

see last modified date at base of all pages

CLNT - EMAIL - SEC - How to check if an email is legit or phishing



Audience: End users and admins.
Purpose: Help you decide if an email is legitimate in under 60 seconds.
Updated: 2025


THINK … (before you click)

  • Are you expecting anything right now?
  • Are you expecting anything from these people/company?
  • If the email mentions domains/hosting/billing: ask, *who is my real provider?* If it’s not the sender, it’s likely phishing.
  • If it asks you to click, hover your mouse over the button/link—your mail app shows the actual URL.
  • Want more certainty? In Outlook (desktop): File → Properties → Internet headers. Check the true From/Return-Path and authentication results (SPF/DKIM/DMARC). They must match the brand you expect.
  • Geo note: Country/TLD is only a weak signal—attackers use any country and many generic TLDs. Treat geo as extra-scrutiny, not a blocker.

Quick Email Legitimacy Checklist (Updated)

Stop now if any are true: asks for passwords/2FA, urgent payment/bank-detail changes, gift cards/crypto, remote access, or you didn’t expect it.

1) Sender

  1. Name matches someone you know or a real department.
  2. Email address matches the real domain (no look-alikes like `rnicrosoft.com`).
  3. Reply-To is the same as From.

2) Context

  1. Am I expecting anything right now?
  2. Am I expecting anything from these people/company?
  3. You were expecting this email (invoice, file, delivery, password reset).
  4. You actually have an account/relationship with the company named.

3) Links

  1. Hover shows the same brand domain (e.g., `https://accounts.google.com/…`).
  2. No link shorteners (bit.ly, tinyurl) or random strings.
  3. No QR codes you’re being pushed to scan.

4) Attachments

  1. You expected an attachment from this sender.
  2. Avoid risky types: `.exe .js .scr .bat .ps1 .vbs .iso .img .zip .html .htm`
  3. Office/PDF files do not ask to “Enable Content/Macros”.

5) Language & look

  1. Uses your correct name and specific details you recognise.
  2. No odd grammar, threats, or too-good-to-be-true offers.
  3. Branding looks right (logos not blurry; footer/legal normal).

6) Client warnings

  1. No “External sender” or “Failed authentication (SPF/DKIM/DMARC)” banners.
  2. Not flagged by your mail client as suspicious.

7) Verify safely (don’t use email links)

  1. Open the website/app yourself from a saved bookmark or by typing the address.
  2. Call/message the sender on a known number/channel to confirm.
  3. For payments/bank changes: do a voice check with your contact.

8) If suspicious

  1. Don’t click, don’t reply, don’t forward (except to IT/security).
  2. Use Report phishing in your mail app, then delete.
  3. If you clicked or entered details: change password, enable MFA, inform IT/bank, run a malware scan.
  4. Optional: forward to reportphishing@apwg.org.
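The mechanical items above (look-alike From domain, Reply-To/Return-Path not matching From, SPF/DKIM/DMARC results, link shorteners or off-brand link domains, risky attachment types) can be run over a saved .eml with the Python standard library. This is an added example, not part of the original checklist; the message it builds is constructed for the demo, and the `.example` addresses and the bit.ly path are made up.

```python
import re
from email import message_from_string, policy
from email.message import EmailMessage
from email.utils import parseaddr

SHORTENERS = {"bit.ly", "tinyurl.com", "t.co"}                           # Links 2
RISKY_EXT = (".exe", ".js", ".scr", ".bat", ".ps1", ".vbs", ".iso", ".img", ".zip", ".html", ".htm")
URL_RE = re.compile(r'https?://[^\s"\'<>)]+')
AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=(\w+)")

def domain(s):
    """Lowercased host of an e-mail address or URL, port stripped."""
    host = s.rsplit("@", 1)[1] if "@" in s else re.sub(r"^https?://", "", s).split("/")[0]
    return host.split(":")[0].lower()

def triage(raw, expected):
    """Run the mechanical checklist items over a raw RFC 5322 message; [] means nothing flagged."""
    msg = message_from_string(raw, policy=policy.default)
    found = []
    frm = domain(parseaddr(msg.get("From", ""))[1])
    if frm != expected and not frm.endswith("." + expected):             # Sender 2: look-alike domain
        found.append(f"From domain {frm} is not {expected}")
    for hdr in ("Reply-To", "Return-Path"):                              # Sender 3 and header check
        d = domain(parseaddr(msg.get(hdr, ""))[1]) if msg.get(hdr) else frm
        if d != frm:
            found.append(f"{hdr} domain {d} differs from From domain {frm}")
    auth = dict(AUTH_RE.findall(msg.get("Authentication-Results", "").lower()))
    # Client warnings 1: anything other than pass on SPF/DKIM/DMARC is a finding
    found += [f"{m.upper()}={auth.get(m, 'missing')}" for m in ("spf", "dkim", "dmarc") if auth.get(m) != "pass"]
    for part in msg.walk():
        if (name := part.get_filename()) and name.lower().endswith(RISKY_EXT):   # Attachments 2
            found.append(f"risky attachment type: {name}")
        if part.get_content_maintype() == "text":                        # Links 1-2: every URL in the body
            for url in URL_RE.findall(part.get_content()):
                d = domain(url)
                if d in SHORTENERS:
                    found.append(f"link shortener: {url}")
                elif d != expected and not d.endswith("." + expected):
                    found.append(f"link to {d}, not {expected}: {url}")
    return found

def sample_message():
    """Constructed look-alike phish for the demo; the addresses and the URL are made up."""
    m = EmailMessage(policy=policy.default)
    m["From"] = "Microsoft Billing <billing@rnicrosoft.com>"
    m["Reply-To"] = "support@mail-help.example"
    m["Return-Path"] = "<bounce@mail-help.example>"
    m["Authentication-Results"] = "mx.example; spf=fail smtp.mailfrom=mail-help.example; dkim=none; dmarc=fail"
    m.set_content("Your subscription is suspended. Renew now: https://bit.ly/3xAmpLe")
    m.add_attachment(b"PK\x03\x04", maintype="application", subtype="zip", filename="Invoice_4471.zip")
    return m.as_string()
```

Calling `triage(sample_message(), "microsoft.com")` returns eight findings (look-alike From, two mismatched reply headers, three failed authentication results, the shortener link and the .zip); a message that passes every item returns an empty list.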

Visual Example (hover reveals mismatched domain)


Country & ccTLD Reference (weak signal only)

ISO Country ccTLD
AF Afghanistan .af
AL Albania .al
AM Armenia .am
AO Angola .ao
AZ Azerbaijan .az
BA Bosnia and Herzegovina .ba
BD Bangladesh .bd
BF Burkina Faso .bf
BG Bulgaria .bg
BH Bahrain .bh
BI Burundi .bi
BJ Benin .bj
BM Bermuda .bm
BN Brunei .bn
BO Bolivia .bo
BS Bahamas .bs
BT Bhutan .bt
BY Belarus .by
BZ Belize .bz
CD Congo (Democratic Republic) .cd
CF Central African Republic .cf
CG Congo (Republic) .cg
CI Côte d’Ivoire .ci
CL Chile .cl
CN China .cn
CO Colombia .co
CR Costa Rica .cr
CU Cuba .cu
CV Cabo Verde .cv
CY Cyprus .cy
CZ Czechia .cz
DJ Djibouti .dj
DM Dominica .dm
DO Dominican Republic .do
DZ Algeria .dz
EC Ecuador .ec
EE Estonia .ee
ER Eritrea .er
ET Ethiopia .et
GA Gabon .ga
GD Grenada .gd
GE Georgia .ge
GH Ghana .gh
GM Gambia .gm
GN Guinea .gn
GQ Equatorial Guinea .gq
GT Guatemala .gt
GW Guinea-Bissau .gw
GY Guyana .gy
HN Honduras .hn
HR Croatia .hr
HT Haiti .ht
HU Hungary .hu
IN India .in
IQ Iraq .iq
IR Iran .ir
JM Jamaica .jm
JO Jordan .jo
JP Japan .jp
KE Kenya .ke
KG Kyrgyzstan .kg
KH Cambodia .kh
KI Kiribati .ki
KM Comoros .km
KN Saint Kitts and Nevis .kn
KP North Korea .kp
KR South Korea .kr
KW Kuwait .kw
KZ Kazakhstan .kz
LA Laos .la
LB Lebanon .lb
LC Saint Lucia .lc
LK Sri Lanka .lk
LR Liberia .lr
LS Lesotho .ls
LT Lithuania .lt
LV Latvia .lv
LY Libya .ly
MD Moldova .md
MG Madagascar .mg
MK North Macedonia .mk
ML Mali .ml
MM Myanmar .mm
MN Mongolia .mn
MR Mauritania .mr
MT Malta .mt
MU Mauritius .mu
MW Malawi .mw
MX Mexico .mx
MY Malaysia .my
NE Niger .ne
NG Nigeria .ng
NI Nicaragua .ni
NP Nepal .np
OM Oman .om
PA Panama .pa
PE Peru .pe
PG Papua New Guinea .pg
PK Pakistan .pk
PL Poland .pl
PR Puerto Rico .pr
PS Palestine .ps
PW Palau .pw
PY Paraguay .py
QA Qatar .qa
RO Romania .ro
RS Serbia .rs
RU Russia .ru
RW Rwanda .rw
SA Saudi Arabia .sa
SB Solomon Islands .sb
SC Seychelles .sc
SD Sudan .sd
SG Singapore .sg
SI Slovenia .si
SK Slovakia .sk
SL Sierra Leone .sl
SM San Marino .sm
SN Senegal .sn
SO Somalia .so
SR Suriname .sr
SS South Sudan .ss
ST São Tomé and Príncipe .st
SV El Salvador .sv
SY Syria .sy
SZ Eswatini .sz
TJ Tajikistan .tj
TL Timor-Leste .tl
TM Turkmenistan .tm
TN Tunisia .tn
TO Tonga .to
TT Trinidad and Tobago .tt
TV Tuvalu .tv
TW Taiwan .tw
TZ Tanzania .tz
UA Ukraine .ua
UG Uganda .ug
UZ Uzbekistan .uz
VC Saint Vincent and the Grenadines .vc
VE Venezuela .ve
VG Virgin Islands (British) .vg
VI Virgin Islands (U.S.) .vi
VN Vietnam .vn
WS Samoa .ws
YE Yemen .ye
YU Yugoslavia .yu
ZA South Africa .za
ZM Zambia .zm
ZW Zimbabwe .zw
AX Åland Islands .ax
FO Faroe Islands .fo
GI Gibraltar .gi
GL Greenland .gl
GG Guernsey .gg
JE Jersey .je
MF Saint Martin (French part) .mf
MQ Martinique .mq
RE Réunion .re
SX Sint Maarten (Dutch part) .sx
SH Saint Helena, Ascension and Tristan da Cunha .sh
PM Saint Pierre and Miquelon .pm
TF French Southern and Antarctic Lands .tf
WF Wallis and Futuna .wf

Notes:

*.yu* (Yugoslavia) = retired.
*.mf* (Saint Martin, FR) = reserved/not generally in operation.
Reminder: ccTLD/country is a weak indicator. Always prioritise SPF/DKIM/DMARC, link/attachment analysis, sender reputation, and business context.


Phishing: What To Do If You Clicked — And If You Entered Info

Audience: End users (with quick admin notes).
Goal: Fast, idiot-proof actions that limit damage.
Use when: You clicked a suspicious link OR you entered details on a fake site.


0) TL;DR

  • If you only clicked: Disconnect → Close browser → Clear data → Scan device → Change passwords (if prompted/logged in). Report it.
  • If you entered any info: Change that password NOW (from a different device) → Enable/confirm MFA → Sign out of all sessions → Remove risky mail rules / app tokens → Notify bank/IT → Report it.

1) Scenario A: You clicked the link (but entered nothing)

Within 10 minutes

  1. Disconnect from the internet (Wi-Fi off / Airplane mode) if anything started to download.
  2. Close the tab/app. If it won’t close, reboot.
  3. Clear only the phishing site’s data:
    • Chrome/Edge: Menu → Settings → Privacy → Cookies & Site Data → See all site data → search the domain → Remove.
    • Safari (iOS/macOS): Settings/Preferences → Safari → Advanced → Website Data → search → Remove.
  4. Delete any downloaded file (especially `.zip .exe .js .scr .bat .ps1 .html .iso .img`) without opening.

Within 1 hour

  1. Run a security scan:
    • Windows: *Windows Security* → Virus & threat protection → Scan options → Microsoft Defender Offline scan.
    • macOS: Update macOS, then run a full scan if you have reputable AV.
    • Android: Play Store → Play Protect → Scan.
    • iOS/iPadOS: Update iOS; Settings → General → VPN & Device Management → remove unknown profiles.
  2. If that browser was already logged in to email/banking, change those passwords as a precaution.

Report

  1. Use Report phishing in your mail app and send the message to IT/security.
  2. Optional public reporting: ACCC Scamwatch, ReportCyber (ACSC), reportphishing@apwg.org.

2) Scenario B — You entered info on the phishing site

Do all applicable items below, in this order.

A) If you entered your work or personal account password

  1. From a different, clean device, go change the password immediately.
  2. Turn MFA on (or re-enrol a fresh MFA method).
  3. Sign out everywhere:
    • Google: myaccount.google.com → Security → Manage all devices → Sign out of unrecognised devices; Third-party access → Remove unknown apps.
    • Microsoft 365: myaccount.microsoft.com → Security info → Sign out everywhere; Apps & services → Remove unknown OAuth grants.
  4. Check mail rules and forwarding:
    • Look for auto-forward to unknown addresses, reply-to changes, or auto-delete rules. Remove anything suspicious.

B) If you entered card or banking info

  1. Call your bank immediately (use the number on the card/official app) → block the card and dispute any charges.
  2. Turn on transaction alerts. Consider a temporary credit ban/freeze with AU credit bureaus (Equifax, illion, Experian).

C) If you entered ID documents (driver’s licence, passport, Medicare)

  1. Contact the issuing authority to flag or replace the document number (as per their policy).
  2. Get identity assistance: IDCARE (AU/NZ identity support).

D) If you installed anything or accepted an extension

  1. Uninstall the app/extension. Reboot.
  2. Run the scans listed in *Scenario A* (Defender Offline etc.).
  3. For managed work devices: isolate the device and notify IT to run full EDR scans.

E) Tell IT/Security (work accounts)

  1. Send the original email (as attachment if possible) and include: your username, time clicked, data typed, files downloaded, current device state.
  2. Expect IT to: force password resets, revoke sessions/tokens, check mail rules, scan hosts, and monitor sign-ins.

3) What NOT to do

  1. Don’t keep browsing the phishing site “to look around.”
  2. Don’t reply to the attacker or use links/phone numbers provided in the email.
  3. Don’t reuse the compromised password anywhere else.

4) Aftercare (next 24–72 hours)

  1. Watch your inbox for password-reset emails you didn’t initiate.
  2. Review recent account activity/sign-ins; enable login alerts.
  3. For banking: monitor transactions; keep your case reference from support.
  4. Consider a security check-up (Google/Microsoft account security pages).

5) Optional: Template to report to IT

Subject: Possible phishing — clicked/entered info
When: YYYY-MM-DD HH:MM (local time)
From address of email: (copy/paste)
Link hovered/visited: (full URL)
What I did: Clicked only / Entered password / Entered card# / Downloaded file (specify)
Device & OS: (e.g., Windows 11 laptop)
Browser: (e.g., Chrome)
Actions taken so far: Disconnected, cleared site data, Defender Offline scan, changed password, enabled MFA, notified bank, etc.
Attachments: Original email (.eml/.msg) and any screenshots.

6) Quick Reference (one-minute flow)

  1. Clicked? Disconnect → Close → Clear site data → Scan → Report.
  2. Entered info? Change password (other device) → Enable MFA → Sign out everywhere → Remove mail rules/OAuth apps → Notify bank/IT → Report.
clt_email_legitimacy_checklist.1760653439.txt.gz · Last modified: by thesaint