Can You Spot a Phishing Email?
Test your skills with 10 real-world email scenarios based on common Australian scams. See if you can tell the difference between legitimate emails and phishing attempts.
From: Australian Taxation Office <refunds@ato-gov-au.com>
Subject: Action Required: Your Tax Refund of $2,847.00 is Pending
Dear Taxpayer, Your tax return for the 2024-25 financial year has been processed and a refund of $2,847.00 is pending. To receive your refund, please verify your bank details by clicking the link below within 48 hours or your refund will be cancelled.
Is this email legitimate or phishing?
Phishing: Australia's Biggest Cyber Threat
Phishing remains the number one method cybercriminals use to compromise Australian businesses. The Australian Cyber Security Centre (ACSC) receives tens of thousands of phishing reports each year, and the actual number of attacks is many times higher as most go unreported. For small businesses, a single successful phishing email can lead to data breaches, financial loss, and significant operational disruption.
Why phishing works
Phishing attacks are effective because they exploit human psychology rather than technical vulnerabilities. They create urgency ("your account will be suspended"), fear ("suspicious transaction detected"), or authority ("your CEO needs this done now") to bypass rational thinking. Even security-aware individuals can be caught off guard when they are busy, stressed, or distracted - which is why ongoing training is more effective than one-off awareness sessions.
Common Australian phishing scams
Australian businesses and individuals are frequently targeted with scams impersonating trusted Australian organisations. The most common include:
- ATO and myGov scams - Fake tax refund notifications or account lockout alerts designed to steal login credentials and personal information.
- Australia Post delivery scams - Fake missed delivery notices with links to malicious tracking pages.
- Bank impersonation - Fake security alerts from major Australian banks asking you to "verify" your account.
- Telstra and utility scams - Fake overdue billing notices threatening service disconnection.
- Business Email Compromise - Attackers impersonating executives or suppliers to request urgent payments or data transfers.
Building a phishing-resistant workplace
Protecting your business from phishing requires a combination of technology and human awareness. On the technology side, deploy email security tools that filter phishing before it reaches inboxes, configure email authentication (SPF, DKIM, DMARC), enable MFA on all accounts so stolen passwords alone are not enough, and implement web filtering to block known malicious sites.
On the human side, conduct regular security awareness training with simulated phishing exercises. Quarterly training has been shown to reduce phishing click rates by 50-75%. Create a culture where staff feel comfortable reporting suspicious emails without fear of embarrassment - the faster a phishing attempt is reported, the faster it can be contained.
Better Networks provides security awareness training and simulated phishing programs for small businesses across Geelong and the Bellarine Peninsula. Our programs are practical, engaging, and tailored to the real threats facing Australian businesses.
Frequently Asked Questions
What is phishing?
Phishing is a type of cyber attack where criminals send fake emails (or texts or calls) that appear to come from legitimate organisations. The goal is to trick you into clicking a malicious link, opening an infected attachment, or providing sensitive information like passwords, credit card numbers, or bank details. Phishing is the most common type of cyber attack in Australia.
What are the most common phishing scams in Australia?
The most common phishing scams targeting Australians include fake ATO tax refund notifications, myGov account locked alerts, Australia Post delivery failure notices, bank security alerts (particularly Commonwealth Bank, ANZ, Westpac, and NAB), Telstra billing scams, and business email compromise where attackers impersonate a boss or supplier to request payments.
What should I do if I click a phishing link?
If you click a phishing link: immediately disconnect from the internet, change passwords for any accounts you may have entered credentials for (using a different device), enable MFA if not already active, run a full antivirus scan, notify your IT support team, and monitor your accounts for suspicious activity. If you entered financial details, contact your bank immediately.
How can I protect my business from phishing?
The most effective protection combines technology and training: deploy dedicated email security with anti-phishing filters, configure SPF, DKIM, and DMARC for your domain, enable MFA on all accounts (so stolen passwords alone are not enough), and conduct regular security awareness training with simulated phishing tests. Businesses that run quarterly phishing simulations see significantly lower click rates over time.
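To make the "configure SPF, DKIM and DMARC" advice concrete, here is an added example (not code from this page or from Better Networks) that grades a domain's SPF and DMARC TXT records and shows the monitoring-only settings beside the enforcing ones. The records are constructed for an assumed domain example.com; DKIM is left out because its key record can only be judged by checking a signed message.

```python
# Constructed records for an assumed domain example.com; look up your own with
#   dig +short TXT example.com        and        dig +short TXT _dmarc.example.com
WEAK_SPF = "v=spf1 include:_spf.mail-provider.example ~all"    # softfail: spoofs usually still land
STRONG_SPF = "v=spf1 include:_spf.mail-provider.example -all"  # hardfail: unlisted senders rejected
WEAK_DMARC = "v=DMARC1; p=none; rua=mailto:dmarc@example.com"  # monitoring only, nothing blocked
STRONG_DMARC = "v=DMARC1; p=reject; rua=mailto:dmarc@example.com; adkim=s; aspf=s"


def spf_grade(record: str) -> str:
    """What the SPF record tells receivers to do with mail from servers it does not list."""
    terms = record.lower().split()
    if not terms or terms[0] != "v=spf1":
        return "missing"
    return {"-all": "hardfail", "~all": "softfail", "?all": "neutral",
            "+all": "pass-all"}.get(terms[-1], "no-all")


def parse_dmarc(record: str) -> dict:
    """Split 'tag=value; tag=value' into a dict; tag names are case-insensitive."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def dmarc_policy(record: str) -> str:
    """Return the requested policy ('none', 'quarantine' or 'reject'), or 'missing'."""
    tags = parse_dmarc(record)
    if tags.get("v", "").upper() != "DMARC1":
        return "missing"
    return tags.get("p", "none").lower()


def audit(spf_record: str, dmarc_record: str) -> dict:
    """Grade both records and list what to tighten. Only DMARC with p=quarantine or p=reject
    makes receivers act on spoofed mail; SPF on its own is advisory for most of them."""
    spf, policy = spf_grade(spf_record), dmarc_policy(dmarc_record)
    findings = []
    if spf != "hardfail":
        findings.append(f"SPF ends with {spf}; finish the record with -all once every sender is listed")
    if policy not in ("quarantine", "reject"):
        findings.append(f"DMARC policy is {policy}; move to p=quarantine, then p=reject")
    return {"spf": spf, "dmarc": policy,
            "enforcing": policy in ("quarantine", "reject"), "findings": findings}
```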
What is Business Email Compromise (BEC)?
Business Email Compromise is a sophisticated phishing attack where criminals impersonate a senior executive, supplier, or trusted contact to trick employees into transferring money or sharing sensitive data. BEC attacks often use spoofed or look-alike domains (e.g. replacing an 'o' with a '0'). The ACSC reports that BEC is one of the most financially damaging cyber threats in Australia, with losses in the millions annually.
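As an added example (not part of this page or Better Networks' material), a small Python triage helper that applies two of the checks described here to the quiz email at the top of the page: whether the sender domain is a look-alike of a trusted domain (the 'o' to '0' swap mentioned above and the hyphens-for-dots trick in ato-gov-au.com), and whether the wording carries the urgency cues described under "Why phishing works". The trusted-domain list and the cue phrases are assumptions for the example.

```python
from email.utils import parseaddr

# Domains this organisation expects legitimate mail from. Assumed list for the example:
# ato.gov.au is the ATO's real domain; the others stand in for whatever you trust.
TRUSTED_DOMAINS = {"ato.gov.au", "my.gov.au", "auspost.com.au"}

# Digits and symbols attackers swap into domains as look-alikes (the 'o' -> '0' trick and kin).
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "|": "l"})

# Pressure phrases from the urgency / fear / authority playbook; assumed list, extend as needed.
URGENCY_CUES = ("action required", "within 48 hours", "within 24 hours", "will be cancelled",
                "will be suspended", "verify your", "immediately", "urgent")


def normalise(domain: str) -> str:
    """Fold a domain so common look-alike tricks collapse onto the real name."""
    d = domain.lower().strip(".").translate(HOMOGLYPHS)
    d = d.replace("rn", "m")      # 'rn' renders like 'm' in many fonts
    return d.replace("-", ".")    # hyphens for dots: ato-gov-au.com -> ato.gov.au.com


def classify_sender(from_header: str) -> str:
    """Return 'trusted', 'lookalike' or 'unknown' for the domain in a From: header."""
    _, addr = parseaddr(from_header)
    if "@" not in addr:
        return "unknown"
    domain = addr.rsplit("@", 1)[1].lower()
    if any(domain == t or domain.endswith("." + t) for t in TRUSTED_DOMAINS):
        return "trusted"
    squashed = normalise(domain).replace(".", "")
    for trusted in TRUSTED_DOMAINS:
        # After folding, the real name survives inside the fake one (at0.gov.au, ato-gov-au.com).
        if normalise(trusted).replace(".", "") in squashed:
            return "lookalike"
    return "unknown"


def find_urgency_cues(text: str) -> list[str]:
    """List the pressure phrases present in a subject or body."""
    lowered = text.lower()
    return [cue for cue in URGENCY_CUES if cue in lowered]


def assess_email(from_header: str, subject: str, body: str) -> dict:
    """Combine the sender and wording checks into a simple triage verdict."""
    sender = classify_sender(from_header)
    cues = find_urgency_cues(subject + " " + body)
    # A look-alike sender is damning on its own; an unknown sender plus pressure wording is enough.
    suspicious = sender == "lookalike" or (sender == "unknown" and bool(cues))
    return {"sender": sender, "cues": cues, "suspicious": suspicious}
```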
How effective is security awareness training?
Very effective. Studies show that regular security awareness training reduces phishing click rates by 50-75% within the first year. The key is consistency - one-off training has limited long-term impact. Quarterly training sessions combined with simulated phishing tests keep staff alert and build a security-conscious culture. Many cyber insurance providers now require evidence of staff training.
Train Your Team to Spot Phishing
Regular security awareness training dramatically reduces your risk. We provide practical phishing training programs for small businesses in Geelong and surrounds.