Skip to end of metadata
Go to start of metadata

Phishing is a popular form of cybercrime because of how effective it is. Cybercriminals will regularly send targeted emails and SMS/text messages to individuals to attempt to get people to give out personal or confidential information, including credit card information, username and passwords or other sensitive information.

The best defence is awareness and knowing what to look for.

It's OK to be cautious & be safe

Phishing attacks are common and routine - it's OK to err on the side of caution, and question the legitimacy of any email sent to you. If in doubt, call the person who sent you the email to validate it's authenticity, or contact the IT Service Desk.

Some methods to recognise phishing emails

  • Suspicious links - the links that appear in an email body may go to somewhere unexpected, always rest/hover your mouse over any links which will reveal the real web address and don't click any suspicious links.
  • Unexpected or suspicious attachments - Word documents are regularly used to spread malware and viruses, if you receive an unexpected or suspicious attachment - do not open it.
  • Urgent call to action or threats - be suspicious of any email that claims that you must click, call, or open an attachment with urgency. A common attack method is to claim something is time sensitive creating a false sense of urgency. Whenever you see a message calling for immediate action, pause, and look carefully at the message - are you sure it's real? Slow down and be safe.
  • First time or infrequent sender - whilst it's not unusual to receive an email from someone new for the first time, especially if they are outside your organisation. New senders can be a sign of phishing campaign, so take a moment and examine the email carefully for suspicious links, what the sender address is.
  • Mismatched email domains - if the email claims to be from a reputable company, like Microsoft or your NAB bank, but the email is being sent from another email domain like gmail.com, or microsoftsupportteam.com or thenabbank.com - it's a scam. Also be watchful for very subtle misspelling of a legitimate domain name, like micr0soft.com ("0" instead of "o") or naab.com.au (NAB business name doesn't have double "aa").

How to report a phishing email

Don't forward to other staff

Do not forward suspicious or suspected phishing emails to other staff, by doing so - you are spreading the phishing attack and giving legitimacy to the original email leading to staff feeling safe to click links.

  1. Within Microsoft Outlook, select the suspicious message.
  2. From the ribbon, choose Report message and then select Phishing.

This is the fastest way to report it and remove the message from your Inbox, and it will help Microsoft improve their filters so that you or other staff will receive fewer of these attacks in the future.