Skip to main content

Phishing - scam emails

Phishing is a way that cybercriminals steal confidential information, such as online banking logins, credit card details, business login credentials or passwords/passphrases, by sending fraudulent messages (sometimes called ‘lures’).

These deceptive messages often pretend to be from a large organisation you trust to make the scam more believable. They can be sent via email, SMS, instant messaging or social media platforms. They often contain a link to a fake website where you are encouraged to enter confidential details.

Watch our videos to find out what a phishing message looks like and how they work.

How to spot a phishing message

It doesn’t matter if you are an individual using email at home, or what type or size of business you are in, phishing affects everyone.

How to protect yourself from phishing

Phishing emails have been used by cybercriminals to steal financial details from Australians for a number of years (phishing emails were first observed in Australia in 2003) but have become increasingly sophisticated since then.

Brands that are commonly copied include:

  • state and territory police or law enforcement (fake fine scams)
  • utilities such as power and gas (fake bills and overdue fines)
  • postal services (parcel pick-up scams)
  • banks (fake requests to update your information)
  • telecommunication services (fake bills, fines or requests to confirm your details)
  • government departments and service providers such as the Australian Taxation Office, Centrelink, Medicare and myGov.

It used to be easy to recognise and ignore a phishing email because it was badly written or contained spelling errors, but current phishing messages appear more genuine. It can be very difficult to distinguish these malicious messages from genuine communications.

Because of phishing, it is now standard policy for many companies that they will not call, email or SMS you to:

  • ask for your user name, PIN, password or secret/security questions and answers
  • ask you to enter information on a web page that isn't part of their main public website
  • ask to confirm personal information such as credit card details or account information
  • request payment on the spot (e.g. for an undeliverable mail item or overdue fee).

Many companies also have security pages that identify active scams using their branding. These pages often include examples and pictures of scam messages to help you tell fake messages from real ones.

Tip: If a message seems suspicious, contact the person or business separately to check if they are likely to have sent the message. Use contact details you find through a legitimate source and not those contained in the suspicious message. Ask them to describe what the attachment or link is.

Spear phishing

More dangerous still are a class of phishing messages known as ‘spear phishing’. These messages target specific people and organisations, and may contain information that is true to make them appear more authentic.

These messages can be extremely difficult to detect, even for trained professionals, as they catch people with their guard down.

For example, you might get a message that appears to be from your own company’s IT help desk asking you to click on a link and change your password because of a new policy.

Spear phishing often uses a technique called ‘social engineering’ for its success. Social engineering is a way to manipulate people into taking an action by creating very realistic ‘bait’ or messages.

Criminals are getting better at social engineering and putting more time, effort and money towards researching targets to learn names, titles, responsibilities, and any personal information they can find.

Social media accounts provide rich information about events, conferences and travel destinations that can be used to make an approach seem real and accurate. So consider what personal information you share online and learn how to use social media securely.

Protect yourself from phishing attempts

The best way to protect yourself from phishing attempts is to stay abreast of current threats, be cautious online and take steps to block malicious or unwanted messages from reaching you in the first place.

Take the following steps to protect yourself from phishing attempts:

  • Don’t click on links in emails or messages, or open attachments, from people or organisations you don’t know.
  • Be especially cautious if messages are very enticing or appealing (they seem too good to be true) or threaten you to make you take a suggested action.
  • Before you click a link (in an email or on social media, instant messages, other web pages, or other means), hover over that link to see the actual web address it will take you to (usually shown at the bottom of the browser window). If you do not recognise or trust the address, try searching for relevant key terms in a web browser. This way you can find the article, video or web page without directly clicking on the suspicious link.
  • If you're not sure, talk through the suspicious message with a friend or family member, or check its legitimacy by contacting the relevant business or organisation (using contact details sourced from the official company website).
  • Use a spam filter to block deceptive messages from even reaching you.
  • Understand that your financial institution and other large organisations (such as Amazon, Apple, Facebook, Google, PayPal and others) would never send you a link and ask you to enter your personal or financial details.
  • Use secure behaviour online. Learn how to use email securely and browse the web securely.
  • Stay informed on the latest threats – sign up for the ACSC Alert Service. You can also find information about the latest scams on the Australian Government’s Scamwatch website.

What to do if you think you have revealed confidential information

If you think you’ve entered your credit card or account details to a phishing site, contact your financial institution immediately.

Report scams to the ACCC via the Scamwatch report a scam page. Your report helps to warn people about current scams, monitor trends and disrupt scams where possible. Please include details of the scam contact you received, for example, the email or screenshot.

You can also contact IDCare on 1800 595 160 or via for support if you believe your personal information has been put at risk.

You should also lodge a report with the Australian Cyber Security Centre's ReportCyber.

Find more information on where to get help if you think you have fallen victim to a scam on the Scamwatch website.

Content complexity
This rating relates to the complexity of the advice and information provided on the page.