Phishing · Home & Business · 7 min read · Updated June 2026

The Complete UK Phishing Guide

Phishing is the number one cybercrime in the UK. This guide covers everything: the different types of phishing attack, how to recognise every warning sign, how to report what you receive, and exactly what to do if you have already been caught.

The Six Types of Phishing

Email phishing

The most common form. Fake emails impersonating banks, HMRC, Royal Mail, delivery companies, or online retailers. Links lead to convincing fake websites that steal your login or payment details.

Smishing (SMS phishing)

Fake texts claiming a parcel needs to be re-delivered, your bank account is frozen, or a payment has failed. Short links hide the real destination. The Royal Mail parcel text is among the most reported in the UK.

Vishing (voice call phishing)

Criminals phone you pretending to be your bank, HMRC, or the police. They use urgency and authority to pressure you into sharing account details or making an urgent payment.

Spear phishing

Targeted attacks aimed at a specific person. Criminals research you first — using social media and public information — to make the message feel personal and credible. Common in business contexts and higher-stakes fraud.

Clone phishing

An exact replica of a genuine email you have previously received, with one change: the links have been replaced with malicious ones.

Whaling

Spear phishing directed at business owners, directors, or senior executives. High-value targets justify more preparation and more convincing impersonation.

Warning Signs — Regardless of Type

Every phishing attempt, however sophisticated, tends to share these tells:

  • ⚠️ Urgency: "Act within 24 hours or your account will be closed." Real organisations rarely demand instant action by email or text.
  • ⚠️ Suspicious sender address: The display name says "HMRC" but the actual email is refunds@hmrc-uk.com — not @hmrc.gov.uk. Always check the full address.
  • ⚠️ Link destination does not match the text: Hover over links before clicking. The real URL is often completely different from the text shown.
  • ⚠️ Generic greeting: "Dear Customer" or "Dear Account Holder" rather than your name.
  • ⚠️ Requests for passwords or PINs: No legitimate bank, government body, or business will ever ask for these via email, text, or phone call.
  • ⚠️ Poor spelling or unusual phrasing: Though AI tools are making phishing more convincing, errors remain common.
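
Two of the signs above, the sender address that does not match the display name and the link whose text does not match its destination, can be checked mechanically. The following Python is an added example, not part of the original guide; the KNOWN_SENDERS table, the sample message and the example.net destination are assumptions constructed for illustration.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: brands mapped to the domains they genuinely send from.
KNOWN_SENDERS = {"hmrc": ("hmrc.gov.uk",)}
SAMPLE = """From: HMRC <refunds@hmrc-uk.com>
Content-Type: text/html; charset="utf-8"

<p>Dear Customer, claim at <a href="https://refund.example.net/login">www.gov.uk/refund</a></p>
"""  # constructed sample message, not a real phishing email

def domain_matches(host, allowed):  # host is, or is a subdomain of, an allowed domain
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in allowed)

class LinkCollector(HTMLParser):  # gathers (visible text, href) for every <a>
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None

def check_message(raw):
    msg, findings = message_from_string(raw, policy=policy.default), []
    # Sign 1: display name claims a brand, address domain is not that brand's.
    name, addr = parseaddr(str(msg["From"]))
    for brand, domains in KNOWN_SENDERS.items():
        if brand in name.lower() and not domain_matches(addr.rpartition("@")[2], domains):
            findings.append(f"sender: display name {name!r} but address is {addr}")
    # Sign 2: link text shows one domain, href points at another.
    body = msg.get_body(preferencelist=("html",))
    parser = LinkCollector()
    parser.feed(body.get_content() if body is not None else "")
    for text, href in parser.links:
        shown = re.search(r"[a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,}", text.lower())
        real = urlparse(href).hostname or ""
        if shown and not domain_matches(real, (shown.group().removeprefix("www."),)):
            findings.append(f"link: text shows {shown.group()} but goes to {real}")
    return findings
```

Calling check_message(SAMPLE) returns one finding per sign. Link text with no domain in it, such as "Click here", is not compared, so hovering over the link is still needed for those.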

How to Verify Before You Act

When any message prompts you to click, call, or provide information:

  1. Do not use contact details from the message — look up the organisation's official contact details independently (their website, the back of your card, a statement)
  2. Check the sender's full email address — click or tap the name to expand it
  3. Call the organisation directly on a number you already have or found independently
  4. Take your time — urgency is a tactic. A real problem will still be a real problem in 10 minutes.

How to Report Phishing in the UK

Reporting takes 30 seconds and helps protect other people. Please do it:

Type                  Where to Report
Suspicious emails     Forward to report@phishing.gov.uk
Suspicious texts      Forward to 7726 (free, all UK networks)
Suspicious calls      actionfraud.police.uk or 0300 123 2040
HMRC impersonation    gov.uk/report-suspicious-emails-websites-phishing

If You Have Already Been Caught

Act quickly — the damage is often containable:

  1. Change your password on the affected account and everywhere you used the same password
  2. Enable two-factor authentication immediately
  3. Contact your bank if you provided any financial information — call the number on the back of your card
  4. Check your email for forwarding rules you did not set up
  5. Monitor your accounts for unusual activity over the next few weeks
  6. Report to Action Fraud at actionfraud.police.uk or 0300 123 2040

Protecting Your Household Long-Term

  • Use a different password for every account — a password manager removes the burden of remembering them
  • Enable 2FA on all important accounts, starting with email and banking
  • Talk to older family members — they are disproportionately targeted by phishing and vishing
  • Keep devices and apps updated — this removes the vulnerabilities that phishing links try to exploit

Frequently asked questions

What is the most common phishing scam in the UK?

HMRC tax refund emails, Royal Mail parcel redelivery texts, and bank security alert calls are consistently among the most reported. Action Fraud processes hundreds of thousands of reports each year.

What happens if I click a phishing link?

A single click does not guarantee compromise — it is entering your details on the fake site that causes most damage. Change your password on the affected account immediately, enable two-factor authentication, and report to Action Fraud.

How do I report phishing to HMRC specifically?

Forward the suspicious email to phishing@hmrc.gov.uk and to report@phishing.gov.uk. You can also report online at gov.uk/report-suspicious-emails-websites-phishing.