Phishing email: how to spot the warning signs
A plain English guide to spotting a phishing email, checking links, handling attachments and reporting suspicious messages safely.
A phishing email does not need to be clever to work. It only needs to catch you at the wrong moment. The safest habit is to slow the message down before it speeds you up.
The Short Version
- A phishing email tries to trick you into clicking, paying, logging in or sharing information.
- The warning signs are urgency, odd sender details, strange links, unexpected attachments and pressure to act.
- Do not use links inside a suspicious message. Go to the service directly instead.
- If you clicked, change passwords from a trusted device and watch affected accounts.
- In the UK, suspicious emails can be reported to the NCSC.
What a phishing email is
A phishing email is a fake message designed to make you act before you think. It may pretend to be a bank, delivery firm, employer or public body.
The goal is usually to steal a password, payment card, bank security code or other personal details. Sometimes the email carries a dangerous attachment.
The message may look polished. Scammers copy logos, wording and layouts because familiar design lowers your guard.
The National Cyber Security Centre phishing guidance explains how scam emails, texts and websites work.
Some attacks are broad and sloppy. Others are targeted and use real names, job titles or recent events.
That is why spelling mistakes are not the only test. A clean design can still hide a fake request.
Urgency is the main pressure trick
A phishing email often creates a deadline. Your parcel will be returned, your account will close, or a payment will fail.
That pressure matters because it pushes you away from normal checks. The scammer wants speed, not careful reading.
Pause whenever a message asks for urgent payment, login details or personal information. Real organisations can usually be contacted another way.
If the message claims to be from a service you use, open your browser or app yourself. Do not start from the email link.
Urgency can also be emotional. A message may claim a relative needs help, a colleague is waiting, or a refund is about to expire.
Those stories work because they borrow context from normal life. The answer is still the same: verify outside the email.
Sender details can reveal the trick
Check the sender name and the actual email address. They are not always the same thing.
A display name can say HMRC or your bank while the real address is unrelated. On a phone, you may need to tap the sender name to see the actual address.
Small spelling changes matter. A phishing email may use a domain that looks close to the real one at a glance.
Also watch for odd replies. If the reply address differs from the sender, treat that as another warning sign.
Be cautious with messages from free email accounts claiming to represent a company. Some small firms use them, but major brands usually do not.
If a work email asks for money or gift cards, check with the person by phone or a trusted chat channel.
Links deserve a second look
A link can show one thing and lead somewhere else. Hovering on a computer can reveal the destination before you click.
On a phone, long-pressing may show the address, but do not open it if you are unsure.
Shortened links are harder to judge. So are links filled with long strings of random letters and numbers.
A safer habit is to type the known website address yourself. That avoids the link inside the phishing email completely.
Look for the domain, not just familiar words in the address. Scammers often place a brand name somewhere in a longer fake link.
If the link asks you to sign in again, stop. Open the real service separately and check from there.
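As an added illustration, not part of this guide, the following Python turns the sender and link advice above into checks: it compares the domain a display name claims with the real address, notes when replies would go elsewhere, and extracts a link's actual domain so a brand name buried in a subdomain or path is flagged. All addresses and domains are constructed examples, and the domain rule is a simplified stand-in for the Public Suffix List.

```python
import re
from typing import List, Optional
from urllib.parse import urlparse
from email.utils import parseaddr

# Simplified stand-in for the Public Suffix List: the last two labels form the
# registrable domain, except for a few known two-part suffixes such as co.uk.
TWO_PART_SUFFIXES = {"co.uk", "org.uk", "gov.uk", "ac.uk", "com.au"}


def registrable_domain(host: str) -> str:
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_PART_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def link_warnings(url: str, brand: str, real_domain: str) -> List[str]:
    """Warning signs for a link that claims to belong to `brand` (real_domain)."""
    warnings = []
    parsed = urlparse(url)
    domain = registrable_domain(parsed.hostname or "")
    if domain != real_domain.lower():
        warnings.append(f"link domain is {domain}, not {real_domain}")
        # The brand name sits in a subdomain or the path, not in the real domain.
        if brand.lower() in url.lower():
            warnings.append("brand name appears in the link but not as its domain")
    if re.search(r"[A-Za-z0-9]{20,}", parsed.path + parsed.query):
        warnings.append("long random-looking string in the link")
    return warnings


def sender_warnings(from_header: str, reply_to: Optional[str], claimed_domain: str) -> List[str]:
    """Compare the display name, the real address and any Reply-To address."""
    warnings = []
    name, addr = parseaddr(from_header)
    addr_domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    if addr_domain != claimed_domain.lower():
        warnings.append(f"display name '{name}' but address domain is '{addr_domain}'")
    if reply_to:
        _, reply_addr = parseaddr(reply_to)
        if reply_addr.lower() != addr.lower():
            warnings.append(f"replies go to {reply_addr}, not to the sender")
    return warnings


if __name__ == "__main__":
    # Constructed examples, not real organisations or messages.
    print(sender_warnings("Example Bank <alerts@mail-notice.example>", None, "examplebank.com"))
    print(link_warnings("https://examplebank.com.login-check.example/verify", "examplebank", "examplebank.com"))
```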
Attachments are a common trap
Unexpected attachments need caution, especially invoices, delivery notices, shared files and security warnings.
A file can carry malware, which is software designed to harm a device or steal information. Office files and compressed folders are common lures.
If an attachment arrives from a colleague but feels odd, check through another channel. Their account may have been compromised.
This is also why device updates matter. Security updates close weaknesses that criminals try to exploit.
Cloud document links need the same caution. A fake shared file can lead to a login page that steals your password.
Do not enable macros in a document unless you are completely sure why they are needed. Most people do not need them.
What to do if you clicked
If you clicked a link but did not enter details, close the page and do not continue. Run updates and check your browser downloads.
If you entered a password, change it from the real website or app. If you reuse that password elsewhere, change those accounts too.
If you shared bank details or approved a payment, contact your bank quickly. Speed can matter after a scam.
The NCSC explains how to report a scam email and what to do if you responded.
Tell your workplace IT team if the message touched a work account. Early reporting can help protect other people.
Do not feel embarrassed. A phishing email is designed to catch busy, sensible people at the wrong moment.
A Worked Example
Imagine an email says your delivery needs a £1.99 fee. The logo looks right and the message says the parcel returns tonight.
That is the pressure. Instead of clicking, open the delivery company’s app or website yourself.
If no fee appears there, the email was likely fake. You avoided the trap by checking the source, not the design.
Now imagine the message came after you really ordered something. That timing makes the phishing email more believable.
The same rule still applies. Do not let the message choose the route you use.
If the real app shows no problem, delete the email and report it. You do not need to argue with the message.
The same approach works for banks, streaming accounts and tax messages. Start from the real service, not the warning page itself.
What This Means For You
Build a pause into your email habits. If a message asks you to act now, that is exactly when you should slow down.
Use bookmarks, official apps or typed addresses for banking, tax, delivery and work accounts. Do not trust links by default.
Turn on two-factor authentication where possible. It gives an extra barrier if a password is stolen.
Our guide to two-factor authentication explains how that extra check works.
A phishing email works by borrowing trust. Your defence is to verify the route before you trust the request.
In Plain English
A phishing email is a fake message that tries to make you click, pay or log in. It often uses pressure and familiar branding.
The safe response is simple. Check the sender, avoid the link, use the real website and report suspicious messages.