eCommerceNews Australia

Phishing-resistant authentication can prevent tax-time fraud

Tue, 30th Jun 2026
Anthony Caruana, Interview Editor

With Australia in the throes of tax season, criminal groups are looking for targets to steal funds from. They can do this by redirecting tax refunds, lodging falsified tax returns or creating fake business activity statements (BAS). And while many people think this would require sophisticated hacking, the reality is that criminals don't hack. They steal credentials and log in.

Protecting a user account and using the most secure login tools available is the best first defence against a criminal taking over an Australian Taxation Office (ATO) account. But that is becoming increasingly difficult as threat actors employ ever more convincing phishing scams, now aided by AI, to dupe people into giving up their login credentials.

The problem is not just one for individuals. Accountants and tax agents are the gatekeepers for millions of ATO accounts, and it is imperative that they take as many precautions as possible to prevent their accounts being compromised. With the increased digitisation of the tax system reducing friction to make the end-user experience as seamless as possible, the time between compromise and exploitation is very short.

Geoff Schomburgk, the Vice President for Yubico across Asia Pacific, said the improved tax system experience is a double-edged sword.

"If an attacker mimics an individual the flow happens seamlessly. If they submit a fraudulent BAS statement or tax return and direct it to their account, the system's not going to pick that up because it looks legitimate. Money is siphoned to the criminals."

"The benefit of digitisation and a frictionless experience is great if it works well. But hackers see this as an opportunity. Once they are in someone's account, it's easy money."

High‑profile breaches have exposed details that criminals can use to impersonate legitimate users. When credentials are not available, they rely on phishing and social engineering, often posing as tax officials, help‑desk staff or government agencies, to coerce individuals into disclosing login details. The urgency of the request and the financial stakes make these tactics particularly effective.

This is why tools like multi-factor authentication (MFA), passkeys and physical security keys are so important. Even with a compromised username and password, criminals will fail at login without that second factor. But not all forms of additional authentication are as secure as we'd hope.

"Legacy forms of MFA, such as SMS codes and authenticator apps, play an important role because any form of MFA is better than none," said Schomburgk. "But the bad guys and the technology have evolved. If one-time codes are sent over the mobile network unencrypted, they may be intercepted. Or they use social engineering to ask for a code to be replayed. But there are phishing resistant forms of authentication."

Becoming phishing resistant

Passkeys, Schomburgk added, are a good measure because they are phishing resistant. The Australian Signals Directorate's Essential Eight maturity model says that organisations at Maturity Levels 2 and 3 should use a phishing-resistant form of MFA, such as a passkey. He also noted that the Federal Government's MyGov application supports passkeys.

Schomburgk explained that one long-standing example of phishing-resistant authentication is the smart card, which has been used for many years, particularly in the government and banking sectors. While it is highly secure, it is complex to administer.

The FIDO (Fast Identity Online) protocols that passkeys are built on are designed to be equally phishing resistant without that administrative overhead. A passkey is a public-private key pair created for one specific service (the relying party), such as MyGov: the service stores the public key, the private key stays on the device, and the browser will only present the credential to the domain it was registered for, so a lookalike phishing site cannot ask for it. The device holding the passkey might be a laptop using Windows Hello with a biometric, an iPhone with Face ID or a physical security key.

"These methods add steps so that someone trying to hack into an account needs physical access to a device," said Schomburgk.

A common question is what the difference is between a passkey and a physical security key. The answer comes down to where you want the passkey to be stored.

"Do you want to store it in your password manager that's built on software or do you want to store it on a hardware security key?" Schomburgk asked. "Either option is great because they're both phishing resistant credentials. But having it stored on a physically separate device, such as a YubiKey, is a more secure option."

Proactive government

The Federal Government has been more proactive when it comes to making access to critical systems more secure. Tools such as MyGov and changes to its counter-fraud strategy have shifted to a more preventative mindset. While response remains important, there is a very definite shift to taking a front-foot approach to stopping identity-led crime before it happens.

Organisations such as tax agents, accountants and bookkeepers have opportunities to boost their authentication controls. The perceived complexity is real, but many solutions have become much easier to deploy.

"Start with a risk assessment and the most valuable information. And from an authentication point of view, move away from legacy authentication towards modern phishing-resistant forms. Many end-user platforms support strong authentication natively. Often, they just need to be turned on to vastly improve security."

Phishing-resistant authentication is the first line of defence for Australian tax accounts. Passkeys, built on the FIDO2 standards, bind the credential to the legitimate service and to a device the attacker does not hold, so a stolen username and password alone are not enough to log in. Tax agents, accountants and bookkeepers should begin with a risk assessment to identify their most valuable information and then replace legacy methods such as SMS codes with phishing-resistant ones. By making these changes proactively, they can shrink the window between credential theft and misuse and prevent fraudulent tax documents from being lodged under a stolen identity.