Securing Your MyGov Account from Takeover

Your MyGov account is a central hub for accessing essential Australian government services, from tax and Medicare to Centrelink and the NDIS. Given the sensitive personal information it holds, a MyGov account takeover can have devastating consequences for your financial and personal life. Cyber criminals are increasingly targeting these accounts. This guide provides practical steps to harden your MyGov account against these ever-present threats.

The Risk of a MyGov Account Takeover

A MyGov account takeover occurs when an unauthorised person gains access to your account. This can lead to a range of severe problems, including identity theft, fraudulent claims, and redirection of payments. Once inside, criminals can change your contact details, access your personal documents, or apply for benefits in your name. The impact can take months, or even years, to fully resolve and can cause significant financial and emotional distress.

Scammers often use sophisticated phishing techniques, fake websites, or malware to trick you into revealing your MyGov login credentials. They might impersonate government agencies, banks, or even KNOMI, trying to convince you to share your username, password, or multi-factor authentication (MFA) codes. Always be vigilant about unsolicited communications asking for personal details.

Strong Passwords and Usernames are Just the Start

The foundation of any strong cyber defence is a robust password. For your MyGov account, this means a unique, complex password that you don't use for any other service. It should be long and combine upper and lowercase letters, numbers, and symbols. Avoid easily guessed information like birth dates or pet names. Consider using a reputable password manager to generate and securely store these complex passwords.

While a strong password is essential, it's rarely enough on its own. Cyber criminals are adept at bypassing single-factor authentication. Always be suspicious of requests to confirm or change your password outside of the official MyGov website or app. If you ever suspect your password has been compromised, change it immediately and review your account activity for any suspicious logins.

Mandatory Multi-Factor Authentication (MFA) for MyGov

MyGov has mandatory Multi-Factor Authentication (MFA) to protect your account, which is a fantastic security measure. This means that even if a criminal gets hold of your password, they'll still need a second piece of evidence – like a code from your phone – to log in. MyGov offers several MFA options, and it's essential to set up one that works well for you.

The MyGov Code Generator app, available on Android and iOS, is generally considered the most secure and convenient option because it generates codes directly on your device, even without an internet connection. SMS codes are also offered, but are slightly less secure due to risks like SIM-swap fraud. Make sure your nominated phone number for SMS codes is current and secure. Always double-check that any SMS code you receive is for an action you are actually performing.

Recommended MyGov MFA Options:

  • MyGov Code Generator App: Best for security and convenience.
  • SMS Codes: A viable option, but ensure your phone number is secure.
  • Security Questions: A fallback, but choose unguessable answers.

Keeping Your Recovery Options Secure

Beyond MFA, MyGov provides recovery options in case you lose access. These often include security questions or a recovery contact method. Treat your security answers with the same secrecy as your password. Avoid using easily guessable information, and if a question is too common (e.g., 'What is your mother's maiden name?'), consider inputting a deliberately incorrect but memorable answer.

Regularly review and update your contact details and recovery options within your MyGov account. If your phone number or email address changes, update it promptly on MyGov. This ensures that any legitimate recovery processes will reach you and not fall into the wrong hands. Neglecting these details can make it much harder to regain access if you are locked out, or worse, allow a criminal to use them against you.

What to Do If You Suspect a MyGov Takeover

If you notice any unusual activity on your MyGov account – suspicious logins, changed details, or unexpected communications – act immediately. First, try to log in and change your password. If you can't access your account, contact Services Australia's MyGov helpdesk straight away. They can help you regain control and investigate the breach.

Beyond MyGov support, it's crucial to consider the broader impact. If your MyGov was compromised, other accounts could be at risk too. This is where KNOMI comes in. As your cyber first-responder, we can help you understand the extent of the breach, secure other online accounts, and guide you through reporting the incident to relevant authorities like ReportCyber, IDCARE, and your financial institutions. Calling KNOMI means you don't have to navigate a complex cyber incident alone.

After addressing the immediate security concerns, continue to monitor your financial statements, credit reports, and other online accounts for any signs of fraudulent activity. A MyGov compromise can be a gateway to broader identity theft, so ongoing vigilance is key.

Frequently asked questions

What should I do if I can't log into my MyGov account?

First, carefully re-enter your username and password. If that fails, use the 'Forgot username' or 'Forgot password' links on the MyGov login page. If you still have trouble, immediately contact the MyGov helpdesk at Services Australia.

Is using SMS for MyGov MFA secure enough?

SMS MFA provides an additional layer of security over just a password, making it much harder for criminals to log in. However, it's slightly less secure than an authenticator app due to risks like SIM-swap fraud. For the highest security, the MyGov Code Generator app is recommended.

How often should I review my MyGov security settings?

It's a good practice to review your MyGov security settings, including your contact details, recovery options, and MFA setup, at least once every six to twelve months, or whenever you change your phone number or email address.

MyGov's 'Sign in with Digital ID' option using Face Verification (e.g. from my driver's licence) – is this secure?

Yes, 'Sign in with Digital ID' using facial verification is a very robust and secure method for accessing MyGov, as it relies on biometric data and verified government credentials, significantly reducing the risk of unauthorised access. This is generally considered a highly secure option.

Who do I call if my identity is compromised through MyGov?

If your identity is compromised via MyGov, first contact MyGov support. Then, call KNOMI. We will help you report the incident to ReportCyber, IDCARE, and other relevant bodies, and guide you through the recovery process to minimise further damage.