ATO adds in-app call verification to stop scams


Tax office counted nearly 7500 impersonation reports in July alone.

The Australian Taxation Office (ATO) has launched an in-app feature that lets customers confirm in real time whether a call claiming to be from the tax office is genuine, the government agency said.


A new verify call function sits inside the ATO app for Apple iOS and Google Android devices, and works by pushing a notification to a registered device within 30 seconds of activation.

When a taxpayer receives a call from someone claiming to be the ATO, they open the app, log in, and select the verify call option.

If the notification does not appear within that window, the ATO said the call should be treated as a scam and the user should hang up.

The feature inverts the burden of proof, putting the tool in the taxpayer's hands rather than asking them to independently verify a caller's identity.

"Scammers are becoming increasingly savvy, making it harder for individuals to distinguish between illegitimate and genuine contact," ATO assistant commissioner Anita Challen said.

"This security measure means fraudsters will find it harder to pretend to impersonate the ATO."

The verify call feature is part of the ATO's $187 million Counter Fraud Program (CFP) and complements existing app controls such as real-time account-change alerts and account locking.

An increasing number of scam call attempts prompted the ATO to add the verification feature.

It logged almost 7500 impersonation scam reports in July 2025 alone, with volumes expected to climb again as the 2025-26 filing season approaches.

Across the Tasman, the New Zealand Inland Revenue department (IR) said it had noticed a steep increase in automated malicious login attempts in March this year.

Attackers made over 500,000 attempts to access taxpayer accounts at IR's myIR service.

IR rolled out two-step verification last year, and this blocked most of the account takeover attempts.

Attackers using credential stuffing were able to enter the correct, reused password for up to 900 accounts, but were stopped by the two-step verification (2SV).

However, some 300 accounts did not have the 2SV protection enabled, and were successfully accessed by attackers.

The compromised accounts were closed down by the IRD, with police and the Office of the Privacy Commissioner being notified.

Unlike the ATO, IRD does not provide another layer of security through in-app verification and instead asks users to manually confirm that calls are genuine.

This is similar to the tax authorities in major English-speaking countries, such as the United Kingdom's His Majesty's Revenue and Customs, Canada's Revenue Agency and the Internal Revenue Service in the United States.

ATO's preferred sign-in method is through myID, in the Australian government Digital ID app.

myID requires identity verification in the app, and isn't limited to a particular mobile number or device, so it can be used out of coverage and while customers are overseas.

ATO said myID provides even better security than multifactor authentication, thanks to in-app identity verification.

Copyright © iTnews.com.au . All rights reserved.