About this training module

Welcome to our Scam Messages Cyber Safety learning module for small and medium business owners and staff.

Cyber criminals target small businesses every day to try to steal customer and business information. In 2017, Australians lost $340 million to email-based scams. These criminals are becoming more sophisticated and continually improve their scamming techniques. That’s why it’s very important that business owners and staff can spot a suspicious message and know what to do with it.

What you will learn:

  • How to recognise a suspicious message (spam, phishing emails, SMS phishing and spear-phishing).
  • How to handle them.
  • How to report an incident and where to find more information.

  • What is Spam?

    A spam email is an unsolicited junk email sent simultaneously to a large number of people. It typically advertises products or get-rich-quick schemes. Some also include links to malicious software.

    Never unsubscribe from a spam email. If you do, the spammer will know that your email address is correct and being checked, and you’ll get more spam. Spammers aren’t operating legitimate businesses and will never remove you from their mailing lists.

    How should you manage spam?

    Delete the spam email without opening it. Each time you get a spam email, it’s a good idea to set up a rule that treats all messages from that sender as spam and keeps them out of your inbox.

    Check your understanding

    You receive an email from an unknown email address. The subject line is “Feeling lucky? Click here to see if you have won this month’s cash prize.” What should you do?

    Unsubscribe, then delete the email

    Incorrect. You should never unsubscribe from spam emails because it shows the criminals that your email address is correct and they will continue to spam you.

    Delete the email

    Correct. You should always delete a spam email if you receive one. Don’t unsubscribe from it as this just confirms to the spammers that your email address is real and active. You can also set up a ‘junk rule’ in your inbox so that future emails from the same sender will go to your junk folder.

    Click on the link to see if you have won the prize

    Incorrect. You should never click on a link in a suspicious email or from a sender who is unfamiliar to you. You should delete the email and set up a rule to forward spam from that sender to your junk folder.

  • What is Email phishing?

    Phishing emails are more sinister than spam. These emails pretend to be from legitimate companies such as banks, courier companies, or government departments and can contain links to fake websites.

    These fake websites usually look very similar to the real website. However, if people visit the fake website and enter their details, they are handing their information directly to cyber criminals. It is important not to interact with the criminals sending these messages. These criminals may gather information from any response sent by you, including your email signature.

    Some phishing emails also have attachments that carry malicious software. When opened, these attachments can infect your computer without you knowing. There is usually a sense of urgency within the email to open the attachment for a specific reason.

    What to look out for

    Below are the 6 suspicious signs shown in an example phishing email.

    1. Incorrect email address – nab.com instead of nab.com.au.
    2. Generic greeting – phishing emails are sent out to hundreds of people at once, so they cannot identify people individually.
    3. Poor spelling and grammar.
    4. Creating urgency – phishing emails will often use an urgent tone, to get you to act quickly on their request.
    5. Suspicious links – if you receive an email with a suspicious link, hover over the link with your mouse to see the actual web address the link leads to – it could be a fake website.
    6. General sign off – often phishing emails will not be from a specific person or contain the contact details for the company.
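
Signs 1 and 5 above (a look-alike sender domain, and a link whose visible text differs from where it leads) can also be checked by a mail filter. The Python below is an added example, not part of the NAB module; it assumes a single-part HTML message, and the sample email, the `example.net` host and the function names are constructed for illustration.

```python
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

TRUSTED_DOMAIN = "nab.com.au"  # legitimate domain named in sign 1
# Constructed sample message, not a real email; example.net is a placeholder host.
SAMPLE = """\
From: NAB Support <alerts@nab.com>
Subject: Urgent: verify your account
Content-Type: text/html; charset=utf-8

<p>Dear customer, log in at <a href="http://login.example.net/nab">www.nab.com.au</a> now.</p>
"""

def in_domain(host, domain):  # host equals domain or is a subdomain of it
    host = (host or "").lower().rstrip(".")
    return host == domain or host.endswith("." + domain)

class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def check_message(raw):
    """Return findings for signs 1 and 5; assumes a single-part HTML message."""
    msg = message_from_string(raw)
    findings = []
    sender_host = parseaddr(msg.get("From", ""))[1].rpartition("@")[2]
    if not in_domain(sender_host, TRUSTED_DOMAIN):
        findings.append(f"sender domain {sender_host!r} is not {TRUSTED_DOMAIN}")
    collector = LinkCollector()
    collector.feed(msg.get_payload(decode=True).decode("utf-8", "replace"))
    for href, text in collector.links:
        target = urlparse(href).hostname
        if TRUSTED_DOMAIN in text.lower() and not in_domain(target, TRUSTED_DOMAIN):
            findings.append(f"link text {text!r} points to {target!r}")
    return findings
```

Calling `check_message(SAMPLE)` returns two findings: one for the `nab.com` sender and one for the link that displays `www.nab.com.au` but leads to `login.example.net`.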

  • Check your understanding on Email phishing

    Read the below emails and decide which one you think is a legitimate NAB email.

    Which email is a legitimate NAB email?


    Incorrect, this is a phishing email. Clues that this email is fraudulent include:

    • Not a legitimate NAB email address.
    • Urgent tone trying to get you to click on a link.
    • Not personalised to the recipient.
    • No sign off.
    • Poor spelling and grammar.


    Correct, this is a legitimate NAB email. Signs that this email is legitimate are:

    • It comes from a NAB email address.
    • It addresses the customer by name.
    • It contains a short website address that takes you to a legitimate NAB web page.

  • What is SMS phishing?

    Cyber criminals now use SMS for phishing scams where they send fraudulent text messages to try to trick you into handing over information. For example, you might get an SMS that appears to be from NAB, urging you to click on a link to log in to your NAB account. If you do this, you might end up on a fake website, and accidentally hand over your account and password details to the scammers.

    How to spot a phishing SMS

    Because phishing text messages are short, they may be harder to spot than a phishing email. Unfortunately, criminals can easily create any text sender name they want. For example, criminals may set the sender name as NAB, so a phishing SMS can appear in the same message thread as a legitimate one from us. Below is an example of a phishing text.

    Legitimate NAB SMS

    • Personalised greeting
    • Correct spelling and grammar
    • Expected message

    Phishing SMS

    Signs that this message is fraudulent:

    • A lack of personalisation
    • A sense of urgency
    • Unfamiliar website address in the link
    • Poor spelling and grammar

  • Check your understanding of SMS phishing

    Read the text messages below and decide which SMS is legitimate.

    Which SMS is a legitimate NAB text?

    SMS 1 - Dear NAB Bank User

    Incorrect, there are several signs that this is fraudulent:

    • A lack of personalisation.
    • A sense of urgency to try to get you to click on a link.
    • A fake NAB link.

    SMS 2 - Hi Bob

    Correct, this is a legitimate NAB SMS. Signs that this is legitimate include:

    • Personalised message.
    • Legitimate NAB phone number.

  • What is Spear-phishing?

    A spear-phishing email is sent to one person about a topic that appears to be relevant to them or their role. Unlike spam and phishing messages, which are sent to many people at once, spear-phishing is a specifically targeted attack.

    Spear-phishing emails can be difficult to spot because they are well crafted. To create them, criminals gather information from sources like your social media profiles or your business website and then write emails that seem legitimate.

    What to look out for

    Below are the 6 clues shown in an example spear-phishing email:

    1. Attachments: the email may encourage you to open an attachment. This may be old or blank when you open it and will contain malicious software.
    2. Sender address: always double check the email address. This example does not come from a legitimate NAB email address.
    3. Who it is sent to: often spear-phishing emails are only sent to a single recipient.
    4. Subject field: an urgent tone or interesting subject to entice recipients to open the email quickly.
    5. Instructs you to take an action: the email may direct the recipient to lower their security settings or to open a web link or attachment.
    6. Poor spelling or grammar.

  • Check your understanding of Spear-phishing

    John owns a small construction company. He receives an email inviting him to be on a panel at a conference. The email contains an attachment of the proposed agenda and information about the event. John was not expecting the email, but he’s pleased he was invited.

    Read the email below and decide what John should do.

    Decide what John should do.

    John should reply to the email to find out if it's real.

    Incorrect. You should never respond to a suspicious email. If he replies, John may give away more information to the scammers. Signs that this email is a spear-phishing attempt are:

    1. It was an unexpected request.
    2. It has poor spelling and grammar.
    3. It asks John to click on an attachment.

    John should open the attachment to see if he is available to speak at the conference.

    Incorrect. You should never open an attachment in a suspicious email. In this example, the cyber criminals have researched John and tailored a message to gain his trust. Signs that it’s fraudulent include:

    1. It was an unexpected request.
    2. It has poor spelling and grammar.
    3. It asks John to click on an attachment.

    John should find a publicly listed phone number for Sylvia's company and call to check it's real.

    Correct, always check that the email is coming from a legitimate source. In this case, when John phones Sylvia's company he realises that the email was a spear-phishing attempt. Signs that it's fraudulent include:

    • It was an unexpected request.
    • It has poor spelling and grammar.
    • It asks John to click on an attachment.

    With this knowledge, John deletes it from his inbox without opening any of the attachments or clicking any links.

  • What should you do if you click on a suspicious link?

    If you have clicked on a suspicious link, or provided personal or business information on a fake website, take the following steps immediately:

    • Disconnect your device from the network immediately, either by removing the ethernet cable or disconnecting from wi-fi. This prevents malicious software from spreading to other devices on the network. If you're on a mobile device, turn off your mobile data.
    • Notify your manager or IT team.
    • If you have given out your personal banking information, report this straight away to your bank or to the organisation being impersonated.
    • Educate your staff about the risks of spam and phishing scams and the clues to identify them.

    Check your understanding

    If you suspect you have received a NAB-branded phishing message, what should you do?

    Click on the link.

    Incorrect, you should never click on a suspicious message, link or attachment as it may contain malicious software or direct you to a fake web page to trick you into giving out personal information.

    Forward the message to hoax@nab.com.au

    Correct, if you receive a suspicious message you should report it to hoax@nab.com.au and then delete it.

    Ask a colleague to open it for you to check.

    Incorrect, you should never open a phishing email or click on the links or attachments as they may contain malicious software or direct you to a fake web page to trick you into giving out personal information.


You have completed NAB’s Cyber Safety module on scam messages. We hope you found it valuable.

For more information on how to spot a scam message you can read How to identify Spam and Phishing messages.
