
How to protect your small business from phishing scams


Most of us will have received a phone call, text message or email from someone pretending to be an organisation or person they’re not.

Maybe a text about a parcel that can’t be delivered (except you hadn’t ordered anything) or an email from your “bank” but the email address is

While these messages might seem pretty harmless, they’re part of elaborate scams that cyber criminals are running to target individuals and small businesses. They might also seem obvious to spot, but these attacks are becoming more sophisticated, and it is getting harder to tell the real from the phony.

Our guide on phishing makes it easy for small businesses to understand and prevent falling victim to these threats.

What is phishing?

Phishing is a common trick used by scammers. They send fake emails, messages or phone calls pretending to be from a trusted person, company or government department. The aim is to steal your information and money or to get you to download malicious software. Over half of all Australian businesses have been affected by a cyber security breach, so it pays to know how to spot and avoid these scams.

Phishing attacks can target anyone in your business, from the small business owner to the most junior staff member, so it’s important that everyone has the skills and training to spot a phishing attack.

Identifying phishing: How to tell if a message is suspicious

Phishing comes in many forms, including emails, SMS, social media, direct messages and phone calls.

Phishing attacks can look convincing but there are some red flags to alert you.

Phishing scams often:

  • Ask for sensitive information like passwords or bank details;
  • Request payments from a usual supplier, but with new bank details;
  • Ask you to verify or update business or personal information;
  • Use threats or urgent warnings to make you act quickly; or
  • Have an unusual website or email address.
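
The last red flag above (an unusual website or email address) is the one that can be checked mechanically. The script below is an added example written for this page, not something from the Cyber Wardens guide or any product it mentions. It reads a raw email and flags two things: a sender domain that closely resembles, but is not, a domain the business trusts (for instance a digit 1 swapped in for the letter l), and a link whose visible text names one website while the actual destination is another. The list of trusted domains and both sample messages are constructed for the example.

```python
"""Added example: flag lookalike sender domains and mismatched links in a raw email.
Not part of the original article. TRUSTED_DOMAINS and the sample messages are made up."""
import difflib
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed, constructed list of domains this business legitimately deals with.
TRUSTED_DOMAINS = {"examplebank.com.au", "acme-supplies.com.au"}
# Brand words derived from those domains, e.g. "examplebank", used to spot
# display names that borrow a trusted brand while the address does not match.
TRUSTED_BRANDS = {re.sub(r"[^a-z0-9]", "", d.split(".")[0]) for d in TRUSTED_DOMAINS}


def registrable_domain(host: str) -> str:
    """Crude registrable-domain extraction: last two labels, or last three for
    second-level ccTLD forms such as example.com.au."""
    labels = host.lower().rstrip(".").split(".")
    if (len(labels) >= 3 and labels[-2] in {"com", "net", "org", "gov", "edu"}
            and len(labels[-1]) == 2):
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def lookalike_of(domain: str, trusted=TRUSTED_DOMAINS, cutoff=0.8):
    """Return the trusted domain this one closely resembles but is not, else None."""
    if not domain or domain in trusted:
        return None
    matches = difflib.get_close_matches(domain, trusted, n=1, cutoff=cutoff)
    return matches[0] if matches else None


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _body_text(msg) -> str:
    parts = msg.walk() if msg.is_multipart() else [msg]
    for part in parts:
        if part.get_content_type() in ("text/html", "text/plain"):
            payload = part.get_payload(decode=True) or b""
            return payload.decode(part.get_content_charset() or "utf-8", "replace")
    return ""


def check_email(raw: str) -> list:
    """Return human-readable red flags found in a raw RFC 5322 message."""
    msg = message_from_string(raw)
    flags = []

    display, addr = parseaddr(msg.get("From", ""))
    sender_domain = registrable_domain(addr.split("@")[-1]) if "@" in addr else ""
    look = lookalike_of(sender_domain)
    display_norm = re.sub(r"[^a-z0-9]", "", display.lower())
    if look:
        flags.append(f"sender domain {sender_domain!r} resembles trusted {look!r}")
    elif sender_domain not in TRUSTED_DOMAINS and any(b in display_norm for b in TRUSTED_BRANDS):
        flags.append(f"display name {display!r} uses a trusted brand but address is {addr!r}")

    collector = _LinkCollector()
    collector.feed(_body_text(msg))
    for href, text in collector.links:
        href_host = urlparse(href).hostname or ""
        # A domain-like string in the visible link text that differs from the real target.
        shown = re.search(r"[\w.-]+\.[a-z]{2,}", text.lower())
        if shown and registrable_domain(shown.group()) != registrable_domain(href_host):
            flags.append(f"link text {text!r} but href goes to {href_host!r}")
        elif lookalike_of(registrable_domain(href_host)):
            flags.append(f"link to lookalike domain {href_host!r}")
    return flags


# Constructed sample: a phishing email with a digit 1 in place of the letter l.
SAMPLE_PHISH = """\
From: Example Bank Security <alerts@examp1ebank.com.au>
To: owner@smallbiz.example
Subject: URGENT: verify your account within 24 hours
Content-Type: text/html; charset=utf-8

<p>Your account will be suspended. <a href="http://examp1ebank.com.au/login">examplebank.com.au/login</a></p>
"""

# Constructed sample: a legitimate supplier email that should raise no flags.
SAMPLE_LEGIT = """\
From: Acme Supplies Accounts <accounts@acme-supplies.com.au>
To: owner@smallbiz.example
Subject: Invoice 1042
Content-Type: text/html; charset=utf-8

<p>Invoice attached. Portal: <a href="https://acme-supplies.com.au/portal">acme-supplies.com.au/portal</a></p>
"""

if __name__ == "__main__":
    for name, raw in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(name, check_email(raw))
```

A check like this catches only the red flags it is told about, so it supplements, rather than replaces, the habit of verifying unexpected requests through a phone number or website you already know.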

Small business phishing scam examples

Boss impersonation

Criminals compromise a work email account and use it to impersonate a co-worker. Often they will impersonate someone in the business with authority (like the boss!) and email a staff member with a fake request, such as an urgent transfer of funds.

 In these cases, the cyber criminal might try to make the employee feel special by saying something like, “I’m only asking you because I trust you — just keep this between you and me”.

The invoice scam

Another common scenario involves a fake invoice that appears to come from a regular supplier but carries different bank details. Cyber criminals may also impersonate your invoices, redirecting payments from your customers to accounts they control. You can read about how this happened to one Australian small business and how they responded to the hack.

Employee bank scam

Scammers may impersonate your employees, asking you to update the bank account details for their payroll. Always double-check the email address and, if possible, speak directly with the employee (in person, or by phone using a number you already have) to confirm the new details before changing anything.

Customer complaints

Scammers will try to send you fake customer complaints. These may arrive by email, but they are very common as private messages on social media and typically include a file pretending to be a photo of the damaged goods. Be alert to unusual file types: a “photo” that is actually an archive, document or program may contain malware or lead to a phishing page.

What to do if you suspect an email phishing scam

Don’t Click or Download: If an email looks strange, don’t interact with it at all. Don’t click on any links, open attachments, or download anything.

 These emails might be fake and try to get important information like your bank details, passwords or client data.

Verify: Check unusual emails by contacting the person or company through official channels, like their website or phone number. Don’t use the information in the email. Look up the website or phone number yourself.

Reject and delete: Remove suspicious emails or texts and block the number.

Report the email: Let your team and IT person (if you have one) know if you come across a suspicious email. Alert your team to the example so they can spot it too. You can also tell ReportCyber and Scamwatch to keep other Australians safe.

What to do if you’ve accidentally clicked on a phishing link

If you’ve clicked on a phishing link, or shared personal or business information, here’s what to do:

  • Contact your bank: Tell your bank or financial institution immediately.
  • Protect your accounts: Change any passwords that might have been compromised, including online banking passwords, MyGov, financial software and email accounts.
  • Add protection: Turn on multi-factor authentication (MFA) on every account that supports it.
  • Get rid of malware (bad software): Run a security scan with antivirus software to check for malware, programs installed on your computer designed to steal your information.
  • Monitor financial transactions: Watch for unusual account activity.
  • Keep your files safe: Back up important business files on external storage, like a USB or hard drive, and keep it disconnected when not in use so it cannot be reached by malware.
  • Educate your team: Make sure your team understands about phishing and how to recognise it.
  • Report the incident: Talk to your team and IT provider (if you have one). Let authorities like National Anti-Scam Centre – Scamwatch know that someone tried to scam you.

With Cyber Wardens, you can keep your digital floors clean and free of cyber criminals fishing.

Learn easy and simple cyber security tips for your small business

More helpful resources for you and your business

It happened to me!

Have you got a Cyber attack story to share? Your story can help other small businesses protect themselves.