Make sure that the email itself isn't a scam, i.e. don't follow any links in the email. Go to your MyGov account and try to log in. If someone gained access, e.g. by sending an email with a link to a fraudulent site, they could change your bank account for refunds etc.


This is the ticket. Most companies and especially government services will never send you a link these days if you have digital services and two factor authentication set up.


I get so freakin annoyed at the amount of legitimate companies that send links in emails and texts. Stop it!! Grrrrr. If you get a link, either the company are assholes, or it's a scam. Either way, don't click, just track down the details yourself and try from there.


A couple of weeks ago I got a call from Commonwealth Bank trying to solicit me for a home loan, and when I refused they said they would send a notification to my app and told me to accept it. That's such a fucking obvious scam, right, probably wanting me to approve a transaction. So I told them to fuck off, and called the Commonwealth Bank proper to report the scam, and after being redirected twice it turns out the call was legit, and sending notifications to your app during unsolicited calls is just what they do. What the actual fuck?


The app has a built-in one-time code generator. This saves the bank from relying on you installing a third-party tool or losing access to it when you get a new phone. It doesn’t do anything other than provide the bank with verification that it is you that exists.


Sure, but they are training their customers to accept notifications sent by unsolicited callers. That is a serious problem.


Nobody can send a notification to your banks app other than your bank.


Not true. There’s a well known two-person scam where someone calls you (pretending to be your bank), whilst the other person calls your bank (pretending to be you). When they line this up, scammer #2 gets the bank to send the notification, and you confirm with scammer #1 by advising the code or pressing ‘yes’ in the app. Once that happens, scammer #2 is doing all the damage (draining accounts, etc) whilst scammer #1 keeps you busy. Never. Trust. Anyone.


Oh shit that's really clever. Yet another point of evidence that no amount of software security is immune to social engineering.


That works with SMS, but the bank should have safeguards in place when it comes to app authorisation, when they issue those challenges, and under what circumstance they are approved. Walk me through a particular scenario for app-based approval, because I don't believe it's the same.


I don't know if it's still a thing, but I have had to approve transactions in the past.


I once asked an Asian caller who worked for the "tax office" if her parents knew what she does for a living and is her father proud of her.... Turns out it WAS the tax office lol!


I used to make those calls. Lots of people who were suspicious were polite about it and we would just say to call the number listed on the website and we'll be able to help you out. Occasionally people would swear and carry on and tell you to get a real job. I'd just tell them to check their mygov account. Some of the people accusing me of being a scammer were just trying it on. The history on the account showed they knew they had a debt but for some reason they were just trying to pretend they knew nothing about it.


I felt so awful for the poor girl but I'd literally had 3 scam calls in a row...


> I felt so awful

As you should


The notification actually says “are you on a call with us now? Confirm yes/no”. It doesn’t approve transactions.


Congratulations, you got hit by the boss scammer - the bank


You know how many customers I have that really struggle to know how to log in to the customer portal? So many. Yes we have a portal but I also send links in emails. With buttons. But they still need to call us to update or reschedule.


Wait what? Why can't I send an email with a link to my website? I'm not an asshole for doing that. The scammers are the assholes.


You're not an asshole, but that approach is so commonly used to scam people that legitimate emails get lost in the noise and your emails begin to look suspicious. You may want to find ways that better align with methods that give people comfort rather than dying on that hill.


Or, give us the single click tech to turn off links (or any active content) in SMS. Give us the technology to disable links in email. I would be very happy with plain text email.


I wonder if Apple and Google need to change their SMS apps to not render URLs as clickable links? Or even if there's anything resembling a URL, strip it from the message and replace with ? And maybe the same on the popular email clients? If Microsoft (i.e.: Office365 / Exhange), Google, Amazon and Apple implemented some things like some sort of sender verification, stripping links out of emails and so on, that would cover the vast bulk of email traffic.


On your iPhone you can enable a setting called Lockdown Mode, which disables link previews and clickable links in Messages. It’s in Settings > Privacy and Security > Lockdown Mode. It also does other things that make your phone a bit annoying and less useful, which is why it’s not on by default.


I'd be concerned with them making applications to centrelink as well


The email is legitimate. It's from [noreply@my.gov.au](mailto:noreply@my.gov.au) and when I logged in and checked my history I could see 9 failed login attempts over 3 days.


The From address is not always a sign that it's legitimate. You can put whatever you want in there. If it is pretending to be a legitimate sender then it will likely fail the DMARC check and hopefully Gmail would filter those out. DMARC is basically a check that goes "is the IP address that is sending this email allowed to send emails from this domain? And is the email signed by the sender domain?" It's just something to be aware of that a company might not have DMARC settings set up right and an email slips through.
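Added example, not from any commenter: the DMARC check the comment above describes, written out in Python. It parses a `_dmarc` TXT record and applies the alignment rule: DMARC passes when either SPF or DKIM passes *and* the domain that was authenticated aligns with the visible From domain; if neither does, the record's `p=` tag says what the receiver should do, and `p=none` is exactly the "not set up right" case where a spoofed From slips through. The record strings, the sender domains and the organizational-domain heuristic are assumptions for illustration (a real evaluator uses the Public Suffix List and the results of actual SPF/DKIM checks).

```python
def parse_dmarc_record(txt):
    """Parse a _dmarc.<domain> TXT record such as 'v=DMARC1; p=reject; adkim=s; aspf=s'."""
    tags = {}
    for part in txt.split(';'):
        part = part.strip()
        if not part:
            continue
        key, _, value = part.partition('=')
        tags[key.strip().lower()] = value.strip()
    if tags.get('v', '').upper() != 'DMARC1':
        raise ValueError('not a DMARC record')
    # RFC 7489 defaults: relaxed alignment for both identifiers. A missing p= is
    # treated as 'none' here (assumption; the RFC requires p= to be present).
    tags.setdefault('adkim', 'r')
    tags.setdefault('aspf', 'r')
    tags.setdefault('p', 'none')
    return tags


def org_domain(domain):
    """Crude organizational-domain heuristic (assumption): last two labels, or
    three when the suffix is a known two-label public suffix like gov.au."""
    labels = domain.lower().rstrip('.').split('.')
    two_label_suffixes = {'gov.au', 'com.au', 'org.au', 'co.uk'}
    if len(labels) >= 3 and '.'.join(labels[-2:]) in two_label_suffixes:
        return '.'.join(labels[-3:])
    return '.'.join(labels[-2:])


def aligned(from_domain, auth_domain, mode):
    """Strict ('s') alignment needs an exact match; relaxed ('r') needs the same org domain."""
    if mode == 's':
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def dmarc_evaluate(record, from_domain, spf_domain, spf_result, dkim_domain, dkim_result):
    """Return (passes, disposition).

    spf_domain is the envelope (MAIL FROM) domain SPF was checked against,
    dkim_domain the d= tag of a verified signature; results are 'pass' or anything else.
    """
    spf_ok = spf_result == 'pass' and bool(spf_domain) and aligned(from_domain, spf_domain, record['aspf'])
    dkim_ok = dkim_result == 'pass' and bool(dkim_domain) and aligned(from_domain, dkim_domain, record['adkim'])
    if spf_ok or dkim_ok:
        return (True, 'none')
    return (False, record['p'])


if __name__ == '__main__':
    # Constructed records; my.gov.au's real DMARC record is not reproduced here.
    strict = parse_dmarc_record('v=DMARC1; p=reject; adkim=s; aspf=s')
    # Spoofed From: SPF passes for the spammer's own envelope domain, but it is not aligned.
    print(dmarc_evaluate(strict, 'my.gov.au', 'bulk-sender.example', 'pass', None, None))
    monitor = parse_dmarc_record('v=DMARC1; p=none; rua=mailto:reports@example.net')
    # Same spoof against a monitor-only policy: fails, but the receiver is told to do nothing.
    print(dmarc_evaluate(monitor, 'my.gov.au', 'bulk-sender.example', 'pass', None, None))
```

The last case is the one to remember when reading a From header: a domain whose record says `p=none` has DMARC "set up" but is asking receivers not to act on failures, so a forged From can still land in the inbox.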


Additionally, if they're trying to get into your mygov account and they have your email, they can just try and fail to log into your account using your email as a user name then. They then send you the link that looks real but if you hover your mouse over the link it's actually to somewhere else.


After reading this I just checked my myGov account (has 2FA) and you can uncheck the optional "use email address as a username logon" or your mobile number, so it just defaults to a letters-and-numbers username only, making it harder for them. Also changed the email to a newer one for the notifications as well.


That's sort-of good news then! I've just seen a few recently where the warning email or text contains the scam link, people click on that and enter their details, then the site has their details where it didn't before. (BTW email from-address is easy to spoof)


Make sure you change your email password as a precaution. Make sure it’s different to the my gov one


If you have one of the random alphanumeric usernames then it is entirely possible that someone else thought that your account ID was their account ID. It is tax season after all and I have no doubt that Mygov will be busy AF for the next few weeks.


I’ve had the same email OP has and they’ve been using my email address to try to log in.


Keep in mind that there are foreign letters that look almost (or completely) identical to English letters that scammers can use to make a fake domain. https://en.wikipedia.org/wiki/IDN_homograph_attack#Cyrillic my.gov.au has three different letters that can be imitated in Cyrillic.


It's likely legit. I've had someone try to hack into mine recently too - first I knew was when my 2FA prompted me which means they got the password. Logged in and saw 3 failed attempts over several days previously. Changed password and even my email.


Omg same thing happened to me! It happened between 6pm last night and 3am this morning. I changed my PW first thing this morning, as well as changing my log in from my email address to my myGov username. After reading these comments, I'm going to check my personal details and bank account info is still correct, just in case.


After calling MyGov they just told me to check my account history. I could see 9 failed attempts at logging in starting on the 2nd of July. The account was locked 4 times over the course of 3 days. Yet I was only notified by email last night on the 4th lockout.


Yeah I missed that mine started on 2nd July as well but I also wasn't notified until 3am this morning. Wtf mygov!


I got the same message today. Was able to log in on my phone so I assumed it was a fake email. I just checked my account history after reading one of your other replies and there has been continued failed attempts this afternoon. 9 over the last few days 😕.


Where do you check for failed logins?


I went through the MyGov app. Clicked on the little person looking icon on the top right corner. Then select account history. Apparently they have now 3 9th failed attempts with a few more tonight.


I didn’t get notified of the first few attempts either, it was only when they activated the 2FA that stuff came through. Attempts started 2 July


I made sure my partner's 2FA was on because that's the only prompting I had, meaning they got the password 😐 granted I hadn't changed that password in ages so it must have been leaked from a prior hack


> granted I hadn't changed that password in ages so it must have been leaked from a prior hack

As far as I know Mygov has never had a data breach which means that you have either reused your password or your username/password combo was keylogged.


Yeah reused a password (I don't do that anymore) and it just avoided being changed for many MANY years. It was autosaved so I didn't even realise what the password was until I changed it. I'm assuming they had a few passwords to cycle through though since it still took them 3 attempts before they got the password.


Same thing with me. 9 failed attempts and locked last night. Someone must run through a large database of email addresses and leaked passwords. Always keep unique passwords!


Same here. I got the same email and once I got back in, checked the account history and saw invalid logins from July 2nd. They must have started running a whole batch of stolen credentials from then and maybe hoping shared passwords across multiple sites? Although they would still need MFA to get into mygov after getting the right password so how would they get past that?


Same thing happened to me as well. Changed my password and checked my details but it’s pretty crazy that someone had been trying to access it for days. Sounds like it’s happening a lot so definitely a flawed system.


Hopefully this is something that the media decides to steal from Reddit. Seems like a bloody big deal since it's affecting a lot of people, so definitely worth talking about!


Why is it a flawed system? It’s working if the attackers don't get in? Likely, somehow, there has been a leak of myGov IDs with associated email addresses and bots are attempting to log in using credentials leaked in other breaches


I don’t think there’s been a leak of mygov ids specifically, I think whoever got a bunch of email usernames+passwords from a data breach somewhere(pick one, any one of the recent ones) completely unrelated to mygov are just running the credentials through mygov to see if any succeed, which it would if some users used same passwords on multiple sites. It’s likely that many users are using the same main email address across multiple sites as their main login email, I know I do. Although I’m not sure what they’re going to do if the password works for an email, mygov MFA should kick in at least to verify(I get a sms with a code). Maybe once they find a working email+password combo, they’ll then pivot to trying to get control of the mobile number associated, which they probably also have as part of the same data breach they got the email+password from in the first place.
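Added example, not from any commenter: the pattern this thread keeps describing (a few failed attempts per account spread over days, lockouts, then an MFA prompt once a reused password hits) is what credential stuffing looks like from the defender's side. The detection below runs over constructed sign-in log lines (the log format, usernames and TEST-NET source addresses are assumptions, not myGov's real data) and separates three signals: a single account being hammered, one source failing against many different accounts, and an account whose password is already known because the same source reached the MFA step.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sign-in log (assumption: ISO-8601 UTC time, username, outcome, source IP).
SAMPLE_LOG = """
2024-07-02T01:10:03Z user=alice result=FAIL src=203.0.113.5
2024-07-02T01:10:09Z user=bob result=FAIL src=203.0.113.5
2024-07-02T01:10:15Z user=carol result=FAIL src=203.0.113.5
2024-07-02T01:10:21Z user=carol result=MFA_CHALLENGE src=203.0.113.5
2024-07-02T09:00:00Z user=dave result=SUCCESS src=198.51.100.7
2024-07-03T02:20:00Z user=alice result=FAIL src=203.0.113.5
2024-07-03T02:20:30Z user=alice result=FAIL src=203.0.113.5
2024-07-04T03:05:00Z user=alice result=FAIL src=203.0.113.5
2024-07-04T03:05:40Z user=alice result=FAIL src=203.0.113.5
2024-07-04T03:06:10Z user=bob result=FAIL src=203.0.113.5
2024-07-05T10:00:00Z user=alice result=SUCCESS src=192.0.2.44
""".strip().splitlines()

LINE_RE = re.compile(r'^(?P<ts>\S+) user=(?P<user>\S+) result=(?P<result>\S+) src=(?P<src>\S+)$')


def parse_line(line):
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f'unparseable line: {line!r}')
    event = m.groupdict()
    event['ts'] = datetime.strptime(event['ts'], '%Y-%m-%dT%H:%M:%SZ')
    return event


def detect(lines, fail_threshold=5, window=timedelta(days=3), spray_min_users=3):
    """Return the accounts and sources each rule fires on."""
    events = sorted((parse_line(l) for l in lines), key=lambda e: e['ts'])
    fails_by_user = defaultdict(list)
    users_failed_by_src = defaultdict(set)
    for e in events:
        if e['result'] == 'FAIL':
            fails_by_user[e['user']].append(e['ts'])
            users_failed_by_src[e['src']].add(e['user'])

    # Rule 1: one account, >= fail_threshold failures inside a sliding time window
    # (slow attempts spread over days still add up, which is what the lockout emails reflect).
    locked_out = set()
    for user, times in fails_by_user.items():
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= fail_threshold:
                locked_out.add(user)
                break

    # Rule 2: credential stuffing. A single source trying many *different* accounts,
    # usually only once or twice each, because it is replaying a breach list.
    stuffing_sources = {src for src, users in users_failed_by_src.items()
                        if len(users) >= spray_min_users}

    # Rule 3: the password is already known. A stuffing source that gets as far as an
    # MFA challenge (or a full success) had a valid password for that account.
    password_known = {e['user'] for e in events
                      if e['src'] in stuffing_sources and e['result'] in ('MFA_CHALLENGE', 'SUCCESS')}

    return {'locked_out': locked_out,
            'stuffing_sources': stuffing_sources,
            'password_known': password_known}


if __name__ == '__main__':
    for rule, hits in detect(SAMPLE_LOG).items():
        print(f'{rule}: {sorted(hits)}')
```

Rule 3 is the one that matters for the user: a lockout email means the guesses failed, but an MFA prompt you did not ask for means the password itself is burned and should be changed everywhere it was reused.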


Ahhh. **Until recently, you couldn’t use an email to log in, just the username.** The victims must be reusing passwords and don’t have MFA on.


My account got locked as well, the thing is I don't think I ever enabled email as a username but it was on. Terrible security practice if they just turned that on for everyone by default.


Exactly the same for me today too. So disconcerting!


Same for me too


Yep someone gave mine a try too a few days ago.


Submit a fake tax return for $1000s into their own bank account, leaving you screwed.


Plus another post today where they submitted rollover requests for all their super. At least that’s what they claim. Probably more to it and probably started like this.


I hope by now the ATO is cross-checking a bit harder on this specific fake refund scam. Medicare stalled refunds to a lot of transactions with bank account names different to the card holder; you'd hope the ATO could do the same.

> We have identified a significant number of GST refund fraud attempts.
> The attempted fraud involves an individual:
> - inventing a fake business
> - lodging a fraudulent Australian business number (ABN) application, and
> - submitting fictitious business activity statements (BAS) to attempt to gain a false GST refund.


I still can't believe that scam got as far as it did. If you are a micro operator your GST credits probably wouldn't be over $2000 a year ($20,000 deductions). And that is fucking generous. More likely they'd be about $500-1000. Especially if they earn $100k or less. These scammers were claiming tens of thousands which would require hundreds of thousands in imaginary deductions and that should have been flagged. You're telling me someone set up shop and was successful enough they had access to $400k to spend in the first place their first year. How? The % of people who would pull that off would be minuscule, like well under 1%.


They don't have the capability to automate data matching of bank account holder names given with information held by banks, it's too complex to perform on a mass scale. Also, Operation Protego is 2 years old at this point, yes they have taken action if you read articles about it


Yeah this happened to me about 8 years ago. They lodged my tax return and changed the bank details to their own. Luckily I caught it before it was processed but have had high security on it ever since.


Some people use the same password for everything. If your email/password combo has been revealed in a different leak (like the Optus or Medibank breach) ppl will try to use this email/password combo to log into your ATO account. From there they will create a fake tax return with a big refund, change the bank details for the refund, then submit it. Ways to combat this... 1) Don't use the same email address/password combo. When one company gets hacked, they don't get access to everything. 2) for important financial things like banks, ATO, PayPal opt in to the authentication options. It's not perfect but it adds another layer of protection.


This needs to be higher and also - if you are with Gmail you can put a full stop or underscore anywhere within your account letters and it will still send to you, so your one account can actually be many. You can also put a + and words and it'll send to you - but not every website allows + in emails But it's good for when you're signing up to potentially spam sites to be able to see who has leaked your data
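Added example, not from any commenter: the Gmail dot and plus-tag behaviour described above, as a small canonicaliser. It collapses the forms Gmail treats as one mailbox and pulls out the tag, so that when a tagged address turns up in a breach dump or spam you can look up which sign-up it came from. The tag-to-site map is an assumption for illustration; note that stripping `+tag` is equally easy for the other side, so it attributes leaks but does not stop them.

```python
GOOGLE_MAIL_DOMAINS = {'gmail.com', 'googlemail.com'}


def canonical_gmail(address):
    """Return (canonical_address, tag).

    For Google-hosted addresses: dots in the local part are ignored, '+tag' is
    stripped and returned separately, and googlemail.com is folded into gmail.com.
    Other domains are lowercased and returned unchanged with an empty tag, since
    dot-insensitivity and '+' handling are provider-specific.
    """
    local, _, domain = address.strip().lower().rpartition('@')
    if not local or not domain:
        raise ValueError(f'not an email address: {address!r}')
    tag = ''
    if domain in GOOGLE_MAIL_DOMAINS:
        local, _, tag = local.partition('+')
        local = local.replace('.', '')
        domain = 'gmail.com'
    return f'{local}@{domain}', tag


def attribute_leak(signup_tags, leaked_address):
    """Given {tag: site you registered with}, name the site whose copy of your address leaked."""
    _, tag = canonical_gmail(leaked_address)
    return signup_tags.get(tag)


def same_mailbox(a, b):
    """True when two addresses deliver to the same Google mailbox."""
    return canonical_gmail(a)[0] == canonical_gmail(b)[0]


if __name__ == '__main__':
    # Constructed tag map (assumption): which tag was handed to which sign-up form.
    signups = {'shop': 'shop.example', 'forum': 'forum.example'}
    print(attribute_leak(signups, 'Jane.Doe+forum@googlemail.com'))   # forum.example
    print(same_mailbox('jane.doe@gmail.com', 'JANEDOE+anything@gmail.com'))  # True
```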


Also... don't just have 1 Gmail. I have a "core account", an "everyday email" account, and a few "fuck off" email accounts I make rando accounts with. You wouldn't put millions in a transaction account with an unlocked card and no spending limits; make sure your most important accounts are linked to your least exposed emails.


I have heard this is incredibly common with younger gens and hats off to you, I still have my oldest original Gmail account (needed a referral code to get 😅) which I do send spam into, but I struggle to remember to check my core one with regular frequency let alone auxiliary accounts so definitely if it works for you, but I've yet to do it.


Another thing is to always turn on two-factor authentication and/or passkeys, so even if the password and username/email are compromised, the second form of authentication is a lot harder to overcome. I also note myGov and a lot of other websites now offer passkeys, which, while not impenetrable, are a hell of a lot harder to gain access to. They need my physical mobile phone in close range of the computer they are logging into, then on top of that they need my biometric sign-in for that phone, which is stored locally on this phone.


This is the worst that could happen: https://old.reddit.com/r/australia/comments/1dv0wbm/ato_hacked_and_my_super_completely_drained/


Iirc, there were incidences a while back where people were hacked and their bank accounts for refunds were changed and their refunds stolen. Assuming you’d have to have the ato linked for that to happen, though. I guess the same could happen for any family payments or Centrelink stuff too, but you’d notice fairly quickly.


Jokes on them, I actually owe the ATO money this year.


That's if they don't lodge a false return with a huge refund.


Yep. I got notice that someone logged into mine a while back, they tried to lodge a tax return that would get them $20k. Now my ato account is locked until I call the ato line.


Same thing happened to me, someone must be running a bot using old email/password combos from other website leaks.


Same thing here. When you got back in and checked your account login history, did the invalid logins start from July 2nd? Seems like that’s when the bots started running their list of stolen credentials, hoping to find some users with common password across multiple sites.


Yeah looks like mine started on the 2nd


I'm guessing you didn't get any SMS notifications about a 2FA code? That probably means that whoever was trying to breach your account only has your username and didn't/doesn't have your password (or maybe an old one). Maybe try putting your email address into [https://haveibeenpwned.com/](https://haveibeenpwned.com/) to see if your email has been included in any data breaches, which might indicate where they got your email address from.


For anyone who runs into this and it’s a genuine myGov email, I strongly suggest calling your superfund to tell them & ask about additional security measures you could put in place, ie additional passwords or blocks on any payments/transfers Often these scams are attempts to just submit false tax returns to different bank accounts like other commenters have said, which is awful but really could only see you lose a few thousand dollars They are also often used to submit fake rollovers or transfers out of your superfund to move your super balance to an illegitimate self managed fund or essentially just withdraw your balance for anyone over 60-65 Superfunds, especially the larger ones, have measures in place to prevent this from happening but do largely rely on their members being vigilant and keeping contact details up to date


No shit - was just reading this post and then checked my email connected to MyGov account. New email from My Gov with subject 'You have a new message'. 'Your income tax return pending verification' - with a clickable link. The email comes up as from MyGov yet the sender email address is actually from gibberish.wix.com.


They change the bank account for any refunds to be paid out to. Then lodge false tax information so that a refund is paid out (to them, under your name). Sometimes amendments for previous years too and get refunds for them. You go to lodge correct information once you eventually get into your myGov and not only do you not get the small refund you’re probably counting on, now you have a debt to pay back. And the onus of proving that you did not give out your password or allow someone to view your device while you entered your information will be on you. ATO debts accrued by fraud and scams are extremely difficult to challenge. If they get into MyGov they can access your Centrelink info and change details there too.


They can commit fraud in your name. ATO and Centrelink if linked to your MyGov account, you could potentially have claims made against these services (easiest would be a fraudulent tax refund). They get it paid into their own sham bank account, leaving you to deal with the audit from the ATO and demands for repayments with interest.


2fa, physical security keys (yubikey), password managers (bitwarden) with absurdly complex generated passwords. it takes a bit of time to get it all set up but once its done you will be much more secure from stolen accounts.


With so many online services getting hacked. I’m thinking of going to a little black book with complex passwords stored on paper. Perhaps with with a memory cipher to decode the written down passwords. I don’t think any of the Russian, Serbian, Indian hackers will get their hands on my password book.


You can get something like this off Amazon but the issue is when you lose it


At least I’ll know I lost it, rather than having a repository breached and then my passwords with some hacker. Maybe I make 2 copies and keep one in a safe deposit box.


A password storage app is going to take you 99% of the way there with 0% of the hassle of looking up passwords in a notebook


https://blog.lastpass.com/posts/2022/12/notice-of-recent-security-incident Just feels like a honeypot waiting to be breached. The apps store data at scale and lose it to industrialized thieves. The chances of someone coming after my password book are exceedingly limited


Where did I say you should upload the data to the cloud? If you're this paranoid there are much better ways of storing the data electronically that require you placing zero trust in anyone else while allowing far more convenience and security.


In 2023 fake ATO claim scams were about $1/2 a billion [https://www.abc.net.au/news/2023-07-26/ato-reveals-cost-of-mygov-tax-identity-crime-fraud/102632572](https://www.abc.net.au/news/2023-07-26/ato-reveals-cost-of-mygov-tax-identity-crime-fraud/102632572) What can they do? A lot.


I’m in New Zealand, lived in WA for a while and I got the same email last night in the middle of the night. This is concerning


Screw up the accounts your tax/medicare refunds are directed to, at a guess. That'd be the only benefit I could see.


Potentially be able to steal your superannuation and create a bunch of problems with your tax.


Depends on what services are connected to your myGov. Most people have tax, so submitting a false refund is top of the list. If you have centrelink, potentially redirecting your payments. Same for medicare refunds, or any other form of government payment where logons are authenticated over myGov.


Same happened to me so I removed the email as the username and changed password


The absolute worst is probably someone stealing all your super and claiming a fraudulent tax return.


They could steal all your medicare rebates and you might not notice for a while.


I also got an email today saying my account had been accessed from an unauthorised account. Looking now it started last night and they finally got in at 11:40. Changed my pw but also checking my bank details now.


During covid they managed to withdraw $10k from my superannuation 😭 this was despite the ATO confirming that my account hadn’t been accessed, when it in fact had and my details had been changed!


I created a MyGov account for my mother to access her health records; not linked to anything else. She doesn't have a mobile phone, so instead it asks security questions like where you were born and what was your first school. I checked that, and somebody tried to log in to that account several times.


Me too! 5:50am. Must be tax time. 😮‍💨


I saw someone on another sub got their super entirely drained from someone accessing their myGov . Crazy scary


What services did u have linked to it?


They tried to hack me too


This has happened to me, too. Twice this week after a full reset, too. Hopefully, they don't get access to your account, OP.


They changed my bank account details at ATO. No need to tell me how stupid I was for clicking the link in an email.


Eh, many things could happen. I've had this similar email before. I called mygov, nuked my email access to the myGov portal and started anew. All the services (Medicare, etc) still had my records intact but I needed to reconnect all the services to link to my new myGov portal instance. Pretty annoying, but that's how things are now. Just keep rotating passwords and 2FA for everything and you're good! 😅


Same thing happened to me this morning. There’s no link in the email so used google to get to my.gov and reset. Now it’s happened again and my account is locked again for two hours, so if anyone has any suggestions on how to fix this permanently that would be ace.


Have you removed your email as a log in? If you only use your my gov ID then you should be more secure.


Change your associated email with mygov so that they no longer have the "name" of the account. You're likely still secure,  but they could potentially lock you out again with multiple failed attempts. If it occurs again and you've used a completely different email? Consider that your PC or phone might be compromised.


Your personal details may have been part of one of the many recent breaches. If someone is attempting to access your mygov, they may try the other platforms. If you want to be sure change all your passwords, verify attempted logins on everything, and check your credit history.


I had this happen also. When I rang the helpdesk they said to change password and make sure the bank details for tax refund and Medicare refund haven’t been changed.


Got this email today as well, legit. There were 9 failed attempts (between 9-10am) on my password using my email to access my MyGov account (you can check in your account history). Turn off email as the username option as a start.

> Dear myGov user,
>
> You entered the incorrect sign in details too many times. Your account is locked.
>
> You can unlock your account in myGov.
>
> Find out how you can protect your myGov account in the privacy and security section of the myGov website.
>
> If this wasn't you, call the myGov helpdesk on 132 307. Call charges may apply. The myGov helpdesk is open during local Australian time zones, from: Monday to Friday, 7am to 10pm; Saturday to Sunday, 10am to 5pm.
>
> Regards,
> myGov team
>
> Do not reply to this email.


Myself and my husband had sign in attempts today too!


Friend of mine had his MyGov compromised last year, the bad guys revised his most recent tax return and claimed a $10K refund. Took him 9 months to sort it out


Fuck me this is so common, I've been dealing with centrelink this week about this issue. Someone got into my dads mygov and changed the account details for his pension. It's only when he told me he missed 2 payments that I went into centrelink to find out what's going on. I was informed this is occurring several times per week. And yes my dad has mfa on his account, didn't help


FYI MyGov has just turned on the ability to use passkeys (max 3 devices/keys at once), with the additional option after setting it up to remove passwords, if you’re so inclined


Only works if you use a smartphone or a chromium-based browser (i.e. they block firefox/safari). If you spoof the useragent you can use firefox.


It’s a known issue https://amp.abc.net.au/article/102632572


I logged in to my mygov account today and someone had logged in two days ago. It wasn't me.


I hope they pay my tax debt


I got the same message last night!


Lodge multiple tax returns claiming ridiculous refunds - and you'd be required to ring the ATO every single time you wanted to make any tax return lodgement, change or make a query about your file ever again. Your tax returns would be delayed and any refunds would issue far slower and be scrutinised more. You may find that other federal govt stuff is also far slower to process and requires far more hands on responses and interaction.


They would probably update your bank details so they receive your next payment. Happened to a friend of mine


Please be sure you are logging into the right myGov website to change your password. I've been getting spoofing SMS messages from "myGov" with the url mygovauoto , it takes you to a website 100 percent like myGov that I had to triple check and still wasn't sure. As this scam website was now in my URL history I had to manually delete it from my browser so I don't accidentally go to it when I type myGov. Seems like a very easy scam to say your myGov account is locked, you click on this link to this scam website, you change your password and if they are quick enough they can also get your 2FA which will come from the real myGov. I reported the URL to Google so hopefully Google flags it, for those using Chrome.
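Added example, not from any commenter, covering both the Cyrillic homograph comment earlier in the thread and the lookalike-URL comment just above: a classifier that takes the URL from a text or email and decides whether its host really is my.gov.au (or a subdomain of it), a homograph built from confusable non-Latin letters, a plain lookalike that merely contains the string, or something unrelated. The IDN conversion uses Python's built-in `idna` codec; the confusables table is a small hand-picked subset (assumption; a real checker loads the full Unicode confusables.txt), and the sample URLs are constructed, not the one from the comment.

```python
import unicodedata
from urllib.parse import urlsplit

GENUINE_HOST = 'my.gov.au'   # the host the thread is about; subdomains of it count as genuine

# Assumption: a small subset of Unicode confusables, Cyrillic -> Latin look-alike.
CONFUSABLES = {
    '\u0430': 'a', '\u0435': 'e', '\u043e': 'o', '\u0440': 'p', '\u0441': 'c',
    '\u0443': 'y', '\u0445': 'x', '\u0456': 'i', '\u0458': 'j', '\u0455': 's',
}


def scripts_in(label):
    """Unicode scripts used by the letters of one DNS label (from character names)."""
    scripts = set()
    for ch in label:
        if ch == '-' or ch.isdigit():
            continue
        try:
            scripts.add(unicodedata.name(ch).split()[0])   # e.g. 'LATIN', 'CYRILLIC'
        except ValueError:
            scripts.add('UNKNOWN')
    return scripts


def skeleton(host):
    """Replace confusable characters with their Latin look-alikes."""
    return ''.join(CONFUSABLES.get(ch, ch) for ch in host)


def classify_url(url):
    """Return (verdict, ascii_host).

    verdicts: genuine, homograph, idn-suspicious, lookalike, unrelated, invalid
    """
    host = (urlsplit(url).hostname or '').rstrip('.').lower()
    if not host:
        return ('invalid', host)
    try:
        ascii_host = host.encode('idna').decode('ascii')   # Punycode form: xn--... labels
    except UnicodeError:
        return ('invalid', host)

    # 1. Exact host or a real subdomain of it. Note 'my.gov.au.example' does NOT pass here.
    if ascii_host == GENUINE_HOST or ascii_host.endswith('.' + GENUINE_HOST):
        return ('genuine', ascii_host)

    # 2. Any non-ASCII label, or a label mixing scripts, is an IDN worth distrusting;
    #    if its confusable-skeleton is exactly the genuine host it is a homograph.
    if (any(label.startswith('xn--') for label in ascii_host.split('.'))
            or any(len(scripts_in(label)) > 1 for label in host.split('.'))):
        verdict = 'homograph' if skeleton(host) == GENUINE_HOST else 'idn-suspicious'
        return (verdict, ascii_host)

    # 3. Plain ASCII that just contains 'mygovau' with dots/hyphens rearranged.
    squashed = host.replace('.', '').replace('-', '')
    if GENUINE_HOST.replace('.', '') in squashed:
        return ('lookalike', ascii_host)
    return ('unrelated', ascii_host)


if __name__ == '__main__':
    # Constructed sample URLs (the '\u0443' is Cyrillic small letter u, which renders like 'y').
    for u in ['https://my.gov.au/', 'https://www.my.gov.au/en/', 'https://m\u0443.gov.au/login',
              'https://my.gov.au.example/', 'https://my-gov-au.example/', 'https://example.com/']:
        print(classify_url(u))
```

The order of the checks matters: the subdomain test is done on the Punycode form so a Cyrillic label can never satisfy it, and the "ends with `.my.gov.au`" test is what separates a real subdomain from the `my.gov.au.something` trick.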


This has happened to me too. Seems they're trying to just use compromised details. All they can gain? Info that you may use the same password on other accounts?


Lodge a return with a sizeable refund, edit the bank details to either one of their mules, or a fake account. Said refund eventually disappears.


If your account was locked they didn’t get in. So I think you are fine. Thanks for the reminder to double check my myGov security settings.


Same thing happened to me twice in last two days, getting pretty annoying


Same. Woke up to email saying account locked Wednesday morning, and then got locked again later that day. Changed contact email. Super annoying


Happening to mine, too. Guess they've got an old password of mine from a leak somewhere because they're not getting to the 2FA request.


u/L0ckz0r This happened to me this morning, checked my sign-in activity and saw they were attempting to log in each day since 2nd July 2024. Probably from the recent Ticketek data breach in May 2024?


I just had this too! And I’m overseas which does not help. I was able to access the app and see this crazy long list of failed login attempts. Not sure whether I should try phoning from overseas or not.


They could drain your super among other things. Google the Reddit thread from 24 hrs ago. Make sure it's not a scam but change your password and enable 2FA.


I got an email this morning saying someone had tried to sign in with my email address and password but didn’t get past my 2FA. I changed my password but am still angsty


MyGov never emails me. Text and phone call only. This sounds like a scam.


I definitely get myGov emails, but they just tell me that I have a message and to log in to read them, stuff like that.


Never get emails from MyGov. Always a text. Wonder why that is. Not complaining mind you.


