without the need to call each time. Another really important reason to encourage clients to get the ATO app and that strong access strength through myID.

Currently, around 52% of compromised individuals have an active tax agent supporting them with their tax affairs and this just shows that tax agents have a huge impact in helping their clients secure their records and reduce the impacts of being compromised. You can find support including fact sheets to help these compromised clients restore their access on our website at ato.gov.au/strongaccess.

Jenny Wong:
Jade, do you have any final messages for our listeners?

Jade Hawkins:
I think the main messages I would have is firstly to be vigilant with your attention to fraud protection, both within your own firm, but also encouraging clients to set up their own protections through the ATO app and strong online access strength through myID. Fraud doesn't rest. It is continuously evolving, so we have to be equally as agile and vigilant in identifying, containing and protecting our systems against it.

Jenny Wong:
That brings us to the end of this episode of With Interest. Thank you to Jade Hawkins from the ATO for sharing her insights on the counter-fraud programme and how both taxpayers and agents can stay one step ahead of fraud this tax time.

Jade Hawkins:
Thanks for having me, Jenny.

Jenny Wong:
If today's discussion highlighted anything for your practice, whether it's encouraging clients to strengthen their digital security, adopt tools like the ATO app or reviewing your own cyber safeguards, now is the time to start those conversations. Don't forget to check the show notes for links and resources from CPA Australia and the ATO. If you like this episode, please share it with your friends and colleagues and don't forget to subscribe so you don't miss future episodes on our Tax Time 2026 series. Until next time, thanks for listening.