TL;DR: Phishing emails have become sophisticated enough to deceive experienced professionals. The best defence is pattern recognition — learning to identify the consistent tells that appear across different attack types. This guide breaks down real phishing patterns used against Australian businesses, with annotated examples your team can use for training.
Why Phishing Training Matters More Than Technology
Your email filtering catches the vast majority of phishing attempts. The ones that reach inboxes are the sophisticated ones — carefully crafted to pass technical filters and fool human judgement. For these, your last line of defence is a staff member who recognises the attack for what it is.
Security awareness training consistently reduces phishing click rates by 50–70% in organisations that run regular, practical training. The key word is practical — training based on real examples of the types of attacks employees will actually encounter is far more effective than generic security lectures.
This guide provides that practical material.
The Anatomy of a Phishing Email
Before the specific examples, understand the five elements that appear in virtually every phishing email:
1. A False Sense of Urgency
“Your account will be suspended in 24 hours.” “Immediate action required.” “Your payment is overdue — respond by end of business today.”
Urgency is designed to short-circuit careful thinking. When we are rushed, we are more likely to act without verifying. If an email is demanding urgent action — particularly action involving money, credentials, or sensitive information — slow down rather than speed up.
2. Impersonation of a Trusted Entity
Every phishing email impersonates someone or something the target trusts: Microsoft, the ATO, a bank, the CEO, a supplier, or a colleague. The impersonation may be perfect (compromised real account) or imperfect (lookalike email address).
3. A Request for Action
Phishing emails always want you to do something: click a link, open an attachment, reply with information, make a payment. The requested action is the payload.
4. A Pretext
A plausible business reason for the request. “We detected suspicious activity on your account.” “Your invoice is attached.” “I need you to process this urgent payment before I land.”
5. A Mechanism
A link to a fake login page, a malicious attachment, or a phone number to call. The mechanism delivers the actual attack.
Example Type 1: Credential Harvesting (Microsoft Account)
What it looks like:
From: Microsoft Account Team <support@microsoft-security-alert.com>
Subject: Action Required: Unusual Sign-In Activity Detected
Dear User,
We have detected unusual sign-in activity on your Microsoft account from an unrecognised device in [LOCATION].
To secure your account, you must verify your identity within 24 hours or your account access will be suspended.
[Verify My Account Now]
If you did not attempt to sign in, please click the link above immediately to protect your account.
Microsoft Security Team
The tells:
Sender domain: microsoft-security-alert.com is not a Microsoft domain. Microsoft sends email from @microsoft.com or @account.microsoft.com. Any other domain is not Microsoft, regardless of what the display name says. Check the actual sending address, not the display name.
Generic greeting: Microsoft knows your name — they use it. “Dear User” is a generic greeting used in phishing because attackers are sending the same email to thousands of people.
The threat: “Account will be suspended in 24 hours” is the urgency mechanism. Microsoft sends warnings with much longer timeframes when genuine — and they send multiple warnings, not one with a 24-hour deadline.
The link: The “Verify My Account Now” link will not go to microsoft.com. Hover over any link before clicking to see where it actually leads. If the domain is not recognisably legitimate — and particularly if it is a long string of characters or an IP address — do not click.
What to do: Delete the email. If you are genuinely concerned about your Microsoft account, go directly to account.microsoft.com by typing it in your browser — never by clicking a link in an email.
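The hover check from “The link” above, done programmatically as an added example (not code from the original article): it pulls every anchor out of an HTML body and flags bare-IP targets, hosts outside the domains you trust for the claimed sender, and visible text that shows one URL while the link goes somewhere else. The legit_domains list and the sample body are assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit
import ipaddress

class AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML email body."""
    def __init__(self):
        super().__init__()
        self.links, self._current = [], None
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._current = [dict(attrs).get("href") or "", ""]
    def handle_data(self, data):
        if self._current is not None:
            self._current[1] += data
    def handle_endtag(self, tag):
        if tag == "a" and self._current is not None:
            self.links.append(tuple(self._current))
            self._current = None

def host_of(url):
    return (urlsplit(url.strip()).hostname or "").lower()
def is_legit(host, legit_domains):
    return any(host == d or host.endswith("." + d) for d in legit_domains)

def check_links(html_body, legit_domains):
    """Apply the hover-before-you-click test to every link; return (href, reason) findings."""
    parser = AnchorCollector()
    parser.feed(html_body)
    findings = []
    for href, text in parser.links:
        host = host_of(href)
        try:
            ipaddress.ip_address(host)
            findings.append((href, "target is a bare IP address"))
            continue
        except ValueError:
            pass
        if not is_legit(host, legit_domains):
            findings.append((href, f"target host {host!r} is not a known-legitimate domain"))
        shown = host_of(text) if "://" in text else ""   # anchor text that looks like a URL
        if shown and shown != host:
            findings.append((href, f"text shows {shown!r} but the link goes to {host!r}"))
    return findings

# Constructed HTML modelled on the Microsoft example above, not a real email.
SAMPLE_BODY = """<p><a href="http://203.0.113.45/verify">Verify My Account Now</a></p>
<p><a href="https://microsoft-security-alert.com/login">https://account.microsoft.com</a></p>
<p><a href="https://support.microsoft.com/help">Microsoft Support</a></p>"""
```

Running `check_links(SAMPLE_BODY, ["microsoft.com"])` returns three findings: the IP target, the non-Microsoft host, and the text/target mismatch; the genuine support link is clean.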
Example Type 2: Business Email Compromise (CEO Fraud)
What it looks like:
From: David Thompson <ceo@yourcompany-ap.com>
Subject: Urgent — Confidential Transfer
Hi Sarah,
Are you available right now? I’m in meetings all day but I need you to process an urgent payment. It’s time-sensitive and I need it done before end of business today.
Please keep this between us for now — I’ll explain when I’m back in the office.
David
The tells:
Lookalike domain: yourcompany-ap.com is not yourcompany.com. Attackers register domains that look like the target company with small variations: adding -ap, -au, -secure, replacing letters (rn → m, 0 → o). The display name says “David Thompson” but the actual email address reveals the deception.
Secrecy request: “Keep this between us” is a classic BEC tell. Legitimate financial transactions do not require secrecy from colleagues. The secrecy request is specifically designed to prevent the target from verifying with a colleague.
Urgency without detail: “Time-sensitive” and “I’ll explain later” are designed to discourage questions. A real CEO requesting a payment would provide the payee details, amount, and reason in the same email.
“Are you available right now?”: This is a two-stage attack. Stage one is getting a “yes” reply, which confirms the email address is monitored and sets up compliance. Stage two follows with the actual payment request. If you reply to stage one without realising it is a phishing email, stage two is more likely to succeed.
What to do: Call the CEO directly — on a known phone number, not one provided in the email — to verify the request before taking any action. Any payment instruction received by email should be verified by phone, regardless of who it appears to be from.
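As an added example (not code from the original article), the sender-domain tell from Example Type 1 and the lookalike-domain tell from Example Type 2 in one Python check: it parses the From: header, undoes the substitutions described above (rn → m, 0 → o, a bolted-on suffix such as -ap) before comparing against your own domain, and separately flags an executive's display name sitting on an external address. The substitution and suffix tables and the executives list are assumptions.

```python
from email.utils import parseaddr
import difflib

# Substitutions the article lists (rn -> m, 0 -> o) plus a few common companions,
# and suffixes attackers bolt onto a real name; both tables are assumptions.
SUBSTITUTIONS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e")]
SUFFIXES = ("-ap", "-au", "-secure", "-billing", "-security", "-alert")

def normalise(label):
    """Undo look-alike tricks so 'yourcornpany-ap' compares equal to 'yourcompany'."""
    label = label.lower()
    for fake, real in SUBSTITUTIONS:
        label = label.replace(fake, real)
    for suffix in SUFFIXES:
        if label.endswith(suffix):
            label = label[: -len(suffix)]
    return label

def name_part(domain):
    """First DNS label only; a real deployment would consult the public-suffix list."""
    return domain.lower().split(".")[0]

def classify_sender(from_header, our_domain, executives):
    """Return (verdict, detail) for a From: header.
    executives: display names a BEC attacker is likely to impersonate (assumed list)."""
    name, addr = parseaddr(from_header)
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    if domain == our_domain.lower():
        # An exact match only means the header claims our domain; SPF/DKIM/DMARC
        # results decide whether that claim was actually authenticated.
        return "internal", addr
    ours, theirs = name_part(our_domain), name_part(domain)
    if theirs == ours:
        return "lookalike", f"{domain} reuses our name under a different suffix"
    if normalise(theirs) == normalise(ours):
        return "lookalike", f"{domain} normalises to {our_domain}"
    ratio = difflib.SequenceMatcher(None, ours, theirs).ratio()
    if ratio >= 0.8:
        return "lookalike", f"{domain} is {ratio:.0%} similar to {our_domain}"
    if name.strip().lower() in {e.lower() for e in executives}:
        return "exec-impersonation", f"display name {name!r} on external address {addr}"
    return "external", addr
```

The CEO-fraud header above (`David Thompson <ceo@yourcompany-ap.com>`) comes back as `lookalike`; the same display name on a webmail address comes back as `exec-impersonation`.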
Example Type 3: Invoice Fraud (Supplier Impersonation)
What it looks like:
From: Accounts <invoicing@telstra-billing.net.au>
Subject: Invoice #INV-2026-0847 — Updated Payment Details
Dear Accounts Team,
Please note that our banking details have changed effective immediately. Please update your records and process all outstanding and future payments to our new account:
BSB: 032-XXX
Account: XXXXXXXX
Account Name: Telstra Communications Pty Ltd
Our invoice #INV-2026-0847 for $4,847.50 is now due. Please process to the new account.
Thank you,
Telstra Accounts Receivable
The tells:
Domain: telstra-billing.net.au is not Telstra. Telstra uses @telstra.com.au. Any deviation from the actual organisation’s domain is a major red flag.
Banking change by email: Legitimate businesses almost never change their banking details by email alone. If a supplier sends a banking change notification, call them on their published phone number to verify before changing anything in your payment system.
Pressure to pay immediately: The email is combining a banking change notification with an overdue invoice — creating pressure to act quickly. The combination of urgency and a change in payment details is a classic fraud pattern.
What to do: Call Telstra (or whichever supplier is being impersonated) on the number from their actual website or a previous verified statement — not any number in the email. Verify the banking change before updating your records.
Example Type 4: Malicious Attachment (Fake Invoice/PDF)
What it looks like:
From: info@supplierco.com.au
Subject: Invoice attached — payment due 15/02/2026
Hi,
Please find attached our invoice for the recent work. Payment terms are 14 days.
Let me know if you have any questions.
Regards,
Brad
SupplierCo
Attachment: Invoice_2026_0284.pdf (may actually be a .exe disguised as a PDF, or a PDF with embedded malicious content)
The tells:
Vague content: The email provides no specifics. What work? For which project? Legitimate invoices from genuine suppliers reference the job, the project, or the service description.
Generic greeting: No recipient name. Phishing emails are often sent to large lists — they cannot personalise.
Suspicious attachment: Before opening any attachment, check the full file name including its extension (Windows hides known file extensions by default, so you may need to enable them). An invoice should be a .pdf — not a .exe, .zip, .doc with macros, or .js. Even a real PDF can contain malicious links or embedded code — do not open attachments from unexpected senders.
Sender you do not recognise: If you were not expecting an invoice from this sender, do not open the attachment. Call the supplier to confirm before opening anything.
What to do: If you are not expecting an invoice from this sender, do not open the attachment. Call the apparent sender to verify. If you must open an attachment from an uncertain source, do so on a device with updated endpoint protection, and watch for any unusual behaviour immediately after.
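An added example, not the article's own code, of the attachment check above: it looks for double extensions, for executable, macro-capable and archive types, and compares the file's first bytes with what its extension claims, so a .exe renamed to .pdf is caught even when the name looks right. The extension groups and the sample files are constructed.

```python
import os

# Extension groups the article calls out; the membership is my classification.
EXECUTABLE = {".exe", ".js", ".vbs", ".scr", ".bat", ".cmd", ".ps1", ".hta", ".lnk"}
MACRO_CAPABLE = {".doc", ".xls", ".docm", ".xlsm", ".pptm"}
ARCHIVE = {".zip", ".rar", ".7z", ".iso"}
DOCUMENT_LIKE = {".pdf", ".doc", ".xls", ".txt", ".jpg"}
# Leading bytes of common formats (public file-format facts, not from the article).
MAGIC = {".pdf": b"%PDF-", ".exe": b"MZ", ".zip": b"PK\x03\x04"}

def assess_attachment(filename, head):
    """Classify an attachment from its name and its first bytes.
    head: the opening bytes of the file content. Returns human-readable findings;
    an empty list means the name and content agree and the type is plausible."""
    findings = []
    parts = os.path.basename(filename).lower().split(".")
    exts = ["." + p for p in parts[1:]]
    final = exts[-1] if exts else ""
    # "Invoice.pdf.exe" displays as "Invoice.pdf" when Windows hides known extensions.
    if len(exts) >= 2 and exts[-2] in DOCUMENT_LIKE:
        findings.append(f"double extension {''.join(exts[-2:])}: the real type is {final}")
    if final in EXECUTABLE:
        findings.append(f"{final} is an executable type, not an invoice")
    elif final in MACRO_CAPABLE:
        findings.append(f"{final} can carry macros; treat it as executable")
    elif final in ARCHIVE:
        findings.append(f"{final} archive hides the real contents until extracted")
    # A file named .pdf must also begin like a PDF; otherwise the name is lying.
    expected = MAGIC.get(final)
    if expected and not head.startswith(expected):
        actual = next((e for e, m in MAGIC.items() if head.startswith(m)), None)
        if actual:
            findings.append(f"content is really {actual} but named {final}")
        else:
            findings.append(f"content does not match a {final} file")
    return findings

# Constructed samples modelled on the Invoice_2026_0284.pdf attachment above.
SAMPLES = [
    ("Invoice_2026_0284.pdf", b"%PDF-1.7\n"),       # genuine-looking PDF
    ("Invoice_2026_0284.pdf.exe", b"MZ\x90\x00"),   # double extension
    ("Invoice_2026_0284.pdf", b"MZ\x90\x00"),       # executable renamed to .pdf
    ("Invoice_2026_0284.zip", b"PK\x03\x04"),       # archive wrapper
]

if __name__ == "__main__":
    for name, head in SAMPLES:
        print(name, assess_attachment(name, head) or ["no findings"])
```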
Example Type 5: ATO and Government Impersonation
What it looks like:
From: Australian Taxation Office <noreply@ato-gov-au.info>
Subject: Tax Refund — Action Required
Dear Taxpayer,
Following our annual assessment, you are eligible for a tax refund of $2,847.00.
To claim your refund, please verify your identity by clicking the link below and providing your myGov credentials and bank account details.
[Claim Your Refund]
This offer expires in 7 days.
Australian Taxation Office
The tells:
Domain: The ATO uses @ato.gov.au. Any other domain — including ato-gov-au.info — is not the ATO.
Unsolicited refund notification: The ATO does not send unsolicited refund notifications by email requiring you to click a link. Tax refunds are processed through myGov, and you find out about them by logging in to myGov — not by clicking an email link.
Credential request: The ATO will never ask for your myGov credentials via email. Never provide government account credentials in response to an email.
Bank details request: Government agencies with legitimate refund processes do not collect bank details through email links. These are collected through verified secure portals.
What to do: Go to ato.gov.au directly (type it in, do not click) or log in to myGov directly. If there is a genuine refund, it will be visible there.
Running Phishing Training With These Examples
Format 1: Lunch and learn. Walk through three to four examples as a team. For each, ask: “What would you do if this arrived in your inbox?” Discuss the tells before revealing them.
Format 2: Print and desk drop. Print two examples and leave them on desks with a brief explanation of what to look for. Low effort, visible reminder.
Format 3: Simulated phishing. Use a tool like Microsoft Attack Simulator (included in Microsoft 365 Business Premium) to send simulated phishing emails to your team. Staff who click are taken to a training page rather than an actual phishing site. This is the most effective form of phishing training.
What to do when you spot a real one:
- Do not click anything in the email
- Report it to IT (forward to your IT security contact, or use the “Report Phishing” button in Outlook if enabled)
- If you already clicked: notify IT immediately — time is critical
For technical controls to reduce phishing email delivery, see Email Security for Australian Businesses.