Phishing for rewards | ACMA

Phishing for rewards

scam_cupcake-01 jpg

Consumers should be on high alert for email scams circulating that claim to be from big-name brands like Woolworths and Qantas. These ‘phishing’ scams promise cash and other rewards in exchange for completing a customer satisfaction survey. Sometimes consumers take the bait and give valuable information, such as financial details or names, addresses and other types of personal material, to criminals.

What does a phishing scam look like?

This screenshot is taken from the emails and associated survey forms linked to the Qantas and Woolworths survey phishing scams recently identified by the ACMA:

scam-alert-woolworths jpg 

How does the scam work?

These phishing scammers follow a similar pattern:

  • They send a fake email claiming to be from a well-known brand.
  • They offer a reward (in these cases, frequent-flyer points for the Qantas scam and cash for the Woolworths scam) for taking part in a ‘quick and easy’ online survey.
  • The email includes a link to an online form that asks the user for a range of personal information—often email address and account password, contact info and bank account details.

Although scam emails are often easy to spot due to giveaways like poor wording or typos, scammers are increasingly using better English to replicate what looks like a genuine message from a known brand. These fake emails nearly always include the email design format and marketing images used by the targeted brand, which are easily copied from a genuine email.

The fake emails are usually sent far and wide over the period of the scammer’s ‘campaign’, which typically lasts only a few days. And while many email recipients may have no relationship to the targeted brand, this scope increases the likelihood that recipients may be a genuine customer.

What gives away a phishing scam email?

Recipients will be asked for personal information that the real brand would never request through an email. The combination of a trusted brand and the lure of quick and easy cash or rewards can override a user’s common sense. Scammers use this strategy to overcome a customer’s natural suspicion about the email—and particularly the personal information requested in the linked form.

Do these scams work?

Unfortunately they do. Some recipients even fill in the survey forms multiple times in their eagerness to receive the promised rewards.

While we’ve seen comments on our social media sites that ‘nobody would fall’ for the information requested, the reality is that a small percentage of people do enter the requested data, whether through inattention, ignorance or confusion. With much more sophisticated phishing scams currently in circulation, it’s dangerous to assume no one could possibly fall victim.

Cybercriminals know when they’re onto a good thing and the cost of running a phishing campaign is negligible to them—but may come at great cost to others.

Tips to stay protected

Consumers can minimise the chance of falling victim to a phishing campaign by: 

  • Not opening SMS or emails from unknown or suspicious sources.
  • Never following hyperlinks contained in these messages (e.g. use a search engine or type in the actual website address yourself!).
  • Never using the same login details on multiple services (e.g. have different passwords for different websites and services).

Remember, if the offer looks too good to be true, it almost certainly is.

Need help or want to find out more?

Anyone who has fallen victim to this or any other scam should report the details to the Australian Cybercrime Online Reporting Network.

The government’s Stay Smart Online website has further tips on how consumers can protect themselves from email scams.

To arrange an interview please contact: Emma Rossi, Media Manager, (02) 9334 7719, 0434 652 063 or

17 February 2017

Last updated: 16 February 2017