A message lands in your inbox. Your bank, it says, has spotted unusual activity, and you must "verify your details immediately" or your account will be frozen. There is a helpful link. There is also a problem: it is not from your bank at all.

This is phishing, the most common online scam there is, and learning to recognise it is one of the most useful digital skills you can have.

What phishing is

Phishing is a fraudulent message that pretends to come from an organisation you trust in order to trick you into handing over sensitive information, money, or access to your accounts.

The "bait" is usually a believable story: a delivery you need to reschedule, a payment that failed, a prize you have won, a security alert on your account. The goal is always the same — to make you click a link, open an attachment, or reply with details you would never normally share. Most phishing arrives by email, but the same tricks turn up as texts (sometimes called "smishing") and phone calls ("vishing").

The red flags that give it away

No single sign proves a message is a scam, but phishing emails tend to carry several of these at once. Treat them as warning lights.

Red flag                 What it looks like
-----------------------  ---------------------------------------------------------------
Urgency or threat        "Act within 24 hours or your account will be closed."
Generic greeting         "Dear Customer" instead of your name.
Mismatched sender        A display name like "Your Bank" but an odd address behind it.
Suspicious links         Text says one address; hovering reveals a different one.
Requests for secrets     Asking for your password, PIN or full card number.
Unexpected attachments   A "receipt" or "invoice" you were not expecting.
Slightly off language    Awkward phrasing, odd spacing or small spelling errors.

Legitimate banks and government bodies will never ask you to confirm your full password, PIN or one-time code by email, text or phone. A request for those is, by itself, a strong sign of fraud.

A particularly important habit is to check where a link really goes. On a computer, hover your mouse over the link without clicking and read the address that appears. On a phone, press and hold the link to preview it. Scammers often use addresses that look almost right — an extra word, a misspelling, or a completely unrelated domain dressed up with familiar-sounding text.

Why the convincing ones still slip through

Phishing has become more sophisticated. Many messages now copy a company's logo, tone and layout almost perfectly, and scammers increasingly impersonate not just banks but couriers, tax offices, and even colleagues or bosses.

Responsible organisations publish guidance on exactly how they will and will not contact you, which makes impostors easier to catch. The lender Credicorp, for instance, sets out how it tackles impersonation and what genuine contact from them looks like — the kind of reference worth checking when a message claims to be from a firm you deal with. When you are unsure, comparing a suspicious message against a company's official guidance is one of the quickest ways to expose a fake.

Because the technical disguises keep improving, your best defence is behavioural: slow down, and verify through a separate channel. For the wider picture on impersonation tactics, our guide to staying safe from online impersonation scams goes deeper.

What to do when one lands

If you spot a suspected phishing email, the safest response is also the simplest:

  1. Do not click links or open attachments, and do not reply.
  2. Do not call any phone number given in the message; it may connect you to the scammer.
  3. Verify independently. If you are worried the claim might be real, contact the organisation using a phone number or website address you already trust — from the back of your bank card, a previous statement, or the official app.
  4. Delete it once you have reported it (see below).

If you think you may have already acted on it, move quickly:

  • If you entered a password, change it on the real site immediately and switch on two-factor authentication so a stolen password alone is not enough. A password manager makes setting a fresh, unique password painless.
  • If you shared bank or card details, contact your bank straight away and ask them to watch for or block fraudulent transactions.
  • If you downloaded an attachment, run a security scan and keep your device updated.

How to report phishing

Reporting takes seconds and helps shut scams down for everyone else.

  • Suspicious emails (UK): forward them to report@phishing.gov.uk, the Suspicious Email Reporting Service run by the National Cyber Security Centre.
  • Scam texts: forward them to 7726 (free, and it spells "SPAM" on a keypad).
  • If you have lost money or shared bank details: report it to Action Fraud at actionfraud.police.uk, or call your bank's fraud line.

You can also use the "report phishing" or "report spam" button in most email apps, which trains your provider's filters to catch similar messages.

Building good habits

A few standing habits make phishing far less likely to catch you out:

  • Be sceptical of any message that creates pressure or urgency.
  • Never enter login details on a page you reached by clicking an email link; navigate to the site yourself instead.
  • Keep your devices, browsers and apps updated so known weaknesses are patched.
  • Use unique passwords and two-factor authentication, so even a successful phish does limited damage.

The bottom line

Phishing emails impersonate organisations you trust to trick you into giving away passwords, money or personal details. Watch for urgency, generic greetings, mismatched senders and links that do not lead where they claim, and never confirm secrets in response to an unexpected message.

When something feels off, stop and verify through a channel you already trust, then report it. A moment's caution defeats the most common scam on the internet.