MailGuard 07 May 2025 09:49:05 AEST 9 MIN READ

Multi-Stage Super Scam Mimics myGov to Harvest Credentials

MailGuard has intercepted a new wave of phishing emails impersonating the Australian Government’s myGov platform and Australian superannuation funds, in an elaborate scam designed to steal sensitive identity and financial data, including the credentials used to access super funds. The emails exploit public trust in large institutions, using phishing pages that lift branding assets from the official sites in order to gain access to victims’ personal information and accounts.

A closer look at the scam

The phishing email—shown below—appears to come from the Australian Records Office with the subject line: “Action Required Under Section 12B – Personal Records Audit.”

mygov-email

It contains a “View Document” button that links to a fake myGov-branded login page hosted at a malicious URL: pazenesaction(dot)org(dot)es/ato-mygov-su/tax(dot)html.

What follows is a multi-stage phishing journey designed to systematically extract:

1.) myGov login credentials – The fake login page requests your username and password. Regardless of what you enter, the page reports the first attempt as failed and accepts the second; the scammer keeps both entries so a typo in either can be spotted.

mygov-sign-in-details

2.) 2FA SMS code – The next page asks for the SMS authentication code, which scammers can relay to the genuine site to hijack the account in real time.

mygov-enter-code

3.) Personal identity information – Including name, DOB, phone number, driver’s licence details (front and back), Medicare card, and tax file number.

mygov-personal-info-page

4.) Official ID uploads – Users are prompted to submit a passport, National ID, or driver's licence...

mygov-upload-ID-select-one-of-three

5.) ...and a selfie holding the selected ID document.

mygov-upload-ID-click-here-passport-photo

6.) Super Fund verification – The final step directs users to choose from a list of well-known superannuation funds before harvesting login credentials and additional 2FA codes.

mygov-super-fund-verification

7.) Super Fund sign-in – After selecting their fund, users are asked to sign in with their credentials. The example below is for ‘Australian Retirement Trust’.

mygov-aust-retirement-trust-welcome-login

8.) Super Fund Failed Sign-in Attempt – A common tactic scammers use to confirm that captured credentials are correct: the first sign-in is reported as failed so the victim types the credentials a second time, and matching entries tell the scammer the password was captured without typos.

mygov-aust-retirement-trust-unsuccessful-login

9.) Super Fund MFA – Once the credentials are accepted, the fake fund page requests a multi-factor code, just as the myGov stage did. The example below, again for ‘Australian Retirement Trust’, shows the page requesting ‘Phone Verification’.

mygov-aust-retirement-trust-phone-verif

10.) myGov Re-direct – After all of the target’s information is captured, users are redirected to the legitimate myGov site—completing the illusion.

To demonstrate the breadth of this scam, here are some examples of the fraudulent Super Fund sign-in pages for some of the other funds:

  • Hesta
  • OnePath
  • Aware Super
  • CareSuper
  • UniSuper
  • Telstra Super
  • HostPlus
  • CBus

Why is this scam dangerous?

This attack stands out due to both the volume and the sensitivity of the information being requested. A single successful compromise could allow attackers to:

  • Assume the victim’s identity, using the comprehensive personal information stolen, including passport and driver’s licence images, Medicare card and tax file number
  • Take over the victim’s access to financial and government services – myGov and superannuation funds
  • Drain retirement funds
  • Launch further attacks across the victim’s business or supply chain

It’s a sobering reminder that a convincing façade is often all it takes to trick even vigilant users.


Red flags to watch for

While the fake pages mimic myGov and Super fund branding, there are telltale signs of fraud:

  • Unfamiliar sender domain (e.g. mnadeau(at)pshift(dot)com)
  • Generic or mismatched ‘To:’ fields, and
  • Links leading to non-government URLs
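The three red flags above can be checked mechanically before a message reaches an inbox. The script below is an added example, not MailGuard’s own detection logic; it runs the checks over a constructed .eml sample modelled on the lure described in this post (the sender address and link are the ones quoted above, re-fanged so the URL parser can read them; the body text is invented filler). The government suffix, the list of brand words and the threshold for a "generic" To: header are assumptions chosen for the example.

```python
"""Triage an email against the three red flags above: agency-branded sender on a
non-government domain, generic To: header, and government-branded links that
land outside .gov.au.  Added example; not MailGuard's code."""
import re
from email import message_from_string, policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample modelled on the lure in the post. Sender and link are the
# ones the post quotes (re-fanged); the body text is invented filler.
SAMPLE_EML = """\
From: "Australian Records Office" <mnadeau@pshift.com>
To: undisclosed-recipients:;
Subject: Action Required Under Section 12B - Personal Records Audit
Content-Type: text/html; charset="utf-8"

<html><body><p>Your personal records require review.</p>
<a href="https://pazenesaction.org.es/ato-mygov-su/tax.html">View Document</a>
</body></html>
"""

GOV_SUFFIX = ".gov.au"  # assumption: the only place a myGov/ATO link should land
# assumption: words that signal a claim of government or super-fund identity
BRAND_WORDS = ("mygov", "ato", "medicare", "super", "records office")


def sender_flag(msg):
    """Flag a display name that claims an agency identity while the address domain is not .gov.au."""
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rsplit("@", 1)[-1].lower()
    claims_brand = any(w in name.lower() for w in BRAND_WORDS)
    if claims_brand and not domain.endswith(GOV_SUFFIX):
        return f"sender '{name}' uses non-government domain {domain}"
    return None


def recipient_flag(msg):
    """Flag a To: header that is missing, empty, or a group address instead of the recipient's mailbox."""
    to = msg.get("To", "")
    _, addr = parseaddr(to)  # group syntax such as 'undisclosed-recipients:;' yields no address
    if not addr or "undisclosed" in to.lower():
        return f"generic To: header {str(to)!r}"
    return None


def link_flags(msg):
    """Flag every href whose URL mentions a government brand but whose host is outside .gov.au."""
    body = msg.get_body(preferencelist=("html", "plain"))
    html = body.get_content() if body else ""
    flags = []
    for href in re.findall(r'href=["\']([^"\']+)["\']', html, re.I):
        host = (urlparse(href).hostname or "").lower()
        branded = any(w in href.lower() for w in BRAND_WORDS)
        if host and branded and not host.endswith(GOV_SUFFIX):
            flags.append(f"government-branded link to non-government host {host}: {href}")
    return flags


def triage(raw_eml):
    """Return the list of red flags found; an empty list means none of the three checks fired."""
    msg = message_from_string(raw_eml, policy=policy.default)
    findings = [f for f in (sender_flag(msg), recipient_flag(msg)) if f]
    findings.extend(link_flags(msg))
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_EML):
        print("FLAG:", finding)
```

Running it on the sample produces one finding per red flag. A genuine myGov notification sent from a .gov.au address to a named recipient, with links on my.gov.au, produces none, which is the point: the checks key on the mismatch between the claimed identity and the domains actually used, not on the branding itself.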

Stay Safe - Know the Signs

MailGuard advises all recipients of these emails to delete them immediately without clicking on any links. Responding or providing personal details can lead to identity theft, data breaches, and financial losses.

Avoid emails that:

  • Aren’t addressed to you personally.
  • Are unexpected and urge immediate action.
  • Contain poor grammar or miss crucial identifying details.
  • Direct you to a suspicious URL that isn’t associated with the genuine company.

Many businesses turn to MailGuard after a near miss or incident. Don't wait until it's too late.

Reach out to our team for a confidential discussion by emailing expert@mailguard.com.au or calling 1300 30 44 30.

One Email Is All That It Takes   

All that it takes to devastate your business is a cleverly worded email message that can steal sensitive user credentials or disrupt your business operations. If scammers can trick one person in your company into clicking on a malicious link or attachment, they can gain access to your data or inflict damage on your business.     

For a few dollars per staff member per month, you can protect your business with MailGuard's specialist, 'zero zero-day' email security. Special Ops for when speed matters!  Our real-time 'zero zero-day', email threat detection amplifies our client’s intelligence, knowledge, security and defence. Talk to a solution consultant at MailGuard today about securing your company's inboxes.  

Stay up-to-date with MailGuard's latest blog posts by subscribing to free updates. Subscribe to weekly updates by clicking on the button below.  

Keep Informed with Weekly Updates