The scariest part about getting scammed was not realising it was happening in the first place.

Perhaps naively, I never thought I would be the victim of a cyber scam. I’m reasonably digitally literate and have had it drilled into me to be wary of phishing emails and strange text messages. I’ve even received training at my workplace on how to safeguard yourself against hacking.

It may have been this assumption, that cybercrimes target the elderly and vulnerable rather than a tech-savvy zillennial who grew up with mobile phones and the internet, that loosened my guard.

I had been on a summer vacation, rarely checking my phone, when the text message arrived. It purported to be from my bank and said my “awards points” were going to expire the following day.

“We’re reminding you that 12,805 awards points … are set to expire on 31 December 2025,” the message read. “Don’t miss out – redeem your points today.”

This was followed by a link that, looking at it now, was clearly not from my bank. The message also came from a generic mobile number, rather than the bank itself.

But I was on holiday, I wasn’t reading it in detail, so I clicked on the link.

_{Sign up: AU Breaking News email}

Once doing so, I was sent to a page that looked extremely similar to my bank’s online services. Same colours, same font, same banner head. I scrolled through a range of options for how I could redeem my so called “points”, including smartwatches and speakers.

Even though I wasn’t aware my bank had a points system which expired each year, it wasn’t shocking to me. My phone service accumulates points that can be used towards items. With little consideration, I clicked on a watch and proceeded to the checkout.

This was where they got me. I was then prompted to log into my account using my banking credentials, and to authorise a $2.99 transaction for shipping in my app.

In this way, the scammers managed to authorise a cardless cash transaction in my account without me realising a thing. It was only a few days later, when I was back home and checking the damage in my account for the holiday season, that I saw $500 had been withdrawn from an ATM in Melbourne.

I immediately called my bank to report the incident, my mind ticking over how anyone in Victoria could have accessed my account when I was miles away on the south coast of New South Wales.

Their fraud team accessed my account and began to ask me a series of questions. Had I received any suspicious text messages claiming to be from my bank? Had I clicked on the links? My stomach dropped.

It was so obvious.

A simple Google search before clicking the link would have brought up my own bank’s warning that a “fraudulent SMS message campaign” had been circulating, designed to trick customers by telling them to redeem awards points by clicking links, calling phone numbers, or disclosing sensitive information including their banking credentials.

“Be suspicious of any message that asks you for sensitive information, or to complete tasks like updating software, or giving remote access via email or text,” it said.

Similar text message scams claiming awards points are expiring have been sent to Qantas Frequent Flyer, Telstra and Coles loyalty programs’ customers in the past, according to the Australian Competition and Consumer Commission.

Its National Anti-Scam Centre reported Australians lost nearly $260m to scams in the first nine months of 2025, the vast majority occurring online.

Luckily, my money was refunded from my bank after reporting the scam and my cards were changed. More important, though, is the message I’ve learned. That scams can get anyone, and if it looks too good to be true, it probably is.

• Caitlin Cassidy is education reporter for Guardian Australia