How to spot an unsafe email or text message

Most of us don’t have any qualms about accessing or safely sharing our personal information online, especially when it comes to online banking or accessing tax refunds through the ATO’s online portal. However, this doesn't stop scammers and threat actors trying to trick you into giving away this information. Phishing scams claim to come from a legitimate source, like your bank or telco company, but are just attempts to steal your personal information.

Results from the Australian Bureau of Statistics' 2021-2022 Personal Fraud Survey found that 65% of people received a scam offer from 2021 to 2022 (48% of these offers over the phone). That's 13.2 million Australians exposed to scams and unsafe texts each year.

There are multiple ways to identify an unsafe email or text, and it’s usually easier than you think, especially once you know what to look for. Of course, there will be outliers, but they’re the exception, not the rule.

An email from your bank, telco, or the ATO won’t start with a casual greeting like ‘Hello dear’. Watch out for any emails that start with a simple ‘Hi’, or ‘Sir/Madam’ as it could be a scammer fishing for your information. 

Scammers scrounging for sensitive information will preface their emails with these impersonal greetings so they can email or message a large number of people at the same time. A company is much more likely to email you by name than a scammer is. 

Your telco will not ask you to verify your details or pay for your bill through a link in a text message. They might let you know your bill is coming up, but will not request immediate payment through a link embedded in the message. 

Scammers will often request login credentials, payment details, and other sensitive information pretending to be from an entity you trust. Some crafty scammers can forge pages that are almost indistinguishable from the real thing, so when you click on a link, you don’t realise it's a grab for your valuable personal information.

Whenever you’re redirected to a login page or told that you have an urgent payment due, ensure it is 100% legitimate before putting in any information. If you have doubts, get another set of eyes to confirm it’s safe for you to proceed, like a customer service representative from the company contacting you. 

Texts are a common way for scammers to embed fraudulent links — which is why banks like NAB are moving away from using links in SMS messages to their customers. Even if you’re sure the message is from a legitimate sender, reach out to them through another mode of communication (like calling them) and confirm where the link leads. The worst thing you can do is simply assume it's legitimate, click the link, and find yourself on an unsafe website.

Another indication of an unsafe email or text, and often the biggest giveaway, is bad spelling and grammatical errors. You can usually tell if the message is not written by a business executive or a customer service representative – it feels off. They might put full stops or commas in odd places, not capitalise their sentences, and misspell the business they’re trying to spoof. 

Many big, legitimate companies like banks use spell-checking tools before emails are sent to their mailing lists to ensure all grammar and spelling are correct. Scammers don't have the facilities to ensure their grammar is impeccable, and English is often not their first language.

Unsafe texts and emails can be identified by looking at the sender’s domain name and email. If you’ve been emailed by ‘ANZ.bankingservice’, and you’re unsure whether you’ve corresponded with them previously, simply type in the address into your email’s search bar. If an email allegedly originates from ANZ but you’ve never been contacted by the address before, reach out to the business’ customer service team and report it. 

Another way to check if the sender is unsafe is by copying and pasting the phone number or email address into Google. You might find people who have been contacted (or worse, scammed) by the number or address, and advise you not to engage. 

Emails or texts that threaten consequences like a large payment deducted from your account if you don’t click on a link are almost always unsafe. Big businesses or government agencies will not use scare tactics, as it's unprofessional and embeds distrust. Attackers use this approach to scare you into action before you have a chance to examine the email or text and realise it's a scam. 

The way files are shared is different than what it was 5-10 years ago. Most work-related file sharing takes place on collaboration platforms like OneDrive, Google Drive, or DropBox, and most emails you receive are files with the extension .doc, .jpg, or .pdf.

Be wary though, as sometimes the attachment might appear to be a PDF file or an image, but upon closer inspection, the file has an unfamiliar or executable extension like .zip or .exe on it. This is why it's important to always examine files before clicking on them. Opening files before ensuring they’re safe could run a program or script and infect your computer with malware.

• Your online banking account has been suspended because of a billing problem.
• Congratulations! You’ve won our grand prize. Go to [link] to claim now! 
• Your Google account will expire later today. Please verify your login credentials at [link] to prevent your account from being deleted. 
• Your package is stuck in customs. Please visit [link] for more information.
• Thank you for your payment. Please find your invoice below. [insert fake invoice about money you never paid]
• Emergency: your grandson/granddaughter/relative is in hospital, please send $2000 to [link] for treatment.

• Hover over URLs before clicking on them. If you move your cursor over any URLs in the email, your browser will reveal the address in the bottom left corner. Unfortunately, this can’t be done for text messages without clicking the link, which we’d advise against, as clicking on a link can install malware on your phone. As always, if you don’t know the sender, don’t open the link. 
• Don’t reply. Any reply to an unsafe message will let the scammer behind the ruse know that your number is working and genuine. Don't unsubscribe from spam email senders either, as this signals the same thing. Engagement with the message or sender will lead to more messages and your contact details could be sold and sent to other scammers. 
• Use your phone’s spam filtering. Some modern phones and antivirus services for mobiles offer spam filtering, so you can scan, identify, and block spammy messages immediately.
• Block the sender and report the number to your telco or ACCC’s Scamwatch.
• Use security or antivirus software. Antivirus suites for iOS and Android have built-in phishing protection. Set it to run in the background to further protect you from any unsafe texts or emails. Set the program, as well as your phone to update automatically so it can protect you against the latest threats. 
• Use multi-factor authentication. Even if a scammer gets a hold of your username and password, if you have multi-factor authentication enabled, it’ll be much harder for them to access your personal information. We'd recommend a verification code from an authenticator app or a scan of your retina or fingerprint for maximum protection.

Unsafe messages can infect your device with malware or compromise your personal and financial safety. It's important to know how to identify them so you know how to act when you see one. The best practice is to not respond, report it to the company it allegedly came from, and consider if it's worth installing antivirus software to keep you and your personal information protected.