Is this renewal notice from Medibank a scam?

Genuine messages from Medibank only ever link to medibank.com.au, ahm.com.au.

• Medibank only sends SMS from short codes or named IDs that appear in the member's Medibank app or on their official statements.
• Genuine Medibank emails always come from an address ending in @medibank.com.au or @ahm.com.au.
• Medibank never sends a link asking a member to upload full identity documents or Medicare details.
• Any change to a policy or claim is first visible inside the logged-in Medibank or ahm member portal.
• Medibank contacts members about a data-breach verification process only after the member has already initiated contact via the official app or website.

Crucially, Medibank will never text you a link to claim a premium 'refund', or ask for card details to process one.

• Scammers send SMS claiming a Medibank data-breach review is required and include a link to a fake site such as medibank-secure-verify.com.
• Fraudsters impersonate ahm and ask recipients to 'confirm' personal or bank details after the 2022 Medibank breach.
• Emails pretend to be from Medibank Private and threaten policy cancellation unless identity documents are uploaded to a look-alike domain.

• A message asks for passport, driver's licence or Medicare details via an SMS or email link.
• The sender address uses a domain that is not medibank.com.au or ahm.com.au.
• The SMS contains a shortened URL or a domain containing words such as secure, verify or breach.
• The message creates urgency by saying benefits or claims will be suspended immediately.
• The contact appears from a full mobile number rather than a recognised short code or Medibank app notification.

Here's a real example of a scam message impersonating Medibank, with the tell-tale red flags highlighted. Compare it against anything you've received.

• Log in directly at medibank.com.au or ahm.com.au by typing the address yourself
• Use the official Medibank or ahm mobile app to check messages and claims

Received — or fell for — a message impersonating Medibank? Report it. It helps authorities and carriers shut the campaign down for everyone who gets the next one.

• Scamwatch — Report the scam to the ACCC's national scam service.
• ReportCyber — Report cybercrime and financial loss to the police.
• ACMA — Report scam texts and spam SMS or calls.
• Forward to 7226 (SPAM) — Forward the scam SMS to short code 7226 so your carrier can block the source.
• IDCARE — Free identity and cyber support if your details were taken.