MailGuard 30 November 2022 17:08:13 AEDT 13 MIN READ

myGov Phishing Email Claims “A New Document is Available in Your Account”

Throughout the year, in June, October, and at the start of November, we’ve reported on a number of phishing scams which impersonate myGov and promise a refund in an attempt to trick unsuspecting Australians into handing over their personal information and credit card details. However, a new email which MailGuard is now blocking takes a new approach.  

The email has the subject line “MyGovTeam: The application form you submitted is approved.” and comes from the email address “info(at)t-online(dot)de”, but the sender name shows “www-data”. The email address is associated with a German news portal that also offers webmail, but it has no SPF record, so our team believe it was likely spoofed.
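The sender red flags described above can be checked mechanically at a mail gateway. The following is an added example, not MailGuard's detection logic: the gateway name `mx.receiver.example`, the stand-in sender domain `webmail.example`, the brand-to-domain mapping and the list of service-account names are all assumptions made for illustration, and the sample message is constructed.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumptions for this example (not from the article):
TRUSTED_AUTHSERV = "mx.receiver.example"   # our own gateway's authserv-id
BRAND_DOMAINS = {"mygov": ("my.gov.au",)}  # brand keyword -> domains it mails from
SERVICE_ACCOUNTS = {"www-data", "apache", "nginx", "nobody", "root"}

# Constructed sample modelled on the email described above. The From domain
# is a stand-in; the Authentication-Results line is what a gateway records
# for a sender domain that publishes no SPF record.
SAMPLE = """\
Authentication-Results: mx.receiver.example; spf=none smtp.mailfrom=webmail.example
From: www-data <info@webmail.example>
Subject: MyGovTeam: The application form you submitted is approved.

Your request has been processed.
"""

def spf_result(msg):
    """Return the SPF verdict recorded by our own gateway, or None."""
    for value in msg.get_all("Authentication-Results", []):
        authserv, _, results = value.partition(";")
        if authserv.strip().lower() != TRUSTED_AUTHSERV:
            continue  # added upstream, so sender-controlled: ignore it
        m = re.search(r"\bspf=(\w+)", results)
        if m:
            return m.group(1).lower()
    return None

def phishing_indicators(raw):
    """List which of the sender red flags a raw message shows."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    text = (display + " " + msg.get("Subject", "")).lower()
    flags = []
    for brand, domains in BRAND_DOMAINS.items():
        legit = any(domain == d or domain.endswith("." + d) for d in domains)
        if brand in text and not legit:
            flags.append("brand_named_but_foreign_sender_domain")
    if display.strip().lower() in SERVICE_ACCOUNTS:
        flags.append("service_account_display_name")
    if spf_result(msg) != "pass":
        flags.append("spf_not_pass")
    return flags

if __name__ == "__main__":
    print(phishing_indicators(SAMPLE))
```

Only the `Authentication-Results` header stamped by your own gateway is trusted here, because a sender can include a forged copy claiming `spf=pass`.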

At the top of the email is a heading which states, “Your request has been processed” and then continues on to explain that a new document is available in the recipient’s account. Recipients are also provided with a reference code, and then directed to click on hyperlinked text to “open the form”. Within the email, there’s no mention of myGov or use of their branding, but recipients may be fooled into opening the attachment due to curiosity about what their request was.   

Here's an example of the email: 

[Image: example of the phishing email]

The hyperlinked text uses encrypted PDF documents and redirects to thwart automated checks. Upon opening the PDF, the recipient is shown a page which uses the myGov logo and has a heading that reads “Refund of 688.64 AUD”. The text on the page informs the reader that they are owed a tax refund of $688.64 and adds a time pressure by saying that the linked form needs to be completed before the 31st of December.  

[Image: the PDF page offering the refund]

If the user clicks the link to “complete the form”, they’re redirected to a phishing site displaying the message “Your Refund is ready.” The site closely resembles the myGov login page; even the browser tab says “Sign in with myGov” and uses their logo. However, upon closer inspection, it’s obvious that the URL is not associated with myGov, and the site appears to be hosted on a compromised WordPress page.

The recipient is asked to enter their username or email and password to “sign in”.  

[Image: the fake myGov sign-in page]

Once the victim proceeds, their credentials are harvested and they’re directed to another page which again states that their refund of $688.64 is available online. The user is directed to “Add your credit card to get your refund” and is asked for their:

  • Name on card 
  • Card number 
  • Expiry date 

[Image: the page asking for credit card details]

Next, the victim is instructed to enter their:  

  • First name 
  • Last name 
  • Address line 1 
  • Address line 2 

[Image: the page asking for name and address]

After proceeding, they’re shown a loading page and instructed to wait.  

[Image: the loading page]

In the final part of the scam, the victim is asked to enter a code that’s been sent to their mobile number. Scammers commonly use this tactic so that they’re able to charge the card immediately and verify that it’s active.

[Image: the page asking for the SMS code]

After entering the code, the victim is shown an error which claims, “You entered an old sms code”, and the scam does not progress further.  

[Image: the “old sms code” error message]

Services Australia offers the following myGov advice:  

  • myGov will never ask you to open a link in an email or SMS. It will never ask you to sign in through a link in an email. 
  • You’ll only get links from myGov in a myGov inbox message. You can only see these messages after you’ve securely signed in to your myGov account.  
  • myGov will also never email you asking for your personal or credit card details. 

If you believe you may have already fallen for this scam, we recommend you change your myGov password as soon as possible and contact your bank to put a hold on your credit card. You can also learn where to report the scam here 

MailGuard advises all recipients of this email to delete it immediately without clicking on any links. Providing your personal details can result in your sensitive information being used for criminal activity and may have a severe negative impact on your business and its financial well-being.

MailGuard urges users not to click links or open attachments within emails that:       

  • Are not addressed to you by name.       
  • Appear to be from a legitimate company but use poor English or omit personal details that a legitimate sender would include.
  • Are from businesses that you were not expecting to hear from, and/or       
  • Take you to a landing page or website that is not the legitimate URL of the company the email is purporting to be sent from.      

Many businesses turn to MailGuard after an incident or a near miss, often as a result of an email similar to the one shown above. If unwanted emails are a problem for your business, don’t wait until it’s too late.  

Reach out to our team for a confidential discussion by emailing or calling 1300 30 44 30.

One email is all that it takes     

All that it takes to devastate your business is a cleverly worded email message that can steal sensitive user credentials or disrupt your business operations. If scammers can trick one person in your company into clicking on a malicious link or attachment, they can gain access to your data or inflict damage on your business.     

For a few dollars per staff member per month, you can protect your business with MailGuard's predictive and advanced email security. Talk to a solution consultant at MailGuard today about securing your company's inboxes.  
