JCM

Learn

How scammers work, where scams come from, how to handle one — and what to do if you've already been caught.

Spotting scams

What scams look like, where they come from, and the signs that give them away.

Common Scam Types We Check

Links & URLs

Fake sites & phishing URLs

SMS & texts

Impersonation & delivery scams

Emails

Phishing & fake invoices

Phone numbers

Robocalls & scam callers

QR codes

Malicious codes in emails & flyers

How Scammers Operate

Almost every scam leans on the same handful of psychological tricks. Recognise the tactic and the spell breaks.

Urgency & fear. “Your account is suspended”, “act within 24 hours” — pressure stops you thinking clearly.

Impersonation. They pose as your bank, the ATO, myGov, police, a courier — even a family member (“Hi Mum, my phone broke”).

Too good to be true. Surprise prizes, refunds, unexpected inheritances, or crypto/investment returns that can't lose.

Borrowed authority. Official logos, spoofed sender names and faked caller ID make a message look legitimate.

Unusual payment. Demands for gift cards, crypto, or a transfer to a “safe account” — or asking you to install software.

Building rapport. Romance and friendship scams invest weeks earning trust before they ever ask for money.

Where Scams Come From

Text messages. Fake delivery, toll, bank or myGov texts with a link to tap.

Email. Phishing, fake invoices and “verify your account” messages.

Phone calls. Robocalls, “tech support”, and fake bank or government callers.

Marketplaces & social media. Fake sellers and buyers, giveaway and investment ads, hacked friends' accounts.

Search results & ads. Sponsored links and look-alike sites for banks, logins and support numbers.

Messaging & dating apps. WhatsApp “family emergencies”, romance scams, and investment “mentors”.

Email Authentication Checks

When you paste email headers, we automatically check three technical signals that prove whether the sender is who they claim to be. You'll see these badges on community reports too.

SPF. Sender Policy Framework — confirms the sending server is on the list of servers authorised to send on behalf of this domain. A fail means the email came from somewhere it shouldn't.

SPF passSPF softfailSPF fail

DKIM. DomainKeys Identified Mail — a cryptographic signature proving the message wasn't tampered with. Pass is good, but only if the signing domain matches the sender. A pass from an unrelated domain (e.g. a Microsoft tenant) is a red flag.

DKIM passDKIM pass (other[.]domain)DKIM fail

DMARC. Domain-based Message Authentication — the domain owner's own policy tying SPF and DKIM together. A fail means the message violated the sender's own rules. None means the domain publishes no enforcement — scammers love this.

DMARC passDMARC noneDMARC fail

Common Scam Red Flags

  • Asks for bank, tax file number (TFN) or Medicare details
  • Creates urgent pressure to act right now
  • Promises prizes, refunds or unclaimed money
  • Link doesn't match the organisation it claims to be
  • Unsolicited texts from random numbers
  • Asks for payment by gift card or crypto
  • Automated robocall from an unexpected number
  • Email asks you to open a suspicious attachment

If Something Seems Off

  • Slow down. Genuine organisations never mind you taking time to check.
  • Don't engage. Don't tap links, scan the QR, call the number back, or reply.
  • Verify independently. Find the official number or website yourself — never use the contact details in the message.
  • Never pay unusually. No gift cards, crypto, or transfers to a “safe account”, and never install apps or grant remote access on request.
  • Block & delete the sender once you're sure.
  • Report it (below) — it helps protect others.

If You've Already Clicked or Shared Details

Don't panic, and don't feel embarrassed — this happens to careful people too. Act quickly, based on what you shared.

You clicked a link or entered a login

Change that password now, and anywhere you reused it. Turn on two-factor authentication and watch the account for activity you don't recognise.

You gave bank or card details, or paid

Call your bank immediately (use the number on your card) to freeze cards and stop transfers — recent payments can sometimes be recalled.

You shared ID — tax file number, Medicare, licence or passport

Contact IDCARE on 1800 595 160 for a free response plan, and consider a credit ban with Equifax, illion and Experian to stop accounts being opened in your name.

You installed an app or gave remote access

Disconnect from the internet, uninstall it, run a security scan, and change important passwords from a different, trusted device.

Then report it to Scamwatch and ReportCyber, and tell your bank. If you're unsure where to start, IDCARE can walk you through it.

Where to report a scam

Reporting helps authorities warn others and disrupt scammers. This tool gives a best-effort check only — it can't guarantee it catches every scam, so trust your instincts too.

Getting the most from this tool

How to capture a scam so we can read it — a clear photo, screenshot, or the email's raw source.

Taking a photo

Point your camera straight at the message or QR code in good light, fill the frame, and hold steady. We decode QR codes and read text automatically.

Uploading an image

A clear screenshot of the full message works best. Any format (PNG, JPG, HEIC) is fine — just make sure the text and any links are readable.

Getting the email source

Pasting the full source (or a .eml file) lets us read the sender details automatically. Here's how, by app:

  1. Open the email, then choose View → Message → Raw Source (or press ⌥⌘U) to see the full source.
  2. Select all (⌘A) and copy (⌘C), then paste it below.
  3. On iPhone: drag the email to your Files app, or forward it as an attachment — that gives a .eml you can upload.

Can't find it? Just paste the From and Reply-To addresses into the fields above — that's enough to report.

Check or report a scam →