Need to know
- Phishing is one of the most common online scams.
- Scammers use email, messaging, fake websites and more to reel you in.
- The goal is usually to steal your identity or banking details.
One of the easiest online scams to fall victim to is phishing. This is when someone pretends to be from a legitimate business organisation to get your login name and password, banking details, credit card number or other personal information.
Cybercriminals are always coming up with new ways to con you, but there are some phishing tricks that are more common than others.
Common phishing techniques
Phishing usually relies on getting you to click a link to a fake website or online form. But you can also be contacted by phone, email, in person, via message or any combination of these. New methods are cropping up all the time, too. More recently, malicious apps have been using smart phone voice assistants (think Alexa smart speakers) to prompt users to say their account passwords out loud.
Scammers play on your emotions, claiming your account has been hacked, service will be terminated, you've won a prize, made an unauthorised payment, or any one of dozens of other fabrications. They may also try to confuse you with complicated jargon or ask you to answer personal questions to 'prove' your identity.
All of this is done with one goal: to get you to give up valuable information so your identity or banking details can be stolen.
A classic phishing tactic is to create a genuine-looking copy of a legitimate website, then prompt you to sign in.
Once you enter your username and password, the criminals can get access to your account for the real service. You might also be asked to fill out a form with personal details, provide banking information, or enter credit card details.
Signs of a phishing website include low-quality images, bad website design, off-centre text, spelling mistakes, bad grammar and suchlike.
Though some fakes might look identical to the originals.
An example of a scam email claiming to be from myGov
Scam emails and messages
Scam emails can look realistic, down to an official email address with logos, contact numbers and professional-looking graphics. They're designed to get you to click on a link that sends you to a phishing website.
They might also include an email attachment, but don't open it, as it might be malicious software that can infect your computer.
An SMS or instant online message could have a link and a short memo crafted to play on your emotions or prompt you to unsubscribe from a (fake) marketing list.
An email or message might ask for your information directly via a reply email, instead of clicking a link. Never give out personal information via email or messages.
Social media platforms and even trustworthy websites can sometimes display ads for products, competitions or articles that take you to a phishing website.
Links can send you anywhere but where you expect
Ever seen linked text in an article that says 'to find out more about this, click here' or something similar? This an embedded link (AKA hyperlink).
It's easy to make one that simulates a web address, such as text that says https://my.gov.au, but goes to a different page. For example: here is the URL for the CHOICE homepage: https://www.choice.com.au. However, clicking it will take you to our laptop review page, because that's the address of the embedded link.
You can even make embedded links in emails, word processor and PDF documents.
To see where a link is sending you, right click on it and select "copy link address" or similar option. Paste it into a text document or word processor to see the real destination address.
Surprise calendar events
A newer way of reeling you in is a fake calendar invitation that links to a phishing website. If one pops up in your calendar out of the blue, especially if it's not in a language you speak, delete it or report it as spam/phishing.
Online and shared documents
You may be invited to share or edit a document via email with someone you've never met. This is done via online storage accounts, such as Google Drive and Dropbox, to name just two.
Report or delete the email and ignore the invitation.
If you get a call from someone asking for personal information or access to your computer, be polite (it might just be someone doing their job), hang up and call the company or organisation back using their public contact details.
Ask for a reference number from the original caller so you can speed things up when you call back, if possible.
Scammers might turn up at your door
If you weren't told to expect a visit from somebody who's turned up on your doorstep and wants personal information, contact their employer using public contact details and verify the visitor's identity first, especially if they don't look official.
This is a rarer phishing technique, but it's still one to look out for, especially with regards to people claiming to be from telcos or NBN Co.
How to spot phishing
There are a few ways to spot phishing, but only a couple are fool-proof: URL checks and contacting sources yourself.
You can't fake a web address
A URL (Uniform Resource Locator) is the address of a website. It's the thing that appears in the address/search bar at the top of a web page, often starting with www., https:// or http://.
The address of a website is unique and absolute. No one can copy anyone else's web address.
However, scammers can make fake URLs that look similar to the original. The myGov website is my.gov.au but a similar URL such as mygov.com.au might be set up by criminals, for example.
If you're suspicious about a website, exit it and do a web search for the real one.
And remember: the real URL shows up in the address bar at the top of the page. Just because you clicked linked text on the main body of the web page, doesn't mean it will take you where it says.
Contact the source directly
If in doubt about a company that has contacted you, look up the company's information independently and get in touch with them yourself, rather than using phone numbers or email addresses provided to you by potential scammers.