Charles Sturt University

Phishing

Phishing is the act of attempting to acquire information such as usernames, passwords and credit card details by sending an email which appears to be from a legitimate business, organisation or individual. Phishing emails most commonly direct you to click a link, go to a website and enter your details. The website often looks exactly the same as the legitimate one and has been set up to capture your username and password. Sometimes just clicking a malicious link can trigger the download of spyware to your computer. Spyware can be installed in the background without your knowledge so it can collect and transmit all your passwords and other personal details.

Unsolicited emails with attachments often contain viruses or other malicious files which are also designed to capture and transmit your information, or to allow scammers to access your computer while you are on the Internet. You should be alert to all of the threats which exist. According to ASIC, 1 in 20 Australians fall victim to scams or personal fraud each year. Prevention is the best protection against scams: the more you know about phishing and scam attempts, the less likely you are to be tricked into providing your details.

Falling victim to phishing emails can cause problems not only for you but also for the University. This is because compromised email accounts are used to keep distributing these unsolicited emails to more unsuspecting people. When other organisations detect large volumes of unsolicited emails coming from a particular organisation they blacklist it (block delivery) to protect themselves. This means even legitimate emails coming from an address in that organisation cannot get through.

Test your knowledge with this quick quiz

The US Federal Trade Commission has created a great little quiz which you can use to test your likelihood of being caught by a phishing scam. It provides details for US organisations to follow up. See SCAMwatch and Where Can I Find More Information? for Australian organisations who can provide more advice and assistance.

Why is it called phishing?

The term phishing is a variant of fishing. It refers to emails being used as bait in the hope that potential victims will bite by

  • clicking a link and entering their username and password so they are captured by the fake website
  • opening a malicious attachment which installs spyware or a virus on the computer which is used to capture and transmit usernames, passwords and financial information such as credit card details
  • complying with requests to verify information by providing it to the scammer in an email or phone call

What do phishing emails look like?

Phishing emails come in many forms and variants; they may impersonate

  • CSU
  • your bank or financial institution
  • eBay or PayPal
  • government departments eg ATO or Centrelink
  • a service provider eg Telstra, Optus, Vodafone

They use official-looking logos, images, letterheads and language to trick you into believing it's real. They often convey a sense of urgency and advise that if you don't click the link you will

  • lose access to your account, have it suspended or terminated
  • be charged a fee (eg if you don't log in and change to online billing you will be charged $5 a month for paper bills)
  • be taken to court for an overdue account unless you pay it online now (eg tax, phone, electricity, gas etc)

You should always be wary of any emails which ask for personal information. This includes prompting you to log in to an account (CSU, personal email, online banking, Amazon or other online retailer, eBay, PayPal, online share portfolio etc).

Messages or websites phishing for information might ask you to enter

  • usernames and passwords
  • bank account numbers
  • client or customer numbers
  • your name and home address
  • PINs (Personal Identification Numbers)
  • full credit card numbers
  • your mother’s maiden name
  • your date of birth

Legitimate businesses and organisations will never send unsolicited requests for information in this way. They already have your account information and do not need you to verify it. Use the Yellow Pages to look up the business or organisation's phone number if you want to verify the authenticity of any electronic message (eg an email, SMS or information on a website which seems suspicious).

What is a phishing website?

A phishing website is one that has been set up to impersonate a legitimate website and capture information. Phishing websites often look identical to the authentic site because scammers replicate its layout, colours and text, and use logos and images obtained from the real site.

If you are alert you can sometimes notice subtle differences in the URL (website address) of spoof websites. The legitimate URL of the Australian eBay account login page is https://signin.ebay.com.au

An example of a website URL trying to impersonate the Australian eBay login page is http://signin-ebay.com.au

Did you spot the differences? There are two. The legitimate eBay login page starts with https and has a full stop between the word signin and ebay. The spoof website starts with http and has a dash between signin and ebay.

Legitimate e-commerce sites use encryption to help keep your information safe. An address that starts with https indicates it's a secure site which uses encryption to transmit your login and financial details. Websites which use encryption display a lock symbol in the browser window. Clicking on the lock symbol allows you to verify that a security certificate was issued to that site, which is a sign that it's a legitimate and trusted website.
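The two checks described above (https, and the real domain separated by a dot rather than a dash) can be written down as a small script. This is an added example, not part of the original page; the trusted-domain list is an assumption for illustration, and it also catches the trusted name being used as a prefix of an unrelated domain or hidden behind a user@ prefix.

```python
from urllib.parse import urlsplit

# Assumed allow-list of login domains for this example; an organisation would
# maintain its own list of the sites its staff and students log in to.
TRUSTED_DOMAINS = ("ebay.com.au", "csu.edu.au")


def host_is_trusted(host: str) -> bool:
    """True only when host is a trusted domain or a genuine subdomain of one.

    The comparison is on whole labels, so 'signin.ebay.com.au' passes but
    'signin-ebay.com.au' (dash, not dot) and 'ebay.com.au.example.net'
    (trusted name used as a prefix of another domain) both fail.
    """
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)


def check_login_url(url: str) -> list[str]:
    """Return the warning signs found in a login URL.

    An empty list means the URL uses https and points at a trusted host.
    """
    parts = urlsplit(url.strip())
    warnings = []
    if parts.scheme.lower() != "https":
        warnings.append(f"scheme is {parts.scheme!r}, not https")
    # hostname strips any 'user@' prefix and port, so a URL such as
    # https://signin.ebay.com.au@example.net is judged on example.net
    host = parts.hostname or ""
    if not host_is_trusted(host):
        warnings.append(f"host {host!r} is not a trusted domain")
        # Name the lookalike trick from the eBay example: brand name present,
        # but not as a label of the real domain
        for d in TRUSTED_DOMAINS:
            brand = d.split(".")[0]
            if brand in host:
                warnings.append(f"host contains the brand name '{brand}' but is not {d}")
    return warnings


if __name__ == "__main__":
    for u in ("https://signin.ebay.com.au", "http://signin-ebay.com.au"):
        print(u, "->", check_login_url(u) or ["no warning signs"])
```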

What to do if you have been tricked

  • Use an uncompromised computer with up-to-date virus protection to change your account password
  • Visit "Have you been scammed?" to find out what steps you can take to reduce the damage and protect yourself against follow-up scams

SCAMwatch

SCAMwatch is a website set up by the Australian Competition and Consumer Commission (ACCC) to provide information to consumers and small businesses about how to recognise, avoid and report scams.

How can I protect myself?

  • Do not respond to requests to provide information by return email or by entering your account information on a website
  • Use security software including antivirus, antispyware and a firewall. Ensure your antivirus and antispyware software is kept up to date
  • Keep your computer's operating system up to date by ensuring automatic updates are switched on
  • If you want to access an internet account website, use a bookmarked link or type the address in yourself
  • Do not click on any links in a phishing email and do not open any files which are attached to phishing emails
  • Delete phishing emails
  • Never call a telephone number that you see in an unsolicited email to verify the authenticity of the email (use the Yellow Pages to locate the required telephone number)
  • NEVER reply to a spam email (even to unsubscribe)
  • Always look for "https://" and a padlock on websites that require personal information
  • Educate yourself about the tricks that are used and about current scams so you can easily recognise them. Fraudwatch International maintains a list of phishing alerts (including those which affect Australians)

Where can I find more information?

You can sign up for email alerts from the Australian site Stay Smart Online to keep up to date about a variety of topics including phishing, scams, fraud, hoaxes, identity theft, privacy and social media (Facebook, Google and Twitter).

Do you have questions or need to report a phishing email?

You can report any phishing emails to

If the email or website tried to obtain your CSU details forward the email or send the URL to

Internet Explorer provides a SmartScreen Filter to help protect you from phishing websites; you can also use it to report a phishing website.

If you have further questions or need to report a phishing email which attempted to obtain your CSU details contact the IT Service Desk.
