You might – only might – start to see fewer MyGov scam emails and texts in your communications soon, with the Australian Federal Police announcing that it’s busted a scam ring operating out of Malaysia that developed phishing kits designed to fool users of Australian Government websites.
You know, like the services that you and I use pretty much every single day, because so very many government services are available online.
The existence of online government services is super handy when you need to file a tax return at 3am, although I will admit maybe that’s just a personal need, but it’s brought with it an extreme level of risk, because government logins are rich pickings for scammers.
According to the AFP, it worked from its Joint Policing Cybercrime Coordination Centre (JPC3) unit to provide intelligence to the Royal Malaysian Police (RMP) about the group, which was selling phishing kits specifically targeting the MyGov website.
Simultaneously, the US FBI were able to link the hosting services – claimed by the scammers to offer “bulletproof” hosting – to an organised criminal syndicate.
Eight people were arrested by Malaysian authorities and will face Malaysian law in relation to the phishing kits. As per the AFP, there’s more than a little bit of evidence to go on as well, with authorities siezing four servers, power cables, monitors and a modem. Sure, that doesn’t sound like much, but they allegedly contained more than 60 terabytes of data. That’s not a small quantity of allegedly illegal activity, right there.
The problems of scammers targeting government sites via phishing attacks is a massive one, with the AFP’s Acting Detective Superintendent Darryl Parrish noting that Australians lost over $24.6 million to phishing attacks last year.
“Cybercriminals will use any tools and tricks to exploit people for their own profit – in this case, it is mimicking trusted government websites” he said.
“The AFP is committed to working with our valued law enforcement partners to track down cybercriminals and bring them to justice, regardless of where they are in the world. This case highlights how vital it is for law enforcement agencies to share intelligence and resources globally, as crime is borderless.”
It’s certainly good to see groups like this shut down — with a little luck co-ordinated efforts like this, tied into newer systems that try to limit the spread of SMS phishing scams might start having a solid effect on scam numbers going forward.
How can I tell if a message is a MyGov phishing scam?
The classic way to spot a scam message – especially true for text messages – is if it’s got a URL within it.
A standard MyGov message will typically say nothing more than (for example) “You have a new message in your MyGov inbox”. If it says anything more than that, and especially if there’s a “handy” link that you’re urged to click then it’s a scam.
Be on the lookout also for offers of free cash – one recent scam doing the round was promising support payments from the government – or suggestions that you’re about to be arrested or face big fines. They’re classic scare tactics designed to get you to click, enter your details – and have your accounts compromised.
Why do scammers target MyGov for scams?
It’s a question I’m asked often, because a lot of people presume that the value for scammers might be in bank accounts and the like. There’s no doubt that there’s a lot of value in that, which is why you shouldn’t go shouting your credit card number out in the streets – but government services can be just as lucrative, if not more.
With the centralisation of government services – federally sites like MyGov, plus the various state-based services for matters like registrations and licences – comes convenience, but also a prime market for scammers to access hugely valuable sensitive data. A scammer accessing MyGov, for example, could file fraudulent tax returns, or change banking details to get support payments sent to their accounts. There’s also scope once they have access to ID information to attempt to get false identity papers – passports and licences and so on – created as well.
What can I do if I think I’ve been compromised through a MyGov phishing scam?
Speed is of the essence, because most of these scams will try to get financial benefit as rapidly as possible. If you think you’ve been a victim of a scam there’s a few key steps to work through to try to minimise the damage.
Firstly, if it’s bank or credit card related, contact your bank immediately.
Look up the number online (or on the back of your credit card) – don’t use any number given to you in a text or email message, as this is just another way for scammers to get your information.
You’ll most likely have to cancel credit cards and arrange replacements, which is annoying – but it beats having your bank accounts drained.
If the scam involves your personal identity care documents, contact IDCARE on 1800 595 160 or via its web site.
It’s also a good idea to register the details with ScamWatch. That’s the National Anti-Scam Centre’s consumer-facing reporting service; while it doesn’t handle the messy aspects of financial repair per se, it does track prevalence of scams and help educate consumers on how to avoid them. Your experience isn’t great, of course, but it’s useful, where feasible, to help others not fall into the same traps.