Phishing is a way that cybercriminals steal confidential information, such as online banking logins, credit card details, business login credentials or passwords/passphrases, by sending fraudulent messages (sometimes called ‘lures’).

These deceptive messages often pretend to be from a large organisation you trust to make the scam more believable. They can be sent via email, SMS, instant messaging or social media platforms. They often contain a link to a fake website where you are encouraged to enter confidential details.

How to protect yourself from phishing?

Phishing emails have been used by cybercriminals to steal financial details from Australians for a number of years (phishing emails were first observed in Australia in 2003) but have become increasingly sophisticated since then. Brands that are commonly copied include:

• state and territory police or law enforcement (fake fine scams)
• utilities such as power and gas (fake bills and overdue fines)
• postal services (parcel pick-up scams)
• banks (fake requests to update your information)
• telecommunication services (fake bills, fines or requests to confirm your details)
• government departments and service providers such as the Australian Taxation Office, Centrelink, Medicare and myGov.

It used to be easy to recognise and ignore a phishing email because it was badly written or contained spelling errors, but current phishing messages appear more genuine. It can be very difficult to distinguish these malicious messages from genuine communications. Because of phishing, it is now standard policy for many companies that they will not call, email or SMS you to:

• ask for your user name, PIN, password or secret/security questions and answers
• ask you to enter information on a web page that isn't part of their main public website
• ask to confirm personal information such as credit card details or account information
• request payment on the spot (e.g. for an undeliverable mail item or overdue fee).