How to Spot Phishing Scams in 2026: Red Flags - tech-insider.org
Sophie Lawson
June 5, 2026
Key Takeaways
Australians reported 2.18 billion dollars in scam losses across 2025, and phishing was the single most-reported scam type to Scamwatch with more than 65,000 reports.
The four phishing channels to watch in 2026 are email, SMS (smishing), phone or voice (vishing), and QR codes (quishing), and AI now makes the fake messages cleaner and harder to pick.
The clearest red flags are unexpected urgency, a request to click a link or scan a code, a sender or number you cannot verify, and any demand to move money or confirm a one-time code.
If you think you have been caught, act fast: call your bank on its official number, change passwords, turn on two-factor authentication, and report to Scamwatch and ReportCyber.
Free Australian help is real and worth using: Scamwatch for reporting, ReportCyber on 1300 292 371 for cybercrime, and IDCARE on 1800 595 160 if your identity is at risk.
Phishing is no longer the clumsy, typo-ridden email most of us learned to laugh off. In 2026 the messages are polished, the phone calls sound human, and the QR code stuck to a parking meter can be every bit as dangerous as a dodgy link. Australians felt the cost directly: the National Anti-Scam Centre reported 2.18 billion dollars in losses across 2025, and phishing topped the list as the most-reported scam type to Scamwatch. This guide walks through how each phishing channel works, the red flags that give scammers away, and the exact steps to take if you click before you think. If you only do one thing after reading, turn on two-factor authentication on your email and banking, because it blocks most account takeovers even when a password leaks.
What phishing actually is in 2026
Phishing is any attempt to trick you into handing over personal information, login details, or money by pretending to be a person or organisation you trust. The disguise might be your bank, Australia Post, the ATO, myGov, a streaming service, or even a colleague. The goal is always the same: get you to act before you stop to check.
What changed recently is the quality. Generative AI lets scammers write fluent, grammatically correct messages in seconds, clone a voice from a few seconds of audio, and spin up a fake login page that looks identical to the real one. Security researchers reported that AI-assisted phishing emails drew click rates several times higher than older, hand-written attempts. The old advice to watch for bad spelling still helps, but it is no longer enough on its own.
The other shift is volume across channels. Email is still the workhorse, but SMS scams grew sharply through late 2025 and into 2026, with some industry trackers reporting smishing volumes rising by roughly 30 to 40 per cent quarter on quarter, and QR-code phishing detections climbed steeply over the same period. Treat every channel as a possible delivery route, not just your inbox.
Scale is the reason this matters for ordinary Australians, not just big companies. The National Anti-Scam Centre combines reports from Scamwatch, ReportCyber, IDCARE, the Australian Financial Crimes Exchange, and ASIC, and that combined picture showed roughly 2.18 billion dollars in reported losses across 2025. Phishing alone accounted for tens of millions of those dollars and was the most-reported scam type to Scamwatch, with more than 65,000 reports. Early 2026 figures pointed in the same direction, with hundreds of millions of dollars reported lost in the first quarter alone.
The four channels: email, SMS, voice and QR
Most phishing reaches you through one of four channels. Knowing how each one behaves makes the fakes easier to spot, because the trick is usually the same even when the wrapping changes.
Email phishing remains the most common. It often impersonates a brand you use, includes a logo and a believable reason to act, and points to a link that leads to a fake login page. Business email compromise, where a scammer poses as a manager or supplier and asks for an urgent payment or a change of bank details, is the costliest version for organisations.
Smishing is phishing by SMS. Fake parcel-delivery texts, toll-road notices, bank alerts, and ATO or myGov messages are common in Australia. The link is usually shortened to hide where it really goes. Vishing is the voice version, where a caller claims to be from your bank, a telco, or a government agency and pressures you over the phone, sometimes using a cloned or spoofed number. Quishing uses a QR code, printed on a sticker, a flyer, a parking meter, or embedded in a PDF, to send your phone to a malicious site that a link filter never gets to scan.
| Channel | What it is | Common Australian lure | Top red flag |
| --- | --- | --- | --- |
| Email phishing | Fake email from a trusted brand or person | Bank security alert, ATO refund, parcel held | Link to a login page you did not request |
| Smishing (SMS) | Phishing by text message | Parcel redelivery fee, toll notice, myGov alert | Shortened link plus pressure to act now |
| Vishing (voice) | Phishing by phone call or voicemail | Bank fraud team, NBN or telco, ATO debt | Caller asks for codes, passwords or remote access |
| Quishing (QR code) | Phishing via a scanned QR code | Parking meter sticker, menu, invoice PDF | QR sends you to a login or payment page |
How AI changed the threat
Artificial intelligence did not invent phishing, but it removed many of the tells we relied on. Messages now read like they were written by a native speaker, with correct grammar, on-brand tone, and details pulled from data breaches or public social posts. A lure that references your recent order, your suburb, or your employer feels far more convincing than a generic blast.
Voice is the area that unsettles people most. With a short audio sample, a scammer can clone a familiar voice well enough to fool a quick phone call, then layer on urgency: an audit is happening now, a payment must go out today, a family member is in trouble and needs money. Treat any urgent voice request to move money or share a code as suspect until you confirm it through a separate, known channel.
The practical takeaway is to shift from spotting mistakes to verifying intent. Instead of asking whether a message looks polished, ask whether the request itself makes sense, whether you initiated it, and whether you can confirm it independently. A clean, professional message is now the baseline, not a reassurance.
Red flags that apply to every scam
Phishing changes its costume constantly, but the underlying pressure tactics rarely change. If you train yourself to notice these signals, you can catch most attempts no matter which channel they arrive on.
Urgency or fear: your account will be closed, a fine is overdue, a parcel will be returned unless you act in minutes.
An unexpected link or QR code, especially a shortened or slightly misspelt web address.
A request for a one-time passcode, password, PIN, or remote-access app such as AnyDesk or TeamViewer.
A sender, number, or email address you cannot verify, or that almost matches a real one.
A change to payment details, or a request to pay by gift card, cryptocurrency, or a quick bank transfer.
Contact that comes out of the blue but references real details about you, which can come from a past data breach.
No legitimate bank, government agency, or reputable business will ask you to read out a one-time code, install remote-access software, or move your money to a so-called safe account. Those three requests are among the strongest signs you are being scammed, and seeing any of them should stop the conversation immediately.
It also helps to recognise the impersonation scripts that keep appearing in Australia. The table below pairs the most common disguises with the red flag that exposes each one and what a genuine organisation would actually do.
| Who they pretend to be | Typical message | The red flag | What the real one does |
| --- | --- | --- | --- |
| Your bank | We blocked a suspicious payment, confirm it now | Asks for a code or to move funds to a safe account | Asks you to call back or check the app; never requests codes |
| ATO or myGov | You are owed a refund, or a debt is overdue | A link to log in or claim money | Directs you to log in via my.gov.au yourself, no link with codes |
| Australia Post or a courier | A parcel is held, pay a small fee to release it | A link asking for card details or a fee | Does not text links demanding payment to release a parcel |
| A telco or NBN | Your internet will be cut off today | Pressure to install remote-access software | Will not cold-call you to install software on your device |
| A family member or boss | I am in trouble, send money urgently | Urgency plus a new number or account | Can be reached on their known number to confirm |
Spotting a phishing email
Start with the sender. Hover over the display name on a computer, or press and hold on a phone, to reveal the real email address. Scammers often use a lookalike domain, swapping a letter or adding a word, so an address such as service-name.security.example is easy to mistake for the real one at a glance.
Next, check the link before you click. Hover to preview the destination and confirm it matches the organisation you expect. Be wary of links that lead to a login page when you did not start a sign-in, and of attachments you were not expecting, particularly password-protected files that ask you to enable content.
Finally, judge the request itself. Banks and agencies will not email you a link and ask you to log in to fix an urgent problem. When in doubt, do not use any contact detail inside the message. Open a new browser tab and type the official address yourself, or use the bank app you already trust.
Watch the small details that AI still tends to get wrong. The greeting may be oddly generic, such as Dear Customer, when the real organisation knows your name. The reply-to address may differ from the sender. A logo might be slightly the wrong shade, or the footer might list an address that does not match the real business. None of these is proof on its own, but a cluster of them alongside an urgent request is a reliable warning. When the message has an attachment, be especially careful with files that ask you to enable macros or content, since that is a common way malware gets in.
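The sender, reply-to, link and greeting checks described in this section can also be run mechanically over a raw message. The script below is an added example, not code from the original article; the trusted domain, the shortener list, the flag names and the sample email are all constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumptions: a hypothetical official domain and a small sample of shortener hosts.
TRUSTED_DOMAINS = {"examplebank.example"}
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co"}
GENERIC_GREETING = re.compile(r"\bdear (customer|user|client|member)\b", re.I)
URL_LIKE_TEXT = re.compile(r"(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?", re.I)

class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def is_trusted(host):
    """True if host is an official domain or a subdomain of one (suffix match)."""
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)

def red_flags(raw_email):
    """Return the sorted red flags found in one raw email."""
    msg = message_from_string(raw_email)
    flags = set()
    from_host = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    reply_host = parseaddr(msg.get("Reply-To", ""))[1].rpartition("@")[2].lower()
    if not is_trusted(from_host):
        flags.add("sender-domain-not-official")      # lookalike or unrelated sender
    if reply_host and reply_host != from_host:
        flags.add("reply-to-differs-from-sender")
    body = ""
    for part in msg.walk():                           # handles single-part and multipart
        if part.get_content_maintype() == "text":
            raw = part.get_payload(decode=True) or b""
            body += raw.decode(part.get_content_charset() or "utf-8", "replace")
    if GENERIC_GREETING.search(body):
        flags.add("generic-greeting")
    collector = LinkCollector()
    collector.feed(body)
    for href, text in collector.links:
        host = (urlparse(href).hostname or "").lower()
        if host in SHORTENERS:
            flags.add("shortened-link")               # destination is hidden
        elif not is_trusted(host):
            flags.add("link-leaves-official-domain")
        if URL_LIKE_TEXT.fullmatch(text):             # visible text claims to be a URL
            shown = urlparse(text if "://" in text else "//" + text).hostname
            if shown and shown.lower() != host:
                flags.add("link-text-mismatch")
    return sorted(flags)

# Constructed sample message (not a real email).
SUSPICIOUS = """\
From: "Example Bank Security" <alerts@examplebank-security.example>
Reply-To: help@mailbox.example
Content-Type: text/html; charset=utf-8

<p>Dear Customer, we blocked a suspicious payment. Confirm it now.</p>
<a href="https://login.examplebank-security.example/verify">www.examplebank.example/login</a>
"""
print(red_flags(SUSPICIOUS))
```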
Spotting smishing (SMS scams)
Australian smishing leans heavily on parcels, toll roads, banks, and government services. A text might claim a delivery needs a small fee, a toll is unpaid, or your myGov account has a problem, then push you toward a link. Because phone screens are small and links are shortened, it is easy to tap before thinking.
Do not tap links in unexpected texts, even if they appear in the same thread as genuine messages, because scammers can spoof a sender ID so their text lands under a real one. If a message claims to be from a service you use, go to that service directly through its official app or website instead.
Australia Post will not text you a link asking for payment or card details to release a parcel, and the ATO and myGov will not send you a link to log in or claim a refund. If a text asks for any of that, treat it as a scam and delete it after reporting.
Spotting vishing (phone and voice scams)
Voice scams rely on authority and pressure. A caller may claim to be from your bank fraud team, a telco saying your internet will be cut off, or a government agency chasing a debt. They often know a fragment of real information about you, which makes the rest sound credible.
The safest response is to hang up and call back on a number you find yourself, from the back of your bank card, an official website, or a bill. Never use a callback number the caller gives you. A real bank will never ask you to transfer money to keep it safe, read out a one-time code, or install software so they can see your screen.
With voice cloning now within reach of scammers, apply the same caution to calls that sound like someone you know. If a relative or boss calls with an urgent money request, verify through a separate channel before acting. A simple agreed-on family code word can defeat a convincing fake.
Spotting quishing (QR code scams)
QR-code phishing surged because a code hides its destination until you scan it, and most link filters never get the chance to inspect it. Scammers print stickers over real codes on parking meters and posters, slip codes into emails and PDF invoices, and attach them to fake parking or toll notices.
Before you scan, ask whether the code is in a place anyone could tamper with, and whether you have a reason to trust it. After scanning, check the web address your phone previews. If it leads to a login page, a payment form, or a site whose name does not match what you expected, close it.
When a QR code claims to be for a bill, a fine, or an account, skip the code entirely and go to the organisation through its official app or website. The few extra seconds remove the single biggest risk a QR code carries.
What to do the moment you think you have been caught
If you clicked a link, entered details, or sent money, speed matters more than embarrassment. Banks can sometimes stop or recall a transfer if you call within minutes, so contact yours first. The table below sets out the order to work through.
| Step | Action | Why it matters |
| --- | --- | --- |
| 1. Call your bank | Use the number on your card or official app, not one from the message | Fast contact gives the best chance to freeze or recall a payment |
| 2. Secure your logins | Change the password on the affected account and any account sharing it | Stops the scammer reusing leaked credentials elsewhere |
| 3. Turn on 2FA | Enable two-factor authentication on email and banking | Blocks most account takeovers even if a password is known |
| 4. Scan your device | Run a trusted security tool and remove any remote-access app you were told to install | Removes malware and cuts off remote control |
| 5. Report it | Lodge reports with Scamwatch and ReportCyber, and contact IDCARE if your ID is exposed | Helps disrupt the scam and gets you recovery support |
| 6. Watch your accounts | Check statements and consider a credit ban with the three credit bureaus | Catches follow-on fraud and identity misuse early |
Do not delete the scam message until you have reported it, because a screenshot or the sender details help investigators. And do not feel singled out. With tens of thousands of reports a year in Australia, this happens to careful people too.
How to report a phishing scam in Australia
Reporting does more than vent frustration. It feeds the National Anti-Scam Centre, helps warn others, and can trigger action against the accounts and numbers behind a scam. Each agency below has a clear role.
Scamwatch, run by the National Anti-Scam Centre, is the main place to report any scam and to check current scam alerts.
ReportCyber is for cybercrime, including when you have lost money or data. The Australian Cyber Security Hotline runs 24/7 on 1300 292 371 (1300 CYBER1).
IDCARE is the national identity and cyber support service. Call 1800 595 160 if your personal information has been exposed.
Services Australia handles myGov, Centrelink, Medicare, and Child Support scams. Forward a suspicious message or a screenshot to reportascam@servicesaustralia.gov.au.
Your bank should hear about any scam touching your accounts, and most major banks now have a dedicated scam-reporting line.
Keep evidence when you report. A screenshot, the sender address or phone number, and the time it arrived all help the agencies build a picture and act faster.
How Australia is fighting back
You are not facing this alone. Australian banks signed up to the Scam-Safe Accord, a set of shared measures that includes faster intelligence sharing across the sector and a Confirmation of Payee system that checks whether the name on an account matches the details you enter before a transfer goes through. That name-check is designed to catch the moment a scammer feeds you the wrong account details.
The government has also introduced a Scam Prevention Framework that places clearer obligations on banks, telcos, and digital platforms to prevent, detect, and disrupt scams, with the prospect of penalties where they fall short. The aim is to share responsibility across the businesses best placed to stop a scam, rather than leaving it solely on the person targeted.
Telcos have a role too, blocking and tracing scam calls and texts and reducing the spoofed numbers that get through, and digital platforms face pressure to take down fake ads and impostor accounts faster. The direction of travel is clear: regulators want the businesses in the best position to spot a scam to carry more of the load.
These measures reduce the odds, but they do not replace your own caution. A strong personal habit, verify first and act second, remains the most reliable defence, and pairing it with a private connection from a trusted VPN on public Wi-Fi reduces the chances your details are intercepted in the first place.
Build habits that make phishing fail
The most resilient defence is a small set of routines you follow automatically. None of them are difficult, and together they close off the paths scammers rely on most.
Switch on two-factor authentication everywhere it is offered, and prefer an authenticator app or passkey over SMS codes.
Use a password manager so every account has a unique password, which limits the damage of any single leak.
Never act on an unexpected message in the moment. Pause, then verify through an official app or a number you look up yourself.
Keep your phone, computer, and apps updated so known security holes are patched.
Talk about scams with older relatives and teenagers, since both groups are heavily targeted in Australia.
Habits beat heroics. You will not out-think every scam, but a person who routinely verifies before clicking, paying, or sharing a code is a poor target, and scammers move on to easier ones.
Protecting your accounts and devices
Your email account is the master key to your digital life, because password resets for almost everything flow through it. Lock it down first with a unique password and strong two-factor authentication, and review which apps and devices have access.
On your devices, keep automatic updates on, install apps only from official stores, and be cautious with browser extensions and remote-access tools. If a caller or message ever pressures you to install AnyDesk, TeamViewer, or a similar app to fix a problem, that is a scam in almost every case.
Public Wi-Fi at airports, cafes, and hotels is convenient but easy to snoop on. Avoid logging in to banking or entering card details on open networks, and use a reputable VPN when you need to. These steps will not stop a phishing message arriving, but they shrink the damage if one slips through.
Phishing scenarios you are likely to meet
Abstract advice sticks better when you can picture the real thing. Here are three scenarios that play out across Australia every week, and how a careful person handles each one.
The bank text. You get an SMS that appears in your existing bank message thread: a large payment was attempted, reply YES or NO. You did not make a payment, so the fear is real. The trap is the link or callback number in the message. The right move is to ignore both, open your bank app directly, and check for any genuine alert there. If nothing shows, call the number on your card. The spoofed thread is designed precisely to make you trust it.
The delivery fee. A text says a parcel could not be delivered and a small redelivery fee is owed, with a link to pay. Even if you are expecting a package, no Australian courier asks for card details by SMS link to release a parcel. Track the parcel through the retailer or carrier app instead, using the tracking number you already have. The few cents in fee is bait for your card number.
The remote-access call. Someone calls claiming your internet provider has detected a problem and asks you to install software so they can fix it. The instant a caller wants remote access to your device, the call is a scam. Hang up. A real provider does not cold-call to install software, and remote-access apps hand a stranger control of everything on your screen, including your banking.
A quick self-check before you click
When a message lands and something feels off, run a five-second mental check. Did I expect this? Who is it really from, and can I verify the address or number? Is it pushing me to hurry? Does it want a link, a code, a payment, or remote access? Can I confirm it through a channel I already trust?
If any answer raises doubt, stop and verify before doing anything else. Closing a message and opening your bank app or typing an official web address yourself costs you almost nothing. Acting on a scam can cost you a great deal, and as the 2.18 billion dollars in reported Australian losses shows, the stakes are real.
Phishing works by rushing you. Slowing down, even for a few seconds, is the simplest and most powerful defence you have.
Frequently asked questions
What is the difference between phishing, smishing, vishing and quishing?
They are the same trick delivered through different channels. Phishing is the broad term and usually means email. Smishing is phishing by SMS, vishing is phishing by phone or voice, and quishing uses a QR code to send you to a malicious site. The warning signs, such as urgency and requests for codes or money, are the same across all four.
I clicked a phishing link but did not enter anything. Am I in trouble?
Often you are fine, since simply opening a page rarely causes harm on an updated device. To be safe, do not enter any details, close the page, run a security scan, and watch for follow-up messages. If you were prompted to install anything, remove it and change relevant passwords.
How do I report a phishing scam in Australia?
Report it to Scamwatch, run by the National Anti-Scam Centre, and to ReportCyber for cybercrime. Call the Australian Cyber Security Hotline on 1300 292 371 if you need help, contact IDCARE on 1800 595 160 if your identity is at risk, and tell your bank if any account is affected. Keep a screenshot or the sender details before you delete anything.
Can scammers really fake a phone number or a bank’s caller ID?
Yes. Number spoofing lets a scammer make a call or text appear to come from a real bank or agency, and it can even thread a fake SMS into a genuine message history. Never trust a number or sender ID on its own. Hang up and call back on a number you find yourself, from your card or an official website.
Will two-factor authentication stop phishing?
It will not stop the messages arriving, but it blocks most account takeovers even when your password leaks, which is why it is one of the strongest protections you can switch on. Prefer an authenticator app or a passkey over SMS codes, and never read a one-time code out to anyone who calls or messages you.
Are older Australians and young people more at risk?
Both groups are heavily targeted, for different reasons. Scammers chase older Australians for larger savings and use authority-based pressure, while younger people see more job, shopping, and social-media scams. The same habits protect everyone: verify before acting, never share codes, and report anything suspicious to Scamwatch.
Reviewed by Sophie Lawson for the Tech Insider Australia editorial team. Figures are drawn from publicly reported sources including the National Anti-Scam Centre and may change as new data is released. This article is general information, not financial, legal, or security advice; if you have been scammed, contact your bank and the official reporting channels listed above.
Sophie Lawson
Sophie Lawson covers cybersecurity, VPNs and privacy software for Tech Insider Australia. A former IT systems administrator, she translates complex security topics into plain-English advice and personally tests every tool she recommends.