Phishing

One of the biggest and most common online risks you need to be aware of is phishing (pronounced ‘fishing’). This scam is called phishing because cybercriminals use all types of methods to 'fish' for usernames, passwords and other sensitive information.

Everyone who goes online or has an email address or a mobile number will have come across a phishing scam at some point.

It’s a very effective type of scam cybercriminals use to steal people’s personal and financial information. For this reason, it’s important to know how to protect yourself.

In this article, you’ll learn about common phishing scams, the warning signs to look for and what you should do if you’re scammed.

What is phishing?

Phishing is a type of scam cybercriminals use to trick you into giving them your personal or financial information, such as your usernames, passwords or credit card details. The cybercriminal is trying to ‘fish’ those details from you by tricking you in some way.

Phishing scams will often:

look or sound like they’re from a trusted person or organisation
use the same design, logos or language as the company or organisation the cybercriminal is pretending to be from
ask you to provide or confirm your personal details
include a link to a fake login page or malicious attachment that will steal your money or information if used.

There are many types of phishing methods, including:

phishing emails
phishing text messages (SMS)
phishing phone calls
phishing QR codes.

In this article, we’ll use the term ‘phishing’ to cover all types of phishing methods.

Types of phishing

There are many types of phishing scams. The most common methods used are phishing emails and phishing text messages (SMS).

Phishing emails and texts

In this phishing scam, cybercriminals will send you an email or text message asking you to click a link or open an attachment.

If you click the link, you’ll be taken to a fake website and asked to enter your personal information, such as your:

credit card information
internet banking details
personal information and documents. For example, your driver licence or passport
usernames or passwords for your online accounts. For example, your social media accounts, email accounts, or Microsoft or Google accounts.

If you click on the attachment, they’ll be able to infect your computer with malicious software (commonly known as ‘malware’). Once it’s infected, they’ll gain access to your personal information without your knowledge.

Text message (SMS) phishing is sometimes referred to as ‘smishing’.

You receive a text message that looks like it’s from your bank. The sender warns you that ‘unauthorised or suspicious activity has been detected on your account’. They urge you to log in and check your account using a link in the text message.
If you click the link and enter your online banking login details, the cybercriminal will be able to steal your login information. They may also be able to access your bank accounts.

Highly-targeted email phishing (spear-phishing)

This type of phishing attack involves cybercriminals sending you a highly-targeted fake email.

For example, instead of using generic information that could apply to many people, the email contains specific information about you. They'll include information like your name, address, bank or credit card details or other sensitive information to trick you into believing the email is legitimate.

It’s important to be aware of these scams because you aren’t expecting a cybercriminal to already know details about you. But they’re able to get this information from incidents like information leaks or data breaches.

Voice call phishing (Vishing)

Voice call phishing, otherwise known as vishing, is a type of phishing attack conducted by telephone. A cybercriminal may call you pretending to be from a trusted organisation. For example, from your bank or service provider.

Or you may be tricked into calling them. Many vishing attacks start with a phishing email, urging you to dial a number. Once in a call, cybercriminals use manipulation tactics to convince you to share your personal details.

QR code phishing (quishing)

This is a newer type of phishing attack where cybercriminals use QR codes (a square barcode-like image) to scam you. The QR codes the cybercriminals create will link to a malicious website or prompt you to download malware.

Quishing can be difficult to detect because you can’t check the legitimacy of the link before scanning a QR code.

What types of organisations do cybercriminals pretend to be from?

Cybercriminals may try to steal your information by pretending to be from:

your bank
your mobile phone and/or internet service provider
a government agency. For example, the Australian Taxation Office (ATO).
a postal delivery service. For example, Australia Post.
a road toll company. For example, Linkt.
a social media platform. For example, Facebook.
an online game
an online service with access to your financial details. For example, PayPal, iTunes, Spotify, Netflix or Google.

How to protect yourself from phishing attacks

While you can’t prevent phishing attacks, there are many things you can do to protect yourself from falling for them.

The most effective ways to protect yourself are learning to recognise the warning signs of phishing and following our expert tips. Keep reading to learn more.

Phishing warning signs to look out for

While you can’t prevent a phishing attack, there are many things you can do to make sure you recognise one.

