New phishing emails are impersonating the Australian Taxation Office, designed to steal myGov login credentials, SMS verification codes, personal information, and passport details. The email claims that a “new statement is ready” and tells recipients that information submitted does not correspond with existing records. It asks the recipient to check and correct any discrepancies by clicking a link labelled “VIEW NOTICE STATEMENT.”
While the email purports to come from the ATO, it is not legitimate. The display name is “ATO”, but the sender address observed by MailGuard is Mohsin(at)quasemgroup(dot)com.
Recipients who click the link are taken to a fake myGov-branded website hosted on a non-government domain.
Example phishing content shown using ATO & myGov branding. Not affiliated with or endorsed by the ATO or myGov.
The site asks for myGov sign in details, including the user's username or email, and password.
Example phishing content shown using ATO & myGov branding. Not affiliated with or endorsed by the ATO or myGov.
With a common tactic, at first the details are rejected as incorrect, a tactic designed to verify the user's lucrative sign in details before proceeding.
Example phishing content shown using ATO & myGov branding. Not affiliated with or endorsed by the ATO or myGov.
The user is then prompted for an SMS code, indicating that the scammers are using the sign in credentials to access the legitimate myGov website.
Example phishing content shown using ATO & myGov branding. Not affiliated with or endorsed by the ATO or myGov.
The next page tells the recipient they are expected to prepare a Medicare card and passport for verification. This is designed to make the request for sensitive identity documents seem legitimate before the victim proceeds.
Example phishing content shown using ATO & myGov branding. Not affiliated with or endorsed by the ATO or myGov.
Initially the user is prompted to complete their personal information, including their full name, address and date of birth.
Example phishing content shown using ATO & myGov branding. Not affiliated with or endorsed by the ATO or myGov.
Next, they are prompted to upload a copy of their passport.
Example phishing content shown using ATO & myGov branding. Not affiliated with or endorsed by the ATO or myGov.
Once more, in a highly unusual step, users are prompted for yet another SMS code.
Example phishing content shown using ATO & myGov branding. Not affiliated with or endorsed by the ATO or myGov.
Once entered, a loading page is displayed while the scammers verify the credentials.
Example phishing content shown using ATO & myGov branding. Not affiliated with or endorsed by the ATO or myGov.
And finally, a verification page is displayed, before redirecting to the legitimate myGov website.
This campaign is concerning because it goes well beyond basic credential theft. By combining myGov login details, SMS codes, personal information, and passport images, attackers may be attempting to collect enough information to support identity theft, account takeover, financial fraud, or further targeted scams.
The campaign also uses a familiar government services theme. Many Australians are used to receiving messages about tax, myGov, Medicare, statements, records, and identity verification. That familiarity can lower suspicion, particularly when the message suggests an issue needs to be corrected.
The fake workflow is also deliberately staged. Rather than asking for everything at once, it moves the victim through several steps, each of which appears to build on the last.
This makes the experience feel more procedural and less suspicious.
There are several warning signs in this campaign:
The email is not addressed to the recipient by name.
The sender address is not an official ATO or Australian Government domain.
The message uses vague language about records not corresponding.
The link directs users to a non-government website.
The site asks for myGov credentials outside the official myGov domain.
The site asks for SMS codes, personal details, and passport images.
The final page redirects to the real myGov website, which can make the scam appear legitimate after the fact.
Australians should never access myGov, ATO, Medicare, or other government services through links in unexpected emails. Instead, users should type the official website address directly into their browser or use the official app.
Stay Safe, Know the Signs
MailGuard advises all recipients of these emails to delete them immediately without clicking on any links. Responding or providing personal details can lead to identity theft, data breaches, and financial losses.
Avoid emails that:
Many businesses turn to MailGuard after a near miss or incident. Don't wait until it's too late. Reach out to our team for a confidential discussion by emailing expert@mailguard.com.au or calling 1300 30 44 30.
All that it takes to devastate your business is a cleverly worded email message that can steal sensitive user credentials or disrupt your business operations. If scammers can trick one person in your company into clicking on a malicious link or attachment, they can gain access to your data or inflict damage on your business.
For a few dollars per staff member per month, you can protect your business with MailGuard's specialist AI-powered, zero-day email security. Special Ops for when speed matters! Our real-time zero-day, email threat detection amplifies our client’s intelligence, knowledge, security and defence. Talk to a solution consultant at MailGuard today about securing your company's inboxes.
Stay up-to-date with MailGuard's latest blog posts by subscribing to free updates. Subscribe to weekly updates by clicking on the button below.