MyGov Email Scam
This is a Covid-related scam which popped up in 2021 and is known to the Australian Tax Office.
It is officially known as the MyGov Impersonation Email Scam and it is perpetrated as follows:
You receive an email apparently from MyGov
The sender name is MyGovID
However, the sender email address in this case is zaryko@forexnews.bg, which is clearly not a Government email address
This is important because on a computer screen you can usually see the email address as well as the sender name
However, on a smartphone you can often only see the sender name at first glance
The email offers a modest refund related to your tax refund
You are encouraged to log into a "Secure Form"
The link takes you to a form which is anything but secure!
So, you click on the link (which is bogus)
The link takes you to a very realistic MyGov page (which is also bogus)
The web page is an accurate reproduction (copy) of the genuine MyGov web page
The only indication that the page is not genuine is the web address
However most people look at the content of the web page rather than the (usually complex) web address
Which is why these scams work
The scammer receives your MyGov email address and password
They will immediately test the combination against your email login, which might be their main intention
Or they will try to get into your MyGov account, which contains a bunch of private identification
If they get into your mailbox they will attempt to steal money from you
If they get into your MyGov account then they can steal your identity and use that to defraud others
The email header
Clearly not an official email from the Government
Poor grammar in the subject line
The email body
They don't know who you are
The tax year ending date is not correct
Ironically, they are actually attempting to steal your identity!
The "Secure Form" is not secure
The "Secure Form" web address
Contains the expression MyGovID and au twice! Some may be reassured by this
However, justns.ru is a Russian hosting site
Note the padlock symbol which denotes a Secure web page
Scammers are now using SSL certificates on web pages, just like most companies around the world do
They are using the legitimate "Connection is secure" status to suggest that the web page itself is secure
In reality, the connection to the web page is indeed secure, but that does not mean the content is secure
It is an easy leap from "the connection is secure" to the notion that the content is secure, when it clearly is not
The scam web page is a very accurate replica of the genuine MyGov web page
As above, the web address is clearly dodgy, but only if you notice it
The rest of the page is an exact replica; check out the genuine page here
All of the links on the page direct back to the same scam page, so you can't get off the scam page easily
So, how do you protect yourself from this type of scam?
The problem is that even genuine web addresses look dodgy!
For example, https://my.gov.au/LoginServices/main/login?execution=e2s1 is a genuine web page
If you click the Forgot username link, the genuine web page address is
Same with the Forgot password link, the genuine web page address is
The scammers take advantage of this and you can see why it is tough to work out the genuine from the false
The genuine MyGov web page
Your web browser will try and highlight the domain name of the web page you are visiting
The domain will be ever so slightly more prominent and the prefix & suffix components of the address will be slightly less prominent
As you can see from this screenshot, you could hardly say the difference in font style is pronounced!
my.gov.au is clearly the genuine web page address, but only if you know it is the genuine web page address...
The fake MyGov web page
You will notice that the fake web page address does contain the expression MyGovID as part of the suffix which looks somewhat convincing
The /au/au as part of the suffix is also designed to convince you it is an Australian website
However, as you can see, the domain name is justns.ru, which is clearly not an Australian domain; it is in fact Russian
Note that the web page itself may not have been created by someone from Russia; that's just where it is hosted
It is even quite safe to browse to justns.ru; it looks like a genuine internet hosting business in Russia
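The two checks described above (sender address versus sender name, and the link's real domain versus reassuring words elsewhere in the address), as an added Python example that is not part of the original article. The trusted-domain list, the .gov.au sender rule, the function names and every sample URL other than the genuine login address are assumptions constructed for illustration.

```python
from email.utils import parseaddr
from urllib.parse import urlsplit

# Assumptions for this example: the one domain treated as genuine, and the
# sender-name fragments that claim to be MyGov.
TRUSTED_DOMAINS = {"my.gov.au"}
BRAND_HINTS = ("mygov",)

# Sender and genuine URL are quoted in the article; the fake URLs are
# constructed from its description (MyGovID and /au/au in the path).
FROM_HEADER = "MyGovID <zaryko@forexnews.bg>"
GENUINE_URL = "https://my.gov.au/LoginServices/main/login?execution=e2s1"
FAKE_URLS = [
    "https://justns.ru/MyGovID/au/au/",   # brand words only in the path
    "https://my.gov.au.justns.ru/login",  # genuine name used as a prefix
    "https://my.gov.au@justns.ru/",       # genuine name as fake "user" part
    "https://fakemy.gov.au/",             # lookalike without a dot boundary
]


def link_host(url):
    """Return the host the browser connects to, ignoring user@, port, path."""
    return (urlsplit(url).hostname or "").rstrip(".").lower()


def is_trusted_host(host):
    """True only for a trusted domain or a subdomain on a dot boundary."""
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)


def check_message(from_header, link):
    """Return findings for one From header and one link from the email."""
    findings = []
    name, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2].lower()
    claims_brand = any(hint in name.lower() for hint in BRAND_HINTS)
    # Assumption: a genuine Government sender uses a gov.au address.
    if claims_brand and not (domain == "gov.au" or domain.endswith(".gov.au")):
        findings.append(f"sender name '{name}' but address domain is {domain}")
    host = link_host(link)
    if not is_trusted_host(host):
        findings.append(f"link goes to {host}, not a trusted domain")
    return findings


if __name__ == "__main__":
    for url in [GENUINE_URL] + FAKE_URLS:
        print(url, "->", check_message(FROM_HEADER, url))
```

The comparison is made on the host alone and on a dot boundary, which is why the prefix, "user@" and lookalike variants are rejected even though each contains the text my.gov.au.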
The bottom line
Scam web pages are becoming ever more sophisticated
Make yourself aware of what genuine web page addresses look like
Check with someone you know personally before entering any information on any website if you are unsure