Phishing in the Australian Context: The Latest Scams to Watch Out For

We’ve all seen them: the urgent email from a “bank” you don’t use, the text message claiming a package is “stuck in transit,” or the social media message from a “friend” asking for an urgent loan.

Phishing scams are a global problem, but in Australia, cybercriminals are getting smarter, tailoring their attacks to exploit local events, services, and trusted brands. These scams are no longer easy to spot; they’re sophisticated, highly convincing, and can be devastating to both individuals and businesses.

At Orro, our Australian-based Security Operations Centres (SOCs) see these threats every single day. Here’s our guide to the latest phishing scams making the rounds in Australia, and how you can protect yourself and your business.

The Top 3 Phishing Scams Targeting Australians Right Now

Cybercriminals are masters of social engineering, preying on our trust, fear, and desire for convenience. Here are some of the most common scams we’re seeing.

1. The Fake Delivery and Toll Scams

  • The Scam: You receive a text message (often called “smishing”) that appears to be from Australia Post, Toll, Linkt, or a similar delivery service. The message claims a package is on hold due to an unpaid fee or asks you to update your delivery details by clicking a link.
  • The Trap: The link directs you to a fake website that looks identical to the real one. It asks you for a small “delivery fee” and your credit card details. This isn’t just about the small fee; the criminals are stealing your credit card information for future fraudulent purchases.
  • What to Watch Out For: Look for generic greetings (“Hi there!”), unusual or shortened URLs (e.g., bit.ly), and a sense of urgency. Real delivery companies will rarely ask for payment via a random text message.

2. The Business Email Compromise (BEC) Scam

  • The Scam: This is one of the most financially damaging scams for Australian businesses. An attacker, having compromised an executive’s or vendor’s email account, sends a fraudulent invoice or a request for a funds transfer. They use perfect grammar, familiar language, and the company’s real branding. The request often has a tone of urgency, such as “Urgent payment needed by end of day.”
  • The Trap: The email will instruct you to send money to a new bank account, which is controlled by the criminal. The victim, believing the request is genuine, makes the transfer, and the money is almost impossible to recover.
  • What to Watch Out For: Always verify any request for a change in banking details or a large payment via a secondary method—a phone call to a known number, or a separate email thread. Never reply directly to the suspicious email.

3. The Impersonation of Government Agencies & Banks

  • The Scam: Scammers pretend to be from trusted Australian government agencies like the ATO, myGov, or Services Australia. They might claim you are owed a tax refund, or that your account has been locked. Alternatively, they may impersonate major Australian banks, like CommBank, ANZ, or NAB, and send a text or email claiming “unusual activity” on your account, directing you to a fake login page.
  • The Trap: By leveraging the trust Australians place in these institutions, the scammers trick you into clicking a link and entering your personal details, tax file number (TFN), or banking credentials.
  • What to Watch Out For: No legitimate Australian government agency or bank will ever ask you to provide personal details or account information via a link in a text message or email. Always go directly to the official website by typing the address yourself.

How to Protect Yourself and Your Business

Being able to spot these scams is your best defence. Here are some simple, yet powerful, rules to follow:

  1. Stop, Look, and Think: Always pause before clicking a link or providing information. Scammers rely on your instinct to react quickly. Take a moment to assess the situation.
  2. Verify the Source: Don’t trust the name in the “From” field. Hover over the sender’s email address to see the actual address. If it’s a mix of random letters or a public domain (like @gmail.com), it’s almost certainly a scam.
  3. Check for Spelling and Grammar: While phishing emails are getting more sophisticated, spelling and grammatical errors are still a common giveaway.
  4. Use Official Channels: If an email or message seems suspicious, contact the company directly using a phone number or website you find yourself—not the one provided in the message.
  5. Enable MFA: Multi-Factor Authentication (MFA) is the single most effective barrier against phishing. Even if a criminal steals your password, they can’t get into your account without that second verification step.
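The "Verify the Source" rule above can be partly automated. The following is an added example, not Orro's own code: it compares the display name in a From header with the actual sending domain. The brand-to-domain list, the freemail list and the sample headers are illustrative assumptions constructed for this example.

```python
import re
from email.utils import parseaddr

# Assumption: illustrative allow-list for some brands named in the article.
# A real deployment maintains and verifies its own list.
BRAND_DOMAINS = {
    "australia post": {"auspost.com.au"},
    "ato": {"ato.gov.au"},
    "mygov": {"my.gov.au"},
    "commbank": {"commbank.com.au"},
    "nab": {"nab.com.au"},
}
# Assumption: a small sample of public mailbox providers.
FREEMAIL = {"gmail.com", "outlook.com", "hotmail.com", "yahoo.com"}


def domain_matches(domain, allowed):
    """True if domain equals an allowed domain or is a subdomain of one."""
    return any(domain == d or domain.endswith("." + d) for d in allowed)


def check_from_header(from_header):
    """Return a list of warnings for one raw From: header value."""
    display, address = parseaddr(from_header)
    if "@" not in address:
        return ["no parsable sender address"]
    domain = address.rsplit("@", 1)[1].lower()
    warnings = []
    if domain in FREEMAIL:
        warnings.append("public mailbox domain: " + domain)
    for brand, allowed in BRAND_DOMAINS.items():
        # Whole-word match so "ato" does not fire on "Operator".
        claimed = re.search(r"\b" + re.escape(brand) + r"\b", display.lower())
        if claimed and not domain_matches(domain, allowed):
            warnings.append(f"display name claims '{brand}' but domain is {domain}")
    return warnings


if __name__ == "__main__":
    # Constructed sample headers, not taken from real messages.
    for header in [
        "ATO Refunds <ato.refund2024@gmail.com>",
        '"Australia Post" <tracking@auspost.com.au.parcel-fee.example>',
        '"Australia Post" <noreply@notifications.auspost.com.au>',
    ]:
        print(header, "->", check_from_header(header) or "no warnings")
```

An empty result only means the visible address is consistent with the display name. It does not prove the message is genuine, since a From header can be forged and, as in the BEC scenario above, a real account may be compromised.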

Orro: Your Partner in Cybersecurity

At Orro, we believe that education is the first step to a stronger defence. We provide comprehensive Security Awareness Training that empowers your team with the knowledge to spot and report phishing scams, turning them from a potential vulnerability into an active line of defence.

Our Managed Security services also provide the technical controls—including advanced email filtering and continuous monitoring—that help stop these threats before they even reach your inbox.

Stay vigilant, stay informed, and stay secure.

Contact Orro today to learn how our solutions can protect your business from the latest cyber threats.

 
