skip to log on skip to main content
VoiceOver users please use the tab key when navigating expanded menus
Article related to:


What is phishing, and how can you protect yourself?

Security specialist

2024-04-03 00:00

Estimated reading time
5 min

Jump to

‘Ping!’ It’s an SMS from the road toll company, asking you to update your payment information to avoid a penalty fee. You’re in the middle of something at work, but this seems urgent, so you click the link and give them what they need. You may be able to guess what happens next – that’s right, you’ve fallen for a ’phish’.

If this scenario sounds familiar, you’re not alone. It’s a common misconception that you need to be gullible to fall for a ’phishy’ message, but it’s far more common than you might realise. Between 2022–23, the Australian Signals Directorate (ASD), a government organisation responsible for fighting cybercrime, received a report every six minutes, with phishing being one of the most common types of cybercrime targeting individuals.

We’re going to take you through what phishing is, how it works, and most importantly, how to create a safer online life.


What is phishing?

If you spend time online, it might feel like phishy messages are unavoidable, and there’s good reason for that. In their most recent report (2022), the Australian Competition and Consumer Commission (ACCC) listed phishing scams as the most frequently reported cybercrime in 2021.

But despite their name, they have nothing to do with dropping a line off the side of your tinny on a clear day. Phishing typically involves cybercriminals trying to lure you in by impersonating a brand or company you trust. They phish for your information to try and swindle you out of your hard-earned money.

Cybercriminals might send you an email, message or targeted social media post that appears to be from a legitimate company. They will generally provide a link, which appears to be taking you to a trusted website but is instead controlled by the cybercriminal. They can use this link to harvest your personal data for their own use - it may even deliver malware to your device.

It’s as simple as that – one small mistake and your data or finances are compromised.


How can you spot a phish?

Phishing attacks can come from a variety of channels, including phone call, email, message, and social media, and it’s important to remember that any company can be impersonated. Cybercrime is also becoming harder to spot, as cybercriminals harness advancing technology, like artificial intelligence, that helps them craft their approach to sound more credible.

Some of the most common scenarios you might encounter are:

  • Postal service impersonation: A message or email from the postal service claiming they urgently need you to update your personal information so you can receive your package. This message will contain a link for you to follow where you will be prompted to share your personal data. They may even claim you’ve missed a delivery, and you’ll need to visit a link to reschedule.

  • Tax office or other government agency fraud: A message or email from the tax office claiming they can’t refund your tax return until you update your banking information. This will contain a link for you to follow prompting you to fill out your banking details.

  • Toll service suspension threat: Contact from a toll company about an outstanding toll payment, prompting you to follow a link to make your payment.

  • Direct contact from a cybercriminal: A message or post on social media, or an SMS with a malicious link that, when clicked, can mine your personal information.

Some reg flags to watch out for include:

  • Any email or message asking you to follow an external link.

  • Being asked to verify your account details like your PIN, username and password.

  • A sense of urgency or threat that you will lose money or items, or even face prosecution if you don’t immediately perform the action that they want you to do.

  • A message that calls you by a generic name or title rather than using your name. For example, ‘Dear account holder’.

  • Any unusual characters or numbers added to an email domain name or website address that could indicate it is only impersonating a legitimate company.

  • Being prompted to fill in personal details or financial details to win a prize or enter a competition.

  • “Similar but misspelt email addresses are common in phishing,” says Erica Hardinge, ANZ’s Product Area Lead in Staff & Customer Security Education & Resilience Enablement. “So it’s important to check the email address that’s contacting you.”


How to prevent phishing 

Unfortunately, it won’t always be possible to spot a phishing message. Some messages or emails will appear almost identical to those sent by legitimate companies.

“Our email inboxes are loaded with emails often including a lot of irrelevant information, like junk mail,” says Erica. “Checking our emails can become a task we do without paying a lot of attention. But we must look out for unexpected, emotive calls to action and always check legitimacy before clicking on links, attachments or before providing personal information.”

 Cybercriminals are intelligent and innovative, so the best way to protect yourself is by always practicing good digital hygiene, even when you think you can trust the source of your correspondence.

How to protect yourself:

  • Take extra time and consideration when responding to ‘urgent’ correspondence. Cybercriminals often use an urgency as a tactic to hope you will either miss or ignore the flaws in their username, website or email address.

  • Never follow a link sent to you by any company via message or email. Instead, go directly to the relevant section of that company’s website and log in securely to see if your details actually need updating.

  • Never share your passwords, bank details, credit card details or personal details after following a link, or when you have been contacted over the phone.

  • Enable multi-factor authentication for all accounts you have, where possible.

  • Don’t click on links or download attachments from an unexpected message or email.


What can you do if you think you’ve been phished?

If you think you have been phished, firstly, don’t blame yourself. Even the most tech-savvy among us have clicked the wrong link without thinking and found ourselves on a criminal’s hook.

  • If you have shared financial information or believe you have transferred money to a cybercriminal, notify your bank immediately. If you’re an ANZ customer, contact us immediately to report the fraud.

  • If you shared credit card details, block or cancel those cards immediately. If your cards are with ANZ, you can do this through the app. Learn more


Who can you contact if you’ve been phished?

  • Report the scam to the Police through the Australian Signals Directorate’s ReportCyber portal. This resource is there for reports of scams where money or personal information has been lost.

  • You can contact the Australian Cyber Security hotline, 24 hours a day, seven days a week on 1300 CYBER1 (or 1300 292 371).

  • Help others by reporting to Scamwatch  to help them prevent future losses, monitor trends and educate the population about emerging threats.

  • For phishing or identity theft associated with government accounts such as Centrelink, Medicare, or Child Support, contact the Services Australia scams and identity helpdesk on 1800 941 126 or visit their website.

  • You can also contact IDCare, a not-for-profit organisation that provides support to those experiencing identity and cyber security concerns.
What is phishing, and how can you protect yourself?
Security specialist

Protect your virtual valuables

Stay safe online and protect yourself with the cyber security PACT – simple guidelines to help you stay one step ahead of the scammers.

Learn more



This information seeks to raise awareness and provides general information only. It may be necessary or appropriate  to ensure that measures are taken in addition to, or in substitution for, the measures presented having regard to your particular personal or business circumstances.