How to tell a real message from a phishing scam

Have you ever received a message from your bank asking you to share private information, move money from one account to another, or perform some other eyebrow-raising task? Chances are the sender isn’t actually who they’re claiming to be, but how can you be sure?

These days, phishing messages seem to be an unavoidable part of living in the digital age. While many of us can recognise the telltale signs of a scam, cybercriminals (and the tools available to them) are getting more sophisticated by the day.

Below are some ways to help tell a phishing scam from a legitimate message, along with some steps to consider taking if you’re unlucky enough to fall victim to one.


These are messages that resemble communications from a trusted source (such as your bank, insurance company or super fund) but are actually ploys by cybercriminals to obtain your personal information.

They often contain suspicious looking links or attachments that can install malware onto your computer once clicked. This might allow scammers to make changes to your device remotely and without your knowledge.

Other giveaways can include typos, poor grammar, and urgent calls to action (such as calling a number, claiming a prize, or entering your login details). Generally, if your first impression when reading the message is that something’s off, there’s a good chance you’re right.


  • Don’t click on any links or open any attachments: Doing so can leave your device vulnerable to attack. Some red flags to watch out for include URLs that are deceptively similar to official websites, shortened URLs, and excessive use of hyphens and numbers. Even if a link doesn’t look suspicious, hover over it to see if it matches the text displayed.
  • Go directly to the source: Without interacting with the message, navigate to the official website of your bank or service provider yourself. Many companies these days will have a dedicated page explaining what they will and won’t ask for in communications to customers.
  • Call your bank or provider: For peace of mind, you can call your provider using the number listed on their website and ask them to confirm if the message you received (and any information contained within) is legitimate or not.
  • Report the message: Finally, consider taking a screenshot of the text or email so you can report the scam to the ACCC’s ScamWatch.


Even the most cautious of us can unwittingly click on a malicious URL. If you find yourself in this position, whether due to a slip of the finger or a lapse of judgement, don’t panic. Below are a few steps that might be able to minimise the damage.

  1. Turn off your internet connection: This can potentially reduce the likelihood of malware spreading to other devices on your network. If your computer is tethered to an internet router, unplug the cable. If you’re connected via Wi-Fi, turn it off using the network settings on your device or by switching off your router.
  2. Back up any files using cloud storage, an external hard drive, or a USB: This is to prevent your files from becoming infected with malware, but it can also give you peace of mind that they won’t be lost if you have to perform a factory reset.
  3. Run an antivirus scan: If you already have antivirus software installed, run a scan and do not use your computer until it is finished. This should be able to identify any suspicious files that were installed on your computer and either remove or quarantine them. Alternatively, you can take your device to a professional to have it looked at.
  4. Change your passwords and PINs: It’s good practice to change the passwords on your accounts every few months, but doing so after your computer has been compromised is strongly advised. Try to create stronger passwords that you haven’t used before.

You will also need to alert your bank or service provider so they can put the appropriate controls in place. Depending on the nature of the scam and how recently it took place, they might be able to block any suspicious activity.


Scammers can go to great lengths to impersonate people or institutions that you trust. These days, phishing messages can appear in the same message thread as actual communications from your bank. And a single phishing message might conceal an entire team of scammers, with people ready to pick up the phone to ‘confirm’ a claim once a victim calls the number in a message.

If you receive a text or email that raises alarm bells in your head, stay calm and try to avoid making any hasty decisions. Remember that a real organisation wouldn’t put you in a position where you’re under pressure to act — and if you’re still uncertain, go directly to the source to confirm.