Why Australian tax agents need to secure every customer login to prevent the next wave of tax fraud
Mon, 29th Jun 2026
Australia's tax system is built on trust. Taxpayers trust accounting services with highly sensitive financial and identity information, while the Australian Taxation Office (ATO) relies on these registered tax practitioners to act as a secure gateway into the tax ecosystem. Yet as tax fraud becomes more sophisticated, the security of customer logins is emerging as one of the most important and overlooked vulnerabilities.
If an attacker gains access to an Australian taxpayer's account, they can often bypass many of the controls designed to protect our national tax system. The weakest point is often not the ATO's security but the credentials consumers and businesses use to access it. For Australian tax agents, securing every customer login should now be viewed as a professional responsibility, not simply an IT issue.
Tax fraud is becoming more sophisticated
The ATO continues to investigate large-scale tax fraud schemes involving identity theft and account compromise. Operation Protego, one of Australia's largest GST fraud investigations, uncovered widespread abuse, including fraudulent business registrations and false GST refund claims, resulting in attempted fraud totalling billions of dollars.
Operation Falcata has taken enforcement action against a major international scam syndicate linked to a sophisticated offshore criminal network. The ATO, Services Australia and the Australian Federal Police (AFP) disrupted this organised criminal network, which used stolen identities to access ATO accounts, lodge fraudulent returns and redirect tax refunds.
The ATO regularly warns taxpayers about phishing emails, SMS messages, and fake websites that impersonate myGov and government agencies to steal credentials and personal information.
These attacks are becoming increasingly sophisticated. Artificial intelligence is enabling cybercriminals to create more convincing phishing campaigns at scale, making it harder for taxpayers to distinguish legitimate communications from fraudulent ones. According to the Australian Cyber Security Centre's (ACSC) Annual Cyber Threat Report for 2025, cybercrime reports continue to rise, with credential theft and identity-related fraud remaining common attack methods.
For tax professionals, this creates a growing challenge. While fraud prevention often focuses on monitoring transactions and verifying identities, protecting access to taxpayer accounts is becoming equally important.
Passwords remain a major weakness
Most tax fraud schemes have one thing in common: stolen credentials.
Attackers do not need to compromise government systems if they can gain access to legitimate taxpayer accounts. Once inside, they may be able to submit fraudulent claims, alter account details, redirect refunds or access sensitive financial information.
Traditional usernames and passwords remain vulnerable because they can be stolen, reused, shared or phished. Even many common forms of multi-factor authentication (MFA) can be bypassed using adversary-in-the-middle phishing kits that capture login credentials and one-time passcodes in real time.
For tax agents, the consequences can be significant. A compromised client account can expose financial records, tax file numbers and banking details while also creating compliance obligations, reputational damage and costly remediation efforts. Protecting access to client accounts is therefore becoming just as important as protecting the data itself.
Security is becoming a professional responsibility
Australian tax practitioners already operate under significant obligations relating to client confidentiality and data protection.
The Tax Practitioners Board (TPB) has repeatedly emphasised that practitioners must maintain appropriate systems and controls to protect client information from risks such as cybercrime, fraud and identity theft. The Tax Agent Services Act 2009 and the strengthened Code of Professional Conduct also place greater emphasis on governance, risk management and the protection of client information.
The TPB's client verification guidance helps practitioners confirm that clients are who they claim to be. However, identity verification alone cannot prevent legitimate accounts from being compromised through phishing attacks or credential theft after access has been established.
The importance of stronger authentication is also reflected in the ACSC's Essential Eight framework. Widely regarded as Australia's baseline cybersecurity standard, the Essential Eight provides practical guidance for reducing cyber risk, including strengthening authentication and limiting opportunities for credential theft. For tax practices that handle highly sensitive identity and financial information, aligning security programs with the Essential Eight can improve resilience against increasingly sophisticated threats.
Why every customer login matters
Cybersecurity is becoming a core component of professional responsibility and client protection for tax agents. They will invest in securing their own systems but devote less attention to how clients access online services. This creates an opportunity for attackers, who increasingly target individual users rather than directly breaching large organisations.
A single compromised account can expose years of financial records, banking information and identity data. Whether the target is a large business, a sole trader, or an individual taxpayer, stolen credentials can give cybercriminals everything they need to commit fraud.
The future is phishing-resistant authentication
The most effective way for tax agents to reduce account takeover risk is to eliminate opportunities for attackers to steal credentials in the first place.
Phishing-resistant authentication technologies, such as passkeys and hardware security keys like the YubiKey, are designed to prevent credential theft. Unlike passwords, they cannot be reused across websites, intercepted by phishing or easily shared with attackers.
Even if a taxpayer visits a fraudulent website, phishing-resistant authentication helps prevent the handover of credentials to cybercriminals.
A security conversation the tax profession can no longer avoid
The next wave of tax fraud prevention will require more than education and identity verification. It will require stronger identity security, modern authentication methods and a commitment to rigorously protecting every customer login.
As cybercriminals continue to target taxpayer identities, securing vulnerable accounts is becoming one of the most important steps accounting firms can take.