Insight
How to spot a phishing email: the four quick checks that catch most scams, what to do if you clicked, and where to report phishing in Australia.
How to spot a phishing email: the four quick checks that catch most scams, what to do if you clicked, and where to report phishing in Australia.
You can spot most phishing emails by slowing down and checking four things: the sender's real address, any sense of urgency or threat, links that don't match where they claim to go, and requests for passwords, payments or personal details. Phishing is a fake message designed to trick you into handing over information or money, and almost all of them give themselves away if you know what to look for.
Your team is your best filter here, far better than any software, once they know the signs. Here is what to teach them.
Phishing is a scam email, text or message that pretends to be from someone you trust to trick you into acting. The goal is usually to steal a password, get you to pay a fake invoice, or install malware. It works by rushing you, so the best defence is simply to pause.
Note: Almost every phishing email works by creating a rush, so the simple habit of slowing down before you click defeats most of them.
The clearest signs are a mismatched sender address, urgent or threatening language, unexpected attachments or links, and any request for credentials or payment. Rarely will one email have all of them, but even one should make you stop and check.
| Warning sign | What to look for |
|---|---|
| Sender address | The display name looks right but the actual email is odd or misspelled |
| Urgency | "Act now", "account suspended", "pay today or else" |
| Links | Hovering shows a web address that doesn't match the company |
| Requests | Asks for a password, bank details or a gift-card payment |
| Tone or errors | Odd phrasing, or a familiar contact asking for something unusual |
Be especially careful with any email that changes bank details or chases an urgent payment, even from a known supplier. This is business email compromise, where a criminal either fakes or takes over a real account and redirects your money. Always confirm changed payment details by phone using a number you already have, never the one in the email.
Warning: A supplier suddenly changing bank account details is the classic sign of business email compromise, so verify it by voice before you move a cent.
Don't click, don't reply, and report it. Delete the email, and if it claimed to be from a real contact, warn them their account may be compromised.
MFA is what saves you if someone does slip up and hand over a password, which is why it is a cornerstone of the cyber security essentials. If you think an account was already breached, see what to do if your business has been hacked.
Best practice: Run a short phishing drill with your team a couple of times a year, since a trained eye catches scams that no email filter reliably stops.
The short version: check the sender, the urgency, the links and the request. When in doubt, verify through a channel you trust, and report it rather than clicking.
Check the sender's actual email address, not just the display name, and be wary of any message creating urgency or asking for a password or payment. Those two checks catch most scams.
Change the password for any account you entered, turn on MFA, and tell your IT support. If banking details were involved, contact your bank straight away.
Spam is unwanted bulk email, usually just annoying. Phishing is deliberately malicious, designed to trick you into handing over information, money or access.
It helps, but not fully, because phishing targets people rather than software. Trained staff plus MFA are your strongest protection.
Report it to the Australian Cyber Security Centre through ReportCyber at cyber.gov.au, and let your IT support know so they can protect others.
Want to help your team spot scams before they cost you? Take the free business health check and we will flag where you are exposed.
Tell us where your business is at, and we will tell you where we would start.