Phishing remains the number one way attackers get into business systems. It's not because people are careless; it's because modern phishing emails are genuinely convincing. We've seen fake invoices from "suppliers," urgent requests from "the boss," and delivery notifications that look pixel-perfect. Here's how to train your eye (and your team's) to catch them.
The display name might say "Commonwealth Bank" or "Australia Post," but the actual email address often tells a different story. Hover over (or tap on) the sender name to reveal the real address. If it's something like accounts@commbank-secure-update.xyz instead of a legitimate @cba.com.au address, it's fake.
Watch for subtle misspellings too: @commonwea1th.com or @australiapost-delivery.com are designed to fool a quick glance.
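As an added example (not code from the original post), here is a small Python check that automates the sender-address test above: it parses a From: header and flags a display name or look-alike domain that claims a brand without coming from that brand's registered domain. The brand table, keyword list and digit-for-letter map are constructed assumptions for this illustration, seeded with the @cba.com.au domain mentioned above.

```python
from email.utils import parseaddr

# Constructed allowlist for this example: brand -> registered domains and
# keywords that impersonators tend to embed in fake domains. Only cba.com.au
# comes from the post; the keywords are assumptions and should be tuned
# (short tokens like "cba" will match unrelated domains).
BRANDS = {
    "commonwealth bank": {
        "domains": {"cba.com.au"},
        "keywords": {"commonwealth", "commbank", "cba"},
    },
}

# Digits commonly swapped for look-alike letters (commonwea1th -> commonwealth).
HOMOGLYPHS = str.maketrans({"1": "l", "0": "o", "3": "e", "5": "s", "7": "t"})


def sender_parts(from_header: str) -> tuple:
    """Return (display name, domain) from a From: header value, both lower-cased."""
    name, addr = parseaddr(from_header)
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    return name.strip().lower(), domain


def is_registered(domain: str, legit: set) -> bool:
    """True if domain is one of the brand's domains or a subdomain of one."""
    return any(domain == d or domain.endswith("." + d) for d in legit)


def phishing_indicators(from_header: str) -> list:
    """List the reasons a From: header looks like brand impersonation (empty = clean)."""
    name, domain = sender_parts(from_header)
    if not domain:
        return ["no sender address"]
    normalised = domain.translate(HOMOGLYPHS)
    reasons = []
    for brand, info in BRANDS.items():
        if is_registered(domain, info["domains"]):
            continue  # genuine sender for this brand, nothing to flag
        if brand in name:
            reasons.append(f"display name claims '{brand}' but address is @{domain}")
        if any(k in normalised for k in info["keywords"]):
            reasons.append(f"@{domain} resembles '{brand}' but is not a registered domain")
    return reasons


if __name__ == "__main__":
    # Constructed sample headers modelled on the examples in the post.
    for hdr in ('"Commonwealth Bank" <accounts@commbank-secure-update.xyz>',
                '"Commonwealth Bank" <alerts@commonwea1th.com>',
                '"Commonwealth Bank" <noreply@cba.com.au>'):
        print(hdr, "->", phishing_indicators(hdr) or "looks genuine")
```

The same check can run as a mail-filter rule or over exported message headers; a non-empty list is a reason to verify through a separate channel, not proof of phishing on its own.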
Phishing emails almost always create a sense of urgency. "Your account will be suspended in 24 hours." "Immediate action required." "Your payment failed - update now." Legitimate organisations rarely threaten you via email with tight deadlines. If an email makes you feel panicked, that's by design: take a breath and verify through other channels before clicking anything.
This is the most important habit to build. Before clicking any link in an email, hover your mouse over it and look at the URL that appears (usually in the bottom-left of your browser or email client). Does it go where you'd expect? A link that says "Log in to your account" but points to a random domain is a dead giveaway.
On mobile, press and hold the link to preview the URL. If anything looks off, don't tap it.
Unexpected attachments, especially ZIP files, Office documents with macros, or PDFs from unknown senders, are a common way to deliver malware. If you weren't expecting a file, verify with the sender through a separate channel (phone call, Teams message) before opening it.
"Dear Customer," "Dear User," "Dear Account Holder": legitimate companies that have your account usually know your name. Generic greetings are a red flag, especially combined with other suspicious elements.
If an email asks you to do something (transfer money, update payment details, click a link, open a file) and there's any doubt at all, verify it through a completely separate channel. Call the person or organisation using a number you already have (not one in the suspicious email). Open a new browser tab and go directly to the website (don't click the email link). Send a separate message asking if the request is genuine.
It happens. The important thing is to act quickly. Disconnect the device from the network (turn off Wi-Fi, unplug Ethernet). Change passwords for any accounts that might be compromised. Report it to your IT support immediately. Don't delete the email; it's useful for investigation.
Creating a blame-free culture around reporting is essential. If staff are afraid of getting in trouble for clicking a bad link, they'll hide it, and that delay can be the difference between a contained incident and a full breach.
We offer practical cybersecurity awareness sessions for Townsville businesses. No death-by-PowerPoint, just clear, real-world examples and actionable advice that sticks. Get in touch to arrange a session for your team.