Think you can identify a scam? You are probably wrong (guide)

New research from KnowBe4 shows that while 57% of Aussies are confident they can identify a scam email (54% for SMS), there is a big fail: only 5% scored 100% in its tests.

Now, while that 57% may be confident of their anti-scam identification prowess, the 5% success rate shows they are not up with the latest scam techniques. These use sophisticated social engineering, data harvested from Facebook and other social networks, and the massive profile of you that already exists on the dark web to get past your guard.

According to the ACCC, Australians lost a record $211 million to scams in 2021 (up a massive 89% year on year). It will keep growing exponentially until Australians become scam-savvy.

Scams work on three things

  1. Trust: By posing as legitimate individuals and organisations, cybercriminals lower their target’s scepticism. As a more personal communication channel, SMS texts also naturally lower a person’s defences against threats.
  2. Context: Using a situation relevant to targets allows an attacker to build an effective disguise. The message feels personalised, which helps it override any suspicion that it might be spam.
  3. Emotion: By heightening a target’s emotions, attackers can override their target’s critical thinking and spur them into rapid action.

Would you ignore an email from your local gym, supermarket, hairdresser, pub, or café? No. Social engineering takes what it knows about you: where you live, shop, eat, drink and exercise. It then uses AI to craft a ‘spoofed’ email that looks legit but contains poisoned links to malware, or to equally legitimate-looking websites designed to suck up your financial information.

“If Australians cannot identify scam emails and SMS messages, they are at significant risk of getting phished or smished*. Our research shows that we are more likely to assume real messages are fake or scams and dismiss them, missing out on legitimate messages that require action. The key here is better education about cyber risk, which requires a joint effort from the government, employers, and individuals.”

– Jacqueline Jayne, Security Awareness Advocate for APAC at KnowBe4

* Smishing is a phishing attack delivered by SMS.

How to identify a scam

Jayne advises: “Be hyper-vigilant – Never share or confirm any of your personal information in response to an email, SMS or phone call. Don’t do it.”

You should only provide such information when you initiate the contact yourself via official channels (app, email, SMS, phone or website), never the other way around.

Here are some recent examples of the emotive wording used in these tactics:

  • Your credit card has been used for fraudulent activities; update your details now.
  • Open the attachment to see all the people with COVID-19 in your suburb.
  • Click here to claim your $200 (Woollies, Coles, Aldi, IGA) shopping voucher.
  • Like, share and comment to go in the draw to win a $50,000 car.
  • Unsubscribe from this mailing list.
  • You can jump the queue for your COVID-19 vaccine. Click here.
  • Bank Account Deactivation Notification – click here to confirm your details.
  • You have a new connection request on LinkedIn – click here to find out more.
  • Password change notification – your account has been compromised.
  • Congratulations! You have won a prize – click here to claim it.
  • Your package has been delayed (or needs a small payment to be delivered).

Emotive terms include “Final Notice”, “Police Action initiated”, “today only”, “act now”, “limited time – expires tomorrow” and more.

How to spot a scam (with thanks to Kaspersky)

  • Mistakes, typos, and strange characters in the text. Some criminals struggle with English, but attackers also purposefully make mistakes like “milion”, or use look-alike letters from other alphabets, in an attempt to bypass spam filters.
  • Inconsistent sender address. An email address made up of random letters and numbers, or one with the wrong domain name, is a sure sign of forgery when the sender claims to be writing from a large organisation.
  • Links in the email, or the website they lead to. Check links by hovering your cursor over them and reading the address carefully. Criminals bet on victims not paying enough attention to detect slight changes to the names of well-known companies or brands: think sumsung.com or qoogle.com. Never click a shortened, anonymous link such as a Bit.ly link (for example www.bit.ly.Woolworths).
  • Messages you receive in messaging apps and social networks can be just as dangerous: you can find malicious links in friends’ posts on Facebook, in comments posted by fake brand ambassadors on Twitter, or in DMs on Discord.
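The checks above (emotive wording, a sender domain that does not match the brand, look-alike domain names, shortened links, and letters borrowed from another alphabet) can be turned into simple detection heuristics. The script below is an added example written for this page; it is not code from CyberShack, KnowBe4 or Kaspersky. The brand list, the shortener list, the urgency phrases and both sample messages are constructed for the example, and the registrable-domain logic is a deliberately crude approximation (it knows about second-level suffixes like com.au but not a full public suffix list).

```python
"""Heuristic scam-message checker (added example, not from the original article).

Flags the signals the article lists, from the defender's side:
  * urgency / emotive wording ("final notice", "act now", ...)
  * a sender domain that does not match the organisation the mail claims to be from
  * look-alike brand domains ("sumsung.com" for samsung.com)
  * URL shorteners / anonymised links
  * words mixing letters from different alphabets (for example Latin and Cyrillic)
"""
import re
import unicodedata
from urllib.parse import urlparse

# Assumed mapping of brand name -> the domain it legitimately uses (constructed for the example).
KNOWN_BRANDS = {
    "woolworths": "woolworths.com.au",
    "coles": "coles.com.au",
    "samsung": "samsung.com",
    "google": "google.com",
    "linkedin": "linkedin.com",
}

# Constructed list of shortener domains to treat as anonymised links.
URL_SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl"}

# Emotive phrases drawn from the article's examples (constructed list, lower-case).
URGENCY_PHRASES = [
    "final notice", "police action", "today only", "act now", "limited time",
    "expires tomorrow", "confirm your details", "account has been compromised",
    "click here to claim",
]

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def levenshtein(a: str, b: str) -> int:
    """Edit distance; a distance of 1 from a known brand is the 'slight change' the article warns about."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_domain(host: str) -> str:
    """Crude registrable domain: last two labels, or three for suffixes like com.au (assumption, not a PSL)."""
    labels = host.lower().strip(".").split(".")
    if len(labels) >= 3 and len(labels[-1]) == 2 and labels[-2] in {"com", "net", "org", "gov", "edu"}:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def uses_shortener(host: str) -> bool:
    """True when a shortener domain appears as a whole label sequence anywhere in the host (catches bit.ly.woolworths)."""
    padded = "." + host.lower() + "."
    return any("." + s + "." in padded for s in URL_SHORTENERS)


def scripts_in(word: str) -> set:
    """Set of Unicode script names (first word of the character name) used by the letters in a word."""
    names = set()
    for ch in word:
        if ch.isalpha():
            name = unicodedata.name(ch, "")
            if name:
                names.add(name.split()[0])
    return names


def check_message(sender: str, claimed_org: str, body: str) -> list:
    """Return a list of 'category: detail' strings; an empty list means no heuristic fired."""
    findings = []
    low = body.lower()
    for phrase in URGENCY_PHRASES:
        if phrase in low:
            findings.append(f"urgency: '{phrase}'")
    sender_domain = sender.rsplit("@", 1)[-1].lower()
    expected = KNOWN_BRANDS.get(claimed_org.lower())
    if expected and registrable_domain(sender_domain) != expected:
        findings.append(f"sender: {sender_domain} does not match {claimed_org} ({expected})")
    for url in URL_RE.findall(body):
        host = urlparse(url).hostname or ""
        if uses_shortener(host):
            findings.append(f"shortener: {url}")
        reg = registrable_domain(host)
        label = reg.split(".")[0]
        for brand, legit in KNOWN_BRANDS.items():
            # Same brand name (or one edit away) on a domain that is not the real one.
            if reg != legit and levenshtein(label, brand) <= 1:
                findings.append(f"lookalike: {host} resembles {legit}")
    for word in re.findall(r"\w+", body):
        if len(scripts_in(word)) > 1:
            findings.append(f"mixed-script: {word!r}")
    return findings


# Constructed sample messages: one scam-like, one benign.
SCAM_SENDER = "security-alert@woolworths-rewards.xyz"
SCAM_BODY = (
    "FINAL NOTICE: your Woolworths account has been compromised. "
    "Act now and confirm your details at http://www.bit.ly.woolworths/verify "
    "or visit http://woolwortths.com.au/login. "
    "Also see http://sumsung.com/offer and your G\u043e\u043egle bonus."  # Cyrillic 'о' twice
)
CLEAN_SENDER = "news@woolworths.com.au"
CLEAN_BODY = "Your weekly specials are at https://www.woolworths.com.au/specials"

if __name__ == "__main__":
    for line in check_message(SCAM_SENDER, "Woolworths", SCAM_BODY):
        print(line)
    print("clean message findings:", check_message(CLEAN_SENDER, "Woolworths", CLEAN_BODY))
```

Running it prints nine findings for the constructed scam message (four urgency phrases, the mismatched sender domain, the bit.ly-style link, two look-alike domains and the mixed-script word) and none for the benign one. The point is not that any single signal is conclusive; it is that several of the article's tells can be scored mechanically, which is what mail filters do at scale.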

Been scammed? Act quickly

  • Contact any relevant financial institution and freeze your cards and accounts.
  • Report the scam at ScamWatch.
  • If it is an ATO-related scam, visit the Verify or Report a Scam page on the ATO website, or call the ATO on 1800 008 540.
  • If you believe a cybercriminal has stolen your identity, contact IDCARE (Australia and New Zealand’s national identity and cyber support service).
  • Contact the actual company that has been spoofed and send it the scam so it can take action.

Proactive things you can do to identify scams and reduce how many reach you

  • If an app asks for your birthday – lie and take off ten years (unless it is a government app).
  • Set up a junk Gmail account for all web activity and use it instead of your personal Gmail or Outlook account (never use your work account).
  • Use a pseudonym for both the email address and your name, so if someone emails that pseudonym you know it is not a personal email.
  • Use an avatar instead of your picture (stops your photo being ripped off for face ID).
  • Don’t give any more information than necessary.
  • Never set up family or friends’ groups (unless you need them).
  • Never store passwords or personal information in Google contacts, as apps like Facebook suck them up. Use the cloud-based Outlook contacts if you must.
  • Never use your Facebook (#Delete Facebook) or any social media account to log in to any app. Use your junk email instead.
  • Get a junk credit card for all online transactions with a low spend limit that you can afford to lose.
  • Use a recognised paid (not free) anti-virus and malware solution to identify suspect SMS or email and set up a protected browser for financial activity.
