JavaScript is required


Learn about what phishing is, the warning signs and how to protect yourself from phishing attacks.

One of the biggest and most common online risks you need to be aware of is phishing (pronounced ‘fishing’). This scam is called phishing because cybercriminals use all types of methods to 'fish' for usernames, passwords and other sensitive information. 

Everyone who goes online or has an email address or a mobile number will have come across a phishing scam at some point. 

It’s a very effective type of scam cybercriminals use to steal people’s personal and financial information. For this reason, it’s important to know how to protect yourself. 

In this article, you’ll learn about common phishing scams, the warning signs to look for and what you should do if you’re scammed.  

What is phishing? 

Phishing is a type of scam cybercriminals use to trick you into giving them your personal or financial information, such as your usernames, passwords or credit card details. The cybercriminal is trying to ‘fish’ those details from you by tricking you in some way.   

Phishing scams will often: 

  • look or sound like they’re from a trusted person or organisation  
  • use the same design, logos or language as the company or organisation the cybercriminal is pretending to be from 
  • ask you to provide or confirm your personal details 
  • include a link to a fake login page or malicious attachment that will steal your money or information if used.  

There are many types of phishing methods, including: 

  • phishing emails  
  • phishing text messages (SMS) 
  • phishing phone calls  
  • phishing QR codes.  

In this article, we’ll use the term ‘phishing’ to cover all types of phishing methods.  

Types of phishing  

There are many types of phishing scams. The most common methods used are phishing emails and phishing text messages (SMS). 

Phishing emails and texts 

In this phishing scam, cybercriminals will send you an email or text message asking you to click a link or open an attachment.  

If you click the link, you’ll be taken to a fake website and asked to enter your personal information, such as your: 

  • credit card information 
  • internet banking details 
  • personal information and documents. For example, your driver licence or passport 
  • usernames or passwords for your online accounts. For example, your social media accounts, email accounts, or Microsoft or Google accounts. 

If you click on the attachment, they’ll be able to infect your computer with malicious software (commonly known as ‘malware’). Once it’s infected, they’ll gain access to your personal information without your knowledge. 

Text message (SMS) phishing is sometimes referred to as ‘smishing’. 

Highly-targeted email phishing (spear-phishing) 

This type of phishing attack involves cybercriminals sending you a highly-targeted fake email.   

For example, instead of using generic information that could apply to many people, the email contains specific information about you. They'll include information like your name, address, bank or credit card details or other sensitive information to trick you into believing the email is legitimate.  

It’s important to be aware of these scams because you aren’t expecting a cybercriminal to already know details about you. But they’re able to get this information from incidents like information leaks or data breaches. 


Voice call phishing (Vishing) 

Voice call phishing, otherwise known as vishing, is a type of phishing attack conducted by telephone. A cybercriminal may call you pretending to be from a trusted organisation. For example, from your bank or service provider. 

Or you may be tricked into calling them. Many vishing attacks start with a phishing email, urging you to dial a number. Once in a call, cybercriminals use manipulation tactics to convince you to share your personal details. 

QR code phishing (quishing) 

This is a newer type of phishing attack where cybercriminals use QR codes (a square barcode-like image) to scam you. The QR codes the cybercriminals create will link to a malicious website or prompt you to download malware. 

Quishing can be difficult to detect because you can’t check the legitimacy of the link before scanning a QR code.   

What types of organisations do cybercriminals pretend to be from? 

Cybercriminals may try to steal your information by pretending to be from:  

  • your bank 
  • your mobile phone and/or internet service provider 
  • a government agency. For example, the Australian Taxation Office (ATO). 
  • a postal delivery service. For example, Australia Post. 
  • a road toll company. For example, Linkt. 
  • a social media platform. For example, Facebook. 
  • an online game 
  • an online service with access to your financial details. For example, PayPal, iTunes, Spotify, Netflix or Google.  

How to protect yourself from phishing attacks 

While you can’t prevent phishing attacks, there are many things you can do to protect yourself from falling for them.  

The most effective ways to protect yourself are learning to recognise the warning signs of phishing and following our expert tips. Keep reading to learn more. 

Phishing warning signs to look out for 

While you can’t prevent a phishing attack, there are many things you can do to make sure you recognise one.  

Key warning signs of a phishing attack include: 

  • Receiving an email, text or phone call claiming to be from a trusted organisation asking you to update or verify your details. 
  • Receiving an email, text or phone call about online accounts you don't have or banks that you don't have accounts with. For example, you get an email from ‘eBay’ about your account even though you don’t have one. 
  • Urgent and time-sensitive threats. For example, ‘your account will be closed if you do not respond immediately'. Or using language like 'immediate action required' or telling you that you need to collect a parcel or pay a toll. 
  • Referring to you in a generic or odd way. For example, ‘Dear Sir/Madam’ ‘Dear account holder’. (Keep in mind that phishing communications might include your name if the cybercriminal gets your information from a data breach). 
  • Spelling and grammatical mistakes. 
  • Unexpected files or downloads. 
  • Links that don't refer to the sender or sender's organisation. If you hover over a link in the email with your mouse, you can see that the website address (URL) doesn’t match the place it’s saying it’ll take you. 
  • The URL doesn’t look like the one you usually use. 
  • You’re asked to provide details the legitimate website doesn’t usually ask for. 

Tips to protect yourself 

  • Don’t click on any links or open attachments claiming to be from a trusted organisation that asks you to update or verify your details. Instead, just press delete.  
  • Don’t provide your personal, credit card or online account details if you receive a call claiming to be from your bank or any other organisation. Instead, ask for their name and contact number. You can then double-check they’re who they say they are before calling back. 
  • You may be able to identify if an email or message you receive is a scam by doing a Google search. Copy the text from any suspicious emails or messages you receive into Google and see if any references to it being a scam show up in the search results. 
  • Avoid downloading apps and files using links or QR codes. Instead, download them from a trusted app store or website. 
  • If you click a link to a webpage that asks you to log in or enter personal details, check the details first before entering any information. You can do this by checking that the domain name in the browser address bar matches the name of the company you expect. 
  • Check Scamwatch for advice about phishing scams.  

What should I do if I’ve been targeted by a phishing attack? 

How do I report phishing? 

Once you’ve done the above, you can report the phishing attack to support services run by the Australian Government: 

  • ReportCyber: If you’ve lost personal information or money to a phishing attack, you can report it to ReportCyber. You can also call them 24/7 on 1300 292 371. Your report will be referred directly to the relevant law enforcement agency. 
  • Scamwatch: We encourage you to report phishing to Scamwatch, even if you didn’t fall for it. Reporting helps Scamwatch to warn other people about current phishing scams, monitor trends and stop scams where possible. Please include details about the phishing attempt or attack. For example, a copy of the email or screenshot. 

You can find more information on our How to report cybercrime and online scams page. 

Get support 

Being phished is a horrible experience. If you need to talk to someone, visit our Get support page. You'll find many useful resources to help you through the process.