Why Scams Work
Scams aren't clever, they're patient. Criminals send the same message to hundreds of thousands of people. Most people ignore it. A few click. A few of those click quickly, without thinking. That's all the scammer needs.
The feeling scammers are after isn't stupidity, it's hurry. They want you to act now, before you think. Almost every scam uses one of three emotional levers:
Fear. "Your account has been compromised." "You've been fined." "Your parcel couldn't be delivered."
Greed or hope. "You've won." "Claim your refund." "Unclaimed super waiting."
Love or trust. "Hi Mum, I've lost my phone, this is my new number." "I saw your profile and..."
The scammer's job is to rush you. Your job is to slow down. That's the whole fight, in one sentence.
The Five Tells
Five warning signs. If a message has one, be careful. If it has two or more, it's almost certainly a scam.
1. Urgency
The phrase: "Act within 24 hours or your account will be closed." "Pay now to avoid a court summons." "Your parcel will be returned today."
Real organisations give you time. Real banks don't threaten to close your account in an hour by text. Urgency is the single most reliable tell.
2. A link you weren't expecting
The shape: A text with a tracking link. An email asking you to "verify" by clicking. A "reset your password" message you didn't ask for.
If you didn't ask for it, don't click it. Go to the service's website by typing the address yourself, or by opening the app you already have installed.
3. Asking for something a real organisation wouldn't
The ask: Your password. Your full card details including CVV. Payment in gift cards. Payment by bank transfer to a new account. Remote access to your computer.
No real bank, tax office, Centrelink, Telstra, or delivery company will ever ask for these. A request for payment in gift cards, in particular, is a scam every single time.
4. An address or number that's almost right
The giveaway: An email from "service@paypa1.com" (note the number 1 instead of the letter l). A text from "Australia Post" but with an unusual overseas-looking phone number. A web link that says "mygov-update.net" instead of "my.gov.au".
The details are nearly right, which is the point. Zoom in. Check the exact spelling.
5. Something's off, and you can't say exactly why
The feeling: The language is slightly stiff or overly formal. Or too friendly. Or it addresses you as "Dear customer" when your bank usually uses your name. Or your cousin "has had an emergency and really needs money".
Trust the feeling. If something is slightly off, slow down. Ask a friend. Call the organisation directly using a number you already have for them.
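Tell 4, an address that's almost right, can also be checked by a program. The Python below is an added example, not part of the original guide: it pulls the domains out of a message and compares them with a short list of sites you actually use. The list, the digit swaps and the sample message are assumptions made for illustration.

```python
import re

# Assumption: domains you really use, each with the brand word a fake would borrow.
TRUSTED = {"paypal.com": "paypal", "my.gov.au": "mygov"}
# Digit-for-letter swaps commonly seen in lookalike names (1 for l, 0 for o).
SWAPS = str.maketrans({"1": "l", "0": "o", "3": "e", "5": "s"})

def edit_distance(a, b):
    """Levenshtein distance using two rows of the DP table."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def domains_in(message):
    """Host names from links and email addresses, lower-cased."""
    found = re.findall(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", message, re.I)
    return [d.lower() for d in found]

def classify(domain):
    """Return 'trusted', 'lookalike of <real domain>' or 'unknown'."""
    for good in TRUSTED:
        if domain == good or domain.endswith("." + good):
            return "trusted"
    swapped = domain.translate(SWAPS)            # paypa1.com -> paypal.com
    squashed = re.sub(r"[^a-z0-9]", "", swapped)  # drop dots and hyphens
    for good, brand in TRUSTED.items():
        # One typo away from the real name, or the brand word glued
        # into some other domain (mygov-update.net).
        if edit_distance(swapped, good) <= 1 or brand in squashed:
            return "lookalike of " + good
    return "unknown"

def check_message(message):
    """Verdict for every domain that appears in the message."""
    return {d: classify(d) for d in domains_in(message)}

# Constructed sample, built from the examples in tell 4.
SAMPLE = ("From: service@paypa1.com\n"
          "Your refund is ready, log in at https://mygov-update.net/login "
          "(the real site is my.gov.au).")

if __name__ == "__main__":
    for domain, verdict in check_message(SAMPLE).items():
        print(f"{domain:20} {verdict}")
```

An "unknown" result is not a clean bill of health. It only means the domain doesn't resemble anything on your list.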
The Scams Going Around Right Now
What Australians are losing money to, roughly in order of how common they are.
The missed-parcel text
A text from "Australia Post" or "StarTrack" saying you have a parcel waiting, click here to reschedule or pay a small fee. The link takes you to a fake website that either steals your card or installs spyware.
What to do. If you're expecting a parcel, open the real Australia Post app or website yourself. Ignore the text.
The "Hi Mum" scam
A WhatsApp or text message from an unknown number saying "Hi Mum, I've broken my phone, this is my new number, can you send $800 for the replacement." It sounds like your kid in trouble. It isn't.
What to do. Before you send any money, call your actual child on the number you already have for them. If they don't answer, call someone who'd know where they are.
The fake bank call
Someone calls saying they're from your bank's fraud team. They've "detected suspicious activity". They need you to move money to a "safe account" or read out a code that was just texted to you. The code is actually the one that lets them into your real account.
What to do. Hang up. Call your bank back on the number on the back of your card. Never share a code with anyone who called you.
Romance scams
Someone online, often on Facebook, a dating app, or Instagram, starts a relationship with you over weeks or months. Eventually they need money, for a medical emergency, a visa, an investment, or to come and visit. They always have a reason they can't video call.
What to do. Insist on a video call before sending any money, ever. If they always have a reason to avoid it, they're not real. A reality check from a trusted friend is worth more than any romance you've only ever typed to.
Investment scams and "crypto opportunities"
A message, often on Facebook or WhatsApp, inviting you to an exclusive investment group, a cryptocurrency opportunity, or a trader who makes guaranteed returns. Starts small. Asks for more. Shows you a fake account dashboard with your "profits". When you try to withdraw, there are fees, delays, and eventually, nothing.
What to do. Check any investment firm on the ASIC Investor Alert List before putting a cent in. Guaranteed returns don't exist.
Tax and MyGov scams
An email or text about a tax refund you can claim, or a debt you need to pay immediately, with a link to "log in to MyGov". The link is fake and captures your credentials.
What to do. Never click a link in an email or text from "MyGov" or "ATO". Open the MyGov app or type the address yourself.
The fake job offer
A message out of the blue, often on LinkedIn or Indeed, offering you a well-paid remote job. They ask for your details upfront, or they need you to buy equipment with your own money and they'll reimburse you. They won't.
What to do. Real jobs don't require you to pay anything to get started. Real employers interview you before making an offer. If it starts with money, walk away.
How AI Makes It Worse
Scams used to be easier to spot. The old tells (broken English, obvious grammar mistakes, strange phrasing) are mostly gone, because scammers use AI to write their messages now.
What AI has changed:
Scam emails are now in perfect English, or perfect whatever-language-you-prefer.
Voice scams can clone a family member's voice from a 10-second sample on Facebook.
Fake customer service chats can hold long, convincing conversations.
Romance scam photos and videos can be generated on demand.
What hasn't changed. Scams still rely on urgency, on asking for things real organisations don't ask for, and on links you weren't expecting. Those three remain the best tells regardless of how good the writing is.
How to Verify Without Clicking
The single most useful habit: when in doubt, don't click the thing in front of you. Go to the source yourself.
The verify-without-clicking routine
Banking: Open the app you already have installed, or type your bank's address yourself into a browser. Never click a link from a text or email.
MyGov and government: Open the MyGov app, or type my.gov.au directly. Government agencies never send you a login link by text.
Delivery companies: Open the Australia Post app, or the courier's website directly. Legitimate tracking lives there, not in a random text.
A phone call from a "service": Hang up. Call back on a number you find yourself, from your own records, from the back of a card, or from the company's real website.
A message from a friend asking for money: Call them, voice, not text, on the number you already have for them. If that number doesn't work, call someone who'd know where they are.
If you're not sure about a message, you can paste it into an AI chatbot and ask: "Does this look like a scam to you? What are the warning signs?" The AI has seen tens of thousands of scam examples and is usually pretty accurate. Just don't paste your actual account numbers in with it.
If You've Already Clicked
First: don't panic, and don't feel stupid. Scams are designed by full-time professionals to catch people. You're not the first and you won't be the last.
What matters is what you do in the next few hours. In order:
1. If you entered a password. Change that password right now on the real site. Also change it anywhere else you used the same password (this is why reuse is so dangerous, see Session 3).
2. If you entered bank or card details. Call your bank on the number on the back of your card. Ask them to block the card and watch the account. They've dealt with this a thousand times before. They'll know what to do.
3. If you sent money. Call your bank straight away. If the transfer is recent enough they may be able to recall it. Speed matters here, minutes can be the difference.
4. If you installed software they asked for, or gave remote access. Disconnect from the internet, shut down the computer, and get it looked at by someone you trust. If it's a work computer, tell your IT team immediately.
5. If you gave your Medicare, tax file number, or ID details. Contact IDCARE (1800 595 160). They're a free government-funded service that helps you recover from identity theft.
Speed matters more than pride
Report it even if you're embarrassed. Every hour you wait, money moves further away. Your bank and IDCARE have seen every version of this, they won't judge, and they can sometimes recover money that's already been sent.
Where to Report
Reporting a scam doesn't always get your money back, but it helps authorities warn others and catch the people behind it. Keep this list handy.
Who to tell
Scamwatch (ACCC, scamwatch.gov.au), for any scam, whether you lost money or not. This is the main Australian reporting channel.
ReportCyber (cyber.gov.au/report-and-recover/report), if you've been hacked, had money stolen, or your identity used. Goes to the AFP and state police.
IDCARE (1800 595 160, idcare.org), if your personal details have been compromised. Free case workers who help you fix the damage.
Your bank, for anything involving bank details, transfers, or cards. First call if money is involved.
eSafety Commissioner (esafety.gov.au), for online abuse, image-based abuse, or social media issues.
The platform itself. Facebook, Instagram, WhatsApp, and Gmail all have "report" buttons. Use them, you're helping the next person.
Try It Yourself
Find a suspicious message on your own phone.
Scroll through your text messages, spam email folder, or Facebook Messenger requests. Find one that feels off. Don't click anything.
1. Open Claude, ChatGPT, or Copilot on the computer next to you.
2. Type what the message says (or screenshot it). Ask: "Does this look like a scam? What are the warning signs?"
3. Compare the AI's answer to the five tells in this session. Did it spot them all? Did it spot one you missed?
4. If it's clearly a scam, report it on scamwatch.gov.au before you leave. It takes two minutes.
The point of this exercise isn't the reporting, it's training your eye. After you've run a few real messages past the AI, you'll start spotting the tells yourself.