Thousands of MyGov accounts are being suspended each month out of concern they’ve been breached via “scam-in-a-box” kits being sold by criminals on the dark web.
The products were being used to create fake websites and provide the specialist knowledge required to launch phishing attacks on Centrelink, Australian Tax Office and Medicare accounts.
So far this year, more than 4,500 MyGov scams have been confirmed, with thousands of accounts suspended each month due to suspected fraud.
In some cases, the kits come with security controls and allow criminals to run multiple scams at once, before quickly closing them to avoid detection.
Some can identify when they’re being used by more IT-savvy users, and direct them to the official MyGov website. Many fake websites are almost identical to the real version.
The government services minister, Bill Shorten, said Australians had already lost $3.1bn to scams this year and the issue was being taken seriously by authorities.
“These fake sites and criminal gimmicks like ‘scams in a box’ trick our citizens into giving criminals their user ID and passwords,” Shorten said.
“The problem with these hacks, and the proliferation of phishing scams we now see, is that increasing amounts of stolen identifying details end up on the dark web.”
The scams were attractive to cybercriminals because many Australians used one password for all their accounts. The attacks require minimal effort for a valuable reward.
One ad tells buyers that most Australians have a MyGov account and that all you have to do is ask for login details and make sure the Australian Tax Office is linked to their account.
“Statistics show that people reuse passwords at least 50% of the time, making it possible for scammers and hackers to use the stolen password to access other online services,” Shorten said.
“MyGov is now the number one digital government service used by Australians and Services Australia is working around the clock to counter scammers’ and hackers’ attacks.”
But scam-in-a-box operators are expected to continue targeting MyGov until the government overhauls its ID verification, which it is in the final stages of doing.
“The Albanese government is determined to disrupt malicious actors by bolstering online defences,” Shorten said.
“I am also working closely with my ministerial colleague, Senator Katy Gallagher, to establish a digital ID that will be a key line of defence against cybercrime when established.”
Last year, the government confirmed it was considering using myGov or its myGovID system to centralise digital identity authentication in the wake of the Optus breach.
In August, the Australian Tax Office warned people against clicking on scam emails and text messages directing them to fake myGov websites.
These emails and texts often told people they were owed a tax refund, or that they needed to confirm their bank account, and directed them to a fake website.
“We’re receiving an increased number of reports about several ATO impersonation SMS and email scams,” an ATO spokesperson said.
“These scams encourage people to click on a link that directs them to fake myGov sign-in pages designed to steal their username and password.”
The sale of sensitive identification on the dark web has been a problem for many years. In 2017, Guardian Australia reported on the sale of Medicare patient details obtained by “exploiting a vulnerability” in a government system.
In 2019, Guardian Australia reported on dark web vendors offering Medicare details for US$21 ($33). Other vendors charged up to US$340 for fake Medicare cards alongside other fake forms of identification, such as a New South Wales driver licence.