Why Your Tax Records Are at Risk
You're finishing your tax return at 10 PM on a Tuesday. By 2 AM the next morning, a fraudster has already lodged a fake return under your name, claimed $15,000 in refunds, and they're gone.
This isn't hypothetical. This is what happened to Sarah, a Melbourne accountant, in June 2024. She didn't have two-step authentication (2FA) enabled on her myGov account. The ATO caught the fraudulent return, but not before it created a compliance nightmare: conflicting records, delayed genuine refunds, and months of back-and-forth with the ATO.
"I thought my password was strong enough," Sarah told me. "I learned the hard way that a strong password means nothing if someone has your email."
This is Australia's growing tax fraud problem, and it's targeting you.
Enabling two-step authentication (2FA) on your myGov account is the single most effective step you can take to stop this.
The Real Cost of Skipping 2FA
Here's what most Australians don't realise: the ATO receives fraudulent tax returns daily. They've publicly stated that identity fraud and tax fraud are growing faster than they can investigate.
According to ATO data released in 2024, fraudsters are:
- Filing false tax returns to claim refunds
- Creating fake business structures to claim ABN deductions
- Accessing myGov accounts to change banking details and intercept legitimate refunds
- Lodging super contributions under stolen identities
The consequences aren't small:
- Legitimate refunds delayed for months while the ATO investigates
- Tax debts created in your name that take years to clear
- Your reputation damaged if you're a business owner (clients see you as a fraud risk)
- Superannuation compromised if they access your super account
- Time and stress dealing with ATO inquiries and remediation
Sarah's case took four months to fully resolve. Four months of explanations, documentation, and phone calls with the ATO. And she was lucky—the ATO caught it quickly.
Others aren't so fortunate. Some people don't discover the fraud until they receive a tax assessment for income they never earned, or a debt notice for a super contribution they never made.
Why Fraudsters Target Tax Records
Your myGov account is valuable. It contains:
- Your TFN (Tax File Number)
- Your address and personal details
- Access to your tax history
- Banking details for refunds
- Superannuation account links
- Business ABN information (if self-employed)
With just your myGov credentials, a fraudster can:
- Lodge a fraudulent tax return and claim your refund
- Change your banking details to intercept legitimate refunds
- Create fake business structures in your name
- Access your superannuation account details
- Request copies of sensitive documents
And here's the uncomfortable truth: your password alone won't stop them. Passwords are compromised constantly. Data breaches, phishing emails, malware—there are dozens of ways fraudsters get your login details without you ever knowing.
That's where 2FA comes in.
What is Two-Step Authentication (2FA)?
Two-step authentication is simple: even if someone has your password, they can't access your account without a second piece of information that only you have.
How it works:
- You enter your username and password (first step)
- The system sends a code to your phone, email, or authenticator app (second step)
- You enter that code to complete login
- Without the code, the fraudster is locked out—even with your password
The key difference:
- Password alone: Like a lock with one key. If someone finds your key, they're in.
- 2FA: Like a lock that requires two keys. Even if they find one key, they still can't enter without the second.
Services You Must Protect With 2FA
Not all accounts need 2FA equally. But these ones do:
1. myGov Account (CRITICAL)
This is your tax identity. If a fraudster controls this, they control your tax life.
MyGov now offers 2FA via the myGov app or SMS. The ATO strongly recommends it—though they don't yet mandate it, which is a gap.
Time to set up: 5 minutes
2. Tax Agent Portals (If You Use One)
If you have an accountant or tax agent, they access your tax history through secure portals. Fraudsters use compromised logins here too.
Common platforms:
- Xero
- MYOB
- ATO portals (for agents)
- Your accountant's client portal
Time to set up: 5 minutes per portal
3. Internet Banking (CRITICAL)
Your bank account holds your refunds. If a fraudster redirects refunds to their account, you lose money immediately.
All major Australian banks now support 2FA. Some require it; others make it optional. Make it mandatory.
Time to set up: 10 minutes
4. Email Account (CRITICAL)
Your email is the master key. If someone controls your email, they can reset passwords on myGov, banking, and everything else.
Gmail, Outlook, and Yahoo all support 2FA. Use Google's setup guide or equivalent for your provider.
Time to set up: 10 minutes
5. Superannuation (If Self-Managed)
If you have an SMSF, your super account is a target. Enable 2FA if your super fund provider supports it.
Time to set up: 5 minutes
How to Set Up 2FA on MyGov (Step-by-Step)
Here's the clearest walkthrough I can give without screenshots (but the myGov app walks you through it visually):
Step 1: Go to myGov.au
- Navigate to www.mygov.au
- Log in with your username and password
Step 2: Open Settings
- Click your name in the top right
- Select "Settings"
Step 3: Security Settings
- Look for "Security settings" or "Two-factor authentication"
- The myGov app (download free from App Store or Google Play) is the easiest method
Step 4: Choose Your 2FA Method
Option A: myGov App (Recommended)
- Download the free myGov app
- In myGov settings, select "myGov app"
- Scan the QR code with the app
- The app will show approval prompts when you log in
- Done—highly secure and no codes to remember
Option B: SMS (OK)
- Select "SMS"
- Enter your mobile number
- Receive a code via SMS when you log in
- Slightly less secure than the app (SMS can be intercepted) but still effective
Option C: Authenticator App (Very Secure)
- Download Google Authenticator or Microsoft Authenticator (free)
- Scan the QR code provided by myGov
- The app generates a time-limited code every 30 seconds
- Use this code to log in
- Most secure option, but slightly more complex
Step 5: Save Recovery Codes
- MyGov will give you recovery codes (usually 5 codes)
- Write these down and store them securely (not on your computer, not in email)
- If you lose your phone, these are how you regain access
- Put them in a physical safe or give them to your accountant/partner
Step 6: Test It
- Log out of myGov
- Log back in
- You should see the 2FA prompt
- Confirm it works before you leave
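To show what the 30-second codes in Option C and the recovery codes in Step 5 do on the server side, here is an added example (not myGov's code, and not from the original article) of the standard time-based one-time password scheme, RFC 6238, that authenticator apps implement. The class name `SecondStep`, the recovery code value and the secret (the RFC's published test key) are assumptions chosen for illustration.

```python
import base64, hashlib, hmac, struct

# Constructed sample: base32 of the RFC 6238 test key "12345678901234567890".
# A real secret is random and is what the QR code carries to the app.
SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

def totp(secret_b32, unix_time, step=30, digits=6):
    """RFC 6238 code (HMAC-SHA1) for the 30-second step containing unix_time."""
    key = base64.b32decode(secret_b32, casefold=True)
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

class SecondStep:
    """Hypothetical verifier for the second login step."""

    def __init__(self, secret_b32, recovery_codes):
        self.secret = secret_b32
        self.recovery = set(recovery_codes)
        self.last_counter = -1                   # newest time step already used

    def verify(self, code, now, step=30, window=1):
        current = now // step
        # Allow one step either side for clock drift between phone and server.
        for c in range(current - window, current + window + 1):
            if c <= self.last_counter:
                continue                         # a captured code cannot be replayed
            expected = totp(self.secret, c * step, step)
            if hmac.compare_digest(expected.encode(), code.encode()):
                self.last_counter = c
                return "totp"
        if code in self.recovery:
            self.recovery.discard(code)          # recovery codes are single-use
            return "recovery"
        return None                              # password alone gets no further

if __name__ == "__main__":
    login = SecondStep(SECRET, ["constructed-recovery-1"])
    print(totp(SECRET, 59), login.verify(totp(SECRET, 59), 59))
```

A code is only valid for its own time step (plus the drift window) and only once, which is why a stolen password, or even a code read over your shoulder a few minutes ago, does not complete the login.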
Common Mistakes That Leave You Vulnerable
Mistake 1: Not enabling 2FA on email
Your email is the backup reset key for everything. Fraudsters often crack tax accounts via email. If your email doesn't have 2FA, don't bother with the others—you're still exposed.
Fix: Set up 2FA on your email account first.
Mistake 2: Saving recovery codes in email or cloud
Recovery codes are passwords. Saving them in Gmail or OneDrive defeats the purpose.
Fix: Write them down or give them to your accountant in person. Physical paper is fine.
Mistake 3: Using SMS 2FA everywhere
SMS 2FA is vulnerable to SIM-swap attacks (fraudsters impersonate you to your phone company and port your number).
Fix: Use authenticator apps or app-based 2FA (like myGov app) instead.
Mistake 4: Thinking 2FA makes you invulnerable
2FA is one layer of defense. You still need:
- A strong, unique password stored in a password manager (1Password or Bitwarden)
- Caution with phishing emails (don't click links in unsolicited emails)
- Changing passwords immediately if you suspect a breach (routine rotation is no longer recommended by security experts)
Fix: 2FA + strong password + caution = real protection.
Mistake 5: Not updating 2FA when you change phones
You get a new phone and forget to update your 2FA settings. If you're locked out, recovery is complicated.
Fix: Update 2FA immediately when you change devices.
Real Cases: What Happened When 2FA Was Missing
Case Study 1: The Accountant (Sarah's Story)
What happened: Sarah's password was stolen from a data breach at an online retailer (not tax-related). The fraudster waited three months, then logged into myGov using her credentials in June 2024. They filed a fake return claiming $15,000 in construction deductions and lodged it electronically.
Why it happened: No 2FA on myGov. The fraudster only needed the password.
What happened next:
- The ATO flagged the return as suspicious (her income didn't match the deductions)
- Sarah didn't discover it until the ATO sent her a "please explain"
- She had to prove the return wasn't hers—including gathering her actual business records
- Her legitimate refund was delayed 4 months while the ATO investigated
- Cost to her: $8,000 in lost refunds (money she was owed), plus $2,000 in accounting fees to sort it out
The fix: If Sarah had 2FA enabled, the fraudster would have been locked out at the 2FA prompt. One simple step would have prevented this entirely.
Case Study 2: The Small Business Owner
What happened: Mark, a tradesman, received a letter from the ATO saying his business had claimed $47,000 in super contributions under his ABN. He'd claimed $8,000. Someone had created false contribution records.
Why it happened: Fraudsters accessed his myGov (no 2FA), saw his ABN, and created fake super contribution claims. The ATO's initial data-matching process flagged it, but Mark spent months proving the contributions were fraudulent.
What happened next:
- Mark had to lodge a fraud report with the ATO
- His super account was temporarily frozen during the investigation
- His accountant spent 30 hours rebuilding his contribution records
- Cost to Mark: $5,000 in accounting fees, plus stress and reputation damage
What To Do Right Now
Immediate Actions (Next 30 Minutes)
- Enable 2FA on myGov — Do this first. It's the most critical account.
  - Go to myGov.au
  - Settings → Security settings → Enable 2FA
  - Choose myGov app or SMS
  - Save recovery codes (write down or store safely)
- Enable 2FA on your email — This is your backup reset key.
  - Gmail: Visit myaccount.google.com/security
  - Outlook: Visit account.microsoft.com → Security
  - Follow their 2FA setup
- Enable 2FA on your bank — Your refund money lives here.
  - Log into your bank's app
  - Find security settings
  - Enable 2FA (usually called "Multi-factor authentication" or "MFA")
This Week
- Enable 2FA on your accountant's portal — If you use a tax agent, ask them to enable it on your account.
- Update your password — Use a unique, complex password for myGov (not the same as other sites). Use a password manager like 1Password or Bitwarden to store it securely. For more on protecting your business finances, see our guide to financial ratios that predict business failure.
- Check your phone — Fraudsters sometimes port your phone number. If you use SMS 2FA, ask your phone company to add "port lock" protection (prevents number transfers without in-person ID).
Monthly
- Review account access — In myGov and your bank, check "recent logins" or "account activity" to spot suspicious access. If you see something weird, reset your password immediately.
- Update your recovery codes — If you've used any recovery codes, myGov will regenerate new ones. Store the new ones securely.
The ATO's Position (and Why It's Changing)
While the ATO has been progressively strengthening myGov security, many accounts still don't have 2FA enabled. But the ATO's National Tax Compliance Priority for 2025-26 explicitly identifies "identity fraud prevention" as a focus area.
This means:
- The ATO is investing heavily in fraud detection
- Penalties for fraudulent returns are increasing
- Businesses and tax agents are being asked to educate clients on 2FA
- Full mandatory 2FA rollout is expected in the near future
The sooner you adopt it, the better protected you are.
Common Questions
Q: Does 2FA slow down my logins? A: Minimal. First login to your device takes 10 seconds extra. Subsequent logins on the same device don't require 2FA (most sites remember trusted devices).
Q: What if I lose my phone? A: That's what recovery codes are for. If you lose your phone, use a recovery code to regain access, then update your 2FA to a new phone. This is why you store recovery codes securely (and separately from your phone).
Q: Is the myGov app safe? A: Yes. It's published by the Australian Government and uses government-grade security. It's safer than SMS 2FA.
Q: What if a fraudster has my recovery codes? A: Extremely unlikely if you store them securely (written on paper in a safe, not in email or cloud). But if you're concerned, contact the ATO immediately to verify your account.
Q: Does 2FA protect me from all fraud? A: No. It protects you from password-based attacks. You still need to be cautious with phishing emails, don't use the same password everywhere, and monitor your accounts regularly.
Bottom Line
Setting up 2FA takes less than 30 minutes. The consequences of not doing it—fraudulent returns, delayed refunds, identity complications, stress—can take months to resolve.
Sarah didn't think 2FA was worth 5 minutes. It cost her 4 months of headaches and $10,000 in costs.
Mark didn't prioritise security. It froze his superannuation and damaged his business reputation.
Don't wait for a letter from the ATO telling you that you've been a victim. Do it now.
Your next step: Open myGov right now and enable 2FA. Seriously—don't put this off. The time to protect your tax records is today, not after a fraudster gets in.
Need Help With Your Tax Security?
If you're a business owner or self-employed, your tax security goes beyond just 2FA — it includes your accounting software, payroll systems, and client data. Thinkwiser's accountants work with Australian business owners every day on exactly these issues.
Sources & Further Reading
- ATO: Data Matching and Fraud Detection
- ATO: Protecting Yourself from Identity Fraud
- MyGov: Setting Up Two-Factor Authentication
- ACCC: Identity Theft and Fraud Prevention
- Cybersecurity: Australian Government Resources
Disclaimer: This article provides general information only and does not constitute legal or tax advice. For advice specific to your situation, consult a registered tax agent or accountant.

