What is a Phishing Scam?

Phishing scams are attempts by scammers to trick you into giving out personal information such as your bank account numbers, passwords and credit card numbers. This is usually done by including a link that takes you to a legitimate-looking company website, where you are asked to fill in your sensitive information.
Phishing messages are designed to look genuine, and often copy the format used by the organisation the scammer is pretending to represent, including their branding and logo. They will take you to a fake website that looks like the real deal, but has a slightly different address.

How does this scam work?

A scammer contacts you pretending to be from a legitimate business such as a bank, telephone or internet service provider. You may be contacted by email, social media, phone call, or text message.
The scammer asks you to provide or confirm your personal details. For example, the scammer may say that the bank or organisation is verifying customer records due to a technical error that wiped out customer data. Or, they may ask you to fill out a customer survey and offer a prize for participating.
Alternatively, the scammer may alert you to ‘unauthorised or suspicious activity on your account’. You might be told that a large purchase has been made in a foreign country and asked if you authorised the payment. If you reply that you didn’t, the scammer will ask you to confirm your credit card or bank details so the ‘bank’ can investigate. In some cases, the scammer may already have your credit card number and ask you to confirm your identity by quoting the 3 or 4-digit security code printed on the card.

Examples of recent phishing scams reported in Australia:

Example 1: Sophisticated ATO email phishing scam

The email scam tells the recipient that the ATO is trying to contact them regarding an undisclosed matter. The victim is then told to download and review a document needed to complete the process.
The scam attempts to get victims to log in to a fake page using their myGov details. Doing this hands their username and password to cybercriminals, who can use them for identity theft and fraud.

Example 2: Xero invoice email phishing scam

Cybercriminals are sending hoax invoice notifications to users, purporting to be from Xero. The body of the email is simple, advising recipients that their Xero invoice is ready and that the amount in the invoice will be debited from their credit card. A link is included to view the bill online.
Recipients who click on the link to view their invoice are led to a malicious website that asks them to confirm their credit card details.

Example 3: Medicare & Aus Post SMS scam

Scammers are sending active phishing emails and SMS pretending to be from Medicare or AusPost, telling people they are owed a rebate or that they need to pay to have their parcel delivered. The message will prompt you to enter your full name, a memorable word, a card number and a card expiry date.

Example 4: Fake ‘Account is hacked’ phishing email

Recently we have noticed a lot of ‘Your account has been hacked’ emails targeting our Kindergartens.
The scammer pretends to send the email from the Kindergarten’s own email address and asks them to pay $1000 in bitcoin to release their account. The scammer hides the real malicious email address by using the kindergarten’s own email address as the sender address, tricking kindergartens into believing that their email account has actually been hacked.
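
One way a mail administrator could check a reported message for the forged sender described in Example 4 (an added example, not part of the original article; the domains, addresses and sample message are constructed, and the function names are hypothetical):

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed sample (not a real email): the visible From is the recipient's
# own mailbox, but the envelope sender and the authentication results differ.
SAMPLE = """\
Return-Path: <bounce@mailer.example.net>
Authentication-Results: mx.kinder.example; spf=fail smtp.mailfrom=mailer.example.net; dkim=none; dmarc=fail header.from=kinder.example
From: Admin <admin@kinder.example>
To: admin@kinder.example
Subject: Your account has been hacked

Pay $1000 in bitcoin to release your account.
"""

def domain_of(header_value):
    """Return the lower-cased domain of an address header, or '' if absent."""
    addr = parseaddr(header_value or "")[1]
    return addr.rpartition("@")[2].lower() if "@" in addr else ""

def auth_results(msg):
    """Collect the first spf/dkim/dmarc verdict from Authentication-Results."""
    # Only trust this header when your own receiving mail server added it.
    verdicts = {}
    for header in msg.get_all("Authentication-Results", []):
        for part in header.split(";")[1:]:
            method, _, rest = part.strip().partition("=")
            if method in ("spf", "dkim", "dmarc") and rest:
                verdicts.setdefault(method, rest.split()[0].lower())
    return verdicts

def spoof_indicators(raw):
    """List the signs that the From address of a raw message was forged."""
    msg = message_from_string(raw)
    from_dom, to_dom = domain_of(msg["From"]), domain_of(msg["To"])
    rp_dom = domain_of(msg["Return-Path"])
    findings = []
    # A "message from yourself" that bounces to another domain is an
    # indicator, not proof: some mailing services use their own Return-Path.
    if from_dom and from_dom == to_dom and rp_dom and rp_dom != from_dom:
        findings.append("own-domain From with foreign Return-Path")
    for method, verdict in auth_results(msg).items() or ():
        if verdict != "pass":
            findings.append(f"{method}={verdict}")
    return findings

if __name__ == "__main__":
    print(spoof_indicators(SAMPLE))
```

A message that shows several of these indicators was not sent from the kindergarten’s mailbox, which means the account itself has not been taken over.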

How to protect yourself from Phishing Scams?

  • Be alert to the fact that scams exist. When dealing with uninvited contacts from people or businesses, whether it’s over the phone, by mail, email, in person or on a social networking site, always consider the possibility that the approach may be a scam.
  • Do not open suspicious texts or pop-up windows, and do not click on links or attachments in emails – delete them. If unsure, verify the identity of the contact through an independent source such as a phone book or online search.
  • Don’t respond to phone calls about your computer asking for remote access – hang up.
  • Beware of any requests for your details or money. Never send money or give credit card details, online account details or copies of personal documents to anyone you don’t know or trust.
  • Be careful when shopping online. Beware of offers that seem too good to be true, and always use an online shopping service that you know and trust.
  • Review your privacy and security settings on social media websites like Facebook and Twitter.
  • Never open an attachment (especially a .zip file or .exe file) unless you are expecting it. Files from unknown senders often contain malware or viruses.
  • Keep in mind that companies like Xero commonly use a PDF attachment to send invoices rather than a link to an external website.
  • Never trust any email or SMS asking you for your personal information like passwords, bank details etc.

Have you been scammed?

If you think you have provided your account details to a scammer, contact your bank or financial institution immediately. If you are unsure, contact our KITP helpdesk before clicking on any links in a suspicious email.

We encourage you to report to KITP any suspicious email you might have received. If you think you have been scammed, you can contact ACCC – Australian Competition & Consumer Commission and use their Report a scam page to report any scams.


Every year, scammers get more advanced and introduce new phishing strategies to bypass defences that were designed for last year’s threats. Remind yourself to second-guess requests for information, money or passwords.