MailGuard Blog — Breaking alerts, news and updates on cybersecurity topics

Tax Refund Scam Spoofs the ATO and myGov

Written by MailGuard | 28 May 2025 04:26:23 Z

MailGuard has intercepted a sophisticated new phishing campaign impersonating the Australian Taxation Office (ATO). It is designed to trick recipients into handing over their credit card details under the guise of a legitimate tax refund offer.

The email appears to be from the ATO and includes an official-looking message advising the recipient that their 2024 tax return has been processed and a refund of $878.00 AUD is available. The email contains a QR code, a PDF attachment, and a phishing URL (e.g. mygovtax(dot)com/?=TT148950) directing users to a spoofed refund claim page.

What does the scam look like? 

The phishing email claims to come from the ATO’s Tax Refunds Department and uses the branding of myGov and the Australian Government to add legitimacy. It instructs the recipient to confirm their refund by scanning a QR code or clicking a link.

Once the link is clicked or the QR code is scanned, the user is redirected to a spoofed ATO landing page hosted on ebmfi(dot)kinsta(dot)cloud, a domain not associated with the ATO or any legitimate government service.

Step-by-step breakdown of the scam 

Step 1: The fake ATO-branded landing page reassures the user that they are eligible for a tax refund.

 

Step 2: The user is prompted to enter credit card details, including full name, card number, expiry date, and CVV.

 

Step 3: A fake “Payment Error” screen is displayed if details are entered, encouraging users to try again — increasing the likelihood of harvesting multiple card numbers.

 

This loop is designed to appear plausible and can result in real-time credit card charges if users proceed.

 

What makes this threat dangerous?

 

  • Emotional manipulation: Exploits public trust in the ATO and creates urgency with a limited refund window.
  • Multi-layered deception: Combines HTML emails, PDF attachments, QR codes, and fake domains to evade security filters.
  • Financial exploitation: Actively attempts to charge cards in real-time, putting both personal and business accounts at risk.

Although the messages are sent from generic addresses such as noreply(at)mail(dot)invoicehero(dot)net, the sender displays as “# A T O” in recipients’ inboxes. Variants of the address include one-time generated sending aliases, making the campaign harder to detect and block without advanced threat filtering.

 

Stay Safe - Know the Signs

MailGuard advises all recipients of these emails to delete them immediately without clicking on any links. Responding or providing personal details can lead to identity theft, data breaches, and financial losses.

Avoid emails that:

  • Are not addressed to you by name.
  • Use poor English or omit personal details that a legitimate sender would include.
  • Come from unexpected businesses or government bodies.
  • Contain links or QR codes that redirect to a domain not matching the sender's real URL.
  • Claim you must act urgently to claim money or avoid penalties.
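
Two of the signs described above can be checked mechanically: the spaced-out “# A T O” display name on an unrelated sending domain, and links that leave the claimed sender's real domain. The following is an added example, not MailGuard's code or detection logic; the brand allowlist, the function names and the sample message (with placeholder .example domains) are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlsplit

# Assumption: illustrative allowlist mapping a brand token to its real domains.
BRANDS = {"ato": ("ato.gov.au",), "mygov": ("my.gov.au",)}

def name_tokens(display):
    """Tokenise a display name, gluing runs of single characters ('# A T O' -> ['ato'])."""
    text = re.sub(r"[^a-z0-9]+", " ", display.casefold()).strip()
    # Drop the space between two adjacent single-character tokens.
    text = re.sub(r"(?<![a-z0-9])([a-z0-9]) (?=[a-z0-9](?![a-z0-9]))", r"\1", text)
    return text.split()

def under(host, parents):
    """True if host equals, or is a subdomain of, one of the parent domains."""
    host = (host or "").lower().rstrip(".")
    return any(host == p or host.endswith("." + p) for p in parents)

def check_message(raw):
    """Return findings for a simple (non-multipart) RFC 5322 message string."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    sender_host = addr.rpartition("@")[2]
    findings = []
    for brand in sorted(BRANDS.keys() & set(name_tokens(display))):
        allowed = BRANDS[brand]
        if not under(sender_host, allowed):
            findings.append(("display-name-spoof", brand, sender_host))
        for url in re.findall(r"https?://[^\s\"'<>]+", msg.get_payload()):
            host = urlsplit(url).hostname
            if not under(host, allowed):
                findings.append(("off-brand-link", brand, host))
    return findings

# Constructed sample: display name as reported above, placeholder domains.
SAMPLE = (
    'From: "# A T O" <noreply@mail.sender.example>\n'
    "Subject: Your 2024 tax refund\n\n"
    "Confirm your refund: https://refund-claim.example/?=TT000000\n"
)

if __name__ == "__main__":
    for finding in check_message(SAMPLE):
        print(finding)
```

Gluing single-character tokens before matching is what catches the spaced-out name while leaving a display name such as "Tomato Store" alone.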

Many businesses turn to MailGuard after a near miss or incident. Don't wait until it's too late.

Reach out to our team for a confidential discussion by emailing expert@mailguard.com.au or calling 1300 30 44 30.

 

One Email Is All That It Takes   

All that it takes to devastate your business is a cleverly worded email message that can steal sensitive user credentials or disrupt your business operations. If scammers can trick one person in your company into clicking on a malicious link or attachment, they can gain access to your data or inflict damage on your business.     

For a few dollars per staff member per month, you can protect your business with MailGuard's specialist 'zero zero-day' email security. Special Ops for when speed matters! Our real-time 'zero zero-day' email threat detection amplifies our clients' intelligence, knowledge, security and defence. Talk to a solution consultant at MailGuard today about securing your company's inboxes.
