🎣 Module 2: Phishing & Social Engineering

Identify phishing attempts, social engineering tactics, and how to protect yourself from manipulation.

📚 Training Content

What is Phishing?

Phishing is a cyberattack where criminals impersonate legitimate organisations to trick you into revealing sensitive information like passwords, credit card numbers, or personal data. These attacks usually come via email but can also occur through text messages (smishing) or phone calls (vishing).

The Goal: Get you to click a malicious link, download malware, or provide confidential information.

Red Flags of Phishing Emails

1. Sender Email Address Doesn't Match: Check carefully! "[email protected]" or "[email protected]" are NOT legitimate. The domain after the @ matters most.

2. Generic Greetings: "Dear Customer" or "Dear User" instead of your actual name suggests mass-sent phishing.

3. Urgent or Threatening Language: "Your account will be closed!" or "Immediate action required!" creates panic to bypass your critical thinking.

4. Requests for Sensitive Information: Legitimate organisations never ask for passwords, SSN, or credit card numbers via email.

5. Suspicious Links: Hover over links (don't click!) to see the real URL. Look for misspellings or odd domains.

6. Unexpected Attachments: Especially .zip, .exe, or macro-enabled documents from unknown senders.

7. Poor Grammar and Spelling: While not always present, many phishing emails have obvious errors.
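Red flag 5 says to hover over a link to see the real URL. In an HTML email the text you see is the anchor's content and the real destination is its href, and phishing emails routinely show one while pointing at the other. The following is an added example (not part of this training module) that extracts both from an email body and flags links whose visible text names a different host than the href actually goes to; the sample email and its look-alike host are constructed for the example.

```python
"""Find links whose visible text disagrees with their real destination.

Added example, not part of the training module. The visible text of an
anchor is what a reader sees; the href is where the click really goes.
The sample email below is constructed and uses the reserved .example TLD
for the look-alike host.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# A host name appearing in visible link text, with or without a scheme.
HOST_IN_TEXT = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})", re.I)


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def deceptive_links(html):
    """Return (visible_text, real_host) for each link whose visible text
    names a host other than the one its href points to. A link whose text
    is plain words ("Contact us") cannot be checked this way and is skipped;
    an href with no usable host (relative or javascript:) is reported."""
    parser = LinkCollector()
    parser.feed(html)
    found = []
    for href, text in parser.links:
        real_host = (urlparse(href).hostname or "").lower()
        shown = HOST_IN_TEXT.search(text)
        if shown and shown.group(1).lower() != real_host:
            found.append((text, real_host))
    return found


# Constructed sample: one deceptive link, one honest link, one plain-text link.
SAMPLE_EMAIL = """
<p>Dear Customer,</p>
<p>Log in at <a href="https://commbank-secure-login.example">https://www.commbank.com.au/login</a>
to confirm your details.</p>
<p>Or visit <a href="https://www.commbank.com.au/">www.commbank.com.au</a>.</p>
<p>Need help? <a href="https://www.commbank.com.au/help">Contact us</a></p>
"""

if __name__ == "__main__":
    for text, real_host in deceptive_links(SAMPLE_EMAIL):
        print(f"shows '{text}' but really goes to '{real_host}'")
```

Only the first link is reported: its text reads like a CommBank address while the href's host is the constructed look-alike. The second link's text and href agree, and the third has no host in its text to compare.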

Types of Phishing

Spear Phishing: Targeted attacks on specific individuals using personal information (like your name, job title, or recent activities) to seem more convincing.

Whaling: Spear phishing targeting executives or high-value individuals.

Clone Phishing: Legitimate emails are copied and resent with malicious links replacing the original ones.

Vishing (Voice Phishing): Scam phone calls pretending to be from tech support, the ATO (Australian Taxation Office), banks like CommBank or NAB, or even NBN technicians.

Smishing (SMS Phishing): Text messages with malicious links, often claiming to be from Australia Post, myGov, or your bank with package delivery issues or account problems.

QR Code Phishing (Quishing): A rapidly growing scam in Australia where attackers place fake QR codes over legitimate ones or create malicious QR codes that look official.

⚠️ QR Code Scams - New Threat in Australia

QR code scams have exploded across Australia, particularly since COVID-19 made QR codes commonplace for venue check-ins, menus, and payments.

How QR Code Scams Work:

  • Sticker Overlays: Scammers place fake QR code stickers over legitimate ones on parking meters, restaurant menus, or payment terminals
  • Fake Parking Fines: QR codes on fake parking fine notices left on windscreens
  • Phishing Pages: QR codes that look official but lead to fake payment or login pages
  • Menu Scams: At restaurants, fake QR codes on tables that look like menu links but steal credit card details

How to Protect Yourself from QR Code Scams:

  • Preview the URL first: Most phones show the URL before opening - check it carefully
  • Verify the domain: Does it match the legitimate business? (e.g., realwebsite.com.au not realwebsite-checkout.com)
  • Check for stickers: If a QR code looks like it's been recently stuck over something, be suspicious
  • Verify parking fines: Check your council's website or app - don't trust QR codes on paper notices
  • For payments, verify the business name: Before entering payment details, confirm the business name matches
  • Use official apps when possible: For payments, use known apps like PayPal, bank apps, or pay in person
  • Never scan QR codes from unsolicited emails or unknown sources, or ones that promise prizes or refunds

Real Australian Example: In 2023, scammers placed fake QR codes on parking meters across Sydney and Melbourne. Users scanned to pay for parking, entered their credit card details on a fake page, and had their details stolen. Always use official parking apps or pay at the machine directly.

Social Engineering: The Human Hack

Social engineering is the art of manipulating people into performing actions or divulging confidential information. It exploits human psychology rather than technical vulnerabilities.

Common Tactics:

  • Pretexting: Creating a false scenario to gain trust (e.g., "I'm from IT, we need your password to fix an issue")
  • Baiting: Offering something enticing to trick you (e.g., "Free iPhone - click here!")
  • Quid Pro Quo: Offering a service in exchange for information (e.g., "We'll give you tech support if you disable your firewall")
  • Tailgating: Following someone into a restricted physical area without proper authentication
  • Authority: Impersonating someone in a position of power to pressure compliance

Real Australian Phishing & Scam Examples

These are actual scams that have targeted Australians. Learn to recognise them:

1. ATO Tax Scam (Very Common):

Email/SMS: "Your tax refund of $1,247 is ready. Click here to claim within 48 hours."

Red flags: ATO never sends refund links via email or SMS. They communicate through myGov or mail only.

What to do: Report to ReportCyber and delete. Check myGov inbox directly if concerned.

2. Australia Post Delivery Scam (Flubot):

SMS: "Australia Post: Your parcel is awaiting delivery. Pay $2.50 redelivery fee: auspost-track.com/ID456"

Red flags: Fake domain (not auspost.com.au), unexpected fee, asks for payment via suspicious link.

What to do: Check your real tracking number on the official Australia Post app/website. Delete the SMS.

3. myGov Account Suspension Scam:

Email from: "mygov-security@gov-services.com"

Content: "Your myGov account has been temporarily suspended due to unusual activity. Verify your identity immediately."

Red flags: Wrong domain (the real myGov doesn't use email for security notices), creates urgency, asks you to click a link.

What to do: myGov sends all important messages through your myGov inbox, not email. Log in directly to check.

4. CommBank/NAB/ANZ "Security Alert" Scam:

Email: "We've detected suspicious activity on your account. Confirm your details to prevent account closure."

Red flags: Australian banks never ask for passwords or full account details via email.

What to do: Call your bank using the number on your card (not the email). Check your account via the official app.

5. Services Australia/Centrelink Payment Scam:

SMS/Email: "You have an unclaimed Centrelink payment. Update your details to receive $850."

Red flags: Services Australia doesn't notify about payments via email/SMS links.

What to do: Log into myGov directly or call Services Australia on 132 300.

6. NBN Upgrade/Tech Support Scam:

Phone call: "This is NBN Co. Your internet needs an urgent upgrade. We need remote access to your computer."

Red flags: NBN Co doesn't make unsolicited calls, and never asks for remote access or payment over the phone.

What to do: Hang up. If you need NBN help, contact your internet service provider (Telstra, Optus, etc.) directly.

How much Australians lose: According to ACCC's Scamwatch, Australians lost over $568 million to scams in 2022, with phishing and identity theft being the fastest-growing categories.

How to Protect Yourself

  • Verify independently: If an email seems suspicious, contact the organisation directly using a known phone number or website (not from the email)
  • Think before you click: Hover over links to inspect URLs before clicking
  • Check the sender: Look closely at email addresses, not just display names
  • Enable spam filters: Use email security features
  • Use MFA: Multi-factor authentication protects you even if passwords are stolen
  • Trust your instincts: If something feels off, it probably is
  • Report suspicious messages: Alert your IT/security team immediately
  • Never share credentials: No legitimate organisation asks for passwords via email or phone
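The red flags listed in this module can be applied mechanically, which is roughly what a mail filter does. The following is an added example (not part of this training module) that scores a message for a generic greeting, urgent or threatening wording, a request for payment or sensitive details, and sender or link domains that do not belong to the organisation the message claims to be from. The KNOWN_DOMAINS allowlist is an assumption made for the example, and the sample messages are constructed, modelled on the Australia Post and myGov scams described above.

```python
"""Score a message against the module's phishing red flags.

Added example, not part of the training module. KNOWN_DOMAINS is an
assumed allowlist for the example only; the sample messages are
constructed, modelled on the scams described in the module.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Assumed: the domains each organisation really sends from (example data only).
KNOWN_DOMAINS = {
    "australia post": {"auspost.com.au"},
    "mygov": {"my.gov.au"},
    "commbank": {"commbank.com.au"},
}

GENERIC_GREETING = re.compile(r"^\s*dear (customer|user|member)\b", re.I | re.M)
URGENCY = re.compile(r"\b(immediately|urgent|within \d+ hours|suspended|closed|act now)\b", re.I)
SENSITIVE = re.compile(
    r"\b(password|credit card|card details|verify your identity|confirm your details|redelivery fee)\b",
    re.I)
# A bare or http(s) URL; the last label must be alphabetic so "$2.50" is not taken for a host.
URL = re.compile(r"(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,})(?:/\S*)?", re.I)


@dataclass
class Message:
    claims_to_be: str              # organisation the message says it is from
    body: str
    sender: Optional[str] = None   # None for an SMS sent from a short code


def domain_is_legitimate(host: str, org: str) -> bool:
    """True if host is one of org's known domains or a subdomain of one.

    Only a suffix match on a dot boundary counts, so auspost-track.com and
    auspost.com.au.evil.example are both rejected for Australia Post.
    """
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in KNOWN_DOMAINS.get(org, ()))


def score_message(msg: Message) -> Tuple[int, List[str]]:
    """Return the number of red flags raised and a description of each."""
    reasons = []
    if GENERIC_GREETING.search(msg.body):
        reasons.append("generic greeting")
    if URGENCY.search(msg.body):
        reasons.append("urgent or threatening language")
    if SENSITIVE.search(msg.body):
        reasons.append("asks for payment or sensitive details")
    if msg.sender and "@" in msg.sender:
        sender_domain = msg.sender.rsplit("@", 1)[1]
        if not domain_is_legitimate(sender_domain, msg.claims_to_be):
            reasons.append(f"sender domain {sender_domain} does not belong to {msg.claims_to_be}")
    for host in URL.findall(msg.body):
        if not domain_is_legitimate(host, msg.claims_to_be):
            reasons.append(f"link domain {host} does not belong to {msg.claims_to_be}")
    return len(reasons), reasons


# Constructed samples modelled on the scams described in this module.
SAMPLES = {
    "auspost_smishing": Message(
        "australia post",
        "Australia Post: Your parcel is awaiting delivery. Pay $2.50 redelivery fee: auspost-track.com/ID456"),
    "mygov_email": Message(
        "mygov",
        "Dear Customer,\nYour myGov account has been temporarily suspended due to unusual activity. "
        "Verify your identity immediately.",
        sender="mygov-security@gov-services.com"),
    "legit_auspost": Message(
        "australia post",
        "Hi Jane, your parcel is on its way. Track it at https://auspost.com.au/track",
        sender="noreply@auspost.com.au"),
}

if __name__ == "__main__":
    for name, msg in SAMPLES.items():
        score, reasons = score_message(msg)
        print(f"{name}: {score} red flag(s)")
        for reason in reasons:
            print(f"  - {reason}")
```

The smishing sample raises two flags (a fee request and a link domain that is not auspost.com.au), the myGov sample raises four, and the legitimate Australia Post notice raises none. The domain check is deliberately a suffix match on a dot boundary: track.auspost.com.au passes, but auspost-track.com and auspost.com.au.evil.example do not, which is the same rule the module gives for reading the part after the @ or the host in a URL.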

What to Do If You Click a Phishing Link

  1. Don't panic, but act fast
  2. Disconnect from the internet (unplug Ethernet or turn off Wi-Fi)
  3. Change your passwords from a different, clean device
  4. Report the incident to your IT/security team immediately
  5. Run antivirus/malware scans on your device
  6. Monitor accounts for unusual activity

📝 Test Your Knowledge

Now that you've learned about phishing and social engineering, take the quiz below!

Question 1 of 4: Which of these is the MOST reliable indicator of a phishing email?

Question 2 of 4: You receive an email claiming your bank account is locked. What should you do FIRST?

Question 3 of 4: What is "vishing"?

Question 4 of 4: A stranger claiming to be from IT calls asking for your password to "fix" your computer. This is an example of: