Fri Aug 2

It’s tax time and scammers are targeting your myGov account. Here’s how to stay safe

Written by Cassandra Cross, Associate Dean (Learning & Teaching) Faculty of Creative Industries, Education and Social Justice, Queensland University of Technology

For many, tax time is an exciting part of the year – there’s the potential for a refund. However, it’s also an attractive time for fraudsters looking for ways to get money and deceive unsuspecting victims.

Each year Australians lose large amounts of money to scams. In 2023, Australians reported losses of more than A$2.7 billion ^[1]. While this is a slight reduction from the $3.1 billion in 2022, there are still millions of victims who’ve suffered at the hands of scammers.

Impersonation scams are one common approach. Scamwatch reports that in 2023, 70% of reports to them ^[2] involved impersonation.

A large number of these were linked to the Australian Taxation Office (ATO) and myGov.

What is an impersonation scam?

Impersonation scams are what they sound like: when an offender pretends to be someone or something they are not. Offenders may pretend to be family members or friends in our contact lists.

In many cases, they will say they’re from an organisation such as a bank or a well-known retailer, or a government department – like the ATO.

Offenders take on the identity of a known and trusted organisation to increase the chances of success. While we may ignore communications from unknown entities and strangers, we’re more likely to engage with what’s familiar.

Additionally, the ATO has a powerful status as a government agency, and we are unlikely to ignore its messages – especially at tax time.

What are they trying to get out of my myGov account?

myGov is the gateway to a range of government services, including Medicare, Centrelink, My Health Record, the National Disability Insurance Scheme, and of course, the ATO.

Being able to log in to myGov gives offenders access to a wide range of your personal details. This can help them build a fuller profile of you to potentially commit identity theft (such as opening new accounts in your name).

There’s also the potential for direct fraud. With access to myGov, offenders can change your bank account details and redirect any refunds into their accounts, whether from the ATO or other linked services.

They can even submit false tax returns, medical claims or other forms to obtain fraudulent funds. As the legitimate owner of the account, you may not immediately notice this.

A phone screen showing an email from myGov.

There have been recent reports of people’s myGov accounts receiving repeated login attempts. The Conversation

What does a myGov scam look like?

In most instances, a myGov scam will look like one of the many phishing attempts we all receive on a daily basis. While each approach can be worded differently, their desired outcome is the same: to acquire your personal information.

Fraudsters are sending text messages and emails pretending to be from the ATO, advising you there’s a refund available if you click the provided link.

Another approach is to flag a “problem” with your tax return or bank account, and direct you to take immediate action via a link. Creating a sense of urgency can trick users into acting in the moment, without thinking through the request.

The text or email may also be very neutral, simply stating there’s a new message waiting – with a link to where you can read it.

Regardless of what the message says, the goal is to direct you to a website that looks genuine, but is fake. If you enter your myGov details into such a fake site, the offender can capture your login details and use them to log into your actual myGov account.

What to do if you’ve been a victim?

If you have clicked on a scam link and provided your personal details, there are steps you can take.

Change your password and review your account settings if you still have access to your myGov account.

Check your bank accounts, to see what, if anything, has been lost. Contact your bank or financial institution immediately if you notice any withdrawals or suspicious transactions.

Contact any other organisation linked to your myGov account to see if any unauthorised actions have been taken.

For anyone who has lost personal information and experienced identity crime, IDCARE is the national support centre ^[3] for identity crime victims. They will be able to assist with a personalised response plan to your specific situation.

How do I keep my account safe?

Never click on links in text messages or emails that direct you to log in to your accounts. Always access your accounts independently, through details you have found independently of any text or email.

Review your security settings. There have been recent reports of people’s myGov accounts being targeted with repeated login attempts ^[4]. Using your unique eight-digit myGov username for logging in can be safer than using your email address ^[5].

Enable multi-factor authentication ^[6] where possible. myGov uses two-factor authentication in the form of a text message in addition to an online login. While this is not foolproof, it offers an additional layer of protection and can stop offenders accessing your account with only partial pieces of your information.

Be vigilant on all communications. Always keep in mind that all may not be what it seems and the person you are communicating with may not be who they say they are. It is okay to be sceptical and do your own checks to verify details of what is presented to you.

Remember, fraudsters thrive on the silence and shame of those who respond or fall victim to their scams. We need to communicate openly about these schemes and talk to family and friends, to increase everyone’s knowledge and awareness.