What Is Phishing?

Phishing emails impersonate trusted organisations — banks, the ATO, Australia Post, Netflix, Amazon — to trick you into clicking a malicious link, entering your password on a fake website, or providing personal information. They are the most common entry point for identity theft and account compromise.

The Warning Signs

  1. Check the sender’s actual email address

    The display name can say anything (“Commonwealth Bank”, “ATO”, “PayPal”) but the actual email address reveals the truth. Click or hover over the sender name to see the full address. A real CBA email comes from @commbank.com.au. A phishing attempt might come from commbank-security@gmail.com, support@commbank.au.co, or any other non-official domain. If the domain does not exactly match the organisation’s official website, it is phishing.

  2. Hover over links without clicking

    Before clicking any link in an email, hover your mouse over it (on desktop) to see the actual destination URL shown in the bottom of the browser or email client. A PayPal email should link to paypal.com. If it shows a different domain, a misspelling (paypa1.com, paypal-security.com), or a URL shortener, do not click. On mobile: press and hold the link to preview the URL.

  3. Watch for urgency and threats

    Phishing emails create artificial urgency to override rational thinking: “Your account has been compromised — verify immediately or it will be closed,” “You have an unpaid tax debt — pay now to avoid prosecution,” “Your parcel cannot be delivered — update your address within 24 hours.” Legitimate organisations do not send threatening emails demanding immediate action. When in doubt, contact the organisation directly via their official website or phone number.

  4. Look for impersonal greetings

    “Dear Customer”, “Dear User”, or “Dear Account Holder” rather than your actual name is a red flag. Legitimate organisations you have an account with know your name. Generic greetings indicate a mass-sent phishing campaign rather than a communication from an organisation that knows who you are.

  5. Check for poor spelling and grammar

    Many phishing emails contain spelling mistakes, grammatical errors, or unusual phrasing — often because they originate from non-English-speaking countries or are generated hastily. A real communication from CommBank or the ATO is professionally written. Errors are not definitive proof (some phishing is sophisticated) but are a useful indicator.

  6. Verify suspicious emails through official channels

    If an email from your bank claims your account is at risk, do not click any links in the email. Instead: open a new browser tab and type your bank’s URL directly. Or call the number on the back of your card. Log in independently and check whether there is actually any issue. The ATO, banks and Australia Post will never ask you to verify credentials via an email link.
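The domain checks in signs 1 and 2 come down to one rule: the part of the address or link that actually controls delivery (the domain after the last “@”, or the hostname a browser would connect to) must be the organisation’s official domain or a subdomain of it, not merely contain it. The following Python is an added example written for this page, not code from the original article. The allowlist contains only the two official domains the article names (commbank.com.au and paypal.com); the shortener list is a small constructed sample, and `evil.example` in the sample inputs is a placeholder.

```python
from urllib.parse import urlparse

# Official domains named in the article. In practice, take this list from the
# organisation's own website, never from the email being checked.
OFFICIAL_DOMAINS = {
    "commbank": "commbank.com.au",
    "paypal": "paypal.com",
}

# A few widely used URL shorteners (constructed, non-exhaustive sample).
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "ow.ly"}


def host_of(target: str) -> str:
    """Return the lowercased host that really controls a sender or link.

    A display name such as 'Commonwealth Bank <...>' is ignored; only the
    address inside the angle brackets counts. For an email address the host is
    everything after the last '@'. For a URL it is the hostname a browser would
    resolve, so 'http://paypal.com@evil.example/login' yields 'evil.example'.
    """
    target = target.strip()
    if "<" in target and target.endswith(">"):
        target = target[target.rindex("<") + 1:-1]
    looks_like_email = "@" in target and "://" not in target and "/" not in target
    if looks_like_email:
        return target.rsplit("@", 1)[1].lower().rstrip(".")
    if "://" not in target:
        target = "http://" + target
    host = urlparse(target).hostname or ""
    return host.lower().rstrip(".")


def belongs_to(host: str, official: str) -> bool:
    """True only if host is the official domain or one of its subdomains.

    'secure.commbank.com.au' passes. 'commbank.au.co' and
    'commbank.com.au.evil.example' fail because the official domain must be the
    suffix of the host, preceded by a dot; merely containing it is not enough.
    """
    return host == official or host.endswith("." + official)


def assess(target: str, claimed_org: str) -> str:
    """Classify a sender address or link against the organisation it claims."""
    host = host_of(target)
    official = OFFICIAL_DOMAINS[claimed_org]
    if not host:
        return "no host: treat as suspicious"
    if not host.isascii():
        # Non-ASCII letters in a hostname are how lookalike characters are smuggled in.
        return f"lookalike characters in host {host!r}: treat as phishing"
    if host in SHORTENERS:
        return f"URL shortener {host}: destination hidden, do not click"
    if belongs_to(host, official):
        return f"host {host} belongs to {official}"
    return f"host {host} does not match {official}: treat as phishing"


if __name__ == "__main__":
    # Constructed samples modelled on the article's examples.
    checks = [
        ("alerts@commbank.com.au", "commbank"),
        ("commbank-security@gmail.com", "commbank"),
        ("Commonwealth Bank <support@commbank.au.co>", "commbank"),
        ("https://paypa1.com/verify", "paypal"),
        ("http://paypal.com@evil.example/login", "paypal"),
        ("https://bit.ly/3abc", "paypal"),
    ]
    for target, org in checks:
        print(f"{target!r} -> {assess(target, org)}")
```

The suffix rule is the part people get wrong by eye: a host that starts with the brand name still fails unless the official domain is what it ends with.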

Report phishing in Australia

Forward suspected scam emails to scamwatch@accc.gov.au (Scamwatch) or report at scamwatch.gov.au. ATO impersonation scams: ato.gov.au/about-ato/contact-us/report-something. Reporting helps protect others.

Frequently Asked Questions

Act immediately. If you entered a password: change that password on the real website immediately and on any other site where you use the same password. If you entered payment information: contact your bank immediately to report potential fraud and consider cancelling the card. Run a malware scan (Malwarebytes). Change your email password if email credentials were involved. Check your accounts for unusual activity. The faster you act, the more damage you can limit.

Yes — SMS phishing (smishing) is extremely common in Australia. Common examples: fake Australia Post parcel delivery texts, ATO refund texts, bank security alert texts. The same rules apply: do not click links in unexpected texts. If you receive a delivery text, track your parcel by going directly to the courier’s website. If you receive a bank text, call the number on the back of your card. Never call numbers provided in unexpected texts.