Phishing for business

Phishing is a way that criminals steal confidential information by sending fraudulent messages (sometimes called ‘lures’).

Pronounced 'fishing', these deceptive messages pretend to be from individuals or organisations you know and can be sent via email, SMS, instant messaging or social media platforms. They mimic phrasing, branding and logos to appear 'real' and trick you to click on a link or attachment. They often contain a link to a fake website where you are encouraged to enter confidential business details, like passwords or credit card details, to pay a fake account (for example).

It doesn’t matter what type or size of business you are in, phishing can affect you.

Use this guidance to learn about how to protect your business from phishing.

Tip: Be wary - don’t click on links in unexpected emails or messages from people or organisations you don’t know.

Phishing emails have been used by criminals to steal financial details from Australians for a number of years (phishing emails were first observed in Australia in 2003) but have become increasingly sophisticated since then.

It used to be easy to recognise and ignore a phishing email because it was badly written or contained spelling errors, but current phishing messages appear more genuine. It can be very difficult to distinguish these malicious messages from genuine communications.

Because of phishing, many companies now don’t ask customers to update or verify confidential details, such as passwords, PINs, or account details online.  This helps people to tell the difference between legitimate business emails, and those that may be phishing attempts.

Spear phishing

More dangerous still are a class of phishing messages known as ‘spear phishing’. These messages target specific people in organisations, like the business owner, receptionist, finance or payroll manager, and may contain information about the organisation or recipient to make them appear more authentic.

These messages can be extremely difficult to detect – even for trained professionals – as they catch people with their guard down.

For example, you might get a message that appears to be from your own company’s IT help desk asking you to click on a link and change your password because of a new policy – would you click the link?

Protect your business from phishing attempts

The best way to protect your business from phishing attempts is to stay abreast of current threats, be cautious online and to take steps to block malicious or unwanted messages from reaching your business in the first place.

Invest in staff awareness

Increasing awareness of online risks such as phishing, and the way criminals operate online, is a good way to improve the resilience of your organisation against such threats. Train your staff to use safe behaviour online.

It doesn’t matter if you are a small or large business, not-for-profit club, if you employ a staff member responsible for IT or outsource that to someone else – there are simple steps you can take to protect your staff and your business.

Educate staff to be cautious of:

  • requests for money, especially if they claim to be ‘urgent’ or ‘overdue’, or appear to come from a senior executive in the organisation that you wouldn’t usually get these type of requests from
  • unexpected notification of supplier bank account changes
  • suspicious email attachments
  • requests to check or confirm login details.

Make sure staff are aware of these techniques and implement processes that prevent these situations, such as having a two-step process to verify requests to change account information or payments, etc.

You can also take the following steps to protect your business from phishing attempts:

  • If a message seems suspicious, contact the person or business separately to check if they are likely to have sent the message. Use contact details you find through a legitimate source and not those contained in the suspicious message.
  • Use a spam filter to block deceptive messages from even reaching your business.
  • Understand that your financial institution and other large organisations (such as Amazon, PayPal, Apple, Facebook, Google and others) would never send you a link and ask you to enter your confidential business or financial details.
  • Stay informed on the latest threats – sign up for the Stay Smart Online Alert Service. You can also find information about the latest scams on the Australian Government’s Scamwatch website,

For more advice on implementing security awareness across your organisation, download a copy of the Security Awareness Implementation Guide.

What to do if you think you have revealed confidential information

Is your organisation prepared to respond to ID theft as a result of a successful phishing attempt?

As a manager or owner of a business, you are responsible for protecting sensitive organisational, member and customer information. Your brand and reputation are the most important assets your organisation has.

Depending on your organisation, there may be clear legal obligations regarding security, confidentiality and privacy of data or sensitive personal and financial information.

If you are unsure of your obligations, you could contact:

  • the business advisory service run by your local council or state or territory government
  • Office of the Australian Information Commissioner –
  • Office of the eSafety Commissioner –
  • your relevant industry or member association.

IDCARE also works with organisations of all sizes to make sure they know what to do if customer details are digitally or physically stolen. They can provide 'best practice' recommendations and support for your particular situation.

Find out more about IDCARE by visiting

More information and reporting

More information on phishing and email scams is available the Scamwatch – Phishing scams web page. You can report scams on the same website.

You can also report phishing scams to the Australian Cyber Security Centre's ReportCyber.

If you receive a phishing attempt that unlawfully copies a legitimate brand, report it to the organisation that is being copied. Remember, do not forward the malicious email. Instead, take a screen shot (print screen) or screen snip and send the image to the company so they can see the detail of the scam.