a zigzaggy background with a colourful hand holding a phone with an IRD speech bubble and an orange arm putting down a phone with a suspicious speech bubble
When someone purporting to be IRD calls, would you pick up the phone?

SocietyMarch 3, 2025

IRD is learning the hard way what scams have done to trust

a zigzaggy background with a colourful hand holding a phone with an IRD speech bubble and an orange arm putting down a phone with a suspicious speech bubble
When someone purporting to be IRD calls, would you pick up the phone?

Inland Revenue has called thousands of New Zealanders in the past week in an effort to raise awareness about its new security system. Unfortunately, many people think it’s a scam. Shanti Mathias explains.

There’s a page on the IRD website that keeps an ongoing list of scams impersonating the government’s tax arm. Fake emails about tax policy; false IRD application websites; email scams saying there are new messages in the My IR system; emails about the cost of living payment. That’s just the list from 2024

Not included is recent concern over phone calls from IRD made to thousands of New Zealanders, informing them of an update to the online system that requires two-factor authentication (2FA), which links people’s IRD accounts to another form of contacting them in order to improve security. That’s because, of course, the calls are legitimate. 

“When I answered, they identified themselves as calling on behalf of the IRD – I was like, yeah right,” said Stephen, who received a call last week from a New Zealand number he didn’t recognise. After he raised his concerns, the person on the phone told him that if he was suspicious, the information could be sent to his MyIRD inbox, which showed that the message was legitimate. “Overall I thought it was a strange way to contact people as it looked and sounded like a scam. I don’t think it’s the most effective way to run the 2FA project, especially as it’s mandatory.”

hand above a phone showing a safety alert
Scams make it harder to trust each other (Photo: Getty Images)

Of the 34,000 calls IRD has made to clients informing them of the 2FA changes so far, four official complaints about the form of communication have been received by IRD. Other recipients have told staff of their concerns the calls were a scam. In a statement, IRD said that protecting customers was the reason for the change. “We are not asking people to click on a link to get to their accounts to make the necessary changes. We’re also not asking for credit card or bank account details and we won’t be asking people to pay anything,” said an IRD spokesperson in a comment. 

“Scams are transforming our capacity to trust the institutions we rely on,” said Ruairi O’Shea, an investigative writer at Consumer NZ. “The prevalence of scams has made it increasingly difficult for organisations to communicate with their customers and for consumers to confidently engage with legitimate communications.” Large-scale frauds enabled by the internet don’t just take people’s money; they also steal people’s trust

Given the reality of fraud, IRD’s two factor authentication system is good for clients: it will make it harder for people to have their IRD accounts taken over by those with ill intent. While the 2FA authentication is slowly being rolled out for everyone, you don’t have to wait for a call or message in MyIRD to install it – you can initiate it yourself

The main way that IRD or other legitimate institutions can assuage suspicious clients or customers is to get them to get in touch directly. For IRD this mostly looks like sending people messages through the IRD online message system; in the case of other institutions, you might have to call a bank directly, pay a toll road fee through the official government website or contact a courier company by email. 

The National Cyber Security Centre, a branch of the GCSB dedicated to protecting New Zealand’s cyber security, said that it often received messages about scams impersonating government departments on its incident reporting form. In fact, the cybersecurity centre itself has been targeted; its incident reporting page currently has a banner notifying users of a scam call coming from their hotline. “Sometimes these are legitimate calls but they get reported because the receiver wasn’t expecting them, or they did not recognise the number. We advise New Zealanders to err on the side of caution and verify that the caller is from the organisation they claim to be,” said NCSC threat and incident response team lead Tom Roberts.

The prevalence of scams means it is important for all organisations to follow best practice when contacting customers. Sending links in text messages, a frequent tactic used by scammers, is a big red flag, O’Shea said. “Instead, people should be encouraged to log in to their app or navigate directly to a website so they know and trust they’re in the right place.” 

While this advice is helpful for individuals and institutions, it can be difficult to follow. Scammers take their money, after all, by being effective impersonators of official communications. When you’re busy or distracted, doing detective work on a seemingly innocuous email or call isn’t high on the priority list. 

“Unfortunately, everyone needs to keep their wits about them and have a healthy level of suspicion to ensure they aren’t scammed,” O’Shea said. “If you are contacted by an organisation about something that sets off alarm bells, put the phone down and do some digging yourself.