How to spot a scam: phishing and impersonation, explained simply
Here is how to spot a scam without learning a single thing about technology. Almost every scam, the phishing email, the fake text, the phone call pretending to be your bank, fails the same three tests: did you start it, is it rushing you, and is it asking for money, a code, a password or access to your device? Get those three questions into your head and you will catch the vast majority of them, even the slick ones. Forget chasing spelling mistakes, that advice is years out of date. Scammers write neatly now. What they cannot hide is how they behave. This guide gives you the few tells that matter, in plain English.
The one question that does the most work: who started it?
If you take only one thing from this page, take this. The single most reliable scam test is who began the contact. You ringing your bank, you logging into a website you typed yourself, you replying to a friend you know, that is contact you started, and it is almost always safe. A message or call that arrives out of the blue is the opposite, and it is where nearly all scams live.
No real company will phone you unprompted to say your computer is infected. No bank will text you a link and ask you to "verify" your login. The government will not ring demanding payment in gift cards. Genuine organisations let you come to them. The moment something arrives uninvited and wants you to do something right now, your guard should go up, no matter whose name is on it.
What phishing actually is (the bait, not the spelling)
Phishing is a fake message dressed up as a company you trust, your bank, Australia Post, the ATO, your phone provider, Netflix, designed to get you to click a link and type your details into a copy of the real site. The page can look identical to the real one, right logo, right colours. That's the trap: people are told to look for things that "look wrong," but a good fake looks perfectly right.
So don't judge the message on how it looks, judge it on what it's doing. A real "your parcel is held" notice doesn't exist if you weren't expecting a parcel. A real bank doesn't email you a link to log in, it expects you to use the app or the address you already know. The link in the message is the whole scam. Never click it and the bait never works.
Impersonation: when a name is the disguise
Impersonation is the other half of the game. The scammer wears a trusted name like a mask, your bank, a big tech company, even your own grandchild. Here's the part most people don't know: the name you see on a call or message is not proof of anything. A caller ID can be faked, the "From" name on an email can say anything the sender types, and a fake text can even drop into the same thread as real messages from a company. Seeing the right name tells you nothing about who's really on the other end.
A few of the impersonations doing the rounds in Australia:
- The "your account's been compromised" call, claiming to be your bank, the NBN, Telstra or Microsoft, talking you into installing software or reading out a code. Always a scam.
- The "Hi Mum" or "Hi Dad" text from an unknown number, saying they've lost their phone and need money urgently. Ring your child on their real number before you do anything.
- The fake delivery text, a missed parcel, a small fee to redeliver, a link to pay. The fee is the hook.
- The "ATO" or "myGov" message threatening a fine or arrest. Government departments don't threaten you by text, and they don't take gift cards.
The defence is the same for all of them: ignore the name, and check by going to the person or company yourself, through a number or app you already trust, never the one in the message.
The feeling they're after: urgency and fear
Every good scam works on emotion before it works on technology. It wants you rushed, worried or excited, because a calm person checks first and a panicked person clicks. So the message says your account closes today, you've won something you must claim now, your grandchild is in trouble, you'll be fined if you don't act.
That pressure is itself the tell. A real organisation is happy for you to hang up, think it over and ring back. A scammer can't allow that, because the second you slow down the trick falls apart, which is why they say "don't hang up," "act now," "tell no one." When you feel that hurry, do the exact opposite: stop, and check.
What they ask for: the dead giveaways
Scams nearly always end with the same shopping list. If a message or call asks for any of these, treat it as a scam full stop:
- A code, the one-time number texted to you. That code is the key to your account. No genuine person ever needs you to read it out. Ever.
- Remote access to your device, "let me connect to fix it." You only allow that when you started the call to someone you chose.
- Payment in gift cards, vouchers or cryptocurrency. No real bill is ever paid this way. This one alone proves it's a scam.
- Your password or full card and bank details typed into a link or read aloud.
- Money moved "to keep it safe" into another account. Banks never ask you to do this. It's a classic con.
You can stop reading their script the instant one of these appears. The polish, the right logo, the calm professional voice, none of it matters once they ask. The ask is the proof.
Run the three checks before you act
Pin this to the fridge if it helps. Before you click, reply, pay or hand anything over, run these three:
- Who started it? Did I reach out, or did this arrive uninvited? Uninvited means slow down.
- Is it rushing me? A deadline, a threat, "act now," "don't tell anyone." Pressure is a red flag, not a reason to hurry.
- What does it want? A code, a password, remote access, gift cards, money moved? Any of those, and it's a scam.
Pass all three and you're almost certainly fine. Fail two of them and you've caught a scam, no technical knowledge required. When you're not sure, the safest move is always the same: don't use anything in the message, and contact the company or person yourself the way you normally would.
If you think you've already been caught
First, don't be embarrassed, these are designed by professionals to fool sharp people, and they catch thousands of Australians a week. Speed is what limits the damage:
- Gave card or bank details? Ring your bank now, on the number on your card, and ask them to stop the card.
- Gave a password? Change it, and change it anywhere else you used the same one.
- Let someone onto your computer? Disconnect it from the internet and have it checked properly.
- Report it to Scamwatch at scamwatch.gov.au, it helps warn others.
Acting in the first hour can be the difference between a scare and a loss.
The short version
You don't need to understand how scams work to beat them. You need three questions: who started it, is it rushing me, and what is it asking for. Logos lie, names lie, polished writing lies, but those three behaviours give the game away every time. If something feels off, that instinct is usually right, so stop and check before you do anything. And if you'd like a hand, or you're ever unsure about a message in front of you, that's exactly what we're here for. Send us the message you're worried about and we'll tell you, plainly and patiently, whether it's safe. New to all this? Start with tech help for seniors: where to start.
Frequently asked questions
How to spot a scam quickly: what's the fastest test?
The fastest way to spot a scam is three questions: did I start this, or did it arrive uninvited; is it rushing or frightening me; and is it asking for money, a code, a password or remote access? Fail two of those and it's a scam, no matter how official it looks.
What is phishing, in plain English?
A fake message, usually an email or text, dressed up to look like a company you trust, wanting you to click a link and type your login or card details into a copy of the real site. The link is the bait, don't click it and the scam can't work.
How can I tell a fake email or text from a real one?
Don't trust the name shown, it's easily faked. Check the real sender address and hover over links to see where they go. Watch for a generic greeting, urgency, and a link instead of the normal log-in. When unsure, go to the company yourself through an app or address you already know.
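As an added example (not part of the original guide), here is a small Python check that pulls out exactly the two things the answer above says to compare: the name shown on an email versus the real address behind it, and a link's visible text versus where it actually points. The message it inspects is a constructed sample with made-up addresses, not a real scam email.

```python
import email
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample (not a real scam email): the shown name says "Australia Post",
# but the address behind it and the link's real destination say otherwise.
RAW_EMAIL = b"""From: "Australia Post" <parcels@example-notifications.test>
To: you@example.test
Subject: Your parcel is held
Content-Type: text/html; charset=utf-8

<p>A small redelivery fee is due: <a href="http://example-pay.test/login">auspost.com.au</a></p>
"""

class LinkCollector(HTMLParser):
    """Collects (visible text, href) for every <a> in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None

def inspect_message(raw):
    """Shown name versus real address, and link text versus real destination."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    display_name, address = parseaddr(str(msg["From"]))
    html = msg.get_body(preferencelist=("html",)).get_content()
    collector = LinkCollector()
    collector.feed(html)
    links = []
    for text, href in collector.links:
        host = (urlparse(href).hostname or "").lower()
        # Link text that looks like a web address but names a different host
        # than the one it really opens is the classic phishing bait.
        looks_like_site = "." in text and " " not in text
        mismatch = looks_like_site and text.lower().strip("/") != host
        links.append({"text": text, "href": href, "mismatch": mismatch})
    return {"display_name": display_name, "address": address, "links": links}
```

Run it on the sample and the shown name, the real address and the mismatched link come back side by side, which is the comparison the answer above asks you to make by eye.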
Someone rang saying they're from Microsoft or my bank. Is it a scam?
Treat it as one and hang up. Real companies and your bank don't cold-call about viruses or hacks, and never ask you to install software, read out a code or buy gift cards. To be sure, ring back on a number from your card or statement, not the one they gave you.
What should I do if I think I've been scammed?
Move fast and don't be embarrassed. Gave card details? Ring your bank now to stop the card. Gave a password? Change it everywhere you used it. Let someone onto your computer? Disconnect it and get it checked. Report it to Scamwatch at scamwatch.gov.au.
Are scam messages getting harder to spot?
Yes. The old "bad spelling" advice is out of date, scammers write cleanly and copy logos perfectly now. That's why you judge a message by its behaviour, who started it, is it rushing you, what's it asking for, not by how it looks.