How to Spot Phishing SMS and Emails
97,831 phishing scams were reported to Scamwatch in 2024, resulting in $13.7 million in losses. Learn to recognise and avoid these deceptive messages.
Phishing scams are becoming increasingly sophisticated. Even tech-savvy Australians fall victim to convincing fake messages from banks, government agencies, and delivery services. The criminals behind these scams use psychological pressure and urgency to bypass your critical thinking. What makes these attacks particularly dangerous is their volume and their precision. Millions of messages go out daily, each one designed to catch you at a vulnerable moment when you're expecting a package delivery, waiting for a bank notification, or concerned about a tax matter.
What is Phishing?
Phishing is a cybercrime where attackers impersonate legitimate organizations to steal your personal information, passwords, or money. These attacks arrive via SMS (called smishing), email, or even phone calls (called vishing). The goal is always the same: trick you into revealing sensitive information or clicking malicious links that install malware or lead to fake websites designed to harvest your credentials.
The statistics are sobering:
According to the latest Scamwatch data, phishing remains one of the most common scam types in Australia, with 97,831 reports in 2024 alone and losses totaling $13.7 million. What's more alarming is the acceleration: phishing losses in the first four months of 2025 reached $13.7 million, compared to just $4.6 million in the same period in 2024, a threefold increase. Behind each of these numbers is a real person who thought they were protecting their account or resolving a legitimate issue.
How Phishing Works
Modern phishing attacks exploit trust and create artificial urgency. Scammers craft messages that appear to come from organizations you know and trust: your bank, Australia Post, the ATO, myGov. These messages often claim there's a problem requiring immediate attention — a suspended account, a failed delivery, unpaid taxes, or unusual activity. The pressure to act quickly is deliberate. They want you clicking before you have time to think critically about whether the message is legitimate.
The messages contain links to fake websites that perfectly replicate the login pages of real organizations. When you enter your username and password on these fake sites, criminals capture your credentials in real-time. Some sophisticated attacks then redirect you to the real website, so you don't immediately realise you've been compromised.
By the time you notice unauthorised transactions or account changes, the criminals have already moved your money or used your identity for fraud. The technical execution has become remarkably polished. Fake websites copy the exact fonts, colors, logos, and layout of legitimate sites. Scammers are now using AI-generated content, deepfake videos, and perfect replicas of official websites. Without careful examination, the difference is nearly impossible to spot.
SMS Phishing (Smishing) Red Flags
Text message phishing has exploded because SMS feels more immediate and trustworthy than email. We're conditioned to read texts quickly and respond. Scammers exploit this habit with messages that look like legitimate notifications from banks, delivery services, or government agencies. The sender name often appears as the real organization because criminals can spoof sender IDs. Your phone might show "CommBank" or "AusPost" or "myGov" even though the message comes from scammers.
Unexpected links in SMS
This is the single biggest red flag. Legitimate organizations rarely send links via SMS anymore, precisely because of phishing concerns. The link often uses a shortened URL like bit.ly or tinyurl.com that hides the real destination, or a domain that is slightly different from the real organization's, like auspost-au.com instead of auspost.com.au.
Manufactured urgency
Messages claiming your account will be suspended in 24 hours, your package returned tomorrow, or your tax refund forfeited unless you act immediately. Real organizations give you reasonable time to respond to legitimate issues and use official channels like postal mail for important account matters. The urgency is designed to trigger your fight-or-flight response, shutting down the rational part of your brain.
Requests for sensitive information via SMS
No legitimate organization asks you to verify your password, PIN, credit card number, or full account details via SMS. Banks already have this information. Government agencies use secure portals. There are no exceptions to this rule.
Too good to be true offers
Messages about tax refunds you didn't know you were owed, prizes from competitions you didn't enter, or exclusive deals requiring immediate payment are classic phishing bait. Real unexpected refunds come through official channels with detailed explanations, not surprise text messages with links.
Generic greetings and poor grammar
Real messages from your bank or service providers use your actual name. Scam texts use generic greetings like "Dear customer" or "Valued member." Many scams still contain subtle errors: unusual phrasing, missing articles, or slight misspellings. Legitimate organizations have professional communications teams who proofread carefully.
Real Phishing SMS Examples
Understanding what these scams actually look like helps you recognise them instantly:
Fake Bank Alert
"CommBank: Suspicious activity detected on your account. Verify your identity immediately [link]"
Red flags: Unsolicited link, manufactured urgency, security threat. Real banks never ask you to verify identity via SMS links. If there were actual unusual activity, you'd receive an authenticated notification in your banking app.
Fake myGov Verification
"myGov: Your account requires verification. Click here to avoid suspension [link]"
Red flags: Suspension threat and link. Government portals don't send verification links via SMS. If there were a genuine issue, you'd receive official communication through registered mail or see notifications when you log into the portal directly.
Fake Delivery Fee
"Australia Post: Pay $2.50 delivery fee to receive your parcel [link]"
Red flags: Unexpected fee and payment link in SMS. Australia Post removed links from SMS notifications in March 2025 to combat exactly this scam. Any message claiming to be from Australia Post with a payment link is fraudulent. The small amount makes it seem reasonable, which is exactly the point.
Email Phishing Red Flags
Email phishing attacks can be more sophisticated than SMS because scammers have more space to build credibility. Modern phishing emails often look nearly identical to real emails from banks, online retailers, or government agencies. However, there are still telltale signs that reveal the deception if you know what to look for.
Fake sender email addresses
The display name might say "Commonwealth Bank" but the actual email address is something like notifications@secure-commbank.net or support@comm-bank-au.com. Legitimate organizations only send from their official domains. Hover over the sender name without clicking to see the real email address. A real email from Commonwealth Bank comes from @commbank.com.au, not variations like @comm-bank.com.
Generic greetings and poor grammar
"Dear customer" or "Dear user" instead of your name suggests the email isn't from an organization that actually knows you. Poor grammar and spelling errors are another giveaway. Professional organizations proofread their communications.
Links that don't match claimed destinations
Hover over links without clicking to see the actual URL. If an email claims to be from PayPal but the link goes to paypa1.com (with a number 1 instead of the letter l) or secure-paypal-au.net, it's a scam. Scammers count on you clicking without checking where the link actually goes.
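As an added illustration (not code from the original article or from SafeAus), the script below applies the checks described in the SMS and email sections to a message: it compares the sender's display name with the address actually used, extracts links, reduces each host to its registrable domain, strips the hyphens and digit-for-letter swaps that lookalike domains rely on (paypa1.com, secure-commbank.net, auspost-au.com), flags known URL shorteners, and looks for the urgency, sensitive-information and generic-greeting wording listed above. The official-domain allowlist is an assumption: commbank.com.au and auspost.com.au are quoted in the article, while my.gov.au and paypal.com are assumed. The public-suffix handling is deliberately naive, and the sample messages are constructed from the article's examples with made-up URLs.

```python
import re
from typing import Optional
from urllib.parse import urlparse

# Assumed allowlist of official domains for the brands the article names.
# commbank.com.au and auspost.com.au appear in the article; my.gov.au and
# paypal.com are assumptions about those brands' real domains.
OFFICIAL_DOMAINS = {
    "commbank": {"commbank.com.au"},
    "auspost": {"auspost.com.au"},
    "mygov": {"my.gov.au"},
    "paypal": {"paypal.com"},
}
# URL shorteners the article mentions: they hide the real destination.
SHORTENERS = {"bit.ly", "tinyurl.com"}
# Digit-for-letter swaps commonly used in lookalike domains (paypa1 -> paypal).
HOMOGLYPHS = str.maketrans({"1": "l", "0": "o", "3": "e", "5": "s", "7": "t"})
URGENCY = re.compile(r"\b(immediately|within 24 hours|suspend(ed|sion)?|act now|forfeit)\b", re.I)
SENSITIVE = re.compile(r"\b(password|pin|card number|security code|account details)\b", re.I)
GENERIC = re.compile(r"\b(dear (customer|user)|valued member)\b", re.I)
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)
# Australian second-level suffixes: the registrable domain then has three
# labels (commbank.com.au) instead of two (paypal.com). Naive, but enough here.
TWO_LABEL_SUFFIXES = {"com.au", "gov.au", "net.au", "org.au", "edu.au"}


def registrable_domain(host: str) -> str:
    """Return the registrable part of a hostname (naive public-suffix handling)."""
    labels = host.lower().strip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def normalise(domain: str) -> str:
    """Collapse the tricks lookalike domains rely on: case, hyphens, digit swaps."""
    return domain.lower().replace("-", "").translate(HOMOGLYPHS)


def check_domain(domain: str, brand: str) -> list[str]:
    """Flag a registrable domain that claims to be `brand` but is not its official one."""
    official = OFFICIAL_DOMAINS.get(brand, set())
    if domain in official:
        return []
    if domain in SHORTENERS:
        return [f"shortened URL hides destination: {domain}"]
    if brand in normalise(domain):
        return [f"lookalike domain: {domain} is not one of {sorted(official)}"]
    return [f"unrelated domain for {brand}: {domain}"]


def check_sender(from_header: str, brand: str) -> list[str]:
    """Compare the display name with the address actually used (what hovering reveals)."""
    m = re.match(r"\s*(?:\"?([^\"<]*?)\"?\s*)?<([^>]+)>\s*$", from_header)
    display, address = (m.group(1) or "", m.group(2)) if m else ("", from_header.strip())
    domain = registrable_domain(address.rsplit("@", 1)[-1])
    flags = check_domain(domain, brand)
    if flags and brand in normalise(display):
        flags.append(f"display name '{display}' does not match sender domain {domain}")
    return flags


def assess_message(brand: str, body: str, from_header: Optional[str] = None) -> list[str]:
    """Return the red flags found in one SMS or email body (plus optional From header)."""
    flags: list[str] = []
    if from_header:
        flags += check_sender(from_header, brand)
    for url in URL_RE.findall(body):
        host = urlparse(url).hostname or ""
        flags += check_domain(registrable_domain(host), brand)
    if URGENCY.search(body):
        flags.append("manufactured urgency")
    if SENSITIVE.search(body):
        flags.append("asks for sensitive information")
    if GENERIC.search(body):
        flags.append("generic greeting")
    return flags


# Constructed samples modelled on the article's examples; the URLs are made up.
SAMPLES = [
    ("commbank", "CommBank: Suspicious activity detected on your account. "
                 "Verify your identity immediately https://secure-commbank.net/login", None),
    ("auspost", "Australia Post: Pay $2.50 delivery fee to receive your parcel "
                "https://bit.ly/abc123", None),
    ("paypal", "Dear customer, your payment method has expired. Update it at "
               "https://paypa1.com/update", '"PayPal" <service@paypa1.com>'),
    ("commbank", "Hi Alex, your statement is ready in the app.",
                 '"CommBank" <noreply@commbank.com.au>'),
]

if __name__ == "__main__":
    for brand, body, sender in SAMPLES:
        flags = assess_message(brand, body, sender)
        print(f"[{'PHISH' if flags else 'ok'}] {body[:50]}...")
        for flag in flags:
            print("   -", flag)
```

The script is a triage aid, not a verdict: a message that raises no flags is not proven genuine, and the article's advice to type the official address yourself still applies.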
Unexpected attachments
Files ending in .zip, .exe, or .scr are dangerous. Even PDF or Word documents can contain malware. If you weren't expecting an attachment from this sender, don't open it. Real organizations increasingly avoid email attachments, preferring to direct you to secure portals to download documents.
Payment method verification requests
Emails claiming your payment method has expired, failed, or needs verification are common phishing tactics. Real services send these notifications through their secure apps or portals, not email with links to update payment information.
Security breach panic messages
Messages about unusual login attempts or required password changes are designed to panic you. Legitimate security notifications never include links to reset your password. A real security alert will tell you to go to the official site directly, not provide a convenient link that could be malicious.
QR codes in emails
The ATO and myGov never send QR codes for logging in to services. Scanning such a code with your phone takes you to a credential-harvesting site.
Inconsistent branding
Logos that look slightly off, wrong colors, or poor quality images suggest the email wasn't created by the organization's actual design team. Real corporate emails maintain strict brand consistency across all communications.
How to Protect Yourself
Verify with SafeAus before clicking
Before clicking any link in a message, verify it with SafeAus. Our smart detection analyzes URLs and message content to detect phishing attempts in under 5ms. This takes seconds and can prevent catastrophic financial loss or identity theft.
Never click links in unexpected messages
Type the official URL directly into your browser instead. If you receive a message claiming to be from your bank, open a new tab, type the bank's website address yourself, and log in. Real problems don't disappear when you access your account directly instead of clicking the link in the message.
Contact organizations directly
If you receive a message about account problems, delivery issues, or security alerts, contact the organization using phone numbers from their official website. Call your bank using the number on the back of your card, not the number in the suspicious message.
Enable multi-factor authentication (MFA)
Even if scammers steal your password through phishing, MFA prevents them from accessing your accounts. Use authenticator apps rather than SMS-based MFA when possible, as SMS can be intercepted through SIM swapping attacks.
Hover before you click
On computers, hover your mouse over links to see the real URL before clicking. Look at the actual email address or phone number, not just the display name. These small verification habits take seconds and prevent most phishing attempts.
Be skeptical of urgency
Scammers create false emergencies to bypass your rational thinking. Legitimate organizations give you time to respond. If a message is pressuring you to act immediately, that pressure itself is a red flag.
Use official apps
Download official banking and government apps from your device's app store. These apps provide authenticated notifications that can't be spoofed by scammers. Keep your software updated regularly to patch security vulnerabilities.
Educate your family
Many successful phishing attacks target older Australians who are less experienced with online scams. Use SafeAus Family Protection to help protect loved ones. A quick conversation can prevent a family member from losing their life savings to a convincing scam.
What to Do If You've Clicked a Phishing Link
If you've clicked a phishing link or entered information on a fake website, immediate action can limit the damage. Don't panic, but do act quickly. Time is critical in preventing or minimising financial loss and identity theft.
Disconnect from the internet
If you downloaded anything suspicious or you're still on the fake website, disconnect and close your browser completely. If you only clicked the link but didn't enter any information, the risk is lower, though you should still run a full antivirus scan.
Change your passwords immediately
Change passwords for all affected accounts, especially if you entered credentials. Do this from a different device if possible, or after running antivirus software. If you used that same password on other accounts, change it everywhere. Scammers test stolen credentials across multiple platforms within minutes of capturing them.
Contact your bank
If you entered financial information, call the number on the back of your card immediately. They can block your card and monitor for fraudulent transactions. Most banks have 24/7 fraud lines specifically for these situations.
Enable MFA and scan for malware
Enable MFA on all accounts that support it. Run antivirus and anti-malware scans on your device. Monitor your accounts for suspicious activity over the next few months. Set up account alerts for transactions, login attempts, and profile changes.
Report to authorities
Report to Scamwatch and ReportCyber so authorities can track patterns and potentially shut down the fake website. Contact IDCARE at 1800 595 160 if personal identification information was compromised. Check your credit report for unauthorised credit applications. For detailed recovery steps, see our guide on what to do if you've been scammed.
Specific Phishing Threats to Watch For
Government impersonation scams
Over 10,000 myGov and ATO impersonation scams were reported last year. These scams exploit trust in government institutions and fear of tax penalties. Learn more in our government impersonation guide.
Australia Post delivery scams
These messages affect 9 in 10 Australians. The sophistication has increased dramatically, with fake websites perfectly replicating the Australia Post design. Read our Australia Post scams guide to understand why Australia Post removed all links from SMS notifications in March 2025.
Banking phishing scams
Scams impersonate all major Australian banks: CommBank, NAB, ANZ, Westpac, and others. Fake banking websites capture your login credentials and sometimes your full account details including card numbers and security codes. Get protection tips in our banking scams article.
With phishing scams tripling in early 2025, awareness and verification are your best defences. Scammers are using AI, sophisticated replicas, and psychological manipulation to bypass your defences. The golden rule: when in doubt, don't click. Verify first through official channels. Use SafeAus to check suspicious messages before engaging, and share this information with family and friends to help protect your community. The $13.7 million lost in just the first four months of 2025 represents real Australians whose lives were disrupted by these scams. Every person who learns to recognise and avoid phishing reduces the profitability of these criminal operations and makes the internet safer for everyone.