The myGov Scam Costing Australians Thousands — How to Spot It in 2026
myGov impersonation scams have become the most reported scam category in Australia, with the ACCC receiving tens of thousands of reports annually. The sophistication of these scams has increased dramatically in 2025-2026, with criminals using AI to generate emails that are virtually indistinguishable from genuine myGov communications — and combining phishing with social engineering to overcome scepticism.
How the Scam Works
You receive an email appearing to be from myGov, telling you that you have a new message in your inbox, that your account has been accessed from an unusual location, or that you need to verify your identity. The email looks exactly like genuine myGov communications — correct logos, formatting, and legitimate-looking links. When you click the link to log in, you are taken to a fake website that looks identical to the real myGov. You enter your username and password, which criminals capture immediately. They then log in to the real myGov and redirect your tax refund or Centrelink payments to a different bank account.
The Advanced Versions of This Scam
More sophisticated versions of the myGov scam involve multiple steps. After capturing your credentials, attackers may call you posing as a Services Australia security officer, saying they have detected suspicious activity on your account and need to verify your identity. They use the information already in your myGov account to answer any questions you might ask, making the call seem entirely legitimate. This call-plus-phishing combination is designed to overcome any scepticism you might have after noticing that your account balance or payment details have been accessed.
The Key Signs of a myGov Scam Email
- The email asks you to click a link to log in — real myGov emails direct you to go to the website yourself
- The link in the email does not go directly to my.gov.au
- The email creates urgency — "your account will be suspended" or "verify within 24 hours"
- The email asks you to confirm personal details or bank account information
- The sender address is not from a government domain, or uses a confusingly similar domain
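For readers who triage reported emails, the signs above can be turned into a simple check. This is an added example, not code from myGov or Services Australia; the function names, the phrase lists, the rule that any sender domain ending in .gov.au counts as government, and the sample message are assumptions made for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlsplit

OFFICIAL_HOST = "my.gov.au"  # the address the article says to type yourself
URL = re.compile(r"https?://[^\s\"'<>]+", re.I)
# Assumed phrase lists, built from the article's examples; extend as needed.
URGENCY = re.compile(r"will be suspended|within 24 hours", re.I)
DETAILS = re.compile(r"bank account|personal details", re.I)

def is_official(host):
    """True for my.gov.au or a real subdomain, never for a look-alike."""
    host = (host or "").lower().rstrip(".")
    return host == OFFICIAL_HOST or host.endswith("." + OFFICIAL_HOST)

def warning_signs(raw_email):
    """Return the article's warning signs found in a plain-text email."""
    msg = message_from_string(raw_email)
    body = msg.get_payload()  # assumes a single-part, plain-text message
    sender = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    # urlsplit() drops any "user@" prefix, so my.gov.au@evil.example -> evil.example
    hosts = [urlsplit(u).hostname for u in URL.findall(body)]
    signs = []
    if hosts:
        signs.append("asks you to click a link")
    if any(not is_official(h) for h in hosts):
        signs.append("link does not go to my.gov.au")
    if URGENCY.search(body):
        signs.append("creates urgency")
    if DETAILS.search(body):
        signs.append("asks for personal or bank details")
    # A From header can be forged, so a .gov.au sender proves nothing by itself.
    if not (sender == "gov.au" or sender.endswith(".gov.au")):
        signs.append("sender is not a government domain")
    return signs

# Constructed sample message (not a real email).
SAMPLE = """From: myGov <no-reply@my-gov-au.example>
Subject: New message in your myGov inbox

Your account will be suspended. Verify within 24 hours:
https://my.gov.au.secure-login.example/signin
Please confirm your bank account details.
"""

if __name__ == "__main__":
    for sign in warning_signs(SAMPLE):
        print("-", sign)
```

The host comparison is exact on purpose: a link whose address merely starts with or contains "my.gov.au" is still reported as not going to my.gov.au.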
What to Do If You Think You've Been Scammed
Act immediately. Go directly to my.gov.au (type it yourself — do not click any link) and change your myGov password. If you cannot log in, use the account recovery process. Contact Services Australia on 13 23 00 to report that your account may have been compromised. Contact your bank if your payment details were changed. Report the scam to Scamwatch at scamwatch.gov.au. Enable MFA on your myGov account once you have regained access — this prevents future attacks even if your password is later compromised.
The Golden Rule
Never click links in emails claiming to be from myGov, the ATO, Centrelink, or Medicare. Always go directly to the website by typing the address yourself: my.gov.au. This one habit renders every myGov phishing email completely harmless — they can only succeed if you click the link they provide.
MFA on myGov — The Most Important Protection
The single most effective protection against myGov phishing is enabling multi-factor authentication on your myGov account. With MFA active, even if a scammer captures your myGov username and password through a phishing attack, they cannot log in to the real myGov because they also need your phone. Set up MFA through the Security settings in your myGov account — you can use an authenticator app or receive codes by SMS. The authenticator app option is more secure than SMS. Once enabled, any login attempt that does not include the second factor will be blocked.
Helping Vulnerable Family Members
Older Australians and those who are less familiar with digital systems are disproportionately targeted by myGov phishing. If you have parents or family members in these groups, offer to sit with them and enable MFA on their myGov account. Explain clearly: "Any text or email that contains a link and says it is from myGov is a scam. Real myGov messages appear in your myGov inbox — we can check those together." This simple, memorable rule, repeated regularly, provides strong protection. For family members who may struggle with MFA, consider whether you can be listed as an authorised representative on their myGov account to help manage security settings. IntrusionX provides family security consultations — contact us for support.