NATIONAL SCAM ALERT
NATIONAL SCAM ALERT- Phishing email spoofing myGov claims users are eligible for refund.
myGov, the government services portal servicing millions of Australians accessing benefits such as Medicare, JobSeeker and JobKeeper, is the subject of the latest email phishing scam seeking to steal sensitive data and credentials from unsuspecting users.
A well-executed scam which carries the subject, “Updates regarding your account”, and uses a display name of “myGov”. However, the actual sender email address doesn’t use a domain belonging to myGov at all, instead, the email originates from a compromised 3rd party email account. The email body looks neat but it doesn’t follow the layout used in legitimate notifications from myGov that are largely in plain-text. It informs recipients that they are “eligible to receive $130.81 AUD” and directs them to submit an “eForm” to claim their refund.
A ‘Secure Form’ button is provided, and its destination is somewhat obscured by the use of a URL shortener. To add to the perceived legitimacy of the email, it includes an “Important info” note, stating that ‘Your refund will not be processed unless you confirm your identity’, and it is signed “Sincerly, © myGov Team”.
Here is a screenshot of the email:
When users click the “Secure Form” button they are presented with a fake myGov login page. This is a very faithful replication of the actual myGov login page, complete with high-quality branding elements (including the myGov and Australian Government logos) and support links. However, the domain used in the page URL doesn’t belong to myGov or the Australian government. Instead, the page URL begins with “airenherbals[dot]com” – a red flag pointing to its illegitimacy.
This is actually a phishing page that is hosted on a compromised website in India. Once users “sign in” to their myGov accounts using their username or email, along with their password, those credentials are harvested for later use.
The user is then redirected to another webpage that asks for more personal details, including their full name, DOB and home address. Just as with the previous login page, this page also looks quite legitimate, as you can see below:
The scam doesn’t stop there. Users are taken to another phishing page where they are asked to enter “financial institution details”, i.e. their credit card details.
The final page informs users that their details are being processed and that they should not close the window, as seen in the example below:
We encourage all email users to be extra vigilant against this kind of email and whatever happens, do not open or click the links.
With more than 18.7 million active accounts, there’s a high chance the recipients of the phishing email have a myGov account, increasing the likelihood of the scam being successful. In addition, myGov is the central access point for a range of government online services, including Medicare, myTax and Centrelink, in the one place using a single login and password. Anyone falling victim to this scam will be vulnerable to having all of these government accounts compromised and their identity stolen which can lead to serious repercussions. Since this scam also targets users’ financial information, their credit card credentials can be used to make fraudulent purchases, potentially leading to significant financial losses. Credentials are also likely to be harvested for use in future cyber–attacks, for identity fraud and sold on the dark web.
This is a particularly sinister scam as cybercriminals are attempting to exploit vulnerable Australians, many of whom are suffering economic hardship as a result of the economic uncertainty caused by COVID-19. Scammers are well-aware that many users and businesses are in desperate need of economic assistance, applying for government relief & benefit packages like JobSeeker via myGov. By falsely claiming that users are eligible for a refund, the cybercriminals behind the attack are cruelly capitalising on those unfortunate circumstances.
Here are some ways this email scam has attempted to exploit users:
- The use of an official government service to inspire false trust; and the “myGov” display name boosts the email’s credibility,
- Inclusion of high-quality branding elements like myGov’s logo and colour palette to make the pages & notifications appear authentic, and
- With false urgency; a subject line like “Updates to your account” and an email body about an eligible refund creates a sense of curiosity and excitement, motivating users to act immediately without checking on the email’s authenticity.
Despite these techniques, recipients may spot several red flags that point to the email’s illegitimacy. These include the fact that the email doesn’t address the recipient directly, and that the URL domains used to host the phishing pages don’t belong to myGov, as mentioned above. Spelling errors like “Sincerly” are also a giveaway that the email is, in fact, a fraud.
myGov and other Australian government agencies are regularly the subject of email fraud and scams, due to their large user base and the trust invested in their identity. Earlier this month, the Australian Taxation Office also issued an alert warning locals of a phishing email scam involving JobKeeper and backing business investment claims.
If you’ve received a suspicious message purporting to be from myGov, the Australian Government issues the following advice:
“Don’t click on links in emails or text messages claiming to be from myGov. myGov will never send you a text, email or attachment with hyperlinks or web addresses. We will never send you an email or SMS asking for:
- your username
- your password
- your myGov PIN
- your secret questions and answers.”
One email is all that it takes
All that it takes to break into your business is a cleverly-worded email message. If scammers can trick one person in your company into clicking on a malicious link they can gain access to your data.
Make sure your staff is constantly reminded of what is safe to click on and keep your firewalls and email security system up to date.
The above information was provided by MailGuard.