Risk Bite 11: Phishing

Social engineering, in the context of information security, is the psychological manipulation of people into divulging personal or confidential information. Cyber criminals use social engineering because it is usually easier to exploit our natural inclination to trust than it is to find a way to hack computers. The most common social engineering attack is phishing.

Phishing is the fraudulent practice of sending emails, text messages or phone calls purporting to be from reputable companies or government organisations in order to induce individuals to reveal personal information, such as passwords and credit card numbers.

A phishing attack can take various forms. It could be

  • an email that appears to come from a friend or a trusted source,
  • a ‘baiting’ scenario, such as receiving a reply to a question you never asked, or
  • information spread on social media to create distrust or start conflicts.

Taking advantage of our curiosity and trust, these messages contain a link to a download that installs malicious software, or to a page that harvests what you type into it. The message may suggest you “check out” a point of interest to encourage you to open the harmful link. Another common theme is a compelling story or pretext: the message asks for urgent help or a donation to a charity, presents a problem that requires you to “verify” your details, notifies you that you have won a prize, or poses as your boss or a co-worker.

Security is all about knowing who and what to trust. It is important to know when, and when not, to take something at face value. Some warning signs to look out for, for each channel, are represented graphically below:

Phishing Emails:

Voice Phishing – “Vishing”:

SMS (text message) Phishing – “Smishing”:

How to avoid these attacks?

There are several things we can do to significantly decrease our exposure to such attacks. Some are listed below:

  • Always err on the side of caution. Be suspicious of unexpected emails and SMS messages.
  • Do not reveal personally identifiable information unless you are sure the channel is secure.
  • Never provide financial information or passwords to unverified parties.
  • Check the website’s address before sending any information online.
  • Avoid clicking on links unless they come from a trusted source and you initiated the contact.
  • Ask – “How else can I verify this?”
  • One of the best ways to check whether something is legitimate is to phone the business or the sender directly, using contact details you have obtained independently rather than those given in the message.
  • When on the phone, double-check who you are speaking with. The person may not be who they claim to be.

What to do if you think you have been compromised by one of these attacks?

  • Change any compromised password everywhere it is in use (it is best not to use the same password for everything).
  • If you disclosed financial information, contact your bank immediately. Close or block any compromised accounts.
  • Check your bank statements regularly.
  • Watch out for signs of identity theft. It can take many forms, from fraudulent credit card use to your entire identity being used to open accounts, obtain loans and conduct other illegal activities.
  • Report scams to the ACCC via the Scamwatch “report a scam” page. Your report helps to warn people about current scams, monitor trends and disrupt scams. Please include details of the scam contact you received, for example the email or a screenshot.
  • Contact IDCARE – a free, government-funded service which will work with you to develop a specific response plan for your situation and support you through the process. Visit the IDCARE website, call 1300 IDCARE (432273), or use their free Cyber First Aid Kit.
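The advice above to check the website’s address before sending anything can be applied mechanically. The Python script below is an added example, not part of the original Risk Bite nor of any Scamwatch or IDCARE material. It parses a link and reports the tricks phishing URLs rely on: an ‘@’ that hides the real host, a raw IP address, a brand name buried in a subdomain, and digit, letter-pair and Cyrillic look-alike characters. The trusted domain example-bank.com, the host evil.test and the sample links are all constructed for illustration; the last-two-labels rule for the registered domain is a simplification noted in the code.

```python
"""Flag the address tricks used by phishing links (added example, standard library only).
The trusted site 'example-bank.com' and every sample URL below are constructed for
illustration and do not refer to a real organisation."""
import ipaddress
import unicodedata
from urllib.parse import urlsplit

# Characters phishers swap into a domain because they look like the genuine one.
# Deliberately small; full confusables tables (Unicode TR39) run to thousands.
CONFUSABLES = {
    "0": "o", "1": "l", "3": "e", "5": "s",        # digit standing in for a letter
    "vv": "w", "rn": "m",                          # letter pairs that read as one letter
    "\u0430": "a", "\u0435": "e", "\u043e": "o",   # Cyrillic a, e, o (homoglyphs)
}


def registrable_domain(host: str) -> str:
    """'login.example-bank.com' -> 'example-bank.com'.
    Simplification: keeps the last two labels. A production check should use the
    Public Suffix List so that 'example.co.uk' is not reduced to 'co.uk'."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def skeleton(name: str) -> str:
    """Fold a name to what a reader *sees*: strip accents, lower-case, then replace
    confusable characters with the letters they imitate."""
    text = unicodedata.normalize("NFKD", name)
    text = "".join(c for c in text if not unicodedata.combining(c)).lower()
    for fake, real in CONFUSABLES.items():
        text = text.replace(fake, real)
    return text


def inspect_url(url: str, trusted: set[str]) -> list[str]:
    """Return the warning signs found in `url`. An empty list means the link is a plain
    https address whose registered domain is one of the `trusted` sites."""
    warnings: list[str] = []
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = parts.hostname or ""

    if parts.scheme != "https":
        warnings.append("not https: anything you type travels in the clear")
    if parts.username is not None:
        # https://example-bank.com@evil.test/ really goes to evil.test: everything
        # before the '@' is a user name, not the site.
        warnings.append(f"'@' in address: the real host is {host!r}")
    if not host:
        warnings.append("no host name could be parsed")
        return warnings
    try:
        ipaddress.ip_address(host)
        warnings.append("raw IP address instead of a company name")
        return warnings
    except ValueError:
        pass

    if not host.isascii() or any(lbl.startswith("xn--") for lbl in host.split(".")):
        warnings.append("internationalised host name: letters may be look-alikes")

    domain = registrable_domain(host)
    if domain in trusted:
        return warnings
    matched = False
    for site in trusted:
        if skeleton(domain) == skeleton(site):
            warnings.append(f"look-alike of {site}: {domain!r}")
            matched = True
        elif site.split(".")[0] in host:
            # Brand buried in a subdomain: login.example-bank.com.evil.test
            warnings.append(f"{site} does not own this address; it belongs to {domain!r}")
            matched = True
    if not matched:
        warnings.append(f"address belongs to {domain!r}, not to any site you expected")
    return warnings


if __name__ == "__main__":
    TRUSTED = {"example-bank.com"}  # hypothetical: the site the reader actually uses
    SAMPLES = [                     # constructed links, from genuine to deceptive
        "https://login.example-bank.com/",
        "http://example-bank.com@203.0.113.5/verify",
        "https://login.example-bank.com.evil.test/",
        "https://examp1e-bank.com/",
        "https://ex\u0430mple-bank.com/",
    ]
    for link in SAMPLES:
        print(link, "->", inspect_url(link, TRUSTED) or "no warning signs")
```

The check only reasons about the address itself: a link that passes it can still lead to a compromised legitimate site, so it complements, rather than replaces, the advice to verify through an independent channel.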

For more information visit the site Scamwatch.gov.au or Cyber.gov.au