Key warning signs of a phishing attack include:

Receiving an email, text or phone call claiming to be from a trusted organisation asking you to update or verify your details.
Receiving an email, text or phone call about online accounts you don't have or banks that you don't have accounts with. For example, you get an email from ‘eBay’ about your account even though you don’t have one.
Urgent and time-sensitive threats. For example, ‘your account will be closed if you do not respond immediately'. Or using language like 'immediate action required' or telling you that you need to collect a parcel or pay a toll.
Referring to you in a generic or odd way. For example, ‘Dear Sir/Madam’ ‘Dear account holder’. (Keep in mind that phishing communications might include your name if the cybercriminal gets your information from a data breach).
Spelling and grammatical mistakes.
Unexpected files or downloads.
Links that don't refer to the sender or sender's organisation. If you hover over a link in the email with your mouse, you can see that the website address (URL) doesn’t match the place it’s saying it’ll take you.
The URL doesn’t look like the one you usually use.
You’re asked to provide details the legitimate website doesn’t usually ask for.

Tips to protect yourself

Don’t click on any links or open attachments claiming to be from a trusted organisation that asks you to update or verify your details. Instead, just press delete.
Don’t provide your personal, credit card or online account details if you receive a call claiming to be from your bank or any other organisation. Instead, ask for their name and contact number. You can then double-check they’re who they say they are before calling back.
You may be able to identify if an email or message you receive is a scam by doing a Google search. Copy the text from any suspicious emails or messages you receive into Google and see if any references to it being a scam show up in the search results.
Avoid downloading apps and files using links or QR codes. Instead, download them from a trusted app store or website.
If you click a link to a webpage that asks you to log in or enter personal details, check the details first before entering any information. You can do this by checking that the domain name in the browser address bar matches the name of the company you expect.
Check Scamwatch for advice about phishing scams.

What should I do if I’ve been targeted by a phishing attack?

You can remove malware using an antivirus or security scan software on your devices. Read the Australian Cyber Security Centre's guide for more information about the steps you can take to detect and remove malware.
To avoid more attacks and protect your personal information, you should:
- change passwords for your most important accounts using a different (non-infected) device
- turn on multi-factor authentication (MFA) where possible
- be alert about potential scams
- learn how to protect yourself after an information leak
If you’re struggling to remove the malware or you’re not tech-savvy, talk to your IT support person or a local computer services company.
For any accounts you think may now be at risk:
- immediately contact your bank or financial institution to report the transaction(s) and ask how they can help.
- change the account password, including any other accounts that use the same password. Turn on MFA if it’s available.
You can also get a free credit check. Reviewing your credit report can show any instances where your personal information has been used illegally to apply for loans or credit for big purchases. Your bank might be able to give you one, or you can request one from each of the reputable consumer credit reporting agencies.
If there’s any suspicious activity on your credit record, you can ask to have it corrected. For more information about credit checks, read our Information leaks and data breaches page.
- Contact your bank or financial institution to secure your financial accounts. 
- Contact any other services where the personal information could be used to access accounts. For example, the Australian Taxation Office (ATO) or Services Australia.
- Change the passwords to any accounts which might be impacted by a phishing attack. For example, your banking, superannuation, MyGov and email accounts. 
- Turn on multi-factor authentication (MFA) if it’s available.
- Contact a credit reporting agency to see if anyone has tried to open accounts in your name.
- Contact your email, telecommunications or social media provider for advice on how to block future phishing attempts.
- Check IDCARE for a list of steps you can take to minimise the effects of identity theft.
- Read our Information leaks and data breaches page for more information on the steps above.

How do I report phishing?

Once you’ve done the above, you can report the phishing attack to support services run by the Australian Government:

ReportCyber: If you’ve lost personal information or money to a phishing attack, you can report it to ReportCyber. You can also call them 24/7 on 1300 292 371. Your report will be referred directly to the relevant law enforcement agency.
Scamwatch: We encourage you to report phishing to Scamwatch, even if you didn’t fall for it. Reporting helps Scamwatch to warn other people about current phishing scams, monitor trends and stop scams where possible. Please include details about the phishing attempt or attack. For example, a copy of the email or screenshot.

You can find more information on our How to report cybercrime and online scams page.

Get support

Being phished is a horrible experience. If you need to talk to someone, visit our Get support page. You'll find many useful resources to help you through the process.