Cybercriminals are renown for stealing confidential information, like your online banking logins, credit card details, business login credentials or passwords/passphrases, all achieved by sending fraudulent messages called phishing (sometimes called ‘lures’).

These deceptive messages pose as large organisation’s and are sent via email, SMS instant- messaging or social media platforms to make the scams more believable. Victims often trust the big brands name and therefore pop in their credentials via a link to a fake website contained in the message.

So, it’s important to spot these scams to avoid becoming a cybercriminals next victim.

Check out the Australian Cyber Security Centre (ACSC) videos

What is phishing?

How to spot a phishing message

Phishing affects everyone from an individual using email at home, or a business no matter the type or size. It doesn’t matter who you are, you could be a cybercriminals next victim.

How to protect yourself from phishing

For several years Phishing emails have been used by cybercriminals to steal financial details from Australians. First spotted in 2003, phishing emails have become increasingly advanced and numerous since.

Commonly copied Brands include:

  • law enforcement – state and territory police (fake fine scams)
  • power and gas utilities (fake bills and overdue fines)
  • postal services (parcel pick-up scams)
  • banks (fake requests to update your information)
  • telecommunication services (fake bills, fines, or requests to confirm your details)
  • government departments and service providers such as the Australian Taxation Office, Centrelink, Medicare and myGov.

Phishing emails were easy to recognise at first as they included poor grammar and incorrectly spelt words. However, these days phishing messages appear more genuine, almost mimicking the brand flawlessly. In other words, spotting the difference between malicious messages from genuine communication, has become increasingly difficult for people. Phishing campaigns, from first to last victim, take 21 hours on average.

It is now standard policy for many companies that they will not call, email or SMS you to because of phishing or:

  • ask for your username, PIN, password or secret/security questions and answers
  • ask you to enter information on a web page that isn’t part of their main public website
  • ask to confirm personal information such as credit card details or account information
  • request payment on the spot (e.g. for an undeliverable mail item or overdue fee).

To minimise scammers using their branding on victims, some companies have security pages to advise on current scams using their name. This advice can help you tell fake messages from real ones. And often includes examples and pictures of scam messages. Here are the top 10 examples of phishing emails.

Tip: If you are unsure if a message is legitimate contact a person or the business separately to the suspicious message. For instance, use contact details you find through a legitimate source like their website (also check the web address is correct). Ask the legitimate source to tell you what the attachment or link is.

Spear phishing

Spear phishing are a class of phishing messages considered more dangerous as they target specific people and organisations. These messages may contain true information to make them seem genuine. In other words, the messages can prove difficult to spot as they attack when your guard is down. Even trained professionals can have a hard time detecting these messages.

For instance, it appears you’ve received a message from the companies IT desk, the one you’re working for, asking you to click a link and change a password.

That’s to say spear phishing is targeted and often uses ‘social engineering’ for its success. It’s a way to manipulate the target into taking an action ‘by using everyday business occurrences, very realistic in appearance. And called ‘bait’

As a result, more time, money and effort are being put in by criminals who are researching their targets more closely. Criminals learn names, titles, responsibilities, and any personal information they can get their hands on to exploit the targets.

Therefore, criminals are going through your personal information on social media to discover more about their targets. This is because social media is a buzz with information about all types of things about you from events to conferences and travel destinations. So, a criminal approach can seem legitimate and real. Consider carefully what you share online and learn how to use social media safely

Protect yourself from phishing attempts

If you want to stay protected from the attempts of a phishing attack:

  • stay up to date with the current threats.
  • be cautious online
  • block malicious or unwanted messages from reaching you in the first place.

protect yourself from phishing attempts by take the following steps:

  • from people or organisations, you don’t know, don’t click on links in emails or messages, or open attachments.
  • if messages are very enticing or appealing or seem too good to be true be especially cautious also if they threaten you – to make you take a suggested action.
  • Before you decide to click a link delivered in an email or on social media, instant messages, other web pages, or by any other means, hover over that link to see the actual web address. The information usually appears at the bottom of the browser window. If you’re not familiar with or trust the address seen, try doing a search for relevant key terms in a web browser. This allows you to check who it is from without directly clicking on the suspicious link and consider if you’ll open the article or video link.
  • If you’re still not 100% convinced it real, talk it through with a friend or family member. Or alternatively check the suspicious message authenticity by contacting the relevant business or organisation. Most importantly, use the contact details sourced from the official company website. Never click on the link in the suspicious email.
  • to block deceptive messages from even reaching you use a spam filter
  • Understand that your financial institution and other large organisations would never send you a link and ask you to enter your personal or financial details. These large companies include Amazon, Apple, Facebook, Google, PayPal, Ebay and others
  • Learn how to use email safely and browse the web safely.
  • Stay up to date about the latest scams on the Australian Government’s Scamwatch website.
  • Stay informed on the latest threats – sign up for the ACSC Alert Service

What to do if you think you have revealed confidential information

If you’ve fallen victim and entered in your credit card or account details in error to a phishing site:  

  • Contact your bank straight away.
  • Report scams to the ACCC via the Scamwatch report a scam page. It helps warn others about current scams and monitor trends. Please include details of the scam contact you received, for example, the email or screenshot.
  • if you believe your personal information has been put at risk you can also contact IDCare on 1800 595 160 or via for support
  • You should also lodge a report with the Australian Cyber Security Centre’s ReportCyber.

If you think you have fallen victim to a scam you can find more information on where to get help on the Scamwatch website.

How can we make your business better with IT?