Scammers are targeting myGov accounts during tax time. How can users protect their ATO refunds?
Scammers are duping Australian taxpayers out of thousands of dollars by fraudulently accessing online government accounts during the annual rush to complete tax returns.
Federal government platforms are not immune to scams – with users of myGov being targeted in recent weeks. How do victims fall prey to those criminal scammers and how can people protect themselves?
It’s tax time – are tax scams on the rise?
MyGov users – who use the platform to access the Australian Taxation Office’s online services – say their accounts have been fraudulently accessed in July with tax refunds diverted to scammers.
The ATO received 2,464 reports of impersonation scams in June, the last month of the financial year and the latest available data. That’s a 48% increase from the previous month. The tax office said there were no reports of payments being delivered to scammers in June.
In June 2023, there were 1,793 reports of impersonation scams and the following month the ATO revealed more than $557m had been paid to scammers engaging in identity fraud between July 2021 and February 2023.
Dr Henry Cheung, a lecturer in cybersecurity, risk and privacy at the University of New South Wales, said tax season came with heightened scam activity related to the ATO and myGov.
Sign up for Guardian Australia’s free morning and afternoon email newsletters for your daily news roundup
“You can expect scams about tax from June to October,” he said this week, adding that after that time scammers continued to target taxpayers by shifting their messaging to falsely warn individuals they have missed the tax window and needed to take action.
What kind of scams are they?
Generally, it’s phishing. Methods include individuals receiving a text message which contains a link to a fake myGov site. Victims are then prompted to enter their details, unwittingly giving criminals access to their genuine myGov accounts linked to their ATO accounts.
The scammers immediately change phone and email details preventing the real user from receiving any notifications from myGov, before altering tax returns and bank account details so that falsely inflated tax refunds are redirected to the scammers’ accounts. The entire process takes just minutes.
In online forums, victims have in recent weeks reported having their ATO accounts hacked, losing from $3,000 to $8,000 to criminals.
Another myGov user said she had been repeatedly blocked from her account in the past week after scammers had attempted to access it “many, many times”. She was notified by email and then encouraged to change her password by an automated phone system, but was unable to speak to a human to seek advice about improving her account security.
How secure is myGov?
Last year, Services Australia and partners responded to more than 6,000 scams attempting to impersonate myGov, the federal minister Bill Shorten said in April.
MyGov users have queried why the site does not require users to sign up for two-factor authentication or to use passkeys – secure alternatives to passwords such as a fingerprint. Neither are compulsory and users can choose to use secret questions and answers instead.
A spokesperson from Services Australia, which runs myGov, confirmed the platform only holds names and phone numbers along with email and postal addresses. Bank account and other sensitive details are held by the individual agencies linked to myGov accounts – such as the ATO, Medicare and Centrelink.
Who do myGov scammers target?
Cheung said that the most susceptible people were first-time users of ATO’s online platform and older people. The Services Australia spokesperson suggested many victims were onlinesavvy and used to sharing personal details remotely.
“It’s everyone, scammers target everyone,” they said. “All demographics.”
Cheung said scammers operated seasonally and responded to policy changes. In February, a high number of Medicare scams were reported, possibly the result of changes to bulk billing practices. Scammers were also targeting superannuation accounts.
What is myGov doing to reassure users?
The Services Australia general manager, Hank Jongen, said tax season was a “timely reminder” for everyone to keep their myGov accounts secure in a “challenging global security environment”.
Jongen said myGov was continually evolving to combat increasingly sophisticated scams, identity theft and other cybersecurity threats.
A new myGov personal security overview will prompt users to update settings to better secure accounts. The overhaul was funded in the 2024-25 budget.
How can myGov users protect themselves?
Never click on a hyperlink that has been texted or emailed. Both myGov and the ATO have policies to never send a hyperlink in a text message or email – part of a growing recognition by large organisations and businesses that links are used by fraudsters.
Enable two-factor authentication and set up a passkey – such as facial or fingerprint recognition. Both myGov and the tax office encourage users to use the myGovID authentication app.
MyGov encourages anyone with security concerns to contact its specialised scams and identity theft helpdesk. The ATO urges those who believe they may have divulged personal information to call its helpline.
Are scams in general on the rise?
The number of scams is on the rise – 601,000 scams were reported in 2023 up from 507,000 in 2022. However, losses from scams are decreasing, according to a National Anti-Scam Centre report published in April.
The crime is believed to be under-reported. The centre’s Scamwatch received reports of 143,106 scams in 2024 to June, amounting to financial losses of $134.47m. Phishing – such as the scams targeting myGov – accounted for $9.65m with text messages the top contact method. NSW was the most scammed state.