Email Security · Published Jun 01, 2026

Fake Medicare Inbox Notification Aims to Steal myGov Credentials

MailGuard · Archived Jun 01, 2026

MailGuard has identified a phishing campaign impersonating Medicare in the form of a fake inbox notification designed to trick recipients into surrendering their myGov login credentials and personal information.

The scam arrives as a simple email claiming that the recipient has received a new message in their Medicare inbox. While the email appears straightforward, clicking the embedded link redirects victims through a series of convincing phishing pages designed to harvest sensitive information.

This attack demonstrates how cybercriminals continue to exploit trust in government services and essential public platforms to increase the likelihood of user engagement.

What the Scam looks like

The phishing email uses the display name "Medicare" and carries the subject line:

"You have a new task in your medicare inbox"

The message itself is brief and designed to create curiosity:

"You have a new message in your medicare inbox."

Recipients are encouraged to click an "Open Inbox" link to view the alleged message.

However, the email does not originate from Medicare, myGov, or any Australian Government domain. In the examples intercepted by MailGuard, the display address used was:

hello(at)westtvshow(dot)us

The actual sending addresses varied between messages and contained unique identifiers, making the campaign more difficult to track using traditional sender-based blocking techniques.

The email attempts to impersonate Medicare communications while directing recipients to an unrelated domain.

How it works

Once the recipient clicks the link, they are redirected to a phishing website designed to closely resemble the legitimate myGov sign-in experience.

Step 1: Fake myGov Login Page

The first page presents a convincing myGov login screen featuring Australian Government branding and the myGov logo. The page offers options such as:

• Sign in with Digital ID
• Sign in with Passkey
• Username or email
• Password

At first glance, the page appears legitimate.
However, careful inspection reveals a significant warning sign. The website is hosted on: atobizmyltd(dot)co. This is not an official Australian Government domain and has no affiliation with myGov.

Recipients who enter their credentials are effectively handing their login details directly to cybercriminals.

Step 2: Collection of Additional Personal Information

After credentials are submitted, victims are redirected to a second page requesting their mobile phone number. The page again uses myGov branding and attempts to maintain the appearance of a legitimate verification process.

This additional step allows attackers to collect further personal information that may be used for:

• Account takeover attempts
• Identity theft
• Multi-factor authentication targeting
• Social engineering attacks
• Fraudulent account recovery requests

Step 3: False Verification Process

Following submission of the phone number, users are presented with a "Verifying your details" page displaying a loading indicator and messages such as:

"We're securely processing your request. Please wait..."

This stage appears designed to reassure victims that a legitimate verification process is underway while providing attackers sufficient time to collect submitted information. In the samples analysed by MailGuard, the process did not progress beyond this page.

Why this scam matters

Unlike many phishing campaigns that rely on urgency or threats, this attack leverages familiarity and trust. Australians regularly receive communications relating to:

• Medicare
• myGov
• Taxation matters
• Government benefits
• Health records
• Linked government services

Because many users interact with these services routinely, a notification claiming that a new message is waiting can appear entirely plausible.
The attack also demonstrates several characteristics commonly seen in modern phishing campaigns:

• Minimalist email content
• Legitimate-looking branding
• Credential harvesting websites
• Collection of secondary personal information
• Use of unique sender addresses
• Multi-stage victim interaction

These techniques help attackers evade detection while increasing the likelihood of success.

Stay Safe, Know the Signs

MailGuard advises all recipients of these emails to delete them immediately without clicking on any links. Responding or providing personal details can lead to identity theft, data breaches, and financial losses.

Avoid emails that:

• Aren’t addressed to you personally.
• Are unexpected and urge immediate action.
• Contain poor grammar or miss crucial identifying details.
• Direct you to a suspicious URL that isn’t associated with the genuine company.

Many businesses turn to MailGuard after a near miss or incident. Don't wait until it's too late. Reach out to our team for a confidential discussion by emailing expert@mailguard.com.au or calling 1300 30 44 30.

One Email Is All That It Takes

All that it takes to devastate your business is a cleverly worded email message that can steal sensitive user credentials or disrupt your business operations. If scammers can trick one person in your company into clicking on a malicious link or attachment, they can gain access to your data or inflict damage on your business.

For a few dollars per staff member per month, you can protect your business with MailGuard's specialist AI-powered, zero-day email security. Special Ops for when speed matters! Our real-time zero-day, email threat detection amplifies our client’s intelligence, knowledge, security and defence.

Talk to a solution consultant at MailGuard today about securing your company's inboxes.

Stay up-to-date with MailGuard's latest blog posts by subscribing to free updates.
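The warning signs described under "What the Scam looks like" (a "Medicare" display name on a non-government address, sending addresses that vary per message, and a link to an unrelated domain) can be checked per message without relying on a sender blocklist. The following is an added example, not MailGuard's detection logic: the sample message, its placeholder `.example` domains, the function names and the `.gov.au` allowlist are assumptions made for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlsplit

PROTECTED_BRANDS = ("medicare", "mygov")  # display names impersonated in this campaign
OFFICIAL_SUFFIXES = (".gov.au",)          # assumption: genuine mail and links use gov.au hosts

# Constructed sample modelled on the email described above; domains are placeholders.
SAMPLE = """\
From: Medicare <hello@sender.example>
Return-Path: <bounce-7f3a91@mailer.example>
Subject: You have a new task in your medicare inbox
Content-Type: text/plain

You have a new message in your medicare inbox.
Open Inbox: https://portal.example/signin
"""

def is_official(host):
    """True only for gov.au itself or a real subdomain of it."""
    host = host.lower().rstrip(".")
    return any(host == s.lstrip(".") or host.endswith(s) for s in OFFICIAL_SUFFIXES)

def domain_of(header_value):
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()

def phishing_signals(raw):
    msg = message_from_string(raw)
    display = parseaddr(msg.get("From", ""))[0].lower()
    from_dom = domain_of(msg.get("From"))
    env_dom = domain_of(msg.get("Return-Path"))
    branded = any(b in display for b in PROTECTED_BRANDS)
    signals = []
    # Match on brand + domain, not the full address: the addresses vary per message.
    if branded and not is_official(from_dom):
        signals.append("brand display name on non-official From domain: " + from_dom)
    # Weak on its own (bulk mailers also differ here); useful combined with the others.
    if env_dom and env_dom != from_dom:
        signals.append("envelope sender differs from displayed address: " + env_dom)
    body = "".join(p.get_payload(decode=True).decode(errors="replace")
                   for p in msg.walk() if not p.is_multipart())
    for url in re.findall(r"https?://[^\s\"'<>]+", body):
        host = urlsplit(url).hostname or ""
        if branded and not is_official(host):
            signals.append("link leaves official domains: " + host)
    return signals

if __name__ == "__main__":
    for s in phishing_signals(SAMPLE):
        print(s)
```
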