You login to your myGov account to find that your activity statements for the last 12 months have been amended and GST credits of $100k issued. But it wasn’t you. And you certainly didn’t get a $100k refund in your bank account. What happens now?
In what is rapidly becoming the most common tax scam, myGov accounts are being accessed for their rich source of personal data, bank accounts changed, and personal data used to generate up to hundreds of thousands in fraudulent refunds. For all intents and purposes, it is you, or at least that’s what it seems. And, the worst part is, you probably gave the scammers access to your account.
But it’s not just activity statements. Any myGov linked service that has the capacity to issue refunds or payments is being targeted. Scammers are using the amendment periods available in the tax law to adjust existing data and trigger refunds on personal income tax, goods and services tax (GST), and through variations to pay as you go (PAYG) instalments. In some cases, the level of sophistication and knowledge of how Australia’s tax and social security system operates is next level.
Once the scammers have access to your myGov account, there is a lot of damage they can do.
So, how does this happen and why is it so pervasive? Humans are often the weakest link.
Common scams utilise emails (78.9% of reported tax related scams in the last 12 months) or SMS (18.4% of reported scams) that mimic communication you might normally expect to see. The lines of attack used by tax related scammers are commonly:
Fake warnings about attempted attacks on your account (and requiring you to click on the link and confirm your details);
Opportunistic baiting where some form of reward is flagged, like a tax refund, that you need to click on the link to confirm and access; and
Mimicking common administrative notifications from the Australian Taxation Office (ATO) like a new message accessible from a link.
Approximately 75% of all email scams reported to the ATO to March 2024 were linked to a fake myGov sign in page.
How to spot a fake
Often the first sign that something is amiss is alerts about activity on your myGov account or a change in details – which might seem a little ironic if the way in which scammers got into your account in the first place is via these very same messages. But, there are ways to spot a fake:
The ATO, Centrelink and MyGov don’t use hyperlinks in messages. If you receive a message with a link, it’s a fake.
The ATO will not use QR codes as a method for you to access your account.
The ATO will never ask for your tax file number (TFN), bank account details or your myGov login details over social media. Some scammers have used fake social media accounts mimicking the ATO and other Government agencies. When a query comes in, they respond by asking for information to verify it’s you. The ATO will never slide into your DMs. ATO Assistant Commissioner Tim Loh said, “it’s like giving your house keys to a stranger and watching them change your locks.”
The ATO do not use pre-recorded messages to alert you to outstanding tax debt. The ATO will not cancel your TFN. Some scammers suggest that your TFN has been cancelled or suspended due to criminal activity or money laundering and then tell you to either pay a fee to correct it, or transfer your money to a ‘safe’ bank account to protect you against your corrupted TFN.
The ATO will not initiate a conference call between you and your tax agent and someone from a law enforcement agency. In one case, the taxpayer was told that the caller was from the ATO and a person from her accounting firm was on the call as well to represent her and work through a problem. The ATO caller and the tax agent were fake. Just hang up and call our office if you are ever concerned. The ATO will never initiate a conference call of this type.
The ATO will also not ask you to reconfirm your details because of security updates to myGov. The link, when activated, takes you to a fake myGov web page that can look very convincing.
In general, you should always log into your myGov account directly to check on any details alerted in messages rather than clicking on links. This way, you know that you are not being redirected to somewhere you should not be.
And, don’t log into your myGov account on free WIFI networks. Ever.
