How to Check If a Message Is a Scam
A text appears. "Your parcel can't be delivered." An email lands. "Your myGov account needs verification." A DM arrives from someone claiming to be from your bank. The challenge isn't whether scams exist — it's that they look identical to the real thing in the four seconds it takes to skim a phone screen.
This guide is the structural difference. Five red flags every Australian scam message contains, a ten-second test that catches almost all of them, and the right tool to use when your gut says "something's off" but you can't quite place it.
What's actually happening
Scam messages don't arrive at random. Australia is one of the most-targeted English-speaking countries in the world, partly because we're a wealthy market, partly because our biggest brands — myGov, Australia Post, ATO, Linkt, the major banks — are easy to impersonate, and partly because criminals have bought enough breach data over the last decade to personalise attacks at scale.
The result is a steady stream of polished, plausible messages most of which fall into three families:
- Phishing for credentials — fake bank, myGov, Microsoft 365 login pages designed to harvest your password.
- Phishing for card details — fake parcel, toll-road, government refund pages designed to capture your card number, expiry, and CVV.
- Direct-payment fraud — fake "outstanding debt" texts and "your payment was rejected" emails that pressure you into a transfer to a criminal-controlled account.
Phishing is consistently one of the highest-loss scam categories tracked by the National Anti-Scam Centre's Targeting Scams program, with Australians losing tens of millions of dollars a year. The fastest-growing variant in 2026 is AI-generated phishing — emails that read like a competent professional wrote them, with no spelling errors, your real first name, and references to a real prior address scraped from a 2022 breach.
The "spot the typo" defence is over. The new defence is structural.
The five red flags
Every scam message in active circulation hits at least one of these. Most hit two or three.
1. Urgency that doesn't match the channel. "Act within 24 hours or your account will be closed." No legitimate Australian organisation operates on a 24-hour SMS countdown. Banks, government, telcos — they all give you weeks, written notice, and reference numbers you can verify.
2. A request for information they should already have. Your bank knows your account number. The ATO knows your TFN. myGov knows your CRN. If a message asks you to "confirm" one of these, the asker isn't who they claim to be.
3. A link that doesn't go where the brand lives. Real Linkt links end in linkt.com.au. Real Australia Post links end in auspost.com.au. Real myGov links go to my.gov.au. Anything else — a hyphenated lookalike, a .shop or .support domain, a bit.ly shortener — is a scam.
4. An offer that doesn't fit the relationship. A "refund" you didn't apply for. A "prize" in a competition you didn't enter. A "discount" from a brand you don't shop with. The criminal counts on you wanting it to be true; the test is whether you'd have asked for it.
5. A demand for an unusual payment method. Gift cards, cryptocurrency, wire transfer, BPAY to an unfamiliar biller. Real Australian institutions accept Australian banking; criminals need irreversible.
One red flag is enough. You don't need to spot all five. The cost of being wrong is your money or your identity; the cost of over-reacting is fifteen seconds of inconvenience. When in doubt, treat it as a scam — that's the right asymmetry.
The ten-second test
Run this on any message. It takes longer to read than to do.
1. Look at the sender. Is it a brand-name sender ID ("AusPost", "Westpac", "ATO") or a random mobile number? Random numbers from anyone claiming to be a major Australian institution are a near-certain scam.
2. Look at the link, not the text. Tap and hold on the link to preview the URL without opening it. Real links live on the brand's official domain. Fake links contain the brand name somewhere in the middle of an unrelated URL.
3. Look at the request. Is it asking for money, card details, or login credentials? Real Australian institutions never request these via SMS or unsolicited email.
4. Look at the urgency. Is there a clock running? Real notifications don't pressure you into action.
5. Go direct. Don't click the link in the message. Open the brand's official app or type the address yourself. If a real notification exists, it'll be in your inbox or app. If it isn't, the message was fake.
When to use Ask Arthur
The ten-second test catches the obvious cases. The less obvious ones — the AI-generated emails, the lookalike domains with valid HTTPS certificates, the impersonations that include your real first name — are where Ask Arthur exists.
Paste any suspicious message into askarthur.au and you'll get a verdict in five seconds. Free. No signup. We use Anthropic's Claude AI combined with sixteen Australian and international threat-intelligence feeds, and we look at the URL, the sender, the language pattern, and the brand-impersonation cues in one go. If you're uncertain at any point, paste — that's what it's for.
The browser extension does the same thing automatically as you scroll Facebook, and the mobile app handles screenshots so you can check a message without typing it out.
What to do once it's confirmed a scam
If Ask Arthur or your own check returns red flags — or you've already clicked something and now have second thoughts — there's an order to the actions.
1. Don't reply, don't call back, don't click. Engaging confirms your number is live and escalates follow-up volume.
2. If you entered card details, call your bank's fraud line. CommBank 13 2221, Westpac 132 032, NAB 13 22 65, ANZ 13 33 50, Macquarie 1800 622 742. Card-testing happens within minutes of a phishing harvest.
3. If you entered identity details (Medicare, driver licence, TFN), call IDCARE on 1800 595 160. Free, government-funded, and Australia's specialist identity-recovery service.
4. Report to Scamwatch at scamwatch.gov.au or 1300 795 995. The reference number matters for any subsequent bank refund decision under the ePayments Code.
5. Forward the scam to the right channel. Scam SMS to 0429 401 703 (cross-industry). Scam emails to report@cyber.gov.au (ReportCyber, ACSC). Brand-specific reporting addresses for ATO, Linkt, Aus Post, etc.
The bottom line
You don't need to memorise every scam pattern in circulation — there are too many, and the criminals iterate faster than awareness campaigns. What works is the structural habit: never click a link in an unexpected message, always go to the brand's official app or website yourself, and paste anything that makes you hesitate into Ask Arthur. Five seconds, free, and most fakes break visibly under that test.
If a message ever feels off — even slightly — paste it. That's the entire defence.
If you've shared personal or financial information with a scammer, contact your bank's fraud line first, then call IDCARE on 1800 595 160 and report to Scamwatch on 1300 795 995. Reports help the National Anti-Scam Centre disrupt active campaigns.
Ask Arthur is Australia's friendly scam-detection companion, built locally with Australian threat intelligence. For more guides and real-time alerts, visit askarthur.au.
Related posts
Think you've received a scam?
Check it instantly — free, private, no signup.
Check now