9 December 2025 · 4 min read
How to spot a phishing email before it's too late
Would you spot a fake email if it landed in your inbox right now?
Phishing emails are the number one way small businesses get done over - not clever hacking, just a convincing message that gets someone to click, pay, or hand over a password. The good news: most of them give themselves away if you know what to look for.
What actually is phishing?
Phishing is a scam email (or text) pretending to be someone you trust - a supplier, the bank, the ATO, Microsoft, even your own boss. The goal is to get you to act fast without thinking: click a link, open an attachment, or change where money gets sent.
They work because they feel normal and urgent. That combination is the trap.
What are the tell-tale signs?
Most dodgy emails trip at least one of these wires:
- Urgency or pressure - "Act now or your account will be suspended." Real organisations rarely rush you like this.
- An unexpected attachment - an invoice, receipt or "document" you weren't expecting. Don't open it.
- A mismatched sender address - the name says "ANZ" but the actual address is something like [email protected].
- Dodgy links - hover over any link (don't click) and check where it really goes. On a phone, press and hold to preview it.
- A request to change bank details - "Please update our account for future payments." This one costs Aussie businesses the most.
- Too good to be true - refunds, prizes, unexpected credits. If you didn't expect it, be suspicious.
- Subtle look-alike domains - ewanmelt.com.au instead of ewanmeit.com.au, or micros0ft.com with a zero. Easy to miss at a glance.
- Odd greetings or wording - "Dear Customer," clunky phrasing, or a tone that's slightly off for who it's meant to be from.
One sign might be nothing. Two or three together - stop and check.
What do these look like in real life?
A few we see hit Brisbane businesses regularly:
The fake invoice. An email that looks like it's from a supplier you actually use, with a PDF attached and a note that "our bank details have changed." Pay it and the money's gone - and it's very hard to claw back.
"Your mailbox is full." A warning that your email is over its limit and you'll stop receiving messages unless you "verify" now. The link goes to a fake Microsoft or webmail login built to steal your password.
The ATO or bank message. A text or email about a refund, an overdue payment, or "unusual activity," with a link to log in. The ATO and banks never ask you to confirm details or make payments through a link like this.
What is the one rule that beats nearly all of them?
Verify through a channel you already trust.
If a supplier emails new bank details, ring them on the number you already have - not the number in the email. If the bank messages about your account, log in the way you normally do or call the number on the back of your card. If a staff member gets an odd request from "the boss," a quick phone call settles it.
The scam relies on you staying inside their email. One phone call to a known number breaks the whole thing.
What if someone has already clicked?
It happens - don't panic, and don't hide it. Speed matters more than blame.
- If they entered a password, change it straight away - and anywhere else that password was reused.
- Turn on multi-factor authentication if it isn't already on.
- If bank details or a payment were involved, call your bank immediately - the first few hours are your best shot at stopping the money.
- Tell whoever looks after your IT so they can check nothing else was touched.
- Report it to Scamwatch and, if money's gone, to the police via ReportCyber.
A clicked link caught early is a scare. Caught late, it's a bill.
Can scammers pretend to be your business too?
Yes - and this is the part most owners miss. If your domain isn't locked down, scammers can send emails that look like they come from you, hitting your customers and suppliers. That's your name on their scam.
Three email settings - SPF, DKIM and DMARC - are what stop that. They're not something you notice day to day, but if they're missing or set up wrong, your business is an easy one to impersonate.
One last thing
If an email ever has you second-guessing, trust that instinct. Forward it to someone who can check - I'd much rather tell you it was nothing than hear about it a week after the money moved.
And if you want to know whether scammers could impersonate your business, the free scan checks exactly that.
Want me to check your domain?
Free health check, plain-English action list, yours to keep.