Phishing

What is phishing?

Phishing is a method of stealing confidential information by sending fraudulent messages to a victim. It is one of the most prevalent scams reported in Australia.

These messages can be sent via email, SMS, social media, instant messenger or phone call. They can look extremely sophisticated and convincing, replicating legitimate messages from reputable senders.

As well as featuring official-looking logos and disclaimers, phishing emails typically include a ‘call to action’ to trick us into giving out our most sensitive personal information, from passwords to bank details.

Some examples of phishing techniques include sending malicious links or attachments to a victim, and requesting personal information such as name, date of birth, credit card number or even usernames and passwords.

Identifying these messages can be very difficult as scammers, criminals and hackers go to great lengths to make them appear legitimate. If you feel a message you have received is not legitimate there are techniques you can use to verify the message.

How do I recover from phishing?

  • Change any passwords you have revealed.

  • Inform the organisation the scammer pretended to be from.

  • If you’ve sent money or personal banking details to a scammer contact your bank immediately. Most big banks will cover any loss if someone makes an unauthorised transaction on your account, as long as you have protected your client number and passwords.

  • IDCare is Australia and New Zealand’s national identity and cyber support service and is available on 1300 432 273 if you believe your personal information has been put at risk.

  • Report scams to the Australian Competition and Consumer Commission’s Scamwatch. Include as much information as possible about the scam message in your report (e.g. the email itself, or a screenshot).

  • If the phishing has led to a crime, file a report with Australian Cybercrime Online Reporting Network (ACORN).

How do I prevent phishing scams?

  • Be aware: don’t open or click on links in emails or messages from people or organisations you don’t know.

  • Don’t open attachments in unsolicited messages.

  • Remember that reputable businesses locally and overseas (such as Amazon, PayPal, Google, Apple, and Facebook) don’t call or email to verify or update your personal information.

  • Before opening an email, consider who is sending it to you and what they are asking you to do. If you’re unsure, call the organisation you suspect the suspicious message is from using contact details from a verified website or other trusted source.

  • Use email, SMS or social media providers that offer spam and message scanning.

  • Don’t provide personal information to unverified sources.

  • Use two-factor authentication on all essential services such as email, bank and social media accounts.

Verifying email, SMS or social media messages

  • Read the message carefully, extracting any unique information such as tracking numbers, names, attachment names, sender, message subject and URLs. Hover your mouse over links to see the web address (usually shown at the bottom of the browser window).

  • Google the extracted information to see if others have reported it as malicious.

  • Call the organisation of the sender and provide them details from the message.

  • Use other methods such as the organisation’s mobile phone app, web site or social media page to verify details from the message

Verifying phone calls

  • Write down specifics of the call asking questions like the caller’s name, contact numbers, business unit and case number.

  • Ask the caller to verify your details such as customer reference number or any other unique information that you use for that organisation.

  • If you are still unsure, hang up the phone and call the organisation back using a phone number listed in the phone book or on their website or mobile application.

Stay ahead of the latest cyber threats. Sign up for Stay Smart Online alerts, a free service to inform you of the latest cyber threats and how to manage them.