While waiting patiently for the Australian government to pass legislation to receive a refund on my student loan (which was unfairly overcharged in the first place), my MyGov account suddenly became locked.
I received an email from myGov that looked legitimate. There were no hyperlinks. The email was correct. The myGov help desk phone number was correct (I double-checked it on the website). There were no spelling mistakes. The writing was formal and boring – so it hit the right tone of voice.
MyGov Email
The email was titled: “Your myGov account is locked”.
It was sent from: myGov noreply@my.gov.au
The body of the email said:
Dear myGov user,
You entered the incorrect sign-in details too many times. Your account is locked.
You can unlock your account in myGov.
Find out how you can protect your myGov account in the privacy and security section of the myGov website.
If this wasn’t you, call the myGov helpdesk on 132 307. Call charges may apply. The myGov helpdesk is open during local Australian time zones, from:
- Monday to Friday, 7 am to 10 pm
- Saturday to Sunday, 10 am to 5 pm
Regards, myGov team
Do not reply to this email.
Message reference: UE010
Phishing Red Flags
However, I had not logged into my myGov account recently. So, the only logical reason would be that someone else was trying to log into my account and they had locked it!
Unfortunately, soon after I received the email, I received a suspicious text message on my mobile phone. Fortunatetly, my TrendMicro security software immediately blocked it.
It read: “You have a new notification from ATO regarding your 2024 lodgement, visit ….services-au-return.info/2024/”. You’ll notice that this web address doesn’t have the usual Australian government format. It’s a fake address!
The hackers had a cunning plan. You receive an official-looking email when they attempt to hack your online account. Then several minutes later, they send a text message containing a dodgy hyperlink to reset your password.
This is a classic example of a phishing attempt. (Yes, you pronounce it like “fishing”).
Please report phishing attempts
If you receive a similar dodgy message, please report it using your mobile phone software. Just select the 3 dots in the upper right hand corner and then select “Block and report spam”.
Resetting my password
Fortunately, I could reset my password using security questions and a security code via SMS. But since my would-be hacker has both my email address and mobile phone number, there is nothing to stop them from attempting this foul play again next week!
To unlock my account, I had to reset my password to something new.
Be careful of suspicious activity on your important online accounts. Do not place all of your eggs in one basket with one password for all of your accounts.
