Phishing, or email fraud, is one of the oldest and most common forms of internet fraud. The Australian Cyber Security Centre states that phishing has been observed in Australia since 2003. According to the Australian Competition and Consumer Commission, phishing was the most reported scam in 2021 with 71,308 cases.
What is phishing?
Phishing occurs when a cybercriminal attempts to steal confidential information through fraudulent emails and online messages. The fraudulent messages and emails are sometimes called “lures”.
In traditional forms of phishing, individuals may be sent emails attempting to persuade them to buy a product or service or visit a fraudulent website. Some emails will tell individuals they have won the lottery or have been gifted money. These scams will inform recipients that they can only claim their prize after they have paid a fee.
Common methods of phishing
In classic phishing cases, the individual is tricked into providing their personal information through scam emails in which the cybercriminal pretends to be a reputable company such as a bank and asks for credit card details.
Other types of phishing include:
- Spear phishing – The fraudulent messages target specific people and organisations, and may contain information that is true to make them appear more authentic. These messages can be extremely difficult to detect, even for trained professionals, as they catch people off guard.
- Malware phishing – the fraudulent email will encourage individuals to click a link or download an attachment so that malware can be installed on the device. It is currently the most pervasive form of phishing attack.
- Business Email Compromise (BEC) – the fraudulent email will appear to be from someone in or associated with the targeted individual’s company requesting urgent action such as transferring money.
Commonwealth phishing laws and penalties
The Criminal Code Act 1995 (Cth) has various offences that criminalise phishing in Australia:
| Section | Offence | Maximum penalty |
| --- | --- | --- |
| 134.2 Obtaining a financial advantage by deception | (1) A person commits an offence if: (a) the person, by a deception, dishonestly obtains a financial advantage from another person; and (b) the other person is a Commonwealth entity. (2) Absolute liability applies to the paragraph (1)(b) element of the offence. | 10 years’ imprisonment |
| 135.1(1) General Dishonesty – Obtaining a gain | (1) A person commits an offence if: (a) the person does anything with the intention of dishonestly obtaining a gain from another person; and (b) the other person is a Commonwealth entity. (2) In a prosecution for an offence against subsection (1), it is not necessary to prove that the defendant knew that the other person was a Commonwealth entity. | 10 years’ imprisonment |
| 135.1(3) General Dishonesty – Causing a loss | (3) A person commits an offence if: (a) the person does anything with the intention of dishonestly causing a loss to another person; and (b) the other person is a Commonwealth entity. (4) In a prosecution for an offence against subsection (3), it is not necessary to prove that the defendant knew that the other person was a Commonwealth entity. | 10 years’ imprisonment |
| 135.1(5) General Dishonesty – Causing a loss to another | (5) A person commits an offence if: (a) the person dishonestly causes a loss, or dishonestly causes a risk of loss, to another person; and (b) the first‑mentioned person knows or believes that the loss will occur or that there is a substantial risk of the loss occurring; and (c) the other person is a Commonwealth entity. (6) Absolute liability applies to the paragraph (5)(c) element of the offence. | 10 years’ imprisonment |
| 478.1 Unauthorised access to, or modification of, restricted data | (1) A person commits an offence if: (a) the person causes any unauthorised access to, or modification of, restricted data; and (b) the person intends to cause the access or modification; and (c) the person knows that the access or modification is unauthorised. (3) In this section: restricted data means data: (a) held in a computer; and (b) to which access is restricted by an access control system associated with a function of the computer. | 2 years’ imprisonment |
| 477.3 Unauthorised impairment of electronic communication | (1) A person commits an offence if: (a) the person causes any unauthorised impairment of electronic communication to or from a computer; and (b) the person knows that the impairment is unauthorised. (3) A conviction for an offence against this section is an alternative verdict to a charge for an offence against section 477.2 (unauthorised modification of data to cause impairment). | 10 years’ imprisonment |
| 474.17 Using a carriage service to menace, harass or cause offence | (1) A person commits an offence if: (a) the person uses a carriage service; and (b) the person does so in a way (whether by the method of use or the content of a communication, or both) that reasonable persons would regard as being, in all the circumstances, menacing, harassing or offensive. (2) Without limiting subsection (1), that subsection applies to menacing, harassing or causing offence to: (a) an employee of an NRS provider; or (b) an emergency call person; or (c) an employee of an emergency service organisation; or (d) an APS employee in the Department administered by the AFP Minister acting as a National Security Hotline call taker. | 5 years’ imprisonment |
| 480.4 Dishonestly obtaining or dealing in personal financial information | (1) A person commits an offence if the person: (a) dishonestly obtains, or deals in, personal financial information; and (b) obtains, or deals in, that information without the consent of the person to whom the information relates. | 5 years’ imprisonment |
| 480.5 Possession or control of thing with intent to dishonestly obtain or deal in personal financial information | (1) A person commits an offence if: (a) the person has possession or control of any thing; and (b) the person has that possession or control with the intention that the thing be used: (i) by the person; or (ii) by another person; to commit an offence against section 480.4 (dishonestly obtaining or dealing in personal financial information) or to facilitate the commission of that offence. (2) A person may be found guilty of an offence against subsection (1) even if committing the offence against section 480.4 (dishonestly obtaining or dealing in personal financial information) is impossible. (3) It is not an offence to attempt to commit an offence against subsection (1). | 3 years’ imprisonment |
NSW phishing laws and penalties
The Crimes Act 1900 (NSW) criminalises phishing through various offences:
| Section | Offence | Maximum penalty |
| --- | --- | --- |
| 192E Fraud | (1) A person who, by any deception, dishonestly— (a) obtains property belonging to another, or (b) obtains any financial advantage or causes any financial disadvantage, is guilty of the offence of fraud. (2) A person’s obtaining of property belonging to another may be dishonest even if the person is willing to pay for the property. (3) A person may be convicted of the offence of fraud involving all or any part of a general deficiency in money or other property even though the deficiency is made up of any number of particular sums of money or items of other property that were obtained over a period of time. (4) A conviction for the offence of fraud is an alternative verdict to a charge for the offence of larceny, or any offence that includes larceny, and a conviction for the offence of larceny, or any offence that includes larceny, is an alternative verdict to a charge for the offence of fraud. | 10 years’ imprisonment |
| 192G Intention to defraud by false or misleading statement | (1) A person who dishonestly makes or publishes, or concurs in making or publishing, any statement (whether or not in writing) that is false or misleading in a material particular with the intention of— (a) obtaining property belonging to another, or (b) obtaining a financial advantage or causing a financial disadvantage, is guilty of an offence. | 5 years’ imprisonment |
| 308C Unauthorised access, modification or impairment with intent to commit serious indictable offence | (1) A person who causes any unauthorised computer function— (a) knowing it is unauthorised, and (b) with the intention of committing a serious indictable offence, or facilitating the commission of a serious indictable offence (whether by the person or by another person), is guilty of an offence. | The maximum penalty applicable if the person had committed, or facilitated the commission of, the serious indictable offence in this jurisdiction. |
| 308F Possession of data with intent to commit serious computer offence | (1) A person who is in possession or control of data— (a) with the intention of committing a serious computer offence, or (b) with the intention of facilitating the commission of a serious computer offence (whether by the person or by another person), is guilty of an offence. | 3 years’ imprisonment |
| 308G Producing, supplying or obtaining data with intent to commit serious computer offence | (1) A person who produces, supplies or obtains data— (a) with the intention of committing a serious computer offence, or (b) with the intention of facilitating the commission of a serious computer offence (whether by the person or by another person), is guilty of an offence. | 3 years’ imprisonment |
| 308H Unauthorised access to or modification of restricted data held in computer (summary offence) | (1) A person— (a) who causes any unauthorised access to or modification of restricted data held in a computer, and (b) who knows that the access or modification is unauthorised, and (c) who intends to cause that access or modification, is guilty of an offence. | 2 years’ imprisonment |
| 308I Unauthorised impairment of data held in computer disk, credit card or other device (summary offence) | (1) A person— (a) who causes any unauthorised impairment of the reliability, security or operation of any data held on a computer disk, credit card or other device used to store data by electronic means, and (b) who knows that the impairment is unauthorised, and (c) who intends to cause that impairment, is guilty of an offence. | 2 years’ imprisonment |
Offences under sections 308C, 308F and 308G criminalise an individual using victims’ stolen data to commit a serious offence such as theft, fraud or extortion. For example, if a cybercriminal logs into a victim’s bank account using information obtained by a scam and steals money from the account, the cybercriminal will be in breach of section 308F as they possessed unauthorised data for the purpose of committing theft.
It is not an offence to attempt to commit offences under sections 308C, 308F and 308G.
What must the prosecution prove?
For offences under both Commonwealth and NSW laws, the prosecution must generally prove beyond a reasonable doubt that the accused did any of the following, in relation to the commission of an indictable offence:
- Intended to access or impair communication or data,
- Intended to gain a financial advantage for themselves or cause a financial loss to the victim, or
- Intended for unauthorised data to be used to commit, or to facilitate the commission of, that offence.
For Commonwealth offences such as those under s 134.2 and s 135.1(1), the prosecution must prove that the target of the phishing attack was a Commonwealth entity such as the Australian Taxation Office or Department of Health.
Possible defences
Possible defences include:
- The accused did not access or impair data or electronic communication.
- In the instance the accused did access this data, they had authorisation or a legitimate reason to access it.
- The accused did not have intention to commit or facilitate the offence.
For offences involving a carriage service, a potential defence is establishing that the accused did not use or obtain information through a carriage service (such as a phone, mobile device or computer).
How to prevent phishing
You can take steps to protect yourself against phishing including:
- Don’t click on links in emails or messages, or open attachments, from people or organisations you don’t know.
- Do not give out personal or sensitive information in response to unprompted telephone calls or emails. Banks and other financial institutions will never call or email you to ask for these details.
- Before you click a link (in an email or on social media, instant messages, other web pages, or other means), hover over that link to see the actual web address it will take you to (usually shown at the bottom of the browser window). If you do not recognise or trust the address, try searching for relevant key terms in a web browser. This way you can find the article, video or web page without directly clicking on the suspicious link.
- Look to see whether the website is secure. Secure websites can be identified by the use of “https:” rather than “http:” at the beginning of the URL, as well as a closed padlock symbol. Legitimate websites that ask you to enter confidential information are generally encrypted to protect your details.
- Carefully read emails before you click on any links: check for typos and spelling errors, and check the sender’s email address, as scam emails often come from unusual addresses.
- Frequently review your bank statements and credit card statements to check for any suspicious withdrawals.
- Review credit reports annually to check for any suspicious loans or financial activity under your name.
- Install antivirus software.
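The link-inspection advice above (hover to see the real address; prefer https) can be automated for a mail gateway or a security-awareness tool. The following is an added example, not code from the original article or from any vendor: it parses the HTML body of an email, extracts every link, and flags a link when the visible text names one domain but the underlying href points somewhere else, or when the href uses plain http. The sample email body is constructed for the example, and the domains in it are placeholders. Note that https on its own only guarantees transport encryption, not that the site is legitimate, so the plain-http check is treated as one signal among others rather than proof either way.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse


class _AnchorCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


# Matches something that looks like a hostname inside the visible link text,
# e.g. "bank.example.com" in "https://bank.example.com/secure".
HOST_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.IGNORECASE)


def same_site(text_host, link_host):
    """True when the href host is the displayed host or a subdomain of it.

    Comparing suffixes avoids needing a public-suffix list: 'login.bank.example'
    is accepted for displayed 'bank.example', but 'bank.example.evil.test' is not.
    """
    t, l = text_host.lower().rstrip("."), link_host.lower().rstrip(".")
    return l == t or l.endswith("." + t)


def inspect_links(html_body):
    """Return one finding per link with the reasons (if any) it looks suspicious."""
    parser = _AnchorCollector()
    parser.feed(html_body)
    findings = []
    for href, text in parser.links:
        url = urlparse(href)
        host = url.hostname or ""
        reasons = []
        if url.scheme == "http":
            reasons.append("plain http (no transport encryption)")
        shown = HOST_RE.search(text)
        if shown and not same_site(shown.group(1), host):
            reasons.append(
                f"visible text names {shown.group(1)} but link goes to {host}"
            )
        findings.append(
            {"href": href, "text": text, "host": host,
             "suspicious": bool(reasons), "reasons": reasons}
        )
    return findings


# Constructed sample email body; all domains are placeholders for the example.
SAMPLE_EMAIL = """
<p>Dear customer, your account has been suspended. Act now.</p>
<p><a href="http://bank.example.com.verify-login.test/reset">https://bank.example.com/secure</a></p>
<p><a href="https://www.bank.example.com/help">Help centre</a></p>
<p><a href="https://support.bank.example.com/faq">bank.example.com</a></p>
"""

if __name__ == "__main__":
    for f in inspect_links(SAMPLE_EMAIL):
        status = "SUSPICIOUS" if f["suspicious"] else "ok"
        print(f"{status:10} {f['href']}")
        for r in f["reasons"]:
            print(f"             - {r}")
```

Run as a script it prints a verdict per link; in the sample only the first link is flagged, with both reasons, because its visible text claims the bank's domain while the href points to an unrelated host over plain http. A subdomain of the displayed domain (third link) is accepted, which is the usual legitimate case for help or login portals.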