Australia’s MyGov has seen a design change, and scammers are ready for it. What does the message look like, and is it dangerous?
Scammers are always out to make money, and falling for a scam is all the easier when it is so convincing that you have trouble working out whether it’s legitimate.
That’s one reason why scammers go to such trouble engineering a fake website, because even if the initial text message has you curious and doesn’t quite work, the scam website can make you think twice. You might even forget you’re at the fake site and just assume it’s legit.
Websites designed to look real and yet aren’t employ a tactic known as phishing, whereby they use fraudulent details based on the real thing in the hopes that they look authentic enough to make you fall for them.
Phishing websites are frustrating messes for people, and their nefarious messages make them concerning for all, but because websites change over time, scammers are known to change their designs, too.
And that appears to be happening right now.
A new nasty realistic MyGov scam in 2023
We’ve seen some nasty MyGov scams imitating the Australian government with surprising realism before, and the latest follows in its footsteps.
In the back half of last year, MyGov saw a design change and page refresh for its website ahead of the same happening in the app, bringing a minimalist look to a system made to make things easier. That change would have meant phishing sites made to look like the older MyGov were out of date, and scammers have been paying attention.
This week, we’ve seen a new MyGov scam site, and as you can probably imagine, it borrows more from the new look than the old one.
The design of the 2023 MyGov scam is straight from the official page, complete with a field to let you log in, provided you know your email or username to MyGov.
But while some phishing scams are looking to capture your login information so they can log in on your behalf, MyGov’s forced use of multi-factor authentication would make this extremely difficult, so instead, they’ve gone back to an old vector: credit card refunds.
How the 2023 MyGov scam works
You’ll find your way there from an SMS like any other scam, and we imagine heaps of these are going out to Australian mobile numbers from any other random Australian mobile number. There’s no official sender ID for this one, not like the MyGov ID you’ll get with a real message.
In the SMS we’ve seen, the wording was flipped around — GovMy as opposed to MyGov — but a passing glance could trick someone, so we suspect scammers aren’t always sticklers for accurate details.
The link is definitely fake, though, and even takes you to a site that has been set up for multiple scams. The initial message we see asks if we want notifications from Shiels, which likely means scammers are using the same website to build fakes of that website and company, too.
This convincing MyGov website sure looks real, but there are some telltale signs just like any other scam website.
The first is that URL, the website address, which is clearly not a government address, something scammers hope you’ll overlook, especially if you don’t know what to look for.
Any email or username can log you into this fake MyGov site, which would be the second sign: MyGov uses two-factor authentication, but this website lets you straight in. That’s not how MyGov works at all.
Scammers hope you don’t look for the extra details when they plan these vectors.
But the most obvious sign is how the scam has been designed to work. When you’re asked to add a card to get your refund, every time you enter one, an error will pop up saying:
The current bank card is not supported. Switch to another card and try again.
The scam is pretty clear: scammers want every bank and debit card you have so they can charge things to it.
Refunds don’t work this way
Of course, if you did have a refund waiting for you in MyGov, it wouldn’t be processed this way. You don’t enter your card details to get a refund. That’s the equivalent of handing someone else your credit card, which you clearly wouldn’t do.
Bank refunds happen with bank information, which is what government organisations will store on your account for refunds via Medicare and the ATO, among others.
But they don’t happen on bank or credit cards, and not with details such as your expiration date and card number. That’s just not how a refund works.
When you see a fake website, close it down
There are plenty of telltale signs for this MyGov scam, and checking the website address in your browser should be the most obvious: if it doesn’t look like the official MyGov website (which should read as my.gov.au), you’re not at the real deal.
If you find yourself at something that looks convincing, yet lacks that one official-looking detail, shut it down quickly.
It can be all too easy to fall into a trap a scammer has set, with simply a few details grabbing your attention and leading you into a lie. Close that window and move on.
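The address check and the sender check described above can be automated for SMS triage. The following is an added example, not code from the article or from MyGov: it compares the hostname a link actually resolves to against my.gov.au and flags a plain mobile number as the sender. The sample messages, the `.example` domains and the rule that subdomains of my.gov.au count as official are assumptions.

```python
import re
from urllib.parse import urlsplit

OFFICIAL_HOST = "my.gov.au"  # the address the article gives for the real site
BRAND_RE = re.compile(r"\b(my\s?gov|gov\s?my)\b", re.I)  # also the flipped "GovMy"
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)
MOBILE_RE = re.compile(r"\+?\d[\d ]{7,}")  # a plain phone number as the sender


def link_host(url):
    """Hostname the browser would connect to (ignores any user@ prefix)."""
    host = urlsplit(url.rstrip(".,;)")).hostname or ""
    return host.rstrip(".").lower()


def is_official(url):
    """True only for my.gov.au itself or a name ending in .my.gov.au."""
    host = link_host(url)
    # Assumption: subdomains of my.gov.au are treated as official.
    return host == OFFICIAL_HOST or host.endswith("." + OFFICIAL_HOST)


def triage_sms(sender, text):
    """Return the reasons an SMS claiming to be MyGov looks suspicious."""
    if not BRAND_RE.search(text):
        return []  # message does not claim to be MyGov; out of scope here
    reasons = []
    for url in URL_RE.findall(text):
        if not is_official(url):
            reasons.append(f"link goes to {link_host(url)!r}, not {OFFICIAL_HOST}")
    if MOBILE_RE.fullmatch(sender.strip()):
        reasons.append("sent from an ordinary mobile number, not a sender ID")
    return reasons


# Constructed sample messages (not taken from the article).
SAMPLES = [
    ("+61400000000", "GovMy: your refund is ready, claim at "
                     "https://my.gov.au.refund-claim.example/login"),
    ("myGov", "You have a new message in your myGov Inbox."),
]

if __name__ == "__main__":
    for sender, text in SAMPLES:
        print(sender, "->", triage_sms(sender, text) or "no flags")
```

A hostname that merely starts with or contains my.gov.au fails the check, because only the end of the name decides who controls the site.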