Quick answer

The "myGov account locked" email and SMS are phishing lures. Real Services Australia never sends SMS or email links that ask you to sign in to verify identity, restore Medicare, or reinstate a Centrelink payment. Genuine myGov communications appear inside your myGov Inbox after you sign in by typing my.gov.au manually. Lookalike domains seen in 2026 include my-gov.online, mygov-australia.com, mygov-secure.net and mygov.com.au-verify.[random]. If you received a message threatening 24-hour suspension of Medicare or Centrelink, do not click. Sign in to my.gov.au yourself and check your Inbox. If you already entered your sign-in details, call Services Australia Scams and Identity Theft Helpdesk on 1800 941 126, lodge a report at ReportCyber (cyber.gov.au or 1300 292 371) and call IDCare on 1800 595 160 for free identity-recovery support.

Why myGov is the highest-value Australian credential

For most Australians, my.gov.au is not one account, it is the front door to a bundle. A single myGov sign-in typically reaches Medicare (card number, claim history, bank account), Centrelink (JobSeeker, Age Pension, Family Tax Benefit, Parenting Payment, Youth Allowance, with payment-direction control), the Australian Taxation Office (Tax File Number, notice-of-assessment history, refund routing), the Department of Home Affairs / Australian Immigration (visa records, passport scans, citizenship status), Child Support, the National Disability Insurance Scheme and in most cases My Health Record.

That bundle is why scammers spend more on myGov lures than on ANZ or Commonwealth Bank ones. A single successful phish enables tax-refund redirection, Centrelink-payment redirection, fraudulent visa enquiries, synthetic identity creation against the TFN and bank changes inside Child Support. ReportCyber and Scamwatch trend summaries show government-impersonation reports outranking banking-impersonation reports by a margin across 2024 and 2025.

The play: what the myGov locked-account message looks like

The lure arrives by SMS, email or both, often in the same 24-hour window. The structure is short:

"myGov: Your account has been locked due to suspicious activity. Confirm identity within 24h or your Medicare and Centrelink payments will be suspended. Verify now: my-gov.online/verify"

The visual identity copies the real myGov palette: navy header band (#10266F), yellow accent stripe, lower-case "myGov" wordmark, Commonwealth Coat of Arms at the top. SMS variants spoof an alphanumeric sender ID like "myGov" or "ServicesAU" so the lure lands inside the same thread as legitimate Services Australia messages, a weakness the ACMA is closing via the Australian SMS Sender ID Registry.

The common templates in rotation in 2026

Scamwatch advisories and Services Australia scam-alert posts through 2025 and 2026 show four core templates being rotated daily. They share the same trap, only the trigger story changes.

  1. Account locked / suspicious activity. "Your myGov account was accessed from an unrecognised device. Confirm identity within 24 hours or access will be suspended." Default and highest-volume framing.
  2. Identity confirmation request. "Your myGov identity needs to be re-verified following an update to the identity strength check. Upload your Medicare card and driver licence to keep your account active." This variant harvests scanned ID for synthetic-identity fraud.
  3. Centrelink / Medicare payment suspended. "Your Centrelink payment scheduled for [date] cannot be processed. Update your bank account to receive your payment." Targets pensioners, JobSeeker recipients and Family Tax Benefit families. The bank-account field is the payload: the attacker redirects the next pay cycle to a mule account.
  4. Immigration / visa under review. "Your visa application status has changed. Sign in to my.gov.au to view a message from the Department of Home Affairs." Targets recent migrants, international students and 482 visa holders conditioned to drop everything for a visa-status email.

All four route the click to a lookalike sign-in page that captures the myGov username, password and the 6-digit myGov Code sent by SMS as a second factor.

The trap page: lookalike myGov sign-in

Clicking the link lands the victim on a near-perfect clone of the real my.gov.au sign-in screen, with the navy header, the "Sign in to your myGov account" heading, the username and password fields and the "Forgot username or password" link all replicated. A second screen then asks for the 6-digit myGov code, mirroring the real two-step flow. Behind the scenes a reverse-proxy or credential-relay forwards both factors to the real my.gov.au and captures the authenticated session for the attacker.

Lookalike domains observed in Services Australia takedown notices and Scamwatch alerts across 2025 and 2026 fall into recognisable patterns:

  • my-gov.online, my-gov.click, my-gov.live use cheap new gTLDs to mimic the my.gov.au format.
  • mygov-australia.com, mygov-aus.com, mygov-au.com append an "australia" qualifier to soften the typosquat.
  • mygov-secure.net, mygov-verify.com, mygov-id.net piggyback on the security framing of the lure.
  • mygov.com.au-verify.[random].com abuses subdomain order so the real-looking text sits on the left while the registered domain sits on the right.
  • servicesaustralia-verify.com, centrelink-update.com, medicare-claim.net drop the myGov wordmark and hook on a single linked-service name.
  • IDN homograph variants substitute a Cyrillic "о" inside "mygov" or "gov" to produce a string that renders identically in the address bar.

The real myGov domain is exactly two strings: my.gov.au for sign-in and servicesaustralia.gov.au for information. Anything else, on any TLD, is not myGov.
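
An added example, not from the original article or from SafeBrowz: a JavaScript check that applies the two-domain rule above to a link and names which of the listed lookalike patterns it matches. Treating subdomains of the two genuine domains as genuine is an assumption, and the `classifyLink` name, the reason labels and the sample URLs are constructed for illustration.

```javascript
// Added example (not SafeBrowz code). The allowlist is the article's two genuine domains.
const GENUINE = ["my.gov.au", "servicesaustralia.gov.au"];
// Brand tokens taken from the lookalike families listed above.
const BRAND_TOKENS = ["mygov", "my-gov", "servicesaustralia", "centrelink", "medicare"];

function classifyLink(raw) {
  // SMS lures often omit the scheme ("my-gov.online/verify"); add one so URL() can parse it.
  const text = /^[a-z][a-z0-9+.-]*:\/\//i.test(raw) ? raw : "https://" + raw;
  let host;
  try {
    // URL() lowercases the host and converts non-ASCII labels to punycode ("xn--...").
    host = new URL(text).hostname.replace(/\.$/, "");
  } catch {
    return { host: null, verdict: "unparseable", reasons: ["invalid-url"] };
  }
  // Assumption: a subdomain of a genuine domain is genuine. The match is anchored on the
  // right-hand end of the host, so "my.gov.au.example.com" does not pass.
  if (GENUINE.some((d) => host === d || host.endsWith("." + d))) {
    return { host, verdict: "genuine", reasons: [] };
  }
  const reasons = [];
  // A punycode label means the address bar may render look-alike characters.
  if (host.split(".").some((label) => label.startsWith("xn--"))) reasons.push("idn-homograph");
  // "gov.au" or "com.au" followed by more host text: real-looking text on the left,
  // registered domain on the right.
  if (/(gov|com)\.au[.-]/.test(host)) reasons.push("subdomain-order");
  if (BRAND_TOKENS.some((t) => host.includes(t))) reasons.push("brand-token");
  return { host, verdict: reasons.length ? "lookalike" : "not-mygov", reasons };
}

// Constructed sample links, modelled on the patterns in the list above.
const SAMPLES = [
  "https://my.gov.au/",
  "my-gov.online/verify",
  "https://mygov.com.au-verify.example.com/signin",
  "https://myg\u043ev-secure.net/login", // Cyrillic "о" in place of Latin "o"
  "https://centrelink-update.com/",
];
for (const link of SAMPLES) {
  const r = classifyLink(link);
  console.log(r.verdict.padEnd(10), r.host, r.reasons.join(","));
}
```

A host that matches none of the patterns still comes back as `not-mygov`, because the rule is an allowlist: anything that does not end in one of the two genuine domains is not myGov.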

How to verify a genuine myGov contact in 60 seconds

One tight rule collapses the entire scam family: real myGov messages live inside the myGov Inbox after you sign in yourself. SMS and email previews do not contain payment links, sign-in buttons or identity-upload forms. The routine is:

  1. Do not tap any link in the SMS or email. Close it. Open a fresh browser tab on a device you trust.
  2. Type my.gov.au manually. Do not search for myGov during a phishing wave, because paid ads occasionally point to lookalike domains before Google ad-review catches them.
  3. Sign in normally and read your Inbox. If the message described in the SMS or email exists, it will be there. If it is not, the message was a scam.
  4. Check the Sign-in history tile in Account settings. Real lock events list date, time, IP and device. Nothing unusual listed means the "suspicious activity" claim is fabricated.
  5. If still unsure, call 1800 941 126 (Mon to Fri 8am to 5pm AEST). Staff verify whether any message was sent to your record.

servicesaustralia.gov.au/scams states explicitly that Services Australia never sends SMS or email links asking customers to sign in, verify identity, restore Medicare access or update bank details. Any message doing those things is not from Services Australia.

The 7 red flags inside the locked-account message

  • Sender domain is not my.gov.au or servicesaustralia.gov.au. Real Services Australia always sends from those two domains. Phishing senders use lookalikes like noreply@my-gov.online or support@mygov-secure.net.
  • A 24-hour suspension countdown. Services Australia uses business-day timelines, never 24-hour shutdown threats resolved by clicking a link.
  • Link destination is not my.gov.au. Long-press on mobile or hover on desktop. The host name is whatever sits between https:// and the first single slash after it, and the real domain is the right-hand end of that host name. Only my.gov.au is genuine.
  • Asks for full Medicare card number, TFN, driver licence number or passport number by reply or upload. Genuine myGov never collects identity documents via inbound email or SMS link.
  • Specific dollar figure tied to Centrelink or Medicare. "Your $812.50 JobSeeker payment is held" creates urgency. Real Services Australia routes payment disputes through the Centrelink phone line.
  • Generic greeting. Services Australia uses the name on file. "Dear Customer" or "Dear myGov user" indicates a bulk send to a leaked email list.
  • Mixed-language wording or odd punctuation. Phishing kits translate via machine and slip phrases like "Kindly verify" that do not match Services Australia's plain-English style.

How SafeBrowz blocks this threat

SafeBrowz runs a 3-layer detection architecture: Local + APIs + AI.

  • Layer 1, Local detection. 60+ URL patterns plus a 550+ brand-specific signature database, including myGov, Services Australia, Medicare, Centrelink, the ATO and the Department of Home Affairs, plus a community whitelist and blocklist. All of this runs directly in the extension before the page renders. The lookalike families above, including my-gov.online, mygov-australia.com, mygov-secure.net, servicesaustralia-verify.com and Cyrillic homograph variants of "mygov" and "gov", are caught instantly at this layer.
  • Layer 2, API checks. Aggregates Google Safe Browsing, PhishTank and URLhaus for known-bad domains, plus a curated list of 30+ scam-heavy TLDs.
  • Layer 3, AI deep scan (Premium). Content-aware analysis covering 100+ languages catches novel lookalikes within seconds by detecting myGov sign-in UI rendered on any domain other than my.gov.au.

Detection signatures are derived from threat-intelligence research and brand-database analysis, not from user browsing data. Page contents are never stored against a user account and per-user URL history is never retained.

What to do if you already gave credentials

Move fast. Attackers use captured myGov sign-ins within 5 to 30 minutes to redirect the next Centrelink cycle or lodge a fraudulent ATO refund. Work from a device that is not the one you clicked the link on.

  1. Sign in to my.gov.au manually and change your password to a long unique one. Enable the myGov passkey, or fall back to SMS code plus a strong unique password.
  2. Audit Account settings, Linked services and Sign-in history. Remove any linked service you do not recognise. Note any unfamiliar sign-in event.
  3. Call Services Australia Scams and Identity Theft Helpdesk on 1800 941 126 (Mon to Fri). For Centrelink-specific issues, 132 717 also routes through Services Australia.
  4. Call the ATO Client Identity Support Centre on 1800 467 033 if your TFN may have been exposed. The ATO can apply identity-protection markers and block fraudulent refunds.
  5. Call IDCare on 1800 595 160, Australia and New Zealand's free government-funded identity-recovery service (idcare.org).
  6. Lodge a ReportCyber report at cyber.gov.au or 1300 292 371 with the SMS sender, email headers and screenshots. Lodge a Scamwatch report at scamwatch.gov.au/report-a-scam.
  7. Replace any uploaded ID. New Medicare card via Medicare inside myGov. Driver licence via your state or territory road authority. Passport via the Australian Passport Office on 131 232.
  8. Change bank passwords and set a verbal password on the phone line if you bank with one of the Big Four. Scam-fund moves often run through bank-impersonation calls immediately after a myGov phish.
  9. Set a credit ban with Equifax, Experian and illion. A ban prevents new credit applications in your name for 21 days minimum and is renewable.

Protection: locking down your real myGov

  • Turn on a myGov passkey as your second factor (Account settings, Sign-in options). A passkey bound to your device cannot be relayed through a phishing page.
  • Enable sign-in alerts from Account settings. myGov will email you when a new device signs in.
  • Audit Linked services regularly. Unlink any service you no longer use. Fewer linked services means a smaller blast radius.
  • Use a unique password for myGov. A password manager makes this trivial. Password reuse across myGov and a breached retailer hands attackers your myGov credential too.
  • SMS Sender ID changes are in progress. Carriers and the ACMA are tightening the Australian SMS Sender ID Registry to block unregistered alphanumeric senders impersonating "myGov", "ATO" and "Centrelink". Until then treat any myGov-thread SMS as suspicious until verified inside my.gov.au.
  • Install SafeBrowz on the browser you use for myGov. The extension blocks lookalike sign-in pages before they render.

Australian numbers and links to keep handy

Services Australia Scams and Identity Theft Helpdesk 1800 941 126 (servicesaustralia.gov.au/scams). Centrelink 132 717. Medicare 132 011. ATO Client Identity Support Centre 1800 467 033. Department of Home Affairs 131 881. IDCare 1800 595 160 (idcare.org). ReportCyber via cyber.gov.au or 1300 292 371. Scamwatch via scamwatch.gov.au. Australian Passport Office 131 232.

Install SafeBrowz free

SafeBrowz blocks the lookalike myGov, Medicare, Centrelink, ATO and Department of Home Affairs pages described in this article before they finish loading. Free forever on Chrome, Firefox and Edge. Premium adds the AI deep-scan layer for $14.99 AUD per year covering 3 devices.

Frequently asked questions

Does myGov ever lock an account and email you about it?

myGov can lock an account temporarily after multiple failed sign-in attempts or after Services Australia flags a security event, but the notification always directs you to sign in at my.gov.au or call Services Australia. A real notification never links to a non-my.gov.au domain, never asks you to upload ID via the email, and never threatens 24-hour suspension of Medicare or Centrelink payments. If the message contains any of those things, treat it as phishing.

I clicked the link but did not enter my password. Am I safe?

Almost certainly yes. Modern browsers sandbox web pages, so visiting a phishing page does not by itself transmit credentials. Change your myGov password as a precaution from a clean device by typing my.gov.au manually. If the page asked you to install a profile, app or extension, check your device for it and remove anything you do not recognise. If the SMS link auto-downloaded any file, do not open it.

The SMS appeared in the same conversation thread as real myGov messages. How is that possible?

Australian SMS networks have historically allowed alphanumeric sender IDs without strong verification, which means an attacker can spoof "myGov" or "ServicesAU" and the message lands inside the existing genuine thread on the phone. The ACMA and the Australian SMS Sender ID Registry are progressively closing this gap, but the gap is not yet fully closed. Until then, treat any SMS asking you to click a link as suspicious regardless of the thread it appears in. Verify by signing in at my.gov.au yourself.

I entered my username, password and the 6-digit myGov code on the fake page. What is the worst that can happen?

The attacker can sign in to your real myGov, change linked-service bank accounts to redirect Centrelink or an ATO refund, lodge a fraudulent tax return, view Medicare claim history and order replacement cards to an alternate address, view immigration records, and start synthetic-identity fraud against your TFN. Move immediately. Call Services Australia 1800 941 126, ATO 1800 467 033 and IDCare 1800 595 160.

If a scammer has my TFN, how bad is it?

Serious but recoverable. The ATO can apply identity-protection markers to your tax file that block fraudulent refund lodgements and require additional verification on changes to your record. The TFN itself is not replaced lightly, the ATO issues a new TFN only in confirmed identity-fraud cases on application. Call the ATO Client Identity Support Centre on 1800 467 033 to start the process. IDCare on 1800 595 160 can run case management through the same process at no charge.

I am on a 482, 500 or 820 visa. The email said my visa was under review. Is the risk different for me?

Phishing risk is the same, consequences differ. Department of Home Affairs only contacts visa holders through ImmiAccount and through correspondence inside my.gov.au, never by SMS link or external email. If the message claims a visa-status change, sign in to ImmiAccount via immi.homeaffairs.gov.au manually. If you already handed credentials over, call Home Affairs on 131 881 to flag possible unauthorised access, then follow the same Services Australia and IDCare steps.

How do I report a myGov phishing SMS or email so the page gets taken down?

Forward suspicious myGov emails with full headers preserved to reportascam@servicesaustralia.gov.au. Forward SMS scams by following the steps at servicesaustralia.gov.au/scams (or copy the SMS and lodge it via Scamwatch). Lodge a ReportCyber report at cyber.gov.au with the lookalike URL, screenshots and timing. Services Australia routinely files registrar takedown requests against confirmed lookalike domains and updates its public scam-alert list. Every report shortens the takedown window for the next victim.

Is SafeBrowz approved by Services Australia or the Australian Cyber Security Centre?

SafeBrowz is an independent browser security extension. It is not a government product, not endorsed by Services Australia, and not a substitute for following Services Australia's published guidance at servicesaustralia.gov.au/scams or the ACSC's guidance at cyber.gov.au. SafeBrowz adds a browser-layer block on lookalike myGov, Medicare, Centrelink, ATO and Home Affairs pages before they render, alongside the protections the government already provides. Pricing for the Premium AI scan layer is $14.99 AUD per year for 3 devices, with a free tier that includes all local and API detections.

Bottom line. The myGov locked-account scam works because it weaponises real fear of losing Medicare, Centrelink, ATO and immigration access. The defence is mechanical and never changes. Do not click links inside SMS or emails about myGov. Type my.gov.au yourself. Read your real Inbox. If anything looks off, call Services Australia on 1800 941 126 and IDCare on 1800 595 160. And install a browser-layer scanner like SafeBrowz so the lookalike page never finishes loading in the first place.