Insight

How to spot a phishing email

How to spot a phishing email: the four quick checks that catch most scams, what to do if you clicked, and where to report phishing in Australia.

Published

June 17, 2026

Reading time

5
min read
Operate
How to spot a phishing email

How to spot a phishing email: the four quick checks that catch most scams, what to do if you clicked, and where to report phishing in Australia.

In this article

You can spot most phishing emails by slowing down and checking four things: the sender's real address, any sense of urgency or threat, links that don't match where they claim to go, and requests for passwords, payments or personal details. Phishing is a fake message designed to trick you into handing over information or money, and almost all of them give themselves away if you know what to look for.

Your team is your best filter here, far better than any software, once they know the signs. Here is what to teach them.

What is phishing?

Phishing is a scam email, text or message that pretends to be from someone you trust to trick you into acting. The goal is usually to steal a password, get you to pay a fake invoice, or install malware. It works by rushing you, so the best defence is simply to pause.

Note: Almost every phishing email works by creating a rush, so the simple habit of slowing down before you click defeats most of them.

What are the signs of a phishing email?

The clearest signs are a mismatched sender address, urgent or threatening language, unexpected attachments or links, and any request for credentials or payment. Rarely will one email have all of them, but even one should make you stop and check.

Warning signWhat to look for
Sender addressThe display name looks right but the actual email is odd or misspelled
Urgency"Act now", "account suspended", "pay today or else"
LinksHovering shows a web address that doesn't match the company
RequestsAsks for a password, bank details or a gift-card payment
Tone or errorsOdd phrasing, or a familiar contact asking for something unusual

What about invoice and payment scams?

Be especially careful with any email that changes bank details or chases an urgent payment, even from a known supplier. This is business email compromise, where a criminal either fakes or takes over a real account and redirects your money. Always confirm changed payment details by phone using a number you already have, never the one in the email.

Warning: A supplier suddenly changing bank account details is the classic sign of business email compromise, so verify it by voice before you move a cent.

What should you do if you spot one?

Don't click, don't reply, and report it. Delete the email, and if it claimed to be from a real contact, warn them their account may be compromised.

  • Do not click links or open attachments.
  • Do not reply or forward it around the office.
  • Report it to whoever handles your IT, and to the ACSC via ReportCyber.
  • If you already clicked or entered a password, change it immediately and turn on MFA.

MFA is what saves you if someone does slip up and hand over a password, which is why it is a cornerstone of the cyber security essentials. If you think an account was already breached, see what to do if your business has been hacked.

Best practice: Run a short phishing drill with your team a couple of times a year, since a trained eye catches scams that no email filter reliably stops.

The short version: check the sender, the urgency, the links and the request. When in doubt, verify through a channel you trust, and report it rather than clicking.

Frequently asked questions

What is the easiest way to spot a phishing email?

Check the sender's actual email address, not just the display name, and be wary of any message creating urgency or asking for a password or payment. Those two checks catch most scams.

What should I do if I clicked a phishing link?

Change the password for any account you entered, turn on MFA, and tell your IT support. If banking details were involved, contact your bank straight away.

How is phishing different from spam?

Spam is unwanted bulk email, usually just annoying. Phishing is deliberately malicious, designed to trick you into handing over information, money or access.

Can antivirus stop phishing?

It helps, but not fully, because phishing targets people rather than software. Trained staff plus MFA are your strongest protection.

Where do I report a phishing email in Australia?

Report it to the Australian Cyber Security Centre through ReportCyber at cyber.gov.au, and let your IT support know so they can protect others.

Want to help your team spot scams before they cost you? Take the free business health check and we will flag where you are exposed.

June 17, 2026
Ryan Pigram
Ready when you are

One partner.
Marketing and technology, run as one.

Tell us where your business is at, and we will tell you where we would start.