Online Scam Defence Checklist (2026)
A practical, printable 15-point checklist for spotting online scams in 2026 — phishing emails, fake websites, AI voice clones, romance scams, and what to do if you've been hit.
By ECTD Editorial · Published 2026-05-02 · Updated 2026-05-02
In 2024, Australians lost $2.74 billion to scams — and the numbers are climbing as scammers use AI to make their attacks more convincing. The good news: almost every scam relies on the same handful of pressure tactics. Once you know what to look for, the defence becomes a habit. This checklist gives you 15 quick checks to run before clicking, paying, or trusting any online communication.
How to use this checklist
Read through it once now. Then print it (Ctrl+P → Save as PDF, or print on paper) and keep it next to your computer. Before sending money, providing credentials, or clicking unfamiliar links, run through the relevant section.
The checklist is broken into 4 categories: <strong>emails & text messages</strong>, <strong>phone calls</strong>, <strong>websites</strong>, and <strong>after the fact</strong>.
Section 1 — Emails & text messages
1. Check the sender address — exactly
Real bank email comes from <code>@anz.com.au</code> or <code>@westpac.com.au</code>, not <code>@anz-security.com</code> or <code>@anzbank.support</code>. The sender display name is easy to fake; the actual email address (in angle brackets) is what matters. On phones, tap the sender name to see the full address.
2. Hover over links BEFORE clicking
On a computer, hover your mouse over a link without clicking — the destination URL shows in the bottom-left of your browser. On a phone, long-press the link to preview. If the destination doesn't match what the email claims, don't click.
3. Watch for urgency language
"Verify within 24 hours or your account will be suspended." "Your refund expires today." "Immediate action required." Real institutions don't use these tactics. Urgency is the #1 signal of a scam.
4. Real banks never ask for passwords or OTP codes
Any email or SMS claiming to be from your bank that asks for your password, PIN, or a one-time code is a scam. Period. Banks never need these — they have your account already.
5. Check for AI-written language patterns
AI-generated phishing is fluent, but often has subtle giveaways: overly polite tone, unusual formality for a casual context, generic greetings ("Dear Valued Customer"), or oddly specific claims that don't quite fit your relationship with the sender. If a message feels slightly "off" — trust that instinct.
Section 2 — Phone calls
6. Hang up. Call back on a known number.
If anyone calls claiming to be your bank, the ATO, a telco, the police, or a family member in trouble — hang up. Look up the official number yourself (back of bank card, your contacts list, the official website you typed into a browser) and call back. Real callers won't mind the verification; scammers will protest.
7. Set a family safe word
AI voice cloning means scammers can now sound exactly like a distressed family member. Agree on a single safe word with closest family members — a private word no scammer would know. If anyone calls in crisis asking for money, ask for the safe word. Real family members will know it.
8. The ATO does not call you out of the blue
The ATO communicates by mail and through myGov messages. They do not call demanding immediate payment, threats of arrest, or payment via iTunes/Google Play/gift cards. None of these are real. Hang up.
9. Never give remote access to your computer
"Microsoft support" or "Telstra technical support" never cold-call. If someone wants remote access to your computer to "fix a problem" or "verify your security", they're trying to install malware or directly transfer money out of your accounts while you watch. Hang up.
Section 3 — Websites
10. Check the URL character by character
<code>mygov.au</code> is real. <code>my-gov.au.support-2024.com</code> is not. <code>westpac.com.au</code> is real. <code>westpac-au.com</code> is not. <code>amazon.com.au</code> is real. <code>amazon-support.com</code> is not. Government sites end in <code>.gov.au</code> — anything else claiming to be government is fake.
11. Watch the HTTPS padlock — but don't rely on it
The padlock in the address bar means the connection is encrypted. It does NOT mean the site is legitimate — scammers can easily get free SSL certificates. The padlock is a minimum bar, not a guarantee.
12. Be skeptical of sponsored search results
When you Google "Westpac customer support" or "MyGov login", the top results are often <strong>sponsored ads</strong> — and scammers buy these ads to impersonate real services. Look for the small "Sponsored" label. For banks, government, and big services, type the URL directly or use bookmarks — don't click search ads.
13. Investment too good to be true is too good to be true
"Guaranteed 20% monthly returns." "Insider crypto opportunity." "Celebrity-endorsed platform." None of these exist legitimately. Particularly suspect: investment platforms advertised on Facebook with deepfake "endorsements" from real Australian celebrities (Gina Rinehart, David Koch, Andrew Forrest). All scams.
Section 4 — After the fact
14. If you've been scammed, act in the first 24 hours
Time matters enormously for fund recovery:
- Stop sending more money — even if the scammer claims "one more payment unlocks the rest"
- Call your bank immediately — they may be able to recall a recent transfer
- Report to Scamwatch: <code>scamwatch.gov.au</code>
- Report to ReportCyber: <code>cyber.gov.au</code>
- Identity theft: call IDCARE on <strong>1800 595 160</strong> (free national service)
- Change your email password (the master key to everything else)
15. Tell someone
Scam victims often feel embarrassed and stay silent. Don't. Telling a trusted person within 24 hours often results in faster recovery (they spot what to call, what to check), and reporting publicly helps protect others. Scammers count on shame to keep you isolated. Take that weapon away from them by talking about it.
The bigger picture
AI has changed the look of scams — fluent emails, cloned voices, deepfake videos — but the mechanics are the same as they've been for decades. Every scam needs to create urgency, isolate you from verification channels, and push you to act before thinking. Every defence comes back to slowing down, verifying through a separate channel, and checking with another person before any significant action.
Print this checklist. Share it with family, especially older relatives who are the most targeted. The 30 seconds spent running through the relevant checks before clicking or paying is the cheapest insurance you'll ever buy.
Print this guide as a PDF: Press Ctrl+P (Windows) or Cmd+P (Mac) and choose "Save as PDF" to keep a clean printable copy. Stick it next to your computer or share with family members.
General information only — not personal financial, tax, legal or medical advice. Consider your own situation and consult a licensed professional before acting.