Yarra Secure

Free guide

Staff Scam Cheat Sheet: What to Watch For and What to Do

Most scams succeed because a busy person acted in good faith. This one-page cheat sheet gives your team the red flags to watch for and a simple response: stop, verify on a known channel, report.

Red flags in any message

  • Urgency or secrecy ('pay this now', 'don't tell anyone yet')
  • Changed bank details, payment instructions, or 'new' payment portals
  • Login links arriving unexpectedly — even if the page looks right
  • Sender address slightly wrong (extra letter, different domain)
  • Requests to buy gift cards, move money, or share codes
  • Attachments you weren't expecting, especially invoices and 'remittances'

The three-step response

  • STOP — don't click, don't pay, don't reply
  • VERIFY — contact the person or company on a number you already have, never one from the message
  • REPORT — tell your manager or security contact immediately; fast reporting limits damage and nobody gets in trouble for reporting

Everyday habits

  • Use MFA everywhere it's offered — and never share the codes with anyone, including 'IT'
  • Use unique passwords via the company password manager
  • Lock your screen when away from your desk
  • Don't paste client data into personal AI tools or personal email

General guidance only, drawn from practical experience and aligned with public Australian guidance from the ASD's Australian Cyber Security Centre (cyber.gov.au) and ACCC Scamwatch (scamwatch.gov.au). Check those sources for current official advice. This guide is not legal advice.


Want this checked against your business?

The 48-hour Quick Cyber Risk Review covers this ground and more, with evidence and a prioritised action plan for your specific setup.

Or call Sam directly on 0435 315 894.