myGov Security Breach: What You Need to Know — and How to Protect Yourself
A recent investigation by the Commonwealth Ombudsman has exposed a serious flaw in the security of the myGov platform, affecting linked services like Medicare, Centrelink, and the ATO.
Fraudsters have exploited this weakness through a process known as unauthorised linking — creating fake myGov accounts and linking them to real people's services, allowing them to steal refunds, redirect Centrelink payments, or make false claims. The consequences for victims have included frozen accounts, delayed assistance, and even loss of income.
If you access the ATO or Centrelink online via myGov, this directly affects you.
What Is "Unauthorised Linking"?
This scam doesn’t require direct access to your actual myGov login. Instead, fraudsters use stolen personal details to create a fake myGov account — then link that account to your real services (like the ATO or Medicare). They’re effectively entering through a “side door” in the system.
Once linked, they can:
Make false tax return claims in your name
Redirect Centrelink or Medicare payments
Change your bank account details
The Ombudsman’s report confirms that current safeguards do not do enough to prevent this from happening.
How You Can Protect Yourself
Scammers often rely on a few key pieces of personal identifying information (PII) — like your full name, date of birth, TFN, email, or address. Here are the top ways to protect yourself:
✅ Do:
Use strong passwords and enable two-factor authentication on your myGov account and email.
Access government services only by typing the URL manually (e.g. my.gov.au). Never click links in texts or emails.
Protect your Tax File Number — only give it to trusted sources like your tax agent, employer, or bank.
Use secure devices with up-to-date software and antivirus protection.
Consider using a Digital ID like myID, which has strong encryption and privacy controls. Learn more here: Protect your myID.
❌ Don't:
Share your passwords or myGov login details — not even with friends or family.
Send ID documents via email unless you're absolutely certain it’s safe.
Leave sensitive mail (like tax or bank letters) sitting in your mailbox.
How Will the ATO or Government Contact You?
Scammers often pose as the ATO or Services Australia, so here’s what to expect from real government contact:
The ATO will never:
Ask for your bank details, TFN, or myGov password via text, email or social media.
Send you direct links to login pages in emails or texts.
Demand urgent payments via Bitcoin, gift cards or money transfer.
The ATO may:
Send SMS alerts to let you know new correspondence is available in your myGov inbox.
Call you — but they won’t be aggressive or threaten you with arrest.
Ask you to log into myGov directly at www.my.gov.au to view correspondence.
If you're ever unsure, contact the ATO directly on 1800 008 540 or visit their Verify or Report a Scam page here:
👉 ATO: Protecting Your Identity
Further Reading
Final Thoughts
While the government works to fix these vulnerabilities, the best protection starts with you. Knowing what to look out for — and how to keep your information secure — is key