Email scams - how to avoid being duped

Email scams are on the rise, but commonsense is the best defence.
Updated: 3 Dec 2008

Australia among top scammers


Every day, masses of spam emails advertising Viagra, Rolex watches or hot investment tips slip into inboxes all around the world.

According to security firm MessageLabs, almost 70 per cent of all email in Australia in August 2008 was spam, and Australia ranks in the top 10 countries by spam volume, alongside China, the United States and France.

There’s no doubt that spam is a gigantic pain in the e-butt — after all, who wants all those annoying emails clogging up their inbox?

However, not all spam is innocuous. Some emails are scams that trick you into disclosing personal information by impersonating banks, entice you with special offers, and urge you to click on a link and divulge your details in a separate website. This type of spam is far more serious — and is known as phishing (which alludes to ‘fishing’) for personal information.

Please note: this information was current as of December 2008 but is still a useful guide to today's market.

In brief

  • Scams and phishing emails come in many forms.
  • These emails try to obtain personal or financial information from you.
  • Be cautious at all times with your personal details.
  • Protect yourself by using security software, spam email filters and the security settings in your web browser.

According to the Australian Bureau of Statistics, over 5.8 million Australians were exposed to a scam in the 12 months to December 2007. In dollar terms 453,100 victims lost money, which equates to a combined financial loss of almost one billion dollars ($977 million). Approximately 5.7% (or 329,000 people) became victims by responding to a scam and supplying personal information and/or money, or seeking more information.

Identifying dangerous emails

Scams come in many varieties, such as emails about lottery wins, US Green Card work visa applications or home mortgage applications. And who hasn’t heard about the Nigerian banking scam where you make your account available to hold a large sum of money for a generous fee?

Phishing emails purporting to be from banks, financial institutions and online payment services tell you to update personal details, warn about an imminent account expiry, or urge you to follow a link to check accounts. These emails try to dupe you into believing that they’re from a legitimate organisation about an account or transaction you need to follow up. The email includes a link that is supposed to be the company’s website, but instead directs you to a bogus site that will collect your personal information.

If it sounds alarming that’s because it is — every day, people fall for these simple tricks and give away their vital details. The golden rule for all internet users, novices and experts alike, is to be extremely wary about responding to emails from unfamiliar addresses, people or organisations. As a rule, you should never reveal any personal information to unknown organisations, people or websites.

Commonsense is key

The good news, however, is that commonsense will go a long way to protecting you from falling victim to the scammers: after all, if you didn’t enter a lottery, what’s the chance you will have won millions? But, as with many things on the net, it can sometimes be hard to discern what’s real and what’s fake. And the scammers are constantly trying new and more inventive ways to trick people.

The best protection is to arm yourself with the most up-to-date information on what threats are out there and how to avoid them. And so to help you, your family and your friends we’ve created an easy-to-follow guide to help you recognise the scammers and avoid their traps. The best way to beat the scammers is for all net users to be armed with the right information. After all, knowledge is power.

For more information see the Australian government website Stay Smart Online.

Report a Scam

  • Use the ScamWatch website.
  • You can also report a scam on NetAlert or contact your local police office and let them take it from there.
  • Contact your bank or financial institution to report a phishing attack sent in its name.
  • Contact the Australian Securities and Investments Commission (ASIC) about banking and financial scams on Fido and click on the Scams & warnings tab.
  • Go to the Australian High Tech Crime Centre and click on Technology enabled crime types and then Online fraud to report online fraud.
  • Go to AusCert then click on About AusCERT and then Report Incident to complete an online incident report form.
  • Use ACMA’s spamMATTERS reporting software for Microsoft’s Outlook email client. Go to spamMATTERS and click on For the public > Consumer & community advice > Spam & e-Security.


Scam emails

Scam emails come in many shapes and sizes. For example, an email we received at CHOICE supposedly came from a manager in the international branch of the Bank of China in Kuala Lumpur, Malaysia, with a business proposition valued at US$60,000,000.

Apart from the obviously ludicrous nature of the email (if it sounds too good to be true, it is), the ‘Reply’ address (not the ‘From’ address), which some email clients reveal if you highlight the From address with your mouse, did not belong to a real bank (see Spoofing addresses, below, for more on this).

Then there are the Nigerian 419 scams which supposedly come from the Governor of a Central Bank in Nigeria. The ‘419’ refers to the section of Nigeria’s Criminal Code which outlaws the practice, but they can come from anywhere in the world. These emails ask you to pay money, such as fees or taxes, or give your bank account details to help them transfer large sums of money. In return, you are promised a large share of money.

There are, however, more plausible-sounding scams — fake lottery scams tempt you into sending money or your personal details to claim your winnings, while an up-front payment scam asks you to provide bank account details or pay fees to gain access to what the scammer is offering. For example:

  • Employment scams trick you into paying an up-front fee for a business plan or materials that never arrive or are worth nothing.
  • Credit card scams try to trick you into giving your credit card details.
  • Dating scam emails from lonely Russian or Eastern European girls try to entice you to write back and pay to use the scammer’s fake dating website.

Phishing emails

Phishing emails purport to be from banks, online payment services and other financial institutions and warn you about supposedly expired passwords, accounts that need updating and security breaches.

Kathryn Kerr, manager of Analysis and Assessments at AusCERT, the Australian Computer Emergency Response Team, says “Popular phishing involves trying to capture the usernames and passwords from online banking customers.” Phishing attacks might also impersonate the Australian Tax Office (ATO) around tax time, while others try to capture your credit card information or impersonate universities to try to capture your email username and password. They may also purportedly come from a site you could have used previously, such as PayPal, eBay or Western Union.

The purpose of a phishing email is usually to lure you to a fake website to enter personal details, like bank account numbers, passwords or credit card numbers. The website appears as an authentic site to convince users that the request is legitimate. If you enter your details, they are captured by the website and can be sold and used by criminals in identity theft. If this happens, you could find your credit card being used without your knowledge and they may even gain access to your online bank accounts to withdraw funds or use the account to launder money.

Sadly, there is a plethora of phishing attacks. The domain name renewal scam sends an invoice for the registration or renewal of a domain name with a link to a fake site aimed at capturing your domain login and password. You can spot these because the domain name listed is similar to your real domain name but may have a different ending; or the domain name may be correct, but the letter is not from the company that registered your domain.

Emails with free offers use dodgy websites that require you to provide credit card, bank account or other personal details, or they require you to pay an upfront fee to claim your ‘free’ prize or product. Cheap online shopping scam emails try to dupe you by selling products very cheaply so they can capture credit card or bank account details. Emails with links to online pharmacies offering drugs and medicine at very cheap prices, or without the need for a doctor’s prescription, are set up to steal credit card details.

Virus warning

And if that wasn't bad enough, if you follow these links, you may also inadvertently download malware, like viruses, Trojans or spyware. Scammers can use spyware, for example, to see what you are doing on your computer. Recently there has been a wave of spam emails with links to fake news or celebrity sites. Once on the fake website, you are asked to download a program, such as ‘Flash Player’, to view images or video and this actually contains viruses or Trojans.

Some fake sites may also contain files with a malicious program called a keylogger which captures your keyboard strokes, including any typed information such as bank login details, email addresses and passwords. It can send your personal information to an external site or email address that has been created by the criminals to use the details for nefarious purposes such as money laundering, credit card fraud or identity theft.

Spoofing addresses

Spoofing is where an email or website address that appears in an email program or on a website actually links to a different address than the one you see. For example, you may get a phishing email ostensibly from Westpac telling you to click on a link to ‘validate’ your account. The link might look legitimate, such as However if you highlight the link with your mouse, any good email client or web browser will show the real link it points to in the program’s status bar.

This will not be the legitimate site (it can’t be, for example only Westpac owns although it may still be worded to sound or look similar. If you get an email like this and the address is being spoofed, it is a phishing email and should be deleted.
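The two checks described in this article, that a ‘Reply’ address should belong to the same organisation as the ‘From’ address (the Bank of China example above) and that the real destination of a link should match the site the link claims to be (the Westpac example), can be automated. The script below is an added example written for this page, not code from CHOICE or any email client. It parses a constructed sample message (all addresses and domains are made up, and the `.test` and `.example` names are reserved for documentation) and reports a Reply-To domain that differs from the From domain, any link whose visible text names one site while its `href` points at another, and, for the domain renewal scam described earlier, a listed domain that has the same name as yours but a different ending. The "registrable domain" approximation (last two labels) is an assumption made for brevity; a production filter would consult the public suffix list.

```python
"""Defensive heuristics for the address and link spoofing tricks described in the article.
Added example; the sample message below is constructed and every address in it is made up."""
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: a 'validate your account' email whose Reply-To and
# visible link both point somewhere other than the bank it impersonates.
SAMPLE_EMAIL = """\
From: "Example Bank" <alerts@examplebank.test>
Reply-To: validate@mail-validate.example.net
Subject: Validate your account
Content-Type: text/html; charset=utf-8

<html><body>
<p>Please <a href="http://203.0.113.5/validate.php">https://www.examplebank.test/login</a>
to validate your account.</p>
<p>Questions? Visit <a href="https://www.examplebank.test/help">our help page</a>.</p>
</body></html>
"""


def registrable(host):
    """Approximate the registrable domain as the last two labels (assumption: no public-suffix list)."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def reply_to_mismatch(msg):
    """Return (from_domain, reply_domain) when Reply-To belongs to a different domain, else None."""
    _, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if "@" not in from_addr or "@" not in reply_addr:
        return None  # no Reply-To header, or an unparseable address: nothing to compare
    from_dom = registrable(from_addr.rsplit("@", 1)[1])
    reply_dom = registrable(reply_addr.rsplit("@", 1)[1])
    return (from_dom, reply_dom) if from_dom != reply_dom else None


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def claimed_host(text):
    """Host named by the link's visible text, or '' if the text is not URL-like (e.g. 'our help page')."""
    t = text.strip()
    if " " in t:
        return ""
    host = urlparse(t if "://" in t else "http://" + t).hostname or ""
    return host if "." in host else ""


def mismatched_links(msg):
    """Return (visible text, real href) for links whose text claims a different site than the href."""
    body = msg.get_payload(decode=True).decode(msg.get_content_charset() or "utf-8")
    collector = LinkCollector()
    collector.feed(body)
    findings = []
    for href, text in collector.links:
        claimed = claimed_host(text)
        actual = urlparse(href).hostname or ""
        if claimed and registrable(claimed) != registrable(actual):
            findings.append((text, href))
    return findings


def lookalike_domain(listed, real):
    """Domain-renewal trick: same leftmost name as your real domain, but a different ending."""
    l_dom, r_dom = registrable(listed), registrable(real)
    return l_dom != r_dom and l_dom.split(".")[0] == r_dom.split(".")[0]


def analyze(raw_email):
    """Run both email checks over a raw RFC 822 message and return the findings."""
    msg = message_from_string(raw_email)
    return {"reply_to": reply_to_mismatch(msg), "links": mismatched_links(msg)}


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_EMAIL).items():
        print(key, "->", value)
```

Either finding on its own is enough to treat the message as phishing and delete it; the checks are deliberately simple so that they run with nothing but the Python standard library.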

The government, policing groups and security organisations are well aware of the criminal opportunities created with email and the internet. The Australian High Tech Crime Centre (AHTCC), which is part of the Australian Federal Police, was launched in 2003 to combat technology-enabled crime.

The AHTCC investigates a range of e-crimes including phishing, fraud, email scams and hacking and is part of the Joint Banking and Financial Sector Investigation Team that aims to prevent and disrupt organised crime groups from accessing personal information. The team has successfully prevented significant fraud against consumers by sharing information among organisations.

Federal Agent Peter Sykora, AHTCC director, says that, on average, there are 400 different phishing emails sent per month. “They come from unique IP [website] addresses. That means millions sent every day to email addresses all over the world.” However, Sykora admits that the numbers are hard to aggregate because the environment changes quickly, and most originate outside Australia, so tracing them is a worldwide collaborative effort.

The AHTCC broadly defines two categories of technology-related crime — traditional crimes (such as theft of money and/or personal information) that use technology, and crimes committed directly against computers. As well as phishing and online fraud, this includes:

  • Computer intrusions, such as malicious hacking.
  • Unauthorised modification or destruction of data.
  • Denial-of-service (DoS) attacks.
  • Distributed Denial of Service (DDoS) attacks using botnets.
  • Malicious software, such as viruses, worms and Trojans.

Sykora admits the task of tracking phishing and email scams is “very difficult” because most of the sites are based overseas. “The Centre works with financial institutions and ISPs to block the IP addresses that are used to send scam and phishing emails. We also use our international partnerships to blacklist the address and pass on the information so that the authorities overseas can pursue it.”

The stolen information has a market value and is traded in online forums. Sykora says that “there are hundreds of forums where you can buy stolen information. There’s a whole black economy in trading data.” A stolen credit card number can sell for as little as $5 to $10, but the information from whaling attacks will be sold for much more.

New, more sophisticated types of phishing attacks are also starting to appear. For example, Sykora says “spear-phishing” targets users more directly and “whaling” is where criminals target CEOs, CFOs and senior managers to get platinum credit card numbers and other highly valuable personal information.

Cyber crime is keeping up with the web and utilising the new phenomenon of social networking sites, such as Facebook, MySpace and Second Life, to collate a great deal of personal information for more specific, targeted phishing attacks. “Criminals can aggregate a lot of information about someone and then send them an email that looks like it comes from a friend,” warns Sykora. You might more easily fall victim to this type of phishing attack by opening an email and following a link because it appears to come from a personal contact.


Identity theft

Phishing and email scams can also be part of a more significant crime — identity theft. Last year, nearly half a million Australians were victims of identity theft, and email and the internet can provide rich pickings for criminals. Identity theft happens when criminals obtain some, or all, of your personal information which can then be used for money laundering using bank accounts, credit card scams, stolen passports and many other illegal activities.

Identity theft can pose serious problems if it happens to you because it may be some time before you realise, and you may never know where your personal information has been traded. You may also need to have all personal details, such as bank account, passport and credit card numbers, renewed — a difficult and time-consuming task. See our Identity fraud report.

  • Botnet: A group of computers running programs (worms or Trojans) that attack computers to obtain information or use them for nefarious purposes.
  • DoS: A denial-of-service (DoS) is an attack on a computer system, network or service, which interferes with its operation, attempting to make it unavailable.
  • Keylogger: A program or device that records keystrokes to capture passwords or email addresses.
  • Malware: Short for malicious software, which is intended to damage or disrupt a system, such as a virus or a Trojan.
  • Phishing: Emails that try to lure the user into surrendering private information that will be used for identity theft. The email directs the user to visit a fake website and update personal information, such as passwords and credit card or bank account numbers.
  • Spam: Unwanted emails that are sent in large quantities around the internet. Email spam targets users with direct mail messages. Email spam lists are often created by scanning newsgroup postings, stealing internet mailing lists or searching the web for addresses.
  • Trojan: A malicious program hidden in a benign application. Often used by hackers to enable access to the victim’s computer.
  • Spyware: Software that monitors user activity on the Internet and transmits that information in the background to someone else. Spyware can also gather information about email addresses and even passwords and credit card numbers. Spyware applications are typically bundled as a hidden component of freeware or shareware programs that can be downloaded from the internet, although the majority of these applications are safe.
  • Virus: A program or piece of code that is loaded onto your computer without your knowledge. A virus can use all available memory and bring the computer to a halt. Viruses can be transmitted across networks and bypass security systems.
  • Worm: A self-replicating computer program, often used as a means to propagate viruses or other malware.
