Your Tax File Number (TFN) sits at the centre of your financial identity. When it’s protected, your tax, business and wealth plans can do their job; when it’s not, you’re dealing with cleanup instead of progress. Here’s how to keep things tight year‑round—especially at tax time, when scammers get bolder.

The scams you’ll encounter

Scams don’t follow the calendar, but they do spike around key deadlines. The common thread is pressure—urgent language designed to make you click or divulge details before you think.

• Messages pretending to be myGov/ATO, urging you to “verify” via a link
• Spoofed caller‑ID phone calls demanding TFN confirmation or payment
• “Helpful” third parties asking for TFN, DOB and bank details to “speed things up”

Rule of thumb: The ATO doesn’t ask for TFNs or passwords via email, text, or social media.

Everyday habits that make you hard to hack

Security works best when it’s boring and repeatable. Put these basics in place once, then keep them on autopilot—reviewing more closely around tax time and other lodgment peaks.

1. MFA everywhere: myGov, email, banking, cloud file storage.
2. Strong, unique passwords: use a password manager to keep them straight.
3. Go direct: open the official my.gov.au site/app—never tap links in messages.
4. Minimal sharing: provide your TFN only when legally required.
5. Keep details current: update your ATO/mobile/email/postal address promptly.
6. Check activity: Scan myGov and bank statements monthly for any unfamiliar transactions.

Extra controls for owners and practice managers

Businesses have more doors and keys—authorisations, staff changes, payment settings—so the controls need to be tighter. A few disciplined routines can significantly reduce most of the risk.

• RAM/myGovID hygiene: quarterly access audit; remove ex‑staff immediately.
• Lodgment safeguards: reconfirm bank details and mailing addresses before BAS, STP finalisation and returns.
• Payment discipline: dual authorisation for refunds and supplier changes; enable new‑payee alerts with your bank.
• People & process: phishing‑aware training, a “no‑link‑clicking” rule for ATO/myGov messages, and a simple incident playbook.

If you think your TFN is compromised

Speed matters. The goal is to stop further misuse, preserve evidence and restore control. Work through this sequence—then loop us in so we can coordinate the clean‑up across all your entities.

1. Call the ATO Client Identity Support Centre: 1800 467 033.
2. Report to Scamwatch and record reference numbers.
3. Lock down access: change passwords and enable MFA for everything.
4. Notify your bank and consider a temporary credit ban.
5. Collect evidence: screenshots, dates, phone numbers, emails.
6. Collect evidence: screenshots, dates, phone numbers, emails.

How DFK Everalls can help

If you’d like a hand, we can keep things simple: check who has access (ATO/RAM), ensure your ATO details and lodgments are correct, raise staff awareness, and have a short, practical plan in place for what to do if something seems off. We’ll also take a quick, holistic look across your structures—business, family, trusts, SMSF, and investments—and agree on a light-touch check-in rhythm, with a little extra attention around tax time.

Do you have a concern, or have you received a suspicious message? Please contact your DFK Everalls account manager (or our office) before clicking or replying. We’re here to review any discrepancies and coordinate next steps as needed.