Spot and report the phish before it bites

Learn how to spot the red flags of a phishing email and how to report it to help protect everyone at the University.

A close up photo of Venus fly traps

Phishing emails are the ultimate impersonators, like a Venus Fly Trap. They lure in unsuspecting prey with bright colours (or great offers), then clamp shut and claim another victim. Some are easy to spot, but others are surprisingly slick, and falling for just one can put your personal information, passwords, or the University’s systems at risk.

Things don’t look to be improving either, with the Australian Taxation Office (ATO) reporting that email and SMS continuing to be the most common ways scammers reach Australians – accounting for around 90% of ATO scam reports in 2024. Knowing how to spot a phishing email is one of the simplest and most powerful ways to protect yourself and our University community.

Capture the (red) flags

Phishing emails are designed to trick you into clicking a link, opening an attachment, or giving away sensitive information. They often pretend to be from someone you trust – like a colleague, your bank, or even someone from the University.

Like all scams, there are common red flags to look out for. We’ve highlighted some of those flags in the examples below, which are based off real phishing emails that have been doing the rounds. If you spot any red flags like these in an email, or you’re just not sure – report it as a phishing email!

Click the images to enlarge them.


This phishing emails shows and urgent subject to cause you to act quickly without thinking. The sender’s email address is not a genuine University email address, and they use a generic greeting rather than your name. They provide links to log into your University portal rather than telling you where to navigate to. Lastly there is no branding at all – it just doesn’t feel like an email from the University.

This phishing email shows a subject that looks like it’s part of a transaction you are aware of. The greeting is generic and the email contain typos and errors. They’ve included a phone number to call, hoping you call without thinking – in this case the phone number is part of the scam and goes to a scam call centre. Lastly, ask yourself if you were expecting the email – if they’re offering something ask if it’s too good to be true. Trust your gut!


A screenshot of the Report button in Microsoft Outlook to report phishing emailsWhat to do if you spot one

If something feels off, it probably is. Don’t click, don’t reply – just report it.

Use the “Report” button in Outlook (it’s in the toolbar).

If you don’t have the button, forward the email to: spam-report@unimelb.edu.au.

Remember: when in doubt, report it – you can help protect the whole University.

Cybercriminals are always refining their tactics –  but so are we. To stay one step ahead, check out our Scam Advice page for common scam types, and keep an eye on our Scam Alerts for the latest threats doing the rounds.

Scam advice Scam alerts