Scammers are after your MyGov access because it’s worth something. So what can you do about it, and are you at risk?
It happened at 2AM. I was sleeping. I didn’t have a care in the world, and someone tried breaking into MyGov. Not just any MyGov, but my MyGov.
They didn’t get far, but they did manage to lock me out. With just a few failed attempts at entering an email and password, my account was locked, forcing me to talk to someone to find out what the next steps were.
Those next steps would be inconvenient, specifically finding a way back into your account after criminals tried their best to gain access.
But why would a criminal want to access a MyGov, and what can anyone do about it?
Why criminals want your MyGov access
You may have heard that your data is worth money to criminals… because it is.
Email addresses have a price, but so do other parts of your life: your phone number, your birthdate, your credit and debit card numbers, and all manner of hints that help reveal what your passwords will be, if not the passwords themselves.
This data has a price largely because it can be used to break into your accounts and transfer whatever money you have, and take ownership of your life to keep doing that. It can be used to find people connected to you, and do the same to them.
You have value, and to a criminal, that value is measured in dollars and cents. More of it than you might expect.
“Between July 2021 and February 2023, the ATO reported that more than $500 million was fraudulently claimed by cybercriminals exploiting weaknesses in the myGov ID system,” said Tyler McGee, Head of APAC for McAfee.
“In one instance, scammers accessed an account and fraudulently lodged five refunds from the ATO amounting to $25,000,” he said.
That’s a lot of money lost to the scourge of scammers, so it’s no wonder criminals want access to your accounts. For them, it’s a gateway to money-making at your expense.
It’s why protecting yourself from clicking a dodgy link is so important.
Being a victim of anything is never fun, but dealing with monetary and identity loss feels like it would be a horrible drama you could do without.
“Cybercriminals will seize any opportunity to gain access to your personal accounts and information. And they’re getting better at it thanks to the growth of AI,” said McGee.
“MyGov, which links an individual with dozens of online services, including access to your tax and Medicare, has a huge store of personal information including your tax file number or Centrelink customer reference number,” he said.
“Which makes it a big target for scammers.”
Where your details come from
I don’t click on phishing or SMS links and then enter my details at the fake websites.
You’d expect a security writer to know better, and I practice what I preach. Every time I need to access MyGov, I don’t click on a link from an SMS or email. I type the actual website into my browser’s URL bar and go to the real site.
That’s what you’re supposed to do. If you never want to be scammed out of any website’s details, always type that website’s address directly into your browser. Mobile or desktop, you’ll get the real deal, because a scammer’s fake page has to sit at a different address from the real one; they can’t just use the real website for their fake exploits. The web just doesn’t work that way.
So I wondered where my personal email had come from for scammers to use in this attempt. Truth be told, it could have been any one of the ridiculous number of breaches in the past decade.
Run your personal email through fellow Australian Troy Hunt’s Have I Been Pwned, and you’ll quickly find out where your email address has made its way out into the hands of potential hackers (as opposed to hacks, because that’s what writers are also called).
However, my likely bet is that it came as a result of another breach, so lucky me, I guess.
Why the hack attempt failed
Your email address could ultimately come from anywhere, but if you’ve been good and followed advice on this website and others, your passwords won’t line up, which will make things more difficult for criminals.
With MyGov, Australians also typically have two-factor authentication (2FA) involved, which in turn makes things even more difficult for criminals.
Also known as multi-factor authentication or “MFA”, 2FA means you have at least two mechanisms to prove you are who you say you are. That’s typically a password and a code sent to a phone, or a password and a code sent to an email, and so on and so on.
Multi-factor authentication means covering yourself with more than just passwords, which is important because a stolen or guessed password alone is then not enough to get into your account.
MyGov accounts provide that, with the Australian government requiring a code either through its authenticator system on a phone, or via SMS.
“Cybercriminals will not be able to log into your MyGov just knowing your mobile number. Having your mobile number set up for two-factor authentication helps protect you and your account,” said Dean Williams, Senior Systems Engineer for Norton.
“Two-factor authentication is really important to set up when you are setting up a MyGov account, which is something you will need to opt into; it is not compulsory,” he said.
“If this isn’t set up, cybercriminals can exploit other vulnerabilities, such as weak passwords or phishing scams, to gain access to your account, where you unwillingly give away your information.”
How to fix getting locked out of MyGov
I got a story out of this failed hack attempt, but I still had to deal with the repercussions.
Hopefully this doesn’t happen to you, but if it does, your options are largely to hope you’ve prepped everything in advance, or hit the reset switch and start again.
Prep ahead of time
The first and most obvious approach is to set up multi-factor in a way that doesn’t go to just SMS.
The MyGov Code Generator app is the handy way of doing that, but be aware it’s tied to the phone you use. If you decide to switch phones or upgrade, you may need to go through an additional step or two to switch the Code Generator app accordingly and log in again.
Call someone
Mind you, this doesn’t always work. Sometimes when hacks occur, you still need to call up someone at MyGov’s support desk and go through the motions.
You may be on hold for some time, and truth be told, the answers mightn’t be as easy as clicking on a few buttons, the way they are on your phone.
Hit the reset switch
Unfortunately, the Australian government hasn’t thought THAT far ahead for what its citizens will need to do if they’re locked out of a MyGov account through no fault of their own. It’s a shame, too, because the MyGov support person we spoke to said this is happening to more people lately.
If this is you, and you find yourself locked out with a litany of messages all saying the same thing, your choices are rather limited.
You can:
- Wait for the system to clear the error (support said it can happen), or
- Release your email and reconnect all your services once again.
You will probably need to do the latter, which can be enormously frustrating. It’s a process, too, but one you can’t really escape from at this time.
The one upside is you can prepare for it ahead of time, ensuring you use multi-factor authentication to hold back any would-be criminals from breaking down your government ID doors.
Stay vigilant in the face of it all
For everything else, there’s the act of staying vigilant throughout it all. Practice safe internet hygiene by paying attention to what you might be clicking on. Don’t click aimlessly on links you don’t trust, and look at those links before you consider opening them up.
There are other things you can do, such as not responding to the bait of urgency, reporting scams to the ACCC’s Scamwatch, and simply hanging up on scammers and criminals.
“Scammers are unfortunately a reality of our digital world, and Aussies need to make sure they’re doing all they can to protect themselves and their information,” said McGee.
“As technology continues to advance, especially with the advancement of AI, the risk of online threats is growing, posing significant challenges to Australians.”
Practice as many safe internet standards as you can. It’s true that, as in this case, scammers and criminals could still find a way to lock you out of a system. However, if they’ve also been locked out, you’ll have been saved, and it will only be an inconvenience to fix things, as opposed to an inconvenience that can cost you big time.