How to spot a fake email
Hundreds of billions of emails are sent each day around the globe – and it’s no wonder when email is a fast, efficient, and free way to communicate. But how can you tell when an email is from a scammer?
Fake or phishing emails range from the downright obvious to the alarming lookalikes. Their goal is to trick you into thinking the sender is an organisation you’re familiar with or someone you know in order to get your personal information.
In this guide we explore the things you should look out for when you receive an email that encourages you to share personal information including your usernames and passwords, bank account or credit card numbers or answers to security questions like your mother’s maiden name. There are also a couple of quizzes at the end of this guide to test your scam spotting skills.
In this article:
- What is a phishing email?
- How to tell if an email is from a scammer
- Tips to protect yourself against phishing emails
- What to do if you think you’ve received a phishing email
- Where to go for help if you’re the victim of a scam
- Test your skills: take the quiz
What is a phishing email?
A phishing email is a type of scam that’s designed to look like it comes from an organisation you’re familiar with, like your bank, service providers for things like power or internet, a government agency, or even someone you know.
Scammers ‘fish’ for personal information by emailing thousands of people hoping a portion of unsuspecting victims will take the bait. Their goal is to obtain enough information to be able to access your finances, commit fraud or identity theft.
Links or attachments in emails can also download malware or viruses that infect your device and allow scammers access to sensitive information.
Phishing scams come in many forms including text messages, phone calls, and ads or posts on social media.
How to tell if an email is from a scammer
Some email scams can be easy to spot by poor grammar and spelling or blurry company logos. For trickier emails that look more like the real thing, there are other clues you can look for.
Mismatched sender details
Look at the email address, not just the name shown next to it. Does the domain name (the part of the email address that comes after the @ symbol) belong to the organisation named in the From field? If you can’t see the email address, tap or click on the sender’s name to reveal it. The name shown is free text chosen by the sender and proves nothing on its own. An obvious mismatch is an email that claims to be from Microsoft but comes from microsoftcustomerhelp8@gmail.com. No large legitimate organisation sends official email from a free webmail address such as Gmail, Yahoo or Outlook.com.
Unfortunately, mismatched details are not always so obvious. Scammers can forge the sender details so that an email appears to come from a company’s own domain (this is known as spoofing), or they can register a domain that looks like the official one. Look out for misspellings, extra characters, numbers, or words in a domain name that make it similar to, but not the same as, the official domain. For example, @nabbank.com.au or @nab.com compared with the official @nab.com.au domain. Read the domain from right to left, because only the final part decides who owns it: an address ending in nab.com.au.example.com belongs to example.com, not to NAB.
If you’re unsure whether an email address is legitimate, check for other clues in the email or do an online search to see what comes up.
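The sender checks described above, as an added worked example (this code is not part of the original guide). It splits a From header into the display name and the real address, then flags the clues the guide lists: a display name shaped like an email address with a different domain, non-ASCII look-alike characters, a brand name sent from free webmail, and a look-alike domain. The page's own example header is used as sample input; the other headers and the table of "official" domains are constructed for illustration (nab.com.au comes from the guide, commbank.com.au and microsoft.com are assumptions).

```python
import re
import unicodedata

# Assumed official sending domains per brand, keyed by words a scammer would use
# in the display name. nab.com.au is from the guide; the other two are assumptions.
OFFICIAL_DOMAINS = {
    "nab": {"keywords": ("nab",), "domains": {"nab.com.au"}},
    "cba": {"keywords": ("cba", "commbank", "netbank"), "domains": {"commbank.com.au"}},
    "microsoft": {"keywords": ("microsoft",), "domains": {"microsoft.com"}},
}

# Free webmail providers named in the guide (hotmail.com is Outlook.com's older name).
FREE_WEBMAIL = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}

# "Display Name <real@address>". Real headers may also be RFC 2047 encoded-words;
# this example assumes they have already been decoded.
ANGLE_RE = re.compile(r"^(?P<name>.*?)\s*<(?P<addr>[^<>]+)>\s*$", re.S)
EMAIL_RE = re.compile(r'[^\s@<>"]+@[^\s@<>"]+')


def split_from_header(raw):
    """Return (display_name, address). The name is free text chosen by the sender."""
    m = ANGLE_RE.match(raw.strip())
    if m:
        return m.group("name").strip().strip('"'), m.group("addr").strip()
    return "", raw.strip()


def domain_of(addr):
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def non_ascii_chars(text):
    """Characters outside ASCII with their Unicode names, e.g. a Cyrillic 'о' posing as Latin 'o'."""
    return [(ch, unicodedata.name(ch, "UNKNOWN")) for ch in text if ord(ch) > 127]


def analyse_from_header(raw):
    name, addr = split_from_header(raw)
    dom = domain_of(addr)
    findings = []
    # 1. Display name shaped like an email address whose domain differs from the real one.
    m = EMAIL_RE.search(name)
    if m and domain_of(m.group()) != dom:
        findings.append("display_name_address_mismatch")
    # 2. Look-alike (non-ASCII) characters anywhere in the sender details.
    if non_ascii_chars(name + addr):
        findings.append("non_ascii_characters")
    shown = name.lower()
    claimed = [b for b, info in OFFICIAL_DOMAINS.items()
               if any(k in shown for k in info["keywords"])]
    # 3. Claims a brand in the display name but is sent from free webmail.
    if claimed and dom in FREE_WEBMAIL:
        findings.append("brand_from_free_webmail")
    # 4. Claims a brand but the sending domain is not one of that brand's official domains.
    for b in claimed:
        if dom not in OFFICIAL_DOMAINS[b]["domains"]:
            findings.append(f"claims_{b}_but_domain_{dom}")
    # 5. Sending domain contains a brand keyword but is not the official domain (nabbank.com.au).
    for b, info in OFFICIAL_DOMAINS.items():
        if dom not in info["domains"] and any(k in dom for k in info["keywords"]):
            findings.append(f"lookalike_domain_for_{b}")
    return {"name": name, "address": addr, "domain": dom, "findings": findings}


if __name__ == "__main__":
    # Constructed sample headers: the first is the guide's example, the rest are made up.
    samples = [
        "NetBankNotification@cba.ϲоm.au <margie.byrd@vanderhillsunsets.onmicrosoft.com>",
        "Microsoft Support <microsoftcustomerhelp8@gmail.com>",
        "NAB <alerts@nabbank.com.au>",
        "NAB <noreply@nab.com.au>",
    ]
    for s in samples:
        r = analyse_from_header(s)
        print(f"{r['address']:50} {r['findings'] or 'no findings'}")
```

The display name is treated purely as text: even when it looks like an address, only the part inside the angle brackets is where the mail actually came from, which is exactly the mismatch the guide's example shows.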
Fig. Example of a real phishing email (the guide’s numbered annotations are shown in square brackets).

From: NetBankNotification@cba.ϲоm.au <margie.byrd@vanderhillsunsets.onmicrosoft.com>
[1] The display name claims to be from CBA (NetBank) but the actual sending address is margie.byrd@vanderhillsunsets.onmicrosoft.com. The display name is free text chosen by the sender; here it is shaped like an email address, and the ‘c’ and ‘o’ in ‘cba.ϲоm.au’ are look-alike characters rather than Latin letters.
Sent: Thursday, 1 August 2024 12:22 PM
To: ernie.trendgrove@gmail.com
Subject: Re: Notification of Server Update and Account Verification

CommBank will never ask for your banking information like your Client ID, password, or NetCode; or include a link to log on directly from an email or SMS. Always search CommBank in a browser or use the CommBank app to securely access your banking. View this email online.
(Scammers include a security warning like this to look authentic. Notice that the email then asks you to do exactly what the warning says the bank will never do.)

Notification of Server Update and Account Verification

Dear Valued Client, [2] Generic greeting

We hope this message finds you well. We are writing to inform you of an important upcoming server update. This update is essential to enhance the security and performance of our services, ensuring your continued satisfaction and safety.

As part of this update, we are required to re-verify all client accounts. This step is mandated by local government regulations to ensure that all data and information stored on our servers remain secure and protected.

We kindly ask for your cooperation in re-verifying your account by clicked the button bellow. [3] The email asks you to verify your details by clicking the button (a link). Note the grammar and spelling errors (‘by clicked’, ‘bellow’) left as they appear in the scam. This verification process will involve confirming your account information and, if necessary, updating certain details.

We appreciate your attention and cooperation in this matter. Should you have any questions or require further assistance, please do not hesitate to contact our customer support team.

Subject lines that create a sense of urgency
Scammers use language to incite emotions such as fear, curiosity, or excitement to get your attention and create a sense of urgency. Here are some examples of what they may say to encourage you to open their email:
- Unusual activity has been detected on your account
- Your account has been suspended
- You are due to receive a refund
- Your refund failed due to incorrect bank details
- Congratulations, you’ve won a prize.
Emails that require urgent action
Once the scammer has your attention, their goal is to encourage you to click on a link in the email or download an attachment. Usually, the link takes you to a fake website that’s designed to capture your login details to important online accounts or your banking or credit card details.
Be wary of emails that deliver urgent news (good or bad) and ask you to click on a link to provide some sort of personal information. For example, they may ask you to sign in to your account, or to update or verify your personal details.
Generic greetings
Some phishing email scams use generic greetings such as ‘Dear customer’, ‘Dear user’ or no greeting at all. While it’s not unusual to receive generic emails that don’t include your name, most legitimate organisations like your bank, service providers or government agencies will use your name in the greeting. The type of greeting alone won’t give a fake email away, and the reverse is also true: a scammer who has your name from a data breach can address you personally, so be sure to look for the other signs that tell you whether the email is real.
Tips to protect yourself against phishing emails
As a general rule, you should guard your personal information online the same way you would in person. Treat requests for things like your passwords, banking information, driver licence or Medicare number with great care.
Here are a few other tips to help you stay savvy against scammers:
- When asked to provide personal information online (or even over the phone) take a moment to ask yourself whether it sounds right to you.
- Never sign in to an online account via a link in an email unless you are certain about the sender. Instead, visit the website directly by typing the address into your web browser, using a bookmark you saved earlier, or opening the organisation’s mobile app.
- Never provide your passwords, multi-factor authentication codes or one-time passcodes over email, even if the sender claims to be from your bank or a government agency.
- If you’re unsure about an email, contact the organisation it claims to be from directly – don’t use the contact details provided in the email.
- If you’ve clicked on a link that takes you to a website, always check the address bar to see whether you are on the official company web address. Look at the domain name itself, not just whether the company’s name appears somewhere in the address: a scam site can put the real name in a subdomain, in the path, or in a look-alike domain.
- Use anti-virus software to protect your devices.
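The ‘check the address bar’ tip above, as an added worked example (this code is not part of the original guide). It works out which host a browser would actually connect to for a link and explains the common tricks that put a bank’s name somewhere other than the real domain. The list of official domains is an assumption for the example (nab.com.au comes from the guide, commbank.com.au does not), and every URL in it is constructed; none is a real scam link.

```python
from urllib.parse import urlsplit

# Domains assumed to be the official ones for this example.
OFFICIAL_HOSTS = ("nab.com.au", "commbank.com.au")


def is_official_host(host):
    """True only if the host IS an official domain or a subdomain of one (read right to left)."""
    return any(host == o or host.endswith("." + o) for o in OFFICIAL_HOSTS)


def check_link(url):
    """Return the host a browser would connect to, whether it is official, and any warnings."""
    url = url.strip()
    if "://" not in url:
        url = "https://" + url          # bare 'nab.com.au/login' style links
    parts = urlsplit(url)
    # .hostname drops the user@ part and the :port and lower-cases the result,
    # which is what the browser does when deciding where to connect.
    host = (parts.hostname or "").lower()
    warnings = []
    official = is_official_host(host)
    if not official:
        userinfo = parts.netloc.rpartition("@")[0].lower()
        rest = (parts.path + "?" + parts.query).lower()
        for o in OFFICIAL_HOSTS:
            if host.startswith(o + "."):
                warnings.append(f"'{o}' is only the start of the host; the real site is {host}")
            if o in userinfo:
                warnings.append(f"'{o}' appears before '@'; the browser ignores it and goes to {host}")
            if o in rest:
                warnings.append(f"'{o}' appears in the path or query, not in the host")
    # Internationalised names may hide look-alike characters (shown as xn-- once encoded).
    if any(label.startswith("xn--") for label in host.split(".")) or any(ord(c) > 127 for c in host):
        warnings.append("internationalised host name: may use look-alike characters")
    if parts.scheme != "https":
        warnings.append("not https")
    return {"host": host, "official": official, "warnings": warnings}


if __name__ == "__main__":
    # Constructed sample links: one genuine-looking address and four deceptive shapes.
    for link in [
        "https://www.nab.com.au/personal",
        "https://nab.com.au.secure-update.example/login",
        "https://nab.com.au@secure-update.example/",
        "https://secure-update.example/nab.com.au/login",
        "https://cba.ϲоm.au/netbank",
    ]:
        r = check_link(link)
        print(f"{link}\n  host={r['host']} official={r['official']} {r['warnings']}")
```

The decisive part of a web address is the host name, and within it the last labels; everything before an ‘@’ and everything after the first ‘/’ is controlled by whoever owns that host.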
What to do if you think you’ve received a phishing email
If you’ve opened what you think could be a phishing email, don’t panic. Just be sure not to click on any links or download attachments. Instead, report phishing or suspicious emails to your email provider: reporting helps them update their filters and protect other users, and it moves the email from your inbox to the spam folder.
There should be an option to report the email when it’s opened. For example, in Gmail you can select More (the three vertical dots next to Reply) to see Report phishing. Similarly, Outlook.com (previously Hotmail) has a Report option in the email’s menu bar next to Reply.
If you’re not entirely sure whether an email is a phishing scam but it looks suspicious, you can block the sender so that further emails from that address don’t reach your inbox.
For more tips on how to keep your email account secure, see our short course, How to avoid common email scams.
Where to go for help if you’re the victim of a scam
If you’ve lost money or provided personal information to a scammer, you are not alone. It can cause extreme financial and emotional stress so it’s important to seek help. There are steps you should take if you think you’ve been scammed.
- Act quickly and contact your bank or card provider immediately to report the scam and stop any further transactions from happening.
- Change the passwords for any accounts you may have exposed, starting with your email account, and make sure the new ones are strong and not reused elsewhere.
- Contact IDCARE, a free support service for people who have been impacted by scams or identity theft. They can help you make a plan to limit the damage. Call 1800 595 160 or visit their website idcare.org
- Report the scam to Scamwatch to warn others at scamwatch.gov.au/report-a-scam
- Get support for yourself. If you don’t feel comfortable speaking to friends or family, contact Lifeline or Beyond Blue for a confidential chat.
- If you’ve lost money to a scam, watch out for follow up scams, especially someone offering to help you get your money back.
If you’ve been the victim of a scam, it’s important to share your story – it could be with your friends, family, colleagues, or community. By doing so, you can help others to spot a scam or prevent someone from having their money or personal information taken by a scammer. The more stories we hear, the better equipped we are to protect ourselves.
Test your skills
It’s time to put your phishing skills to the test. Take these quizzes to see how well you do at spotting a scam.
Australian Cyber Security Centre (ACSC)’s Think you can spot a scam? quiz includes a range of email and social media scams (you’ll need to scroll down to the bottom of the page to access the quiz). There’s also a wealth of information and advice on their website to help you secure your devices, email, and general safety online.
This phishing quiz from Google’s Jigsaw program is a little trickier, testing you on a range of current scam emails. It asks you for a made-up name and email address to make the quiz seem more realistic, so there’s no need to enter your real details.
For more information
The best protection against scams is staying up to date with current scams so you can spot the signs when you see one. Here are a few websites to help you do just that.
Scamwatch - run by the National Anti-Scam Centre, it not only collects reports about scams to help warn others, but it also provides up to date information about current scams and ways you can spot them.
ABC News Scams and Fraud page - a collection of scams related news articles.