Phishing attacks are the leading cause of data breaches in Australia. In 2025, the Australian Signals Directorate reported that over $84 million was lost to business email compromise — a form of targeted phishing — in a single year. Despite sophisticated email filters and firewalls, attackers consistently find one reliable vulnerability: people.
The good news? With the right knowledge, your team can be your strongest line of defence. Here are the 8 tell-tale signs of a phishing email that every Australian employee should know.
1. The Sender's Email Address Doesn't Match the Organisation
One of the oldest tricks in the phishing playbook — and still one of the most effective. Attackers will create addresses that look legitimate at a glance:
- Lookalike domains: support@anz-bank.com.au instead of support@anz.com.au
- Subdomain abuse: noreply@anz.com.au.secure-login.net — the real domain is secure-login.net
- Character substitution: replacing an 'l' with a '1' or an 'O' with a '0'
Always check the full email address — not just the display name. Display names like "ANZ Bank" can be set to anything by the sender.
Quick tip: On mobile, tap the sender's name to reveal the actual email address. Don't just read the display name at face value.
2. Urgent or Threatening Language
Phishing emails are engineered to trigger panic. Common phrases include:
- "Your account will be suspended in 24 hours"
- "Immediate action required — your payment has failed"
- "Unusual sign-in activity detected — verify now"
- "Your tax return has been flagged by the ATO"
Legitimate organisations almost never demand immediate action under threat of severe consequences. When you feel that rush of anxiety, pause — that's exactly what the attacker wants. Take a breath and verify the message through another channel.
3. Generic Greetings
A legitimate email from your bank, government agency, or supplier will usually address you by name. Phishing emails are sent at scale, so they often use vague greetings like "Dear Customer," "Dear User," or "Dear Account Holder."
If your bank says "Dear Valued Customer" instead of your actual name, treat it with suspicion.
4. Suspicious Links — Check Before You Click
Before clicking any link in an email, hover over it to see where it actually goes. Look for:
- URLs that don't match the organisation (e.g., clicking an "ATO" link that goes to taxrefund.biz)
- Shortened URLs (bit.ly, tinyurl) — these hide the real destination
- HTTP instead of HTTPS — though note that many phishing sites now use valid HTTPS certificates, so a padlock on its own doesn't prove a site is genuine
- Long strings of random characters in the URL
On mobile: Press and hold a link to preview the URL before tapping. If you're unsure, don't click — type the website address directly into your browser instead.
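The sender-address checks from sign 1 and the "hover before you click" link checks from sign 4 can both be automated, which is what a mail gateway or a reporting add-in does behind the scenes. The script below is an added example, not code from Shield Axis or the usecure platform. It assumes a small allow-list of domains the organisation expects mail from, a hand-made list of URL shorteners, and a simplified registrable-domain rule; a production tool would use the Public Suffix List and a fuller homoglyph table.

```python
"""Added example, not code from Shield Axis or usecure: automated versions of
the sender-address checks (sign 1) and the link checks (sign 4) above.
Assumed, not from the article: the allow-list, the shortener list and the
simplified registrable-domain rule (real tools use the Public Suffix List)."""
import re
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

TRUSTED_DOMAINS = {"anz.com.au", "ato.gov.au"}  # constructed allow-list
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co"}  # constructed list
MULTI_PART_SUFFIXES = {"com.au", "gov.au", "net.au", "org.au", "co.uk"}
_HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})


def registrable_domain(host: str) -> str:
    """Part of a hostname someone had to register: anz.com.au.secure-login.net -> secure-login.net."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_PART_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def check_sender(from_header: str) -> list[str]:
    """Findings for the display-name and lookalike-domain tricks of sign 1."""
    display, address = parseaddr(from_header)
    if "@" not in address:
        return ["sender address could not be parsed"]
    host = address.rsplit("@", 1)[1].lower()
    domain = registrable_domain(host)
    if domain in TRUSTED_DOMAINS:
        return []
    findings = [f"untrusted domain: {domain}"]
    for trusted in TRUSTED_DOMAINS:
        org, first = trusted.split(".")[0], domain.split(".")[0]
        if trusted in host:  # real domain buried inside a longer hostname
            findings.append(f"subdomain abuse: {trusted} inside {host}")
        if org != first and org in first:  # anz -> anz-bank
            findings.append(f"lookalike of {trusted}: {domain}")
        if domain.translate(_HOMOGLYPHS) == trusted:  # at0 -> ato
            findings.append(f"character substitution for {trusted}: {domain}")
        if re.search(rf"\b{org}\b", display.lower()):  # display name claims the org
            findings.append(f"display name '{display}' does not match {domain}")
    return findings


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs so the two can be compared."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def check_links(html_body: str) -> list[str]:
    """Findings for the link red flags of sign 4, judged on the real href."""
    collector = _LinkCollector()
    collector.feed(html_body)
    findings = []
    for href, text in collector.links:
        target = urlparse(href)
        host = (target.hostname or "").lower()
        domain = registrable_domain(host) if host else ""
        if target.scheme == "http":
            findings.append(f"plain HTTP: {href}")
        if domain in SHORTENERS:
            findings.append(f"shortener hides the destination: {href}")
        elif domain and domain not in TRUSTED_DOMAINS:
            findings.append(f"untrusted destination {domain}: {href}")
        if re.search(r"[A-Za-z0-9]{32,}", target.path + target.query):
            findings.append(f"long random-looking string: {href}")
        if "." in text and " " not in text:  # visible text looks like an address
            shown = urlparse(text if "://" in text else "https://" + text).hostname or ""
            if shown and registrable_domain(shown) != domain:
                findings.append(f"text shows {shown} but link goes to {host}")
    return findings


# Constructed sample message using the kinds of tricks listed above
SAMPLE_FROM = '"ANZ Bank" <noreply@anz.com.au.secure-login.net>'
SAMPLE_HTML = (
    "<p>Dear Customer, unusual sign-in activity detected.</p>"
    '<a href="http://bit.ly/3xyz">Verify your account now</a> or '
    '<a href="https://taxrefund.biz/claim">www.ato.gov.au/refund</a>'
)

if __name__ == "__main__":
    for finding in check_sender(SAMPLE_FROM) + check_links(SAMPLE_HTML):
        print("FLAG:", finding)
```

The point of `registrable_domain` is the one the article makes about subdomain abuse: what matters is the part of the hostname somebody had to register, not the familiar name at the front. The link check deliberately compares the visible text against the `href`, because "www.ato.gov.au/refund" as link text tells you nothing about where the link actually goes.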
5. Unexpected Attachments
Did you receive an invoice you weren't expecting? A "shipping notification" for a package you didn't order? A PDF from someone you've never heard of?
Malicious attachments commonly disguise themselves as:
- PDF invoices or statements
- Word or Excel documents (especially those asking you to "enable macros")
- ZIP files containing executable files (.exe, .js, .bat)
Never enable macros in an unexpected document. Legitimate business documents rarely require you to lower your security settings.
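The attachment checks a mail gateway applies are worth seeing in code: the executable types and double extensions listed above, plus looking inside ZIP containers, which is also how macro-enabled Office files are detected, since a .docm or .xlsm is a ZIP and carries its macros in a vbaProject.bin part. The script is an added example, not Shield Axis or usecure code; the extension lists and the sample files are constructed here and the file contents are placeholders.

```python
"""Added example, not code from Shield Axis or usecure: a mail-gateway style
check for the attachment red flags of sign 5 (executables, double extensions,
macro-enabled Office files). Extension lists and samples are constructed here."""
import io
import zipfile
from pathlib import PurePosixPath

EXECUTABLE_SUFFIXES = {".exe", ".js", ".bat", ".cmd", ".scr", ".vbs", ".hta", ".ps1", ".lnk", ".msi"}
DOCUMENT_SUFFIXES = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg", ".png"}


def check_filename(name: str) -> list[str]:
    """Flag executable types and 'invoice.pdf.exe' style double extensions."""
    suffixes = [s.lower() for s in PurePosixPath(name).suffixes]
    findings = []
    if suffixes and suffixes[-1] in EXECUTABLE_SUFFIXES:
        findings.append(f"{name}: executable type {suffixes[-1]}")
        if len(suffixes) > 1 and suffixes[-2] in DOCUMENT_SUFFIXES:
            findings.append(f"{name}: double extension disguised as {suffixes[-2]}")
    return findings


def check_attachment(name: str, data: bytes) -> list[str]:
    """Check the name, then look inside ZIP containers (including OOXML Office files)."""
    findings = check_filename(name)
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return findings
    with zipfile.ZipFile(io.BytesIO(data)) as archive:
        members = archive.namelist()
    # .docm/.xlsm files are ZIPs; a vbaProject.bin part means VBA macros are present
    if any(PurePosixPath(m).name == "vbaProject.bin" for m in members):
        findings.append(f"{name}: Office document contains VBA macros")
    for member in members:  # executables hidden inside a ZIP
        findings.extend(f"{name} -> {f}" for f in check_filename(member))
    return findings


def _make_zip(entries: dict[str, bytes]) -> bytes:
    """Build a small in-memory ZIP for the constructed samples below."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        for member, content in entries.items():
            archive.writestr(member, content)
    return buf.getvalue()


# Constructed samples (contents are placeholders, not real files)
SAMPLE_PDF = b"%PDF-1.4 placeholder statement"
SAMPLE_ZIP = _make_zip({"Invoice_4471.pdf.exe": b"MZ placeholder"})
SAMPLE_XLSM = _make_zip({
    "[Content_Types].xml": b"<Types/>",
    "xl/workbook.xml": b"<workbook/>",
    "xl/vbaProject.bin": b"\x00placeholder",
})

if __name__ == "__main__":
    for name, data in [("statement.pdf", SAMPLE_PDF), ("Invoice.zip", SAMPLE_ZIP),
                       ("Q3_report.xlsm", SAMPLE_XLSM)]:
        print(name, check_attachment(name, data) or "no findings")
```

Run as a script it prints nothing for the PDF, two findings for the ZIP (an executable, disguised with a .pdf double extension) and one for the spreadsheet (macros present), which is the same judgement the article asks a reader to make by eye before opening anything unexpected.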
6. Requests for Sensitive Information
No legitimate organisation — your bank, the ATO, Medicare, or your IT department — will ever ask you to provide passwords, credit card numbers, or multi-factor authentication codes via email.
If someone asks you to reply with your password or click a link and "log in to verify," stop immediately. This is always a red flag.
7. Poor Grammar, Spelling, or Formatting
While sophisticated phishing emails can look remarkably polished, many still contain telltale signs:
- Spelling mistakes or grammatical errors
- Awkward phrasing ("Your account has problem")
- Inconsistent fonts or logo proportions
- Images that look slightly blurry or distorted (signs they've been ripped from legitimate sources)
8. The "Too Good to Be True" Offer
Not all phishing emails use fear — some use greed. Watch out for:
- "Congratulations! You've been selected for a $500 gift card"
- "Unclaimed refund of $1,247.00 from the ATO — click here to receive"
- "You've inherited funds — please provide your bank details"
If an email is offering something that sounds too good to be true, it almost certainly is.
What to Do If You Receive a Suspicious Email
- Don't click, don't reply, don't download — just pause.
- Report it to your IT team or security contact immediately.
- Verify independently — if it looks like it's from your bank, call the number on the back of your card, not the one in the email.
- Delete the email once reported.
- If you clicked — report it immediately. The sooner you act, the better the outcome.
Already clicked something suspicious? Don't panic — but do act fast. Change your passwords immediately, alert your IT team, and check if any sensitive information was entered. The faster you respond, the less damage is done.
The Real Solution: Ongoing Training
Knowing these signs is a great start — but one-off training isn't enough. Attackers constantly evolve their techniques. The most effective defence is regular, automated security awareness training combined with realistic phishing simulations that keep your team sharp.
At Shield Axis, we use the usecure platform to run automated training and simulated phishing campaigns for Melbourne businesses of all sizes. Clients typically see phishing click rates drop from 20–30% to under 5% within 90 days.