How to deal with email phishing scams

See guide sections

In this guide

What is phishing?

Phishing is a method scammers, hackers, and other malicious actors use to try and get would-be victims to willingly (but unkowingly) hand over key personal information or otherwise grant them access to their devices. 

Usually this involves sending out an email or text message that is designed to look like it's from an official entity - e.g. a bank, postal service, or internet service provider - that contains a malicious link of some kind. Once you click that link, you'll typically be taken to a form where you'll be asked to enter information like your bank details or username and password.

Typically, throughout this whole process, the victim will be totally unaware that they are being scammed. That is, right up until the contents of their iCloud are posted online, or money starts leaving their bank account unexpectedly.

How to spot phishing emails

Scammers don’t arrive in your inbox announcing their intent. Usually, they’re pretending to be companies you have legitimate dealings with, such as your bank, mobile phone provider or even the government. 

But there are telltale signs that you’re dealing with an imposter.

• The email address doesn’t match the organisation’s website or any emails you’ve received from them before. Look out for dashes, misspellings, free mail addresses. For example, HMRC doesn't use a Hotmail account.
• The email doesn’t use your name but rather a generic address such as “Dear Customer.”
• The email contains spelling or grammatical errors.
• The email has a sense of urgency—for instance telling you to act now or your account will be closed. The email may also use threats and other scare tactics.
• The email requests your personal information, such as username, password or bank details. Legitimate organisations will never ask for these details in an email.
• You didn’t expect to receive an email from the organisation that claims to have sent it.

If in doubt about an email you’ve received, reach out to the organisation it claims to be from, using the contact information publicly listed on their website and not that contained in the email.

What to do if you suspect an email to be a phishing scam:

Once you’ve identified a scam email:

• Don’t click on any links within it. If you do open a link, don’t enter any personal information into the website.
• Don’t respond to the sender, even to tell them to stop contacting you.
• Don’t open or download any attachments.

What if you do fall for a scam email?

Look, nobody's perfect, and these scams are designed specifically to trick you, so if you do fall victim to one, don't beat yourself up. If you think you've unwittingly given a digital scammer access to your personal or financial information, or have lost money to a scam, take the following steps:

• Get in contact with relevant organisations (e.g. your bank or credit card provider) and secure your accounts.
• Report any financial losses to your bank. In some cases you may be refunded under rules protecting consumers victimised by authorised push payment scams, also called bank transfer scams.
• Reset any passwords you believe scammers may have accessed.
• Report the fraud to Action Fraud, run by a police unit gathering intelligence about financially motivated cybercrime.

Reporting phishing scams

Once you’ve protected yourself from scam emails, you can help deter fraudsters and protect others by reporting any suspicious contacts to the authorities.

• Forward emails you suspect of being phishing attempts to the Suspicious Email Reporting Service (SERS) at report@phishing.gov.uk. The National Cyber Security Centre (NCSC) will analyse the email and websites it links to.
• If you've lost money to a scam, report it to Action Fraud.

Improve your security

You can also boost your internet security to ensure you don’t receive as many fraudulent emails and that the scammers sending them can’t hijack your accounts or devices.

• Use an email service with a good spam filter that can recognise and isolate scam messages so they don’t even appear in your main inbox. But be aware that no spam filter is foolproof and even approved emails can be nefarious.
• Keep your operating systems up to date.
• Install anti-virus software. But be warned: a lot of anti-virus software is itself disguised malware. Always go with a trusted antivirus security company such as McAfee or Norton.
• Contact your broadband provider to see which security software they recommend. If your current provider does not have a robust security policy, you can use usave to compare broadband deals and find one that does. And if you're not sure of the level of security your current provider offers, check out our guide on which broadband provider has the best online security.