I was so confident in my ability to spot a phishing email that I told my cyber security team I’d make sure to click theirs and not instinctively report or delete it. I knew I’d been had when I saw my colleague smiling an hour later.

Even I need to remember to always be sceptical of the unexpected.

Scepticism comes instinctively after a decade in journalism and so I was confident I’d spot the phishing email the team needed me to click for testing.

Scams Awareness Week: five ways in five days to free and easy cyber security


Be sceptical of unexpected communications, regardless of the sender, and on what platform it is made and sent. Contact the sender on official sources and report any suspected phishing breach to your security or IT teams.

They sent a phishing email offering six months of free music streaming. It was perfect bait since I was deciding what service to use.

I was fully expecting free music. My face fell into my hands as realisation dawned.

Falling victim to that phishing email popped my bubble of subconscious confidence, but it doesn’t make me an idiot or even an easy mark.

Phishing emails, like any advertising, work best when their well-crafted pitch hits the right audience at the right time.

Look for tpyos typos

Phishing often contains typos and offers too good to be true, but traditional advice to look for these indicators misses the mark.

Many security practitioners, myself included, argue there are now no rules to phishing and no useful hallmarks for spotting it. Traditional indicators could even be harmful if they lull people into thinking well-written emails are more credible.

Discover for yourself and imagine the role of a criminal writing a phishing email. What lure would you write to interest your target? Could you write one free of typos? What lure would you pick if you were emailing 20,000 people?

My team wrote a good lure. It copied branding that didn’t seem out of place for my inbox. But ultimately the email’s chance timing coinciding with my hunt for a music service was so good that I probably would not have noticed typos or wonky logos.

Better advice than hallmarks of phishing is to be sceptical of unexpected communication, regardless of the sender and on what service the message appears.

An email from your bank, an SMS from your energy supplier; a phone call from your telecommunications provider; or direct message on your social platforms should be treated as untrusted.

Confirm whatever the communication claims with the entity’s official phone or email address and not those offered in the unexpected contact.

The inconvenience will go far to increase your cyber security defences.

Simple superweapon

Phishing is not going away.

It is the simple superweapon behind most successful cyberattacks from basic scammers to the most well-resourced nation-state intelligence agencies.

Technical controls can do much by blocking phishing and limiting the potential damage from successful attacks. But much comes down to your ability to detect and react.

Emotet, one of the most dangerous cyberattacks at present, spreads a variety of malicious payloads using phishing. These emails may come from people you know delivered as replies to email threads. But they may still raise some suspicion.

Always report any possible phishing to your security or IT team, even if it is days or weeks after the incident, especially if you have entered your logins or run attachments.

Security teams can utilise the window between phishing and stolen usernames and passwords being used in attacks to protect you and your organisation.

Scams Awareness Week runs from August 17 – 21. Make sure to check out our Cyber Security Hub for the latest info on staying safe from threats. Also see the ACCC’s ScamWatch podcast series on identity theft by the team at the ABC’s The Chaser