A criminal doesn't even need your physical card to commit fraud. All they require are your personal details or card information, and one way they can get these is through a process known as "phishing".
A phishing scam aims to trick people into giving away their personal information so it can be used for fraud. Phishing messages look like they're from legitimate sources and can come through emails, phone calls, text messages or even social media channels. This guide focuses on how to spot email phishing scams, but it can help you avoid other phishing scams as well.
How serious is this type of fraud in Australia?
Most Australian credit card fraud doesn't even involve the scammer getting a hold of the victim's physical card. Data published by the Australian Payments Network in December 2019 shows that this kind of fraud cost Australians around $450 million in the 2018/2019 financial year.
Phishing is one form that this kind of fraud can take. If you want to see a list of current scams that include phishing, you can also check the government's active database on the Scamwatch website.
How to spot an email phishing scam
While phishing scams can vary widely in approach, email scammers will generally pose as a friend, a bank or another trusted organisation in order to trick or scare you into responding or providing details.
Fortunately, the vast majority of scams share a few telltale signs that mark them as being fraudulent. Here are some common signs:
- Unofficial email address. Always check the address the message has been sent from. See if it matches legitimate correspondence that you've had before, or if it has been sent from a generic server like @gmail or @hotmail. Emails from official institutions are usually sent from that institution's own server. For example, a message from the government should come from a ".gov.au" address.
- Suspicious links or attachments. Never follow links to a third-party website from an email. If you think a link may be legitimate, hover over it and check whether it's secure (flagged by "https://" at the start of the link address). Don't download or open attachments unless you're absolutely certain of what they are. If you're not, double-check them with the supposed sender or simply ignore/delete them.
- Urgent demands for payment or information. Scammers will often create a sense of urgency to trick you into doing things you wouldn't normally do. If the email contains threats, demands immediate action or asks for your personal information, don't trust it.
- Poor spelling and grammar. Less sophisticated scams are more likely to be full of typos and grammatical errors than proofread correspondence from your bank. Don't rely on this method alone, though – good grammar doesn't necessarily make it trustworthy either.
Email spam filters often pick up potential phishing scams, but it's important to stay aware. If you suspect an email of being a scam, delete the message and don't click on any links. If you suspect you've been the target of a scam, follow the advice below.
A real example: The Latitude Finance scam
To help give you some idea of what a sophisticated email phishing scam might be like, here's one that was directed at customers holding a Latitude Financial Services Mastercard in January 2020.
Essentially, an official-looking email was sent to holders of a Latitude Mastercard, asking them to update their security details immediately. Following the link took recipients to another official-looking page, where they were prompted to enter their card details. Both the page and the email had proper branding and formatting and language consistent with what you might expect from a financial institution.
Here's a breakdown of what made this scam believable and what gave it away.
|Looked legitimate...||Probably a scam...|
|The email address ended in "@latitudefinancial.com.au". This was done using a hacked mail server.||The use of urgent language such as "action required" was designed to rush recipients into making a decision.|
|Official branding, headers and footers that were consistent with real emails were used.||The lack of personal address in the email and the fact that it did not address the recipient by name.|
|Clicking the link directed users to a convincing replica of Latitude's own page, complete with logos and proper branding.||The fake website it redirected to didn't start with "https://", which would indicate that it's a secure destination.|
|Spelling, grammar and phrasing were correct and the email was well-formatted.||There were still some spacing errors in the email itself.|
|Came through to peoples inboxes (instead of being filtered to their junk mail or spam folders).||The email was related to security. Security and protection "upgrades" or "updates" are some of the most common ways to pressure people into providing information.|
As you can see, there's no guaranteed method of spotting a sophisticated scam. Keeping your guard up can help, but you should always treat any request for personal information in an email with extreme caution, no matter how legitimate the source seems to be.
What should I do if I've been scammed?
- Notify your bank. If you think a scammer has gained access to your credit card or bank details, let your bank know immediately. They can freeze your account and potentially reverse unauthorised transactions. The faster you report it, the better.
- Contact the proper authorities. According to the government's MoneyWatch banking and credit scams page, here's who you should notify for different financial scams:
- Report the scam and help others. No matter the scam, the government also recommends that you report it to Scamwatch so that other people know what to look out for.
Tips to avoid being scammed
Never respond immediately or agree to anything if an email or phone call seems suspicious. Contact the organisation that the person claims to be from, especially if it's a reputable company or group that you've heard of. Ask if they have any knowledge of the communication and go from there.
Some companies and websites only exist for fraudulent activity. Never use a link or contact number given to you in a suspicious communication, as this could be part of the scam.
You can learn more about protecting yourself from fraud and scams with this Finder guide.