It's tax season and scammers know it

Apr 10, 2024

CERT NZ and Inland Revenue urge New Zealanders to watch out for tax-related scams.

Aerial view of a woman lying down on a bed with devices and a cup of coffee

As the financial year has just ended, Inland Revenue (IRD) will be starting to get in contact with businesses and people about their end of year taxes.

Scammers use this to their advantage and target taxpayers to get their hands on your information, your myIR account, or your money. The most common way in which scammers target people is through phishing. 

Phishing is a form of online attack where scammers send an email or text message pretending to be a trusted institution, asking you to click on a link, open an attachment or call a phone number.

Think before you click

Phishing messages are designed to look authentic and can be hard to detect. CERT NZ and IRD recommend looking out for a few things that make it easy to tell the fake messages from the real ones. 

  • Where: If it’s an email, check that the part of the email after the @ is ‘’ 
    If it’s a text, check that it is from a 4-digit code. IRD will not send a message from a mobile phone or overseas number. 
  • What: If the message has a link in it, do not click it. IRD does not send links to your myIR account.
  • How: IRD will address you by name and won’t put refund amounts in emails or texts. 

You can find more information on the IRD’s website about the latest scams and tips on identifying phishing messages.

Latest scams (

Protect yourself from phishing

  • Turning on two-step verification, also called two-factor authentication (2FA), for your important accounts is extremely effective against phishing attacks. This is where you enter a code as well as your password to access an account. 

IRD now offers two-step verification on myIR accounts. You can choose between codes sent to your registered email address or to an authenticator app on your phone. 

Set up and manage two-step verification (

  • Some phishing scams may attempt to phish your 2FA code, too. Check that the 2FA message matches what you are trying to do. For example, if you are trying to log in but the 2FA message is about a password reset, it could be a phishing attack. 
  • Use long, strong and unique passwords for your myIR account and email. Long passwords or passphrases are harder for scammers to guess. And make sure you use different passwords for each account. That way even if they get one password, an attacker can't use it to get into your other accounts.

You can learn more about online attacks and how to guard against them on Own Your Online. 

Protect yourself against phishing emails  

Use two-factor authentication to protect your account

How to create good passwords