Start Here
Almost every serious cyber incident in a workplace starts the same way: not with a hacker breaking through a wall, but with an ordinary message that talked one person into doing one thing. Clicking a link. Opening a file. Paying an invoice. Reading out a code.
The good news is that this also makes it the most fixable problem we have. You do not need to be technical to stop it. You need to know the handful of patterns these messages use, and one simple habit: slow down and check before you act. That is this whole session.
The scammer's job is to rush you. Your job is to slow down. That is the entire fight, in one sentence.
Why Scams Work: It's Hurry, Not Stupidity
Scams do not catch people because those people are silly. They catch people who are busy, helpful, and trying to do the right thing quickly. A scammer's whole craft is getting you to act before you think. To do that, they push on a feeling. Almost every scam leans on one of these three:
Fear
"Your account has been suspended." "There is a problem with a payment." "You are about to be fined." Fear makes you want to fix the problem right now, before you have stopped to ask whether the problem is even real.
Urgency
"Respond in the next two hours." "The invoice is overdue and the supplier is threatening to stop work." A deadline switches off careful thinking. Real organisations almost always give you time. Pressure to act this minute is itself a warning sign.
Authority
"This is the CEO." "It's the IT team, we need your password to fix your account." Most of us are wired to help someone important who asks directly. Scammers borrow that authority by pretending to be the boss, the bank, or the help desk.
Slowing down. Fear, urgency, and authority all rely on you reacting in the moment. The single most effective defence is to pause and check through a different channel before you do what the message asks. Nothing genuine is ever ruined by taking five minutes to confirm it.
The Tells: Spotting a Dodgy Email, Text, or Call
The same warning signs show up again and again, whether the scam arrives by email, text message, or phone call. If a message has one of these, be careful. Two or more, and it is almost certainly a scam.
It pushes you to act now
A deadline, a threat, a problem that supposedly needs fixing this minute. As above: urgency is the most reliable tell of all.
It asks for something a real organisation would not
Your password. A code from your phone. Payment by gift cards or to a new bank account. Remote access to your computer. No real bank, agency, or IT team asks for these. Payment by gift cards is a scam every single time.
There is a link or attachment you were not expecting
A "click here to verify" button, a tracking link, a "reset your password" message you did not ask for, an invoice you were not waiting on. If you did not expect it, do not click it.
Read the sender address, not just the name
The display name on an email or text is just a label. Anyone can set it to "Australia Post", "ATO", or even your manager's name. What matters is the actual address underneath. On a phone, tap the sender's name to see the real email address. Look closely at the exact spelling.
Read the link before you trust it
On a computer, hover your mouse over a link without clicking; the real address shows at the bottom of the screen. On a phone, press and hold the link to preview where it really goes. Scammers use addresses that are nearly right on purpose; a quick glance will not catch the difference, so read the whole thing.
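For the IT team, the two "read it, don't just trust it" checks above can be turned into a simple inbox screening script. This is an added example, not part of this training page: the trusted domains, brand names and sample headers are constructed for illustration, and it assumes the council keeps a list of supplier and agency domains it already deals with.

```python
import re
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed for this example: domains the council already trusts, and the
# brand words a scammer tends to put in the display name, with each brand's real domain.
TRUSTED_DOMAINS = {"auspost.com.au", "ato.gov.au", "goodsupplier.example"}
BRAND_DOMAINS = {"australia post": "auspost.com.au", "ato": "ato.gov.au"}

def edit_distance(a, b):
    """Levenshtein distance: how many single-character edits turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def check_sender(from_header):
    """Warnings for a raw From: header; an empty list means nothing looked off."""
    name, addr = parseaddr(from_header)
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    if not domain:
        return ["no usable email address in the sender"]
    if domain in TRUSTED_DOMAINS:
        return []
    warnings = []
    # The display name is just a label: a known brand in the name but not in the address is a tell.
    for brand, real_domain in BRAND_DOMAINS.items():
        if re.search(r"\b" + re.escape(brand) + r"\b", name.lower()):
            warnings.append(f"display name says '{brand}' but the address is @{domain}, not @{real_domain}")
    # A domain one or two characters away from a trusted one is the "nearly right" trick.
    for trusted in TRUSTED_DOMAINS:
        if 0 < edit_distance(domain, trusted) <= 2:
            warnings.append(f"@{domain} is a near-miss spelling of @{trusted}")
    return warnings

def check_links(html):
    """Warnings for <a> tags whose visible text is a web address but whose href goes elsewhere."""
    warnings = []
    for href, text in re.findall(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', html, re.I | re.S):
        real_host = urlparse(href).hostname or ""
        shown = text.strip()
        shown_host = urlparse(shown if "://" in shown else "https://" + shown).hostname or ""
        if "." in shown_host and shown_host.lower() != real_host.lower():
            warnings.append(f"link shows {shown_host} but really goes to {real_host}")
    return warnings
```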
A voice on the phone is not proof of who is calling. "Your bank's fraud team", "the tax office", or "Microsoft support" ringing out of the blue and creating pressure is a classic scam. The tells are the same: urgency, a request a real organisation would not make, and pressure not to hang up.
Scams Aimed at Workplaces
Some scams target organisations on purpose, because that is where the larger money is. Councils and similar bodies are a particular target: they handle public money, pay many suppliers, and have staff who are, quite rightly, trained to be helpful. Here are the workplace scams worth knowing by name.
Invoice and payment redirection
A scammer pretends to be a supplier you already deal with and sends a message: "Our bank details have changed, please use this new account for future payments." The next genuine invoice gets paid straight into the scammer's account. By the time the real supplier asks where their money is, it is long gone.
The defence: any change to a supplier's bank details is confirmed by ringing them on a number you already have, never the number or email in the message asking for the change.
The fake boss (CEO or manager fraud)
An email or text that looks like it comes from a manager or the CEO: "I'm in a meeting and can't talk, I need you to urgently pay this invoice / buy these gift cards / send these staff details. Keep it between us for now." It uses authority and urgency together, and the secrecy is designed to stop you checking.
The defence: a real manager will not mind you confirming. Check in person, by phone, or through Teams using contact details you already have, not by replying to the message.
The fake IT or help desk message
"This is IT. Your account will be locked unless you confirm your password here." Or a pop-up or call claiming your computer has a virus and offering to "fix" it if you let them in. Real IT teams do not ask for your password; they do not need it.
The defence: never give your password to anyone, ever, including someone claiming to be IT. If in doubt, contact your IT team yourself through the normal channel.
At work, a single click can affect residents, suppliers, colleagues, and public money, not just you. That is not meant to frighten you; it is the reason the simple checks in this session are worth the few minutes they take.
Two More to Watch: QR Codes and Investment Scams
Two scams worth knowing by name, because they are everywhere right now and because they follow people home from work. Spotting them protects you, your family, and the communities you serve.
QR-code scams
A QR code is the little square barcode you scan with your phone camera; it usually just opens a website. But a QR code can send your phone to a fake website just as easily as a dodgy link can, and you cannot tell where it leads by looking at it. Scammers stick fake codes over real ones on posters and parking meters, or drop them into emails, to send you to a page that steals your details or takes a payment.
Be wary of QR codes on posters, flyers, or emails you were not expecting. After you scan, check the web address that comes up before you type anything or pay. When in doubt, go to the real website yourself instead of scanning. There is more in Tech Words, in Plain English.
Investment scams and "pig butchering"
This is the long con, and it is doing real harm. It often starts with a friendly message out of the blue on WhatsApp, Facebook, or a dating app; sometimes a "wrong number" text that turns into a chat. Over days or weeks a warm relationship builds. Then comes the opportunity: an investment, usually in cryptocurrency, that is supposedly making them great money, and they would love to help you in too.
A fake website or app shows your "profits" climbing, so you put in more. When you try to take money out, there are fees, then taxes, then delays, and eventually the person, the website, and your money are all gone. The ugly nickname, "pig butchering", is about fattening someone up with trust before the kill.
Why it uses cryptocurrency. Once you send crypto, the payment usually cannot be reversed; there is no bank to ring and claw it back, and it is hard to trace where it went. That is exactly why scammers ask for it. Anyone you have only ever met online steering you toward crypto is the clearest red flag there is. There is a plain explainer of cryptocurrency in Tech Words.
No real investment ever comes from a stranger who messaged you first. If someone you have not met in person is building a friendship and steering you toward an investment or cryptocurrency, it is a scam, full stop. Check any investment offer on the ASIC list at moneysmart.gov.au first, and tell a friend before you send a cent. These scams have hit people right across the Territory; passing this warning on to family and community is one of the most useful things you can do.
How to Verify Before You Click
Here is the single most useful habit in the whole series. When a message asks you to do something, do not act on the message itself. Go to the source yourself, through a channel you already trust.
The verify-before-you-click routine
Go to the source yourself. Do not click the link in the message. Open the app you already have, or type the website address in yourself, or use a bookmark you saved earlier.
Confirm by a second channel. If an email asks for money or a change, confirm by phone or in person. If a text claims to be a colleague, ring them. Use a different channel than the one the message came through.
Never trust the contact details inside a suspicious message. The phone number or "click to chat" link in a scam message just connects you back to the scammer. Find the real contact details yourself.
When in doubt, ask. Show the message to a colleague, your manager, or IT. A thirty-second "does this look right to you?" has stopped countless incidents.
You will never get in trouble for taking a moment to confirm something is genuine, even if it turns out it was. Checking is exactly what good staff do. The only mistake is feeling too rushed or too embarrassed to ask.
If You've Already Clicked
First: do not panic, and do not feel stupid. These messages are built by full-time professionals to catch capable people. What matters now is not how it happened; it is what you do in the next few minutes. Speed matters far more than getting it perfect.
The first few minutes
1. Tell someone straight away. Report it to your IT team or manager immediately, even if you are not certain anything is wrong. Early is everything. We cover exactly how and where to report in Session 4.
2. If you typed a password, change it now on the real site, and anywhere else you used the same one. This is why never reusing passwords, from Session 1, matters so much.
3. If money or bank details were involved, raise the alarm fast. The quicker a payment is flagged, the better the chance of stopping or recovering it. Minutes count.
4. If you let someone into your computer, or installed something they asked for, disconnect it from the internet and tell IT right away. Do not keep using it.
5. Keep the evidence. Do not delete the message. IT and the authorities may need it. Take a screenshot if you can.
The most damaging thing anyone can do after clicking is stay quiet out of embarrassment. A workplace where people report early and without fear is the safest workplace there is. You are helping everyone by speaking up, not letting anyone down.
What to Take Away
Your scam-spotting habits, in a short list.
- When a message creates fear or urgency, treat that as a warning sign, not a reason to hurry.
- Read the real sender address and the real link, not just the display name.
- Never give my password or a phone code to anyone, including "IT" or "the bank".
- Confirm any change to bank or payment details by phone, using a number I already have.
- Treat "urgent, secret, and from the boss" as the classic fake-boss pattern.
- Verify by going to the source myself, never by the link or number in the message.
- If something feels off, ask a colleague or IT before acting.
- Be careful scanning QR codes; check where they go before I type anything or pay.
- Treat any stranger who messages me and steers me toward crypto or an investment as a scam, and warn family and community.
- If I have already clicked, report it straight away; speed beats certainty.
The download at the top of this page puts these on one printable page, with the reporting contacts, to keep by your desk.
Knowledge Check
Five quick scenarios to see what has landed. Read each, decide what you would do, then compare your answer with the one given. No score, no wrong answers; it is just a way to check your thinking.
1. You get an email from a supplier you know, saying their bank account has changed and to use the new details for the next invoice. What do you do before paying?
Answer: Ring the supplier on a number you already have for them, and confirm the change verbally. This is the classic invoice-redirection scam. Do not use the phone number or email in the message asking for the change; that just reaches the scammer. A genuine supplier will be glad you checked. Until you have confirmed by a trusted channel, do not change any payment details.
2. A text arrives that looks like it is from your manager: "At my desk? Need a quick favour, about to go into a meeting, please don't call, just reply." Real or not?
Answer: Treat it as a scam until proven otherwise. Urgency, authority, and "don't call me" secrecy together are the fake-boss pattern; the "don't call" part exists precisely to stop you checking. Confirm with your manager in person, or on a number or Teams account you already have. A real manager will not mind. Never act on the message alone, especially if it leads to a payment or sharing staff details.
3. Someone phones saying they are from IT and need your password to fix a problem with your account. Do you give it to them?
Answer: No. Never give your password to anyone, including IT. A real IT team does not need your password to do their job and will never ask for it. Hang up and, if you want to be sure, contact IT yourself through your normal channel. Anyone who phones and asks for your password is running a scam.
4. An email says "Your mailbox is full, click here to verify your login and keep your account active." The button looks like it goes to your email provider. How do you check safely?
Answer: Do not click the button. Check the real destination first. On a computer, hover over the link to see the real address at the bottom of the screen; on a phone, press and hold to preview it. A login or "verify" message you did not expect is a common phishing trick. If you are worried about your account, open your email settings the way you normally do, not through the link. When in doubt, send it to IT.
5. You clicked a link in a dodgy email and typed your work password into the page before realising. It is the end of the day. What do you do?
Answer: Report it now, do not wait until tomorrow, and change that password straight away. Tell your IT team or manager immediately, even though it is late and even though you feel embarrassed; speed is what limits the damage. Change the password on the real site, and anywhere else you used the same one. Keep the email as evidence rather than deleting it. Reporting quickly is exactly the right move, and you will not be in trouble for it.
Inbox Detective
Now put it into practice. Inbox Detective is a simulated council inbox. Some emails are genuine; some are scams aimed straight at a regional council. Open each one, decide whether it is a scam or real, and get instant feedback on the warning signs.
Open the simulated inbox and call each email
Nine emails are waiting in the accounts inbox: gift-card requests from the "CEO", a supplier asking you to change their bank account, a payroll switch, a fake Microsoft login, and some that are perfectly genuine. Your job is to tell them apart.
Running it as a group? Share your screen in Teams, read each email together, ask everyone to vote SCAM or REAL in the chat or with the raise-hand button, then reveal the answer and talk through the flags.