Spot & Report Phishing and Scam Emails
Catch dodgy emails, texts and messages before anyone clicks - and report them the right way in Australia.
When to use
Any time an email, SMS or message feels off: an unexpected invoice, a "your account is locked" warning, a link you weren't expecting, a boss or supplier asking for money or gift cards, or a login page that pops up after you follow a link. Also use to teach your team a repeatable "stop and check" habit.
Steps
1. Stop before you click, tap or reply. Urgency is the scammer's main tool - "act now", "final notice", "account suspended" are pressure, not proof. 2. Check the real sender address, not just the display name. Tap or click the name to reveal the full address and look for odd domains (e.g. paypa1-support.com) or a public address (like gmail.com) pretending to be a company. 3. Preview links before opening them - hover on a computer, or long-press on a phone. If the visible text and the real destination don't match, don't click. 4. Watch for the classic tells: spelling and grammar slips, a generic "Dear Customer", requests for passwords or one-time codes, gift-card or cryptocurrency payment, or an attachment you didn't expect. 5. Verify through a channel you already trust. Ring the person or business on a number from their official website or a past invoice - never the number or link in the suspicious message. 6. Don't forward it to colleagues (that spreads the risk). Instead report it: use the "Report" or "Report phishing" button in your email app, then report to ReportCyber (cyber.gov.au/report) and Scamwatch (scamwatch.gov.au). 7. If someone already clicked or entered details: change that password immediately from a different device, turn on multi-factor authentication, watch for unusual activity, and tell whoever looks after your IT. 8. Keep a small "known scams" folder so your team learns to recognise the repeat patterns aimed at your business.
When to call a professional
If login details were entered, money was sent, or you suspect a work email account is compromised (for example, contacts start getting messages you didn't send), contact your IT provider or managed service provider (MSP). For urgent help you can also call the Australian Cyber Security Hotline on 1300 CYBER1 (1300 292 371), available 24/7.
ACSC reference: Aligns with the ACSC Small Business Cyber Security Guide - "Recognise and report scams" - and Essential Eight user application hardening (cyber.gov.au/smallbusiness).
Want your agent to fetch skills itself? The Academy MCP serves this whole library.
Connect via MCP