
Would you 'click here' and enter your bank account or credit card numbers, passwords or birth date because you received an email or text that looks like it's from a bank or government department?

If you answered 'yes', there's no need to feel ashamed. Cyber criminals are tricking more and more of us into sharing our most sensitive information. It's the most common type of scam reported in Australia, according to the latest data.

In the latest example, the Department of Human Services issued a scam alert on Twitter about a Medicare-themed phishing campaign via SMS, with scammers seeking to elicit personal information from members of the public.

It's easy to be taken in if you're not aware of the techniques being used against you. These phishing scams are designed to look genuine. You may be contacted by email, social media, phone call or text message by a scammer pretending to be from a company or organisation.

'Phishing campaigns can pretend to be from government services such as myGov or from various Australian financial institutions,' the Head of the Australian Cyber Security Centre (ACSC), Alastair MacGibbon, said.

The messages often copy the format used by the organisation the scammer is pretending to represent, including branding and logo. They will take you to a fake website that looks like the real deal, but has a slightly different address, and then capture your personal information.

'Phishing might be the most common scam reported in Australia, but we can all get smarter online and better protect ourselves, and there are steps you can take to protect yourself too.'

'The first step is to be aware. The second is to do something about it,' Mr MacGibbon said.

Attempts are also made to compromise businesses through targeted phishing attacks. Small businesses in particular are targeted by themed phishing emails from contractors whose systems have been compromised.

Protect yourself and report the scam

You can better protect yourself by following these tips:

  • Don't open or click on links in emails or messages from people or organisations you don't know.

  • Don't open attachments in unsolicited messages.

  • Remember that reputable organisations locally and overseas -- including banks, government departments, Amazon, PayPal, Google, Apple, and Facebook -- don't call or email to verify or update your personal information.

  • Before opening an email, consider who is sending it to you and what they are asking you to do. If you're unsure, call the organisation the message appears to be from, using contact details from a verified website or other trusted source.

  • Use email, SMS or social media providers that offer spam and message scanning.

  • Don't provide personal information to unverified sources.

  • Use two-factor authentication (2FA) on all essential services such as email, bank and social media accounts, because this way of 'double checking' identity is stronger than a password. With 2FA, you need to provide two things, your password and something else such as a code sent to your mobile device or your fingerprint, before you -- or anyone pretending to be you -- can access your account.

If you feel a message you have received is a fake, here are some ways to verify the message:

  • Read the message carefully, looking for tracking numbers, names, attachment names, sender, message subject and URLs. Hover your mouse over links to see the web address.

  • Google the extracted information to see if others have reported it as malicious.

  • Call the organisation that appears to have contacted you and check the details or the request.

  • Use other methods such as the organisation's mobile phone app, website or social media page to verify the message.

To recover from phishing:

  • Change any passwords you have revealed.

  • Inform the organisation the scammer pretended to be from.

  • Contact your bank immediately if you've sent money or personal banking details to a scammer.

  • If you believe your personal information has been put at risk, IDCare is Australia and New Zealand's national identity and cyber support service and is available on 1300 432 273.

  • Report scams to the Australian Competition and Consumer Commission's Scamwatch to help protect your friends, family and workmates.

  • For more advice about the latest threats and how to protect yourself online, sign up to the free Stay Smart Online Alert Service.

To report a cyber security incident, visit or call 1300 292 371 (1300 CYBER1).