Gabi Power 16 June 2022 14:47:50 AEST 13 MIN READ

Australians Targeted in a New myGov Refund Scam

Each year as end of financial year (EOFY) draws closer, scammers come out in troves looking to score a quick buck, and it's apparent 2022 is no different. The latest phishing scam that MailGuard has now intercepted claims to come from myGov and could steal your account and credit card credentials.  

If you’re not a MailGuard user, it’s highly likely someone in your business will receive this email. Be on the lookout for an email with the subject line “You have an outstanding refund from myGov”. The sender name shows “MyGov – Refund Service”, and the display address is “support(at)informationconsultancyservices(dot)co(dot)uk. However, even the display address has been edited, and the sending address is a jumble of letters and numbers with a domain that has been linked to other scams.

If you've received an email similar but the sender had a different email address, we urge you to remain cautious. In August 2022, the MailGuard team blocked this same scam once again, although this time the sender's displaying email address showed 'news(at)mygov(dot)au', but was actually being sent from 'news(at)irmau(dot)com', which may have been a compromised account. As the scam is so well crafted, the fraudsters will likely continue to use other accounts to try and con more victims. 

The email itself has been craftily designed to appear as one you could expect to receive from myGov. Although there are a few minor grammatical errors, it’s convincing enough to potentially fool many unsuspecting individuals. The body of the email again alerts the recipient that they have an outstanding refund of $736.98 AUD, and in order to “accept fast payment online” they’re instructed to click a link.  

Here's what the email looks like:  

You have an outstanding refund from myGov - Mozilla Thunderbird_924

 

After clicking the link, the user is taken to the first phishing site which is an almost exact replica of the myGov login page, the only immediately obvious difference being the URL.  The user is directed to enter the email and password they use for their myGov account to “sign in”, although these details will be harvested by the attacker.  

Similarly to the email addresses, the phishing page in the version of the scam that was blocked in August 2022 had a different URL from what's shown below. 

Sign-in - myGov — Mozilla Firefox_925

 

Next, the user is taken directly to a page where they’re instructed to update their information in order to receive their refund. The authentic myGov login page uses multi-factor authentication (MFA) when you sign in, meaning on top of your password, you’ll have to answer a secret question or enter a code that’s received on your mobile. This step is skipped by the scammers, although this could easily be overlooked by someone who is eager to receive a refund.  

On this page, the victim is asked to enter their:  

  • Name on the card 
  • Card number 
  • Expiration date 
  • CVV 
  • Date of birth 
  • Phone number 

They are then expected to click the button which says “Valider” (validate in French). 

myGov — Mozilla Firefox_926

On the next page, the user is directed to enter the SMS verification code they would have received. It’s expected by the MailGuard team that the attacker will use this in an attempt to try to charge their credit card.  

SMS - myGov — Mozilla Firefox_928

The victim is then shown a loading screen which will eventually take them back to the previous page.  

Mozilla Firefox_927

Given that interest rates are rising, and the cost of living continues to increase, many Australians will be facing anxieties coming into this EOFY and would welcome a payment of $736.98. This scam preys on the heightened emotions that tax time brings, and given the attention to detail at every stage, it has potential to be very damaging.   

Although myGov’s MFA process should limit what access the criminal gets to a victim’s personal information and government services, you can never be certain of what they’re capable of. It’s especially important to ensure all of your passwords are unique, so if one were to be compromised in a situation such as this, the attacker can’t use it to access any of your other accounts.  

 myGov offers the following advice in order to protect your account:  

  • Don't share your myGov sign in details with anybody else 
  • Use a strong password that is easy for you to remember but hard for others to guess 
  • Use a different password to your other online accounts 
  • Change your password and myGov PIN regularly 
  • Don't let other people see your computer screen when you use the 'show password' option 
  • Don't send your password and myGov PIN to anyone by email or text message 
  • Don't tell anyone your email account password 
  • Always sign out of your myGov account when you have finished using it 
  • Check for the Extended Validation Certificate indicator in your browser's address bar when accessing myGov. Each browser shows the Extended Validation Certificate in a different way. Usually this is a green box or bar with a padlock icon. 

MailGuard advises all recipients of this email to delete it immediately without clicking on any links. Providing your personal details can result in your sensitive information being used for criminal activity and may have a severe negative impact on your business and its’ financial well-being.     

MailGuard urges users not to click links or open attachments within emails that:       

  • Are not addressed to you by name.       
  • Appear to be from a legitimate company but use poor English or omits personal details that a legitimate sender would include.       
  • Are from businesses that you were not expecting to hear from, and/or       
  • Take you to a landing page or website that is not the legitimate URL of the company the email is purporting to be sent from.      

Many businesses turn to MailGuard after an incident or a near miss, often as a result of an email similar to the one shown above. If unwanted emails are a problem for your business, don’t wait until it’s too late.  

Reach out to our team for a confidential discussion by emailing expert@mailguard.com.au or calling 1300 30 44 30.

One email is all that it takes     

All that it takes to devastate your business is a cleverly worded email message that can steal sensitive user credentials or disrupt your business operations. If scammers can trick one person in your company into clicking on a malicious link or attachment, they can gain access to your data or inflict damage on your business.     

For a few dollars per staff member per month, you can protect your business with MailGuard's predictive and advanced email security. Talk to a solution consultant at MailGuard today about securing your company's inboxes.  

Stay up-to-date with MailGuard's latest blog posts by subscribing to free updates. Subscribe to weekly updates by clicking on the button below.  

Keep Informed with Weekly Updates