Phishing Awareness

Phishing is the most common way people get hacked. Attackers send convincing-looking emails, texts, and calls to trick you into handing over passwords or money. Knowing what to look for is your best defence.

How to spot a phishing email

Phishing emails try to look like they come from trusted organisations — banks, HMRC, Royal Mail, or even your employer. Look for these warning signs.

  • Check the sender's actual email address — hover over the name to reveal it. Seeing HMRC in the name field means nothing if the address is a random domain.
  • Look for poor spelling, unusual grammar, or an odd tone — though some phishing emails are now very polished.
  • Watch for urgency or threats: "Your account will be suspended in 24 hours" is a classic pressure tactic.
  • Legitimate organisations rarely ask you to click a link to verify your password or confirm payment details.
  • Unexpected attachments — especially .zip, .exe, or Office files asking you to enable macros — are a major red flag.

Check before you click

Before clicking any link in an email or text message, take a moment to verify it's legitimate. A few seconds of caution can prevent significant harm.

  • Hover over links (without clicking) to see the real destination URL — does it match the claimed sender?
  • When in doubt, go directly to the website by typing the address into your browser rather than clicking the link.
  • Never enter your password on a page you reached through an email link — go directly to the site instead.
  • SMS phishing (smishing) is common — be especially cautious of delivery notifications asking for payment.
  • If a text from your bank asks you to call a number, call the number on the back of your bank card instead.

Protect your accounts against phishing

Even if you click a phishing link by mistake, having the right protections in place can stop attackers from doing serious damage.

  • Enable two-factor authentication on your email and banking accounts — a stolen password alone won't be enough to log in.
  • Use a password manager — it won't auto-fill your password on a fake website, alerting you that something's wrong.
  • Keep your browser and security software up to date — they can warn you about known phishing sites.
  • Enable spam filtering in your email — it won't catch everything, but it reduces the volume.

What to do if you've been caught

If you've clicked a link, entered your details, or believe you've been phished, act quickly. The sooner you respond, the less damage is done.

  • Change your password immediately for any account where you entered your details.
  • If you entered payment card details, contact your bank straight away and ask them to block the card.
  • If you entered your email password, change it and review what emails have been sent from your account.
  • Check whether two-factor authentication has been disabled on any accounts — re-enable it if so.
  • Tell someone close to you — phishing attacks sometimes target contacts from a compromised account.

Report phishing attempts

Reporting phishing helps protect others and can lead to scam websites being taken down faster.

  • Forward suspicious emails to the NCSC Suspicious Email Reporting Service: report@phishing.gov.uk.
  • Report suspicious texts by forwarding them to 7726 (spells SPAM) — this works on most UK mobile networks.
  • Report scam websites to the NCSC at ncsc.gov.uk/section/about-ncsc/report-scam-website.
  • Report fraud and attempted fraud to Action Fraud at actionfraud.police.uk or call 0300 123 2040.
