In what is rapidly becoming the most common tax scam, myGov accounts are being accessed for their rich source of personal data, bank accounts changed, and personal data used to generate up to hundreds of thousands in fraudulent refunds. For all intents and purposes, it is you, or at least that’s what it seems. And, the worst part is, you probably gave the scammers access to your account.
But it’s not just activity statements. Any myGov linked service that has the capacity to issue refunds or payments is being targeted. Scammers are using the amendment periods available in the tax law to adjust existing data and trigger refunds on personal income tax, goods and services tax (GST), and through variations to pay as you go (PAYG) instalments. In some cases, the level of sophistication and knowledge of how Australia’s tax and social security system operates is next level.
Once the scammers have access to your myGov account, there is a lot of damage they can do.
So, how does this happen and why is it so pervasive? Humans are often the weakest link.
Common scams utilise emails (78.9% of reported tax related scams in the last 12 months) or SMS (18.4% of reported scams) that mimic communication you might normally expect to see. The lines of attack used by tax related scammers are commonly:
- Fake warnings about attempted attacks on your account (and requiring you to click on the link and confirm your details);
- Opportunistic baiting where some form of reward is flagged, like a tax refund, that you need to click on the link to confirm and access; and
- Mimicking common administrative notifications from the Australian Taxation Office (ATO) like a new message accessible from a link.
Approximately 75% of all email scams reported to the ATO to March 2024 were linked to a fake myGov sign in page.
HOW TO SPOT A FAKE
Often the first sign that something is amiss is alerts about activity on your myGov account or a change in details - which might seem a little ironic if the way in which scammers got into your account in the first place is via these very same messages. But, there are ways to spot a fake:
- The ATO, Centrelink and MyGov don’t use hyperlinks in messages. If you receive a message with a link, it’s a fake.
- The ATO will not use QR codes as a method for you to access your account.
- The ATO will never ask for your tax file number (TFN), bank account details or your myGov login details over social media. Some scammers have used fake social media accounts mimicking the ATO and other Government agencies. When a query comes in, they respond by asking for information to verify it’s you. The ATO will never slide into your DMs. ATO Assistant Commissioner Tim Loh said, “it’s like giving your house keys to a stranger and watching them change your locks.”
- The ATO do not use pre-recorded messages to alert you to outstanding tax debt. The ATO will not cancel your TFN. Some scammers suggest that your TFN has been cancelled or suspended due to criminal activity or money laundering and then tell you to either pay a fee to correct it, or transfer your money to a ‘safe’ bank account to protect you against your corrupted TFN.
- The ATO will not initiate a conference call between you and your tax agent and someone from a law enforcement agency. In one case, the taxpayer was told that the caller was from the ATO and a person from her accounting firm was on the call as well to represent her and work through a problem. The ATO caller and the tax agent were fake. Just hang up and call our office if you are ever concerned. The ATO will never initiate a conference call of this type.
- The ATO will also not ask you to reconfirm your details because of security updates to myGov. The link, when activated, takes you to a fake myGov web page that can look very convincing.
In general, you should always log into your myGov account directly to check on any details alerted in messages rather than clicking on links. This way, you know that you are not being redirected to somewhere you should not be. And don’t log into your myGov account on free Wi-Fi networks. Ever.
WHO IS GETTING SCAMMED?
There is a pervasive view that older, technology challenged individuals are the most at risk. And while this might be the case generally, scamming is impacting all age groups.
The ATO says that the demographic who most reported providing personal information to scammers was 25- to 34-year-olds. And the younger generation are more likely to fall for investment scams. According to the AFP-led Joint Policing Cybercrime Coordination Centre (JPC3), people under the age of 50 are overtaking older Australians as the most reported victims of investment scams. Australians reported losing $382 million to investment scams in the 2023-24 financial year. Nearly half (47%) of the investment scam losses involved cryptocurrency.
WHAT TO DO IF YOU HAVE BEEN SCAMMED
myGov
If you have downloaded a fake myGov app, have given your details to a scammer, or clicked on a link from an email, text message or scanned a QR Code, contact Services Australia Scams and Identify Theft Helpdesk on 1800 941 126, or get help with a scam here.
Tax scams
If you have already acted, contact the ATO to verify or report a scam on 1800 008 540. The Government use external agency recoveriescorp for debt collection but will advise you if you have a tax debt outstanding.