Common Scam Types We Check
Fake sites & phishing URLs
Impersonation & delivery scams
Phishing & fake invoices
Robocalls & scam callers
Malicious codes in emails & flyers
How Scammers Operate
Almost every scam leans on the same handful of psychological tricks. Recognise the tactic and the spell breaks.
Urgency & fear. “Your account is suspended”, “act within 24 hours” — pressure stops you thinking clearly.
Impersonation. They pose as your bank, the ATO, myGov, police, a courier — even a family member (“Hi Mum, my phone broke”).
Too good to be true. Surprise prizes, refunds, unexpected inheritances, or crypto/investment returns that can't lose.
Borrowed authority. Official logos, spoofed sender names and faked caller ID make a message look legitimate.
Unusual payment. Demands for gift cards, crypto, or a transfer to a “safe account” — or asking you to install software.
Building rapport. Romance and friendship scams invest weeks earning trust before they ever ask for money.
Where Scams Come From
Text messages. Fake delivery, toll, bank or myGov texts with a link to tap.
Email. Phishing, fake invoices and “verify your account” messages.
Phone calls. Robocalls, “tech support”, and fake bank or government callers.
Marketplaces & social media. Fake sellers and buyers, giveaway and investment ads, hacked friends' accounts.
Search results & ads. Sponsored links and look-alike sites for banks, logins and support numbers.
Messaging & dating apps. WhatsApp “family emergencies”, romance scams, and investment “mentors”.
Email Authentication Checks
When you paste email headers, we automatically check three technical signals that prove whether the sender is who they claim to be. You'll see these badges on community reports too.
SPF. Sender Policy Framework — confirms the sending server is on the list of servers authorised to send on behalf of this domain. A fail means the email came from somewhere it shouldn't.
DKIM. DomainKeys Identified Mail — a cryptographic signature proving the message wasn't tampered with. Pass is good, but only if the signing domain matches the sender. A pass from an unrelated domain (e.g. a Microsoft tenant) is a red flag.
DMARC. Domain-based Message Authentication — the domain owner's own policy tying SPF and DKIM together. A fail means the message violated the sender's own rules. None means the domain publishes no enforcement — scammers love this.
Common Scam Red Flags
- Asks for bank, tax file number (TFN) or Medicare details
- Creates urgent pressure to act right now
- Promises prizes, refunds or unclaimed money
- Link doesn't match the organisation it claims to be
- Unsolicited texts from random numbers
- Asks for payment by gift card or crypto
- Automated robocall from an unexpected number
- Email asks you to open a suspicious attachment
If Something Seems Off
- Slow down. Genuine organisations never mind you taking time to check.
- Don't engage. Don't tap links, scan the QR, call the number back, or reply.
- Verify independently. Find the official number or website yourself — never use the contact details in the message.
- Never pay unusually. No gift cards, crypto, or transfers to a “safe account”, and never install apps or grant remote access on request.
- Block & delete the sender once you're sure.
- Report it (below) — it helps protect others.