    SiteKiln — Your rights on site. In plain English.

    SiteKiln gives you plain-English information, not legal advice. If you need advice specific to your situation, talk to a qualified professional.

    Invoice Fraud & Tax Scams

    5 min read · Reviewed June 2026
    By Scott Jones · First published 6 June 2026
    Tax & ATO
    Australia-wide

    Construction is a prime target for two money-stealing scams — fake "we have changed our bank details" invoice redirection, and ATO impersonation. Both rely on you trusting an email or a phone call. Here is the scale, how to tell a real ATO contact from a fake, the controls that actually stop it, and what to do in the first hour if you have been hit. This is general guidance — for a serious incident, get professional IT and legal help.

    The two scams that target tradies

    Payment-redirection (invoice) fraud is now one of Australia's biggest scam categories by losses. Criminals hijack or spoof an email thread and change the bank details on a progress claim or final invoice, so your payment lands in their account. The ACCC's Scamwatch reported payment-redirection losses of roughly $152.6 million in 2024 (up from about $91.6 million in 2023) — and the ACSC and AFP single out construction as a focus sector: large payments, fragmented subcontracting chains and heavy email reliance. In one 2025 AFP case, a NSW construction company sent fraudulent invoices totalling about $41,800 after criminals spoofed a trusted supplier's email. (Figures are as reported and move year to year — treat them as scale, not gospel, and check Scamwatch for current data.)

    ATO impersonation scams spike at tax time — around 7,500 reports in July 2025 alone. They come as fake calls (threats of arrest, "your ABN will be cancelled", demands to pay by transfer, card, gift cards or crypto) and phishing SMS or emails with myGov/ATO branding linking to a fake login that harvests your TFN and credentials.

    Telling a real ATO contact from a fake

    The ATO will NOT:

    • ask for your myGov sign-in details, one-time codes or full card details by email, SMS or social media;
    • send you a link in an email or SMS to a myGov or ATO login;
    • threaten immediate arrest, police or deportation.

    The genuine article uses .gov.au domains (anything like "ato-gov.com" or "mygovau.net" is fake), and important messages land in your myGov inbox with a separate notification (no login links). To verify: do not click or reply — log into myGov by typing the address yourself, or call the ATO scam line on 1800 008 540. Forward suspicious emails to ReportScams@ato.gov.au, then delete them.

    Controls that actually stop invoice fraud

    • Verify every bank-detail change out of band. Treat any request to change account details — from a supplier, subbie or client — as high risk. Before you pay, call a known number (from your records or the contract, never the one on the email or invoice) and read back the BSB and account. For a large payment, send a $1 test and confirm it landed.
    • Put a warning on your own invoices: "Our bank details will never change by email or SMS — call us on [landline] before paying." This protects your clients from being scammed in your name.
    • Dual approval for higher-value payments: one person sets up the payee, another checks it against the original contract and the bank details on file. Use Confirmation of Payee / NameCheck where your bank offers it.
    • Lock down email and identities: MFA on all company email and cloud tools (Xero/MYOB, project management, file-sharing); strong unique passphrases; external-sender banners.
    • Email authentication (SPF, DKIM, DMARC): publish SPF, enable DKIM and enforce DMARC (move from monitoring to quarantine/reject). It will not stop your staff being tricked, but it stops criminals impersonating you to your clients — huge in construction chains.
    • Essential Eight basics against ransomware: patch promptly, run reputable endpoint protection, block internet macros, and keep tested offline backups.
    • A 10–15 minute toolbox talk each quarter: dodgy bank-detail changes, what a suspicious login page looks like, and the rule that no one gets in trouble for pausing a payment to double-check.
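The "monitoring to quarantine/reject" step in the email authentication control above can be checked mechanically. The following is an added example, not part of the original guide: it grades SPF and DMARC TXT records, and every record in it is a constructed sample for the placeholder domain example.com.au.

```python
def parse_tags(txt):
    """Split a DMARC TXT record into a {tag: value} dict (tag names lower-cased)."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def dmarc_posture(txt):
    """Return 'missing', 'monitoring', 'partial' or 'enforced'."""
    tags = parse_tags(txt or "")
    if tags.get("v") != "DMARC1" or "p" not in tags:
        return "missing"
    policy = tags["p"].lower()
    if policy not in ("quarantine", "reject"):
        return "monitoring"   # p=none: receivers are asked to take no action on failing mail
    pct = tags.get("pct", "100")
    if not pct.isdigit() or int(pct) < 100:
        return "partial"      # policy applies to only a share of failing mail
    if tags.get("sp", policy).lower() == "none":
        return "partial"      # subdomains are left at monitoring
    return "enforced"

SPF_ALL = {"-all": "hardfail", "~all": "softfail", "?all": "neutral",
           "+all": "allow-any", "all": "allow-any"}

def spf_posture(txt):
    """Classify an SPF record by its 'all' mechanism."""
    terms = (txt or "").lower().split()
    if not terms or terms[0] != "v=spf1":
        return "missing"
    for term in terms[1:]:
        if term in SPF_ALL:
            return SPF_ALL[term]
    return "no-all"

# Constructed (SPF, DMARC) record pairs for the placeholder domain example.com.au.
SAMPLES = [
    ("v=spf1 include:_spf.example.net ~all", "v=DMARC1; p=none; rua=mailto:dmarc@example.com.au"),
    ("v=spf1 include:_spf.example.net -all", "v=DMARC1; p=quarantine; pct=25"),
    ("v=spf1 include:_spf.example.net -all", "v=DMARC1; p=reject; sp=none"),
    ("v=spf1 include:_spf.example.net -all", "v=DMARC1; p=reject; rua=mailto:dmarc@example.com.au"),
    ("", ""),
]

def audit(samples=SAMPLES):
    """Return one (spf_posture, dmarc_posture) tuple per record pair."""
    return [(spf_posture(spf), dmarc_posture(dmarc)) for spf, dmarc in samples]

if __name__ == "__main__":
    for row in audit():
        print(row)
```

Only the fourth pair reaches "enforced"; the first is the monitoring stage the guide says to move on from.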

    If you have been hit — the first hour matters

    1. Call your bank's fraud line immediately and ask for a recall or freeze plus a fraud report to the receiving bank. Banks use the Fraud Reporting Exchange to flag suspect accounts — fast reporting is your best chance to freeze funds before they are moved on through mule accounts.
    2. Secure your systems — assume email is compromised: change email and banking passwords, confirm MFA, run scans.
    3. Report it to ReportCyber (police), Scamwatch (ACCC), and your local police for a formal report your insurer will want.
    4. If tax or identity is exposed — call the ATO on 1800 008 540 (TFN or ATO info), and contact IDCARE (free identity support) if licences or IDs were uploaded to a fake portal.

    Recovery is uncertain — most funds are recovered only when the bank is contacted within hours, and there is no automatic reimbursement regime. So the priority is limiting damage, tightening controls, and gathering evidence.

    Other threats to watch

    Ransomware on your project files; theft of licence and insurance credentials to impersonate your business in fake tenders; fake RFQs that harvest your company info; and look-alike domains (mybuilder-pty.com vs mybuilder.com.au) used to inject bogus invoices into long email chains. Verify new subbies against the regulator's register, not an emailed PDF, and remove ex-staff and ex-subbie system access promptly.
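The .gov.au rule in the ATO section and the look-alike domains above both come down to comparing the real host against a trusted domain on label boundaries. The following is an added example, not part of the original guide: the brand-word heuristic and the "mybuilder" firm setup are assumptions for illustration, and all URLs are constructed apart from the look-alike names quoted on the page.

```python
import re
from urllib.parse import urlsplit

def host_of(url):
    """Return the host a client would connect to (lower-case), or '' if unparseable."""
    if "://" not in url:
        url = "//" + url  # let urlsplit treat a bare "host/path" as a network location
    try:
        host = urlsplit(url).hostname or ""
    except ValueError:
        return ""
    return host.rstrip(".").lower()

def under(host, domain):
    """True only if host is the domain itself or a subdomain of it."""
    return host == domain or host.endswith("." + domain)

def classify(url, trusted, brands):
    """Return 'trusted', 'lookalike', 'untrusted' or 'unparseable'."""
    host = host_of(url)
    if not host:
        return "unparseable"
    if any(under(host, d) for d in trusted):
        return "trusted"
    # Trusted name present but not as the registrable suffix (my.gov.au.<other domain>)
    if any(f".{d}." in f".{host}." for d in trusted):
        return "lookalike"
    # Heuristic: a brand word starts a label or a hyphen-separated part of the host
    parts = re.split(r"[.-]", host)
    if any(p.startswith(b) for p in parts for b in brands):
        return "lookalike"
    return "untrusted"

# Assumed configurations: the ATO rule from the page, and a hypothetical firm's own domain.
ATO = dict(trusted=("gov.au",), brands=("ato", "mygov"))
BUILDER = dict(trusted=("mybuilder.com.au",), brands=("mybuilder",))

if __name__ == "__main__":
    for url in ("https://my.gov.au/", "http://ato-gov.com/login", "https://mygovau.net",
                "https://my.gov.au.login.example/", "https://tomato.example/"):
        print(f"{classify(url, **ATO):10} {url}")
    for url in ("https://mybuilder.com.au/pay", "mybuilder-pty.com"):
        print(f"{classify(url, **BUILDER):10} {url}")
```

A "trusted" result only says the host sits under the expected domain; it does not replace the phone call to a known number.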

    Common mistakes

    • Acting on a bank-detail change from an email without phoning to verify.
    • Clicking a "myGov" or "ATO" link instead of typing the address.
    • No MFA on email or accounting software.
    • Waiting to report — every hour cuts the chance of recovery.

    Spotted something wrong or out of date? Email us at hello@kilnguides.co.uk.

    In crisis? Lifeline 13 11 14

    Important disclaimer

    SiteKiln provides general guidance only. Nothing on this site — including our guides, tools, templates and document hub — is legal, tax, financial or professional advice.

    Every situation is different. Laws, regulations and industry standards change. You should always check with a qualified professional before making decisions based on what you read here.

    We do our best to keep information accurate and up to date, but we cannot guarantee it is complete, correct or current. SiteKiln accepts no liability for actions taken based on the content of this site.