A convincing scam is making the rounds targeting Aussies with an ABN and myGov account, and worse, mail services are none the wiser.
Scammers are a frustrating scourge of modern life, and not a day goes by without yet another example landing in our inboxes.
These days, some are so convincing that even the spam and scam filters built into mail services struggle to catch them. Worse, some services actively promote them, moving them to the top of the pile and leaving you to work out for yourself whether they’re real.
That’s what happened this week when this journalist received an email about an ABN being blocked, and Gmail’s normally decent filters shunted it to the top of the inbox as if it were suddenly important. It comes as scammers and cyber criminals move quickly to break into more myGov accounts, potentially locking some in the process, and shows how far they will go to get your login to a government system.
And the latest myGov scam could well be convincing if you don’t pay attention to the details.
The details on the myGov scam email
Government emails tend to be simple, particularly when they’re simply alerting you to visit the myGov site to check a message in your government inbox. Unfortunately, that’s an approach the scammers have seized upon.
The email we received was simple in much the same way: a short message and a link to “View cancellation notice”.
It gives just enough detail to make you think twice.
Fortunately, scammers have a tell that anyone can pick up on, and while Gmail’s filters may not always be cluey to the grift, you can be: check the sender email.
Checking the sender email matters because scammers can set the display name to anything they like (“myGov”, “Australian Taxation Office”), but the actual address is another matter. Forging an address at the real domain tends to trip the authentication checks mail providers now run on the sending domain, so phishing usually arrives from a domain the scammer controls. Look past the display name to the part after the @.
And in this case, it came from nothing at all like a government email address.
We weren’t convinced, and we’re probably not the intended target. But research last year painted the early hours as a crucial time for scammers to strike, when people click without thinking, and that’s the point: scammers want you to click without thinking and simply assume their site is legitimate.
So for the sake of writing an article and explaining why you shouldn’t, we clicked.
You definitely shouldn’t click on a scam link, but if you did, how convincing is this new wave of myGov scams?
The details on a myGov scam website
The answer, as it turns out, is quite convincing, particularly if you don’t know how to look at the code underlying everything.
A quick glance at this website could have fooled someone, since it works well on both mobile and desktop. It isn’t difficult to build websites, phishing sites included, but this one could easily have survived a passing glance.
The clean blue myGov look was imitated clearly, as was the standard login form. By now, a myGov login should require a second factor, so a stolen password on its own shouldn’t get a scammer straight in, but handing your email address and password to scammers is still a problem, particularly because so many people reuse the same ones across sites.
Peeking into the code, we found almost nothing on the scam site was designed to work except the fake form, which reports an official-looking error about your sign-in details no matter what you type in. A real login form checks your credentials; this one just harvests them, then sends you away with a convincing error message.
But the code doesn’t lie, and neither does another telltale trait common in every scam. So, how can you work out you’re at a scam site when it looks so legitimate?
How to tell you’re at a myGov scam
The good news is that the exact same methods we normally use to work out whether a website is real or not work here, as well.
Simply put, check the domain. That’s the www-dot-whatever in the address bar at the top of your browser (Chrome calls it the “omnibox”, because you can type a URL or a search straight into it).
Scammers can’t use the real website’s domain, so they’ll either register something close enough to be convincing, or opt for something outlandish and filled with numbers and letters in the hope that you don’t pay attention.
For the latest convincing myGov scam, the criminals had gone with the former. It wasn’t completely convincing, but with a passing glance, we could see that someone could be fooled.
Pay attention to what you’re being sent
A bit of education can keep you from being scammed, and this tidbit of knowledge always applies.
Much like the email address not coming from the real organisation, the same situation applies with the website itself. Scammers can’t just send an email from the real company or host a website at the real organisation, so they come up with an alternate approach. One they hope you aren’t paying attention to.
The solution is to do that: pay attention to your emails and the messages you’re sent.
Even if Gmail and other email services struggle to tell what’s real from what’s not (Apple Intelligence has mistakenly promoted scams to the top of our inbox, too), you can still pay attention to the messages you’re sent by doing the following:
- Take a moment to look at an email before clicking anything
- Check the address the email actually came from, not just the display name, and see whether the domain belongs to the organisation
- Don’t click without thinking. Instead, hover over a link (or long-press it on a phone) to see where the URL really goes.
- And if you do find yourself at a site that looks real, study that URL carefully before you type anything in.
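The checks in that list can be automated for a suspicious message you have saved. The script below is an added example for this article, not code from the scam or from myGov: it splits the From header into display name and address, extracts every link from the HTML body, and judges each domain against an allow-list. The sample email, the sender domain `mygov-notices.example` and the link host `my.gov.au.notice-verify.example` are all constructed for the example; the only real name is `my.gov.au`, the domain myGov actually lives on.

```python
"""Check a suspicious email's sender address and links against trusted domains."""
import email
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Allow-list assumed for this example: the real myGov service lives under my.gov.au.
TRUSTED_DOMAINS = {"my.gov.au"}

# Constructed sample message (not the email from the article). The display name
# says "myGov", but the address and the first link point at domains a scammer
# would control; the link even starts with "my.gov.au" to fool a passing glance.
SAMPLE_EMAIL = """\
From: "myGov" <noreply@mygov-notices.example>
To: you@example.net
Subject: Your ABN has been cancelled
Content-Type: text/html; charset=utf-8

<html><body>
<p>You have a new message in your myGov inbox.</p>
<p><a href="https://my.gov.au.notice-verify.example/view">View cancellation notice</a></p>
<p><a href="https://my.gov.au/en/">myGov</a></p>
</body></html>
"""


def is_trusted(host: str) -> bool:
    """True only if host is a trusted domain or a subdomain of one.

    A plain substring test would be fooled by my.gov.au.notice-verify.example,
    so whole labels are compared from the right-hand end instead.
    """
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)


class LinkCollector(HTMLParser):
    """Collect (visible text, href) pairs from the anchors in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def check_sender(msg):
    """Split the From header into display name and address; judge the address domain."""
    display, address = parseaddr(msg["From"])
    domain = address.rpartition("@")[2]
    return {"display": display, "address": address, "domain": domain,
            "trusted": is_trusted(domain)}


def check_links(msg):
    """Extract every anchor from the HTML body and judge the host it really goes to."""
    body = msg.get_body(preferencelist=("html",))
    collector = LinkCollector()
    collector.feed(body.get_content() if body else "")
    results = []
    for text, href in collector.links:
        host = urlparse(href).hostname or ""
        results.append({"text": text, "href": href, "host": host,
                        "trusted": is_trusted(host)})
    return results


def assess(raw_message: str) -> dict:
    """Run both checks on a raw message and flag it if the sender or any link is untrusted."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    sender = check_sender(msg)
    links = check_links(msg)
    suspicious = not sender["trusted"] or any(not link["trusted"] for link in links)
    return {"sender": sender, "links": links, "suspicious": suspicious}


if __name__ == "__main__":
    report = assess(SAMPLE_EMAIL)
    s = report["sender"]
    print(f"From: {s['display']!r} <{s['address']}>  domain={s['domain']}  trusted={s['trusted']}")
    for link in report["links"]:
        print(f"Link {link['text']!r} -> {link['host']}  trusted={link['trusted']}")
    print("SUSPICIOUS" if report["suspicious"] else "looks consistent")
```

Run against the sample, the display name reads “myGov” while the address domain is `mygov-notices.example`, and the “View cancellation notice” link resolves to `my.gov.au.notice-verify.example`, which fails the allow-list even though it begins with `my.gov.au`. Only the second link, on the real domain, passes. The allow-list is the part to adapt: add the other government domains you expect to hear from, and treat anything else as a reason to stop and search for the real site instead.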
If you do find yourself somewhere you’re not sure is real, close the tab or browser window and rely on another thing scammers can’t touch: a search engine. Call on Google or Bing or anything else, and search for the real website.
Much like how you can check the back of your bank card to find a real number to call back on if you’re not sure the person you’re talking to is from a bank, you can also use search engines to find the real website.
Scammers can’t displace the real website in search results for much the same reason: they’re not the real organisation, and they can only get you to their sites by tricking you in emails and text messages. One caveat: skip the sponsored results at the top, which scammers do sometimes pay for, and pick the ordinary result that shows the real domain (for myGov, my.gov.au).
Don’t fall for it. Use a bit of education and prevent yourself from becoming another statistic.