Simple Ways to Spot and Stop Phishing Emails
Phishing remains one of the most common and costly cyber threats facing Australian businesses. It is no longer limited to obvious scam emails full of spelling mistakes. Today’s phishing attacks can look professional, personalised and urgent. Some appear to come from banks, cloud storage platforms, government agencies, suppliers, executives or even colleagues inside your own organisation.
For small and medium-sized businesses, the risk is especially serious. A single employee clicking a malicious link can expose passwords, customer records, financial systems, email accounts or business data. In some cases, phishing also leads to ransomware, business email compromise, identity theft and unauthorised payments.
The threat continues to grow in Australia. The Australian Cyber Security Centre reported more than 84,700 cybercrime reports in FY2024–25, with an average report made every six minutes. For businesses, the average self-reported cost of cybercrime per report rose to $80,850. Email compromise and business email compromise were among the top cybercrimes reported by businesses.
Scamwatch also warns that phishing scammers impersonate trusted people and organisations through emails, texts, phone calls, messages and fake websites. They commonly create urgency to make people click links, download attachments or share private information.
Understanding how phishing works is one of the best ways to protect your business. In this guide, our IT support and cybersecurity team in Perth explains the most common types of phishing emails, how to recognise warning signs and what practical steps your organisation can take to stay protected.
What Is Phishing?
Phishing is a form of social engineering where cybercriminals trick people into giving away confidential information or performing unsafe actions. This may include sharing passwords, online banking details, credit card numbers, business login credentials, one-time passcodes, personal information or payment authorisation.
Most phishing attacks begin with a message that looks genuine. The email may appear to come from a trusted company, a government department, a courier service, a cloud storage platform, a manager or a supplier. The goal is to make the recipient act quickly before they have time to think.
A phishing email may ask you to:
- Click a link to verify your account
- Download an attachment
- Reset your password
- Approve an invoice
- Update payment details
- Sign into a fake portal
- Share a one-time code
- Transfer money urgently
- Confirm sensitive business information
According to the Australian Cyber Security Centre, phishing messages may try to steal banking logins, passwords, credit card details, account access or verification codes. Some may also ask users to scan QR codes or link devices, which can give attackers access to accounts.
Phishing is dangerous because it targets people, not just technology. Even a well-secured business can be exposed if an employee is pressured into clicking a convincing link or approving a fraudulent request.
Why Phishing Emails Are So Effective
Phishing works because it uses human behaviour against us. Attackers rely on trust, fear, curiosity, urgency and routine.
For example, an employee may click a fake Microsoft 365 login link because they use Microsoft every day. A finance officer may approve a payment because the email appears to come from the CEO. A receptionist may open a fake delivery notice because the business receives parcels regularly. A staff member may enter credentials into a fake Dropbox page because the message looks like a shared document from a client.
Modern phishing campaigns are also becoming more difficult to detect. Attackers can copy branding, use real company names, create convincing email templates and gather personal details from LinkedIn, websites and social media. Artificial intelligence tools can also help scammers write cleaner emails with fewer grammar mistakes, making older warning signs less reliable.
This is why businesses need a layered approach. Staff awareness is important, but it should be supported by technical controls such as multi-factor authentication, email filtering, secure backups, endpoint protection, password management and clear approval procedures.
1. Deceptive Phishing
Deceptive phishing is one of the most common forms of phishing. In this type of attack, the scammer impersonates a trusted organisation to steal information or trigger an unsafe action.
The email may look like it comes from a bank, software provider, courier company, government agency, payment platform, telecommunications provider or online account service. It may claim that there is a problem with your account, an overdue payment, a failed delivery, suspicious activity or a required security update.
The email usually includes a link to a fake website that looks similar to the real one. When the user enters their details, the attacker captures the information.
Common examples of deceptive phishing
You may receive an email claiming:
- Your bank account has been locked
- Your Microsoft 365 password has expired
- Your email storage is full
- Your tax refund is ready
- A parcel delivery has failed
- Your payment method needs updating
- Your account will be suspended
- You must verify your identity immediately
The message often creates urgency. It may say you have only a few hours to respond, your account will be closed or a payment will be rejected. This pressure is designed to stop you from checking whether the message is genuine.
How to recognise deceptive phishing
- The sender address does not match the official organisation
- The greeting is generic, such as “Dear customer”
- The email asks for personal or financial information
- The message contains unexpected links or attachments
- The link address looks slightly different from the real website
- The email uses threats, urgency or fear
- The branding looks slightly wrong
- The message asks you to log in through a link
Scamwatch advises that phishing emails often involve urgent action, mismatched sender details, website addresses that are slightly different from normal and messages that do not use your proper name.
How to protect your business
Do not click links in unexpected emails. Instead, go directly to the official website by typing the address into your browser or using a trusted bookmark. If the message claims to be from a supplier, bank or service provider, contact them through verified contact details.
Businesses should also use email filtering, DNS filtering, multi-factor authentication and staff training to reduce the risk of deceptive phishing.
2. Spear Phishing
Spear phishing is a targeted form of phishing. Unlike general phishing emails sent to thousands of people, spear phishing is personalised to a specific person, team or business.
The attacker may research the target before sending the email. They may use information from LinkedIn, company websites, social media, public registers, press releases or previous data breaches. The email may include the recipient’s name, job title, department, supplier name, project details or other information that makes the message feel legitimate.
Because spear phishing is more personal, it can be harder to spot.
Common examples of spear phishing
A spear phishing email may appear to come from:
- A client sending a project file
- A supplier sharing an updated invoice
- A recruiter contacting an employee
- A manager requesting a document
- A software provider asking for login confirmation
- A colleague sharing a cloud document
- A professional contact following up from an event
For example, an employee may receive an email that appears to be from a real supplier. The message says, “Hi Sarah, please see the updated April invoice for the Perth office attached.” If Sarah works in accounts and the business really does use that supplier, she may be more likely to open the attachment.
How to recognise spear phishing
Spear phishing may not have obvious spelling mistakes. Instead, watch for subtle warning signs:
- The request is unusual for that person or supplier
- The sender’s email address is slightly different
- The tone does not match previous communication
- The attachment is unexpected
- The email asks for login details, payment changes or confidential files
- The message creates pressure to act quickly
- The sender refuses to use normal communication channels
- The link leads to a login page you were not expecting
One of the best ways to detect spear phishing is to focus on behaviour, not just appearance. Ask: Is this request normal? Was I expecting this file? Would this person usually ask me to do this by email?
How to protect your business
Train employees to verify unusual requests through a second channel. For example, if a supplier sends new bank account details, call them using a phone number already on file, not a number included in the email.
Limit the amount of staff information published publicly where possible. Review what your website and social media profiles reveal about job roles, reporting lines, email formats and internal processes.
Businesses should also apply multi-factor authentication, endpoint protection and security awareness training that includes real-world spear phishing scenarios.
3. CEO Fraud and Whaling
CEO fraud, also known as whaling, targets senior executives or impersonates them. These attacks often aim to trick employees into transferring money, sharing confidential data or approving urgent business actions.
The term “whaling” is used because attackers go after high-value targets such as CEOs, directors, business owners, finance managers, executives or senior decision-makers.
In many cases, the attacker does not need to compromise the CEO’s real email account. They may create a lookalike email address or spoof the sender name. For example, an email may appear to come from “John Smith, CEO”, but the actual address may be slightly different from the company domain.
Common examples of CEO fraud
- “I need you to process this payment urgently.”
- “Are you available? I need a confidential favour.”
- “Please purchase gift cards for a client event.”
- “Send me the payroll report before the meeting.”
- “Update this supplier’s bank details today.”
- “Do not call me; I’m in a meeting.”
These messages often use authority and secrecy. The attacker wants the employee to feel pressured, helpful and unable to question the request.
Why CEO fraud is dangerous
CEO fraud can lead directly to financial loss. If an accounts employee receives a convincing request from someone they believe is the business owner or managing director, they may process a payment before realising the message was fake.
It can also expose sensitive company data. Attackers may request payroll files, tax information, employee records, customer lists, contracts or login details.
Business email compromise is a major concern for Australian organisations. The ACSC’s 2024–25 business factsheet lists business email compromise fraud resulting in financial loss among the top cybercrimes reported by businesses.
How to recognise CEO fraud
Warning signs include:
- The request is urgent and unusual
- The sender asks for secrecy
- The email avoids normal approval processes
- The message asks for a payment, gift cards or bank detail changes
- The executive says they are unavailable by phone
- The email address is slightly different
- The request is sent outside normal business hours
- The wording does not sound like the executive
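The sender-detail warning signs listed for deceptive phishing, spear phishing and CEO fraud above (a mismatched or slightly different sender address, a display name that borrows an executive's name) can be checked mechanically before an email reaches a person. The following is an added example, not the guide's or any vendor's code, using only the Python standard library; the trusted domains, executive names and sample messages are constructed for illustration.

```python
"""Flag sender-detail warning signs: an executive's display name on an external
address, a domain one or two characters off a trusted one, and a Reply-To that
does not match the From address. Domains and names below are assumptions."""
from email import message_from_string
from email.utils import parseaddr

TRUSTED_DOMAINS = {"example-firm.com.au", "supplier-example.com"}  # assumption
EXECUTIVES = {"john smith"}  # display names attackers would borrow (assumption)


def levenshtein(a, b):
    """Edit distance, used to catch domains one or two characters off a real one."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(addr):
    return addr.rpartition("@")[2].lower() if "@" in addr else ""


def lookalike_of(domain, trusted=TRUSTED_DOMAINS):
    """Return the trusted domain that `domain` imitates, or None if it is genuine or unrelated."""
    if not domain or domain in trusted:
        return None
    plain = domain.replace("rn", "m").replace("0", "o").replace("1", "l")  # confusables
    for real in trusted:
        if plain == real or levenshtein(domain, real) <= 2:
            return real
    return None


def analyse_sender(raw_email):
    """Return human-readable findings; an empty list means no sender warning sign."""
    msg = message_from_string(raw_email)
    findings = []
    name, addr = parseaddr(msg.get("From", ""))
    from_domain = domain_of(addr)
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    reply_domain = domain_of(reply_addr)
    if any(e in name.lower() for e in EXECUTIVES) and from_domain not in TRUSTED_DOMAINS:
        findings.append(f"display name {name!r} matches an executive but {addr} is external")
    imitated = lookalike_of(from_domain)
    if imitated:
        findings.append(f"sender domain {from_domain} looks like {imitated} but is not the same")
    if reply_domain and reply_domain != from_domain:
        findings.append(f"Reply-To domain {reply_domain} differs from From domain {from_domain}")
    return findings


# Constructed samples: a CEO-fraud attempt (note 'rn' in place of 'm') and a genuine message.
SAMPLE_CEO_FRAUD = """\
From: "John Smith, CEO" <john.smith@example-firrn.com.au>
Reply-To: <john.smith.ceo@webmail-example.net>
To: accounts@example-firm.com.au
Subject: Urgent and confidential

Are you available? I need a confidential favour. Do not call me.
"""
SAMPLE_GENUINE = """\
From: John Smith <john.smith@example-firm.com.au>
To: accounts@example-firm.com.au
Subject: Board papers

Please send the Q3 pack when it is ready.
"""
```

Running `analyse_sender(SAMPLE_CEO_FRAUD)` returns three findings (impersonated executive, lookalike domain, mismatched Reply-To), while the genuine message returns none.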
How to protect your business
Create strict payment approval procedures. No payment, bank detail change or sensitive data transfer should be approved based only on an email.
Use multi-factor authentication for email accounts, especially executive and finance accounts. Set up alerts for suspicious login activity and forwarding rules. Attackers sometimes create hidden forwarding rules after compromising an inbox so they can monitor conversations.
Senior management should also complete cybersecurity awareness training. Executives are often highly targeted, and they need to understand both the technical and human risks.
4. Pharming and Fake Login Pages
Pharming is different from a standard phishing email because it can redirect users to a fake website even when they think they are visiting a legitimate one. It may involve compromising DNS settings, poisoning cached DNS records or manipulating website redirection.
While pharming is more technical than standard phishing, the end goal is often the same: trick users into entering credentials, payment details or personal information into a fraudulent page.
Phishing emails can also lead to fake login pages that imitate well-known services. These pages may copy the branding of Microsoft 365, Google, Dropbox, banks, courier companies, government portals or cloud platforms.
Common examples of fake login attacks
A user may receive an email saying:
- “Your Microsoft password has expired.”
- “A secure document has been shared with you.”
- “Your mailbox is over quota.”
- “Your invoice is ready to view.”
- “Please log in to review the file.”
The link opens a page that looks like a real login portal. Once the user enters their username and password, the attacker can use those credentials to access the real account.
Some fake login pages also ask for the multi-factor authentication code, which lets the attacker complete the sign-in themselves while the code is still valid. This is why businesses need stronger forms of MFA and user training around one-time passcodes.
How to recognise fake login pages
Before entering any login details, check:
- Is the website address exactly correct?
- Does the domain match the official service?
- Did you arrive at the page from an unexpected email link?
- Is the page asking for credentials when it normally would not?
- Is the design slightly different from usual?
- Is the page missing normal security features?
- Does the request feel rushed or unusual?
HTTPS is important, but it is not enough on its own. Many fake websites now use HTTPS, so users should not assume a site is safe just because there is a padlock icon.
How to protect your business
Use a password manager. A good password manager can help staff avoid fake login pages because it will not automatically fill credentials on the wrong domain.
Enable multi-factor authentication across all business-critical systems. Where possible, use phishing-resistant MFA methods, such as hardware security keys or number-matching authentication.
Businesses should also monitor for unusual logins, impossible travel alerts, suspicious mailbox rules and repeated failed login attempts.
5. Cloud Storage and File-Sharing Phishing
Cloud storage phishing uses trusted platforms such as Dropbox, Google Drive, OneDrive, SharePoint or Microsoft Teams to trick users into clicking links or entering credentials.
These attacks are effective because file-sharing is now part of everyday business. Employees regularly receive links to documents, contracts, invoices, proposals, spreadsheets and project files. Attackers take advantage of this routine.
The email may say that someone has shared a file with you. It may include a button such as “Open Document”, “View File”, “Review Invoice” or “Access Shared Folder”. The link may lead to a fake login page or a malicious download.
Common examples of cloud phishing
- A client has shared a proposal
- A supplier has uploaded an invoice
- HR has shared a policy update
- A colleague has sent a confidential file
- A contract is ready for review
- A voicemail or scanned document is available
- A Teams message or SharePoint file requires login
These emails often look clean and professional. Some may even use genuine cloud services to host malicious files or redirect users to fake pages.
How to recognise cloud storage phishing
Look for signs such as:
- You were not expecting the file
- The sender is unknown or unusual
- The message does not explain why the file was shared
- The link asks you to log in again unexpectedly
- The file name is vague, such as “Important Document”
- The email creates urgency
- The sharing notification does not match the platform’s normal format
- The sender’s domain does not match the organisation they claim to represent
How to protect your business
Encourage staff to confirm unexpected file-sharing links before opening them. Where possible, access shared files through the official app or portal rather than clicking email links.
Set sharing controls for business cloud platforms. Restrict external sharing where it is not needed. Review permissions regularly and remove access for former employees, contractors and suppliers.
Use security tools that scan shared links and attachments. Combine this with staff training so employees understand that even familiar platforms can be abused by attackers.
General Warning Signs of a Phishing Email
While phishing emails vary, many share common red flags. Employees should slow down and check carefully when an email:
- Creates urgency or fear
- Requests passwords, payment details or one-time codes
- Asks for a payment or bank detail change
- Includes unexpected attachments
- Contains links to login pages
- Comes from a slightly unusual email address
- Uses generic greetings
- Has unusual tone or wording
- Claims there is a problem with an account
- Offers something too good to be true
- Asks for secrecy
- Pressures the recipient to bypass normal processes
However, businesses should not rely only on employees spotting mistakes. Modern phishing can be polished and convincing. Strong cybersecurity controls are essential.
What to Do If You Receive a Suspicious Email
If you receive a suspicious email, do not click links, download attachments or reply to the sender.
Instead:
- Report the email to your IT support team.
- Verify the request through a trusted contact method.
- Delete the email if confirmed as suspicious.
- Block the sender if appropriate.
- Warn affected staff if the email was sent to multiple people.
- Check whether anyone clicked the link or opened the attachment.
If an employee has clicked a link, entered credentials or downloaded a file, act quickly. The ACSC recommends running antivirus or a security scan if malware may have been installed, changing passwords where personal information or credentials were revealed and reporting cyber incidents through ReportCyber.
For businesses, fast response can significantly reduce the damage. Reset compromised passwords, revoke active sessions, check mailbox forwarding rules, review login activity and monitor for unauthorised access.
How Businesses Can Reduce Phishing Risk
Phishing prevention requires people, processes and technology working together.
Train employees regularly
Security awareness training should be practical and repeated. Staff should learn how phishing works, how to inspect links, how to report suspicious messages and how to verify unusual requests.
Training should include examples relevant to your business, such as fake supplier invoices, Microsoft 365 login scams, courier notifications, payroll requests and executive impersonation.
Use multi-factor authentication
MFA adds an extra layer of protection if a password is stolen. It should be enabled for email, cloud storage, finance systems, remote access, admin accounts and customer databases.
Where possible, use stronger MFA methods rather than SMS codes alone.
Strengthen email security
Businesses should use professional email filtering and authentication controls such as SPF, DKIM and DMARC. These help reduce spoofed emails and improve trust in legitimate messages.
Email security tools can also detect malicious links, suspicious attachments and impersonation attempts.
Create approval procedures
Financial transactions, supplier bank changes and sensitive data requests should require verification outside email. A phone call, approval workflow or dual-authorisation process can stop many business email compromise attempts.
Keep systems updated
Outdated systems are easier to exploit. Keep operating systems, browsers, email clients, antivirus software, firewalls and cloud applications updated.
Use secure backups
If phishing leads to malware or ransomware, reliable backups can help your business recover. Backups should be regularly tested, protected from unauthorised access and stored separately from production systems.
Monitor accounts
Watch for suspicious logins, unusual locations, mailbox forwarding rules, new inbox rules, unexpected password resets and changes to security settings.
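The hidden forwarding and inbox rules mentioned throughout this guide can be triaged from an export of each mailbox's rules. The following is an added example (not the guide's or Microsoft's code): the rule records are constructed to resemble an Exchange Online inbox-rule export, and the field names, folder names and internal domain are assumptions.

```python
"""Triage exported inbox rules for the patterns attackers leave after compromising
a mailbox: forwarding outside the business, deleting or hiding messages about money
or credentials, and meaningless one-character rule names. Field names are assumed."""

INTERNAL_DOMAINS = {"example-firm.com.au"}  # assumption: the business's own domains
SENSITIVE_WORDS = {"invoice", "payment", "bank", "password", "remittance", "security"}
HIDING_FOLDERS = {"rss feeds", "rss subscriptions", "conversation history",
                  "deleted items", "junk email", "archive"}


def _domain(addr):
    return addr.rpartition("@")[2].lower() if "@" in addr else ""


def triage_rule(rule):
    """Return a list of (severity, reason) findings for one inbox rule."""
    findings = []
    if not rule.get("Enabled", True):
        return findings  # a disabled rule takes no action
    targets = []
    for key in ("ForwardTo", "RedirectTo", "ForwardAsAttachmentTo"):
        targets += rule.get(key) or []
    external = [t for t in targets if _domain(t) not in INTERNAL_DOMAINS]
    if external:
        findings.append(("HIGH", "forwards or redirects mail to external address " + ", ".join(external)))
    words = (rule.get("SubjectContainsWords") or []) + (rule.get("BodyContainsWords") or [])
    sensitive = {w.lower() for w in words} & SENSITIVE_WORDS
    folder = (rule.get("MoveToFolder") or "").lower()
    hides = bool(rule.get("DeleteMessage")) or folder in HIDING_FOLDERS
    if hides and sensitive:
        findings.append(("HIGH", "deletes or hides messages mentioning " + ", ".join(sorted(sensitive))))
    elif hides and rule.get("MarkAsRead"):
        findings.append(("MEDIUM", "marks messages read and hides them so the owner never sees them"))
    if len(rule.get("Name", "").strip()) <= 2:
        findings.append(("MEDIUM", "rule name is too short to be meaningful, a habit seen in compromised mailboxes"))
    return findings


def triage_mailbox(rules):
    """Return [(rule name, findings)] for every rule that has at least one finding."""
    result = []
    for rule in rules:
        found = triage_rule(rule)
        if found:
            result.append((rule.get("Name", ""), found))
    return result


SAMPLE_RULES = [  # constructed export of one mailbox's rules
    {"Name": ".", "Enabled": True, "ForwardTo": ["finance.copy@webmail-example.net"],
     "SubjectContainsWords": ["invoice", "payment"], "DeleteMessage": True, "MarkAsRead": True},
    {"Name": "Newsletters", "Enabled": True, "MoveToFolder": "Newsletters",
     "SubjectContainsWords": ["newsletter"]},
    {"Name": "Copy to assistant", "Enabled": True, "ForwardTo": ["assistant@example-firm.com.au"]},
]
```

Only the rule named "." is reported: it forwards externally, deletes messages about invoices and payments, and has a name chosen to escape notice.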
Have an incident response plan
Every business should know what to do if a phishing email succeeds. Your plan should include who to contact, how to isolate affected devices, how to reset accounts, how to preserve evidence and how to notify customers or authorities if required.
Final Thoughts
Phishing emails are becoming more convincing, targeted and damaging. They no longer rely only on poor spelling or obvious scams. Many now imitate trusted organisations, cloud platforms, executives, suppliers and government services with alarming accuracy.
For Australian businesses, the financial and reputational risks are significant. A single phishing email can lead to stolen credentials, fraudulent payments, data breaches, malware infections or ransomware attacks.
The best defence is a layered cybersecurity strategy. Train your staff, secure your email systems, use multi-factor authentication, verify unusual requests, monitor accounts and have a clear incident response plan.
Need help protecting your business from phishing attacks? Our cybersecurity and IT support experts in Perth are available 24/7 to assist you. Contact Computing Australia Group or email cybersecurity@computingaustralia.group to strengthen your business security and reduce phishing risk.
Jargon Buster
URL – Uniform Resource Locator. The complete web address, which combines the domain name with other details such as the path and any parameters. Checking the domain part of a URL is how you tell a genuine site from a lookalike.
Ransomware – Malware that blocks access to a system or its data and demands a ransom to restore it. Infection usually happens through deceptive links or attachments in websites, emails or messages.
Multi-Factor Authentication (MFA) – A security process that requires two or more independent proofs of identity, such as a password plus a code or hardware key, before access to confidential data is granted.
David Brown
FAQ
What is a phishing email?
A phishing email is a fraudulent message designed to trick you into sharing sensitive information, clicking a malicious link, downloading malware or approving an unsafe action such as a payment transfer.
What are the most common types of phishing emails?
The most common types include deceptive phishing, spear phishing, CEO fraud or whaling, pharming-related fake login emails and cloud storage phishing scams involving platforms like Dropbox, Google Drive, OneDrive or SharePoint.
How can I recognise a phishing email?
Look for warning signs such as urgent language, suspicious sender addresses, unexpected attachments, unusual payment requests, spelling errors, fake login links and messages asking for passwords or personal details.
What should I do if I click a phishing link?
Disconnect from the internet if you suspect malware, report it to your IT support team immediately, change affected passwords, enable multi-factor authentication and check your accounts for suspicious activity.
How can businesses prevent phishing attacks?
Businesses can reduce phishing risks with cybersecurity awareness training, multi-factor authentication, email filtering, strong password policies, secure backups, regular software updates and clear payment approval procedures.