Think you won’t get caught by a myGov Scam?

Sunday 5th May 2024

Written by Scott Brooks

Most of us think that we’re smart enough not to fall prey to online scams. However, due to the sophisticated techniques used by today’s cyber criminals, the reality is that it can be all too easy to be duped.

Despite government warnings, by November 2023 over 4,500 myGov scams had been confirmed since the beginning of the year, with thousands of accounts suspended each month due to suspected fraud.

We’ve actually experienced it first-hand here at Maxim, with two of our clients unknowingly falling victim to a Services Australia myGov scam. 

Scam kits stealing personal data

These myGov phishing scams are the result of criminals using so-called ‘scam in a box’ kits purchased on the dark web. 

These kits create fake myGov websites and comms, such as texts and emails, asking people to click on links to the fake website and provide personal information. The information is then used to hack accounts and change your financial data to make fraudulent claims. 

Once they steal your passwords, they can then use them to hack other accounts, as it's common for people to reuse the same password across multiple accounts.

Maxim clients experienced myGov scam

So, how did the myGov accounts of two of our clients get hacked?

Client X had their 2021, 2022 and 2023 tax returns amended via myGov, with the hacker removing a capital gain in the 2021 year and adding an allowance and excessive PAYG withholding credits to receive a $14,200 ATO direct refund for that year.

There are no bank details on the tax agent portal profile, so we’re assuming the hacker recorded bank account details and then deleted them after receiving the refunds. 

Client Y was hacked when scammers lodged their 2023 tax return and claimed an interest deduction of $60k, resulting in a $19k tax refund. 

Both clients have no idea how it happened, only realising upon seeing statements of account from the ATO, which is the worrying thing. 

Client X did receive several myGov messages in early April but ignored them. These messages were likely related to the amended tax returns in progress and/or the notices of assessment being available.

Upon realising the scam, we called the Australian Taxation Office (ATO), and they locked down the client’s account, preventing any access to their myGov account, even by the client. Now, neither we nor the client can lodge any returns without calling the ATO and quoting a unique reference number to temporarily unlock the profile. This action is permanent.

What to do to stop it happening to you

These examples are a very real lesson for us all. But there are a number of things you can do to spot a myGov scam and protect yourself.

Stop and ask, ‘Is this real?’

Firstly, anytime you’re contacted by myGov, for example, to update your details, claim a refund or stop your account from being suspended, stop, think and check. Ask yourself, ‘Is this for real?’

myGov will never ask you via email, text or direct message on social media to do any of the following:

  • Click on a link to sign in to myGov
  • Enter your bank details 
  • Provide identity documents
  • Provide personal details, for example:
      - Username
      - Password
      - myGov PIN
      - Secret questions and answers
      - Centrelink Reference Number (CRN) or Tax File Number

They also don’t offer live chat on social media. Learn more in this myGov video.

Be aware of legitimate myGov messages

If you are being scammed, you likely won’t know about it. Because of this, be aware of any legitimate communications from myGov, which may alert you to the fact you’re being targeted—don’t ignore them. You can then alert the ATO. 

Always check these messages by going directly to your myGov account or app and opening your myGov inbox securely. Never click on any links or provide the above information anywhere else.

Proactively protect your data

Take steps to protect your online data. This means ensuring you use complex passwords and that you change your passwords regularly. 

A complex password typically:

  • Includes 12-16 characters
  • Uses a mix of characters, e.g. upper and lower case, numbers and special characters such as !, @, #, $, %
  • Avoids using personal information such as your date of birth or children's names

Regularly changing your password makes it less likely that a stolen password will remain valid for long.

Stay vigilant and alert the ATO

We hope this is a helpful reminder and that you take note of these tips. If you’re concerned about the legitimacy of any myGov correspondence or think you’ve fallen victim to a phishing scam, contact the ATO immediately. If you’re one of our clients, you can also contact us via our website or directly on (02) 4925 1000, and we can deal with it for you.