You get a text from a road toll provider asking you to update your payment details to avoid a fee. It feels urgent, so you click the link and enter your information - without realising it’s a phishing attempt designed to steal your information.
Phishing messages can catch anyone off guard. It’s easy to assume you’d never fall for one - but when a message looks urgent and comes from a familiar source, even the most cautious people can be tricked. Phishing is designed to look convincing and prompt quick action.
We’re going to take you through what phishing is, how it works, and ways to help you protect your personal and financial information online.
What is phishing?
Phishing typically involves cybercriminals trying to lure you in by impersonating a brand or company you trust. They phish for your information to try and swindle you out of your hard-earned money.
You can be ‘phished’ for information in various ways, such as email, SMS (also known as smishing), social media, and phone (also known as vishing).
Messages or emails often include links that look legitimate but lead to fake websites. Clicking through can expose your data or even install malware on your device. You might even receive a call from someone pretending to be from a reputable company to get the information they want.
It only takes one quick decision to compromise your information.
Common examples of phishing?
Phishing attacks can come from a variety of channels and any brand or organisation can be impersonated.
With advancing technology like artificial intelligence (AI), phishing messages are becoming harder to spot. Cybercriminals use these tools to craft convincing messages that appear legitimate, making it easier to trick people into sharing personal or financial information.
- Postal service impersonation: You receive a message or email claiming you missed a delivery or need to update your details to receive a package. The link directs you to a fake site asking for personal information.
- Government agency impersonation: A message appears to be from the tax office, saying your refund is delayed until you update your banking details. It might even say you owe a sum of money. The link leads to a form requesting sensitive financial information.
- Toll payment alerts: You’re contacted about an unpaid toll, with a link prompting immediate payment. The site may look legitimate but is designed to capture your data.
- Direct contact via message or social media: You receive a message or post with a link that installs malware or captures information that you type in.
Some red flags to watch out for include:
- Any email or message asking you to follow an external link.
- Being asked to verify your account details like your PIN, username and password.
- A sense of urgency or threat: that you will lose money or items, or even face prosecution, if you don’t immediately do what the message asks.
- A message that calls you by a generic name or title rather than using your name. For example, ‘Dear account holder’.
- Any unusual characters or numbers added to an email domain name or website address that could indicate it is only impersonating a legitimate company.
- Being prompted to fill in personal details or financial details to win a prize or enter a competition.
- “Similar but misspelt email addresses are common in phishing,” says Erica Hardinge, ANZ’s Product Area Lead in Staff & Customer Security Education & Resilience Enablement. “So it’s important to check the email address that’s contacting you.”
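As an added example (not part of the ANZ article), the following Python checker applies the domain red flags above to a sender address or link: it compares the domain against a constructed, hypothetical allow-list of genuine domains and flags digit swaps, close misspellings, non-ASCII characters, a brand name padded with extra words, and a real domain buried inside an unrelated one.

```python
import re
from urllib.parse import urlparse

# Constructed allow-list of senders the reader knows to be genuine (hypothetical).
TRUSTED_DOMAINS = {"anz.com", "anz.com.au", "auspost.com.au", "ato.gov.au"}
# Digit-for-letter swaps that make a fake name read like the real one.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t"})
SECOND_LEVEL = {"com", "gov", "net", "org", "edu"}   # for two-part suffixes like .com.au

def extract_host(contact: str) -> str:             # lower-cased host of an address or URL
    contact = contact.strip()
    if "@" in contact and "://" not in contact:      # email address
        return contact.rsplit("@", 1)[1].lower()
    return urlparse(contact if "://" in contact else "http://" + contact).hostname or ""

def registrable(host: str) -> str:                 # 'login.anz.com.au' -> 'anz.com.au'
    labels = host.split(".")
    if len(labels) >= 3 and labels[-2] in SECOND_LEVEL and len(labels[-1]) == 2:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])

def levenshtein(a: str, b: str) -> int:            # edit distance: catches small misspellings
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(contact: str) -> str:
    """Return 'trusted', 'suspicious: ...' or 'unknown ...' for a sender or link."""
    host = extract_host(contact)
    if any(ord(c) > 127 for c in host):       # e.g. a Cyrillic letter standing in for a Latin one
        return "suspicious: non-ASCII characters in domain"
    reg = registrable(host)
    if reg in TRUSTED_DOMAINS:                 # the genuine domain, or a subdomain of it
        return "trusted"
    swapped = registrable(host.translate(HOMOGLYPHS))   # 'anz.c0m.au' -> 'anz.com.au'
    if swapped in TRUSTED_DOMAINS:
        return f"suspicious: lookalike of {swapped}"
    for trusted in sorted(TRUSTED_DOMAINS, key=len, reverse=True):
        if f".{trusted}." in f".{host}.":      # real name buried inside another domain
            return f"suspicious: '{trusted}' used inside unrelated domain {reg}"
        if levenshtein(reg, trusted) <= 2:
            return f"suspicious: lookalike of {trusted}"
        brand = trusted.split(".")[0]
        if brand in re.split(r"[-_]", reg.split(".")[0]):   # 'anz-secure.com'
            return f"suspicious: brand '{brand}' with extra words in {reg}"
    return "unknown: not a trusted sender"
```

The allow-list stands in for the habit the article recommends: knowing which addresses a company really uses, and treating anything else as unverified until you have gone to the real website yourself.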
What is Session Hijacking?
Session hijacking is when a cybercriminal intercepts an active online session—such as your email, banking, or business applications—to gain unauthorised access to your account. This could happen if you use unsecured Wi-Fi, have malware on your device, or click on malicious links. Once an attacker hijacks your session, they may be able to access sensitive information or initiate unauthorised transactions.
Cybercriminals could use various techniques to hijack online sessions, including:
- Stealing session cookies: Many websites use session cookies to keep users logged in. Attackers may attempt to steal these cookies through malware, browser exploits, or unsecured network traffic.
- Man-in-the-Middle (MitM) attacks: If you're using an unsecured or compromised network (like public Wi-Fi), attackers might intercept and manipulate data between you and the website you're accessing, potentially gaining access to your session.
- Cross-Site Scripting (XSS): Attackers might inject malicious scripts into trusted websites that run in your browser, stealing your session tokens when you visit the page.
- Phishing and malware: If you click on a phishing link in an email, it may direct you to a fake login page to steal your credentials or inject malware that captures your session information.
While no security measure is foolproof, certain practices may help lower the risk of session hijacking:
- Use secure networks - Avoid logging into sensitive accounts on public or unsecured Wi-Fi. A VPN may add an extra layer of security.
- Log out manually and close the browser - Logging out manually, and then closing your browser, may help ensure session data isn't accessible after use.
- Enable Multi-Factor Authentication (MFA) - If available, MFA can provide an additional layer of protection, even if session data is compromised.
- Check for HTTPS encryption - Websites that use HTTPS encrypt data transmission, which may reduce interception risks.
- Keep software updated - Regular updates to browsers, operating systems, and security software may help patch vulnerabilities that attackers could exploit.
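As an added example (not part of the ANZ article), this Python sketch shows the server side of the protections listed above: a session cookie marked HttpOnly, Secure and SameSite so that page scripts and plain-HTTP eavesdroppers cannot read it, and a server-side session table so that logging out or going idle revokes a copied cookie. The class, the idle timeout and the cookie name are hypothetical.

```python
import secrets
from typing import Optional
from http.cookies import SimpleCookie

IDLE_TIMEOUT = 15 * 60   # seconds of inactivity before a session dies (hypothetical value)

def session_cookie(token: str, hardened: bool = True) -> str:
    """Build the Set-Cookie value for the session id.
    Hardened: HttpOnly keeps page scripts (XSS) away from it, Secure keeps it off
    plain HTTP where a network eavesdropper could read it, and SameSite=Strict stops
    other sites from sending it along with their requests."""
    cookie = SimpleCookie()
    cookie["sid"] = token
    if hardened:
        cookie["sid"]["httponly"] = True
        cookie["sid"]["secure"] = True
        cookie["sid"]["samesite"] = "Strict"
        cookie["sid"]["path"] = "/"
    return cookie.output(header="").strip()

class SessionStore:
    """Server-side session table. The cookie is only an opaque key into it, so a
    copied cookie stops working as soon as the user logs out or the session idles."""

    def __init__(self) -> None:
        self._sessions = {}          # token -> {"user": str, "last_seen": float}

    def login(self, user: str, now: float) -> str:
        token = secrets.token_urlsafe(32)            # 256 random bits: not guessable
        self._sessions[token] = {"user": user, "last_seen": now}
        return token

    def validate(self, token: str, now: float) -> Optional[str]:
        """Return the user for a live session, or None if unknown, revoked or idle."""
        entry = self._sessions.get(token)
        if entry is None:
            return None
        if now - entry["last_seen"] > IDLE_TIMEOUT:
            del self._sessions[token]                # idle session: forget it
            return None
        entry["last_seen"] = now
        return entry["user"]

    def logout(self, token: str) -> None:
        self._sessions.pop(token, None)              # revoke on the server, not just in the browser
```

This is why "log out manually" matters: closing a tab leaves the server-side entry alive until it times out, while an explicit logout removes it immediately.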
How to prevent phishing
Unfortunately, it won’t always be possible to spot a phishing message. Some messages or emails will appear almost identical to those sent by legitimate companies.
“Our email inboxes are loaded with emails often including a lot of irrelevant information, like junk mail,” says Erica. “Checking our emails can become a task we do without paying a lot of attention. But we must look out for unexpected, emotive calls to action and always check legitimacy before clicking on links, attachments or before providing personal information.”
Cybercriminals are intelligent and innovative, so the best way to protect yourself is by always practicing good digital hygiene, even when you think you can trust the source of your correspondence.
How to protect yourself:
- Take extra time and consideration when responding to ‘urgent’ correspondence. Cybercriminals often use urgency as a tactic, hoping you will miss or ignore the flaws in their username, website or email address.
- Never follow a link sent to you by any company via message or email. Instead, go directly to the relevant section of that company’s website and log in securely to see if your details actually need updating.
- Never share your passwords, bank details, credit card details or personal details after following a link, or when you have been contacted over the phone.
- Enable multi-factor authentication for all accounts you have, where possible.
- Don’t click on links or download attachments from an unexpected message or email.
What can you do if you think you’ve been phished?
If you think you have been phished, firstly, don’t blame yourself. Even the most tech-savvy among us have clicked the wrong link without thinking and found ourselves on a criminal’s hook.
- If you have shared financial information or believe you have transferred money to a cybercriminal, notify your bank immediately. If you’re an ANZ customer, contact us immediately to report the fraud.
- If you shared credit card details, block or cancel those cards immediately. If your cards are with ANZ, you can do this through the app.
Who can you contact if you’ve been phished?
- Report the scam to the Police through the Australian Signals Directorate’s ReportCyber portal. This resource is there for reports of scams where money or personal information has been lost.
- Help others by reporting to Scamwatch to help them prevent future losses, monitor trends and educate the population about emerging threats.
- For phishing or identity theft associated with government accounts such as Centrelink, Medicare, or Child Support, contact the Services Australia scams and identity helpdesk on 1800 941 126 or visit their website.
- You can also contact IDCare, a not-for-profit organisation that provides support to those experiencing identity and cyber security concerns.