What is Phishing?

Phishing is a way for criminals to attempt to steal sensitive information such as credit card details, online banking credentials, or business passphrases and passwords. It is done by sending fraudulent messages, usually by email, which are sometimes referred to as ‘lures’.

Phishing emails are designed to appear to come from a real financial institution, e-commerce site, government agency, or any other service, business or individual. The email may request personal information such as account numbers and passwords. When a user replies with that information or clicks on a link, criminals use it to gain access to the user’s accounts or personal computer.

How criminals lure you in

Phishing emails have been a staple of criminals stealing financial details from Australians since they were first observed in Australia in 2003, and they have become steadily more sophisticated. That is why it is important for all Australians to understand what phishing is, how to spot it and how to protect themselves from it.

The following messages are examples of what criminals may email or message when attempting to phish for sensitive information.

  1. “We suspect an unauthorised transaction on your account. To ensure that your account is not compromised, please click the link below, and confirm your identity.”
  2. “During our regular verification of accounts, we couldn’t verify your information. Please click here to update and verify your information.”
  3. “Our records indicate that your account was overcharged. You must call us within 7 days to receive your refund.”

To see examples of actual phishing emails, and steps to take if you believe you received a phishing email, please visit 

The following brands and organisations are commonly impersonated in phishing attempts.

  1. State and territory police or law enforcement (fake fine scams)
  2. Utilities such as power and gas (fake bills and overdue fines)
  3. Postal services (parcel pick-up scams)
  4. Banks (fake requests to update your information)
  5. Telecommunication services (fake bills, fines or requests to confirm your details)
  6. Government departments and service providers such as the Australian Taxation Office, Centrelink, Medicare and myGov

It used to be easy to recognise and ignore a phishing email because it was badly written or contained spelling errors, but current phishing messages appear more genuine. It can be very difficult to distinguish between genuine communications and phishing attempts.

Because of phishing, it is now standard policy for many companies not to call, email or text message you asking for any of the following:

  1. Your username, PIN, password or secret/security questions and answers
  2. For you to enter information on a web page that isn’t part of their main public website
  3. The confirmation of personal information such as credit card details or account information
  4. Payment on the spot (e.g. for an undeliverable mail item or an overdue fee).
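Point 2 above, a link that leads somewhere other than the organisation’s main public website, is one of the few lure features that can be checked mechanically. The script below is an added example, not code from the original page: it pulls every link out of an HTML email body and flags any whose destination is not on the organisation’s own domain, points at a raw IP address, or whose visible text shows a different address from the real link target. The trusted domain `examplebank.com.au`, the lookalike host and the sample message are all constructed for illustration.

```python
"""Added example: flag links in a suspected phishing email whose destination
is not on the organisation's own website, or whose visible text points
somewhere different from the real href. The trusted domain, lookalike host
and sample message below are constructed, not taken from a real campaign."""

from html.parser import HTMLParser
from urllib.parse import urlparse
import ipaddress


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Lowercase hostname of a URL or URL-like text ('' if there is none)."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def on_domain(host, trusted):
    """True if host is the trusted domain itself or a subdomain of it.
    Note the dot: 'examplebank.com.au.evil.example.net' does NOT match."""
    return host == trusted or host.endswith("." + trusted)


def suspicious_links(html_body, trusted_domain):
    """Return a list of (href, reason) for every link that fails a check."""
    parser = _LinkCollector()
    parser.feed(html_body)
    findings = []
    for href, text in parser.links:
        host = host_of(href)
        reasons = []
        try:
            ipaddress.ip_address(host)
            reasons.append("raw IP address instead of a hostname")
        except ValueError:
            pass  # not an IP literal, which is the normal case
        if not on_domain(host, trusted_domain):
            reasons.append(f"destination {host!r} is not on {trusted_domain}")
        # Visible text that itself looks like an address must match the real target.
        text_host = host_of(text) if ("." in text and " " not in text) else ""
        if text_host and text_host != host:
            reasons.append(f"visible text shows {text_host!r} but link goes to {host!r}")
        findings.extend((href, r) for r in reasons)
    return findings


# Constructed sample lure: a lookalike host that merely starts with the bank's
# name, a raw-IP link, and one genuine link to the bank's own site.
SAMPLE_EMAIL = """
<p>We suspect an unauthorised transaction on your account.</p>
<p><a href="https://examplebank.com.au.account-verify.example.net/confirm">www.examplebank.com.au/confirm</a></p>
<p><a href="http://192.0.2.10/update">Update your details</a></p>
<p><a href="https://www.examplebank.com.au/security">Our security page</a></p>
"""

if __name__ == "__main__":
    for href, reason in suspicious_links(SAMPLE_EMAIL, "examplebank.com.au"):
        print(f"{href}: {reason}")
```

The domain comparison deliberately anchors on the dot before the trusted domain, because the common trick is to put the brand name at the front of a hostname the criminal controls. The check only knows the one domain you give it, so a lookalike registered under a different name (for example a hyphenated variant on another top-level domain) is reported simply as “not on the trusted domain”; it is a filter for obvious lures, not a substitute for the company’s own scam page or for checking with them directly.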

Many companies now have security pages that identify active scams using their branding to help mitigate phishing. These pages often include examples and pictures of scam messages to help you tell fake messages from real ones